There is no question that technology of any kind costs money. Even so, there is plenty of evidence that people are willing to pay for technology if the technology provides them with benefits.
Why then, does IT security have such a hard time getting funding within companies? It is a lament often heard from Chief Security Officers (CSOs) and their equivalents across industries and sectors.
There are multiple issues with establishing security funding; a key example is a risk versus reward mentality, which often drives decisions at the highest levels of business. Security cannot make your business money. It will very likely save you money. But like insurance, sustainability, crisis communications, and human resources — and so many other parts of the modern workforce — security is often viewed as a cost center rather than a profit center.
Anyone can understand why companies prioritize the way they do. Supply chain issues and economic downturns are dominating C-suite conversations today. It is understandable logic: If we cannot manufacture or sell a product, these issues must come first. However, the denial mindset begins like this: Why should I deal with a potential problem when I have a real one to grapple with?
But that tendency — “the biggest problem is the one I need to deal with now” — is why CSOs often ponder whether trying to scare board members and CEOs with the worst examples of security exposures is the right tactic. After all, if the Washington DC Metropolitan Police Department can be hacked, anyone can.
But fear tactics are like asking your leadership team to watch horror movies for life lessons. It is hard to take them seriously. Those attacks are vulnerable to the “what are the odds that would happen to us” defense. The random nature of attacks makes it seem that you can get away without preparedness, despite the fact that they are very real.
If you work in the security industry, you know that attacks are no longer random. They are almost guaranteed. If the attacks come, then breaches — a successful attack — will not be far behind. In a 2022 report, security company Cybereason recently polled 1,400 cyber professionals and found that nearly three-quarters of the companies they work for have been targeted by at least one ransomware attack over the past two years. Everyone’s turn is coming.
Security is not in a unique spot here in business. The aftermath of a security-related attack is often a crisis communication situation, and they always are when an attack becomes publicly known. Companies also do not usually prepare for crisis scenarios until they are in the middle of one. And yet, like crisis communication situations – security breaches that can embarrass and affect corporate reputation– are best prepared for in advance.
If you try and wing it when you are in the middle of a communications crisis, you are most likely to make things worse with blundering quotes and no clear message. If you fly by the seat of your pants in a security breach, you stand a good chance of never fixing the problem. In the worst-case scenario, you might end up paying ransoms or explaining to customers they have been compromised. Managing these situations in real-time at any company is not advisable due to the ethical dilemmas and high-stress levels.
The situations are similar: If you are in a security breach or a crisis communications situation, to minimize damage, you are better off with people, systems, and protocols in place to first understand and then contain any threat.
If fear is not your friend in pitching security as a concern, re-frame the issue, get help, and get heard is your three-point approach to your C-suite executives. Instead of fear, a shift in proposal is often best when trying to communicate upstream.
There is a tendency for IT departments to present their ideas based on overly technical concerns that are confusing to people and are therefore easy to reject. They talk about how instead of what it means by fully explaining the implications for the business. Instead, visualize and demonstrate the damage a breach can have on your specific company. This will negate the “it’s bad luck for them, but what are the chances it will happen to us?” argument. If you can show what could and is most likely to happen at your own company that you need to prepare for, your work will be more immediately relevant to stakeholders. You will be able to motivate stakeholders to spend money if you can show them what might and is most likely to happen at their own company and what preparations need to be taken.
An internal crisis communications team or program is an ideal place to start when looking for partners. It means your company has already recognized the need for action in a similar area. You are more likely to be listened to if your head of manufacturing explains what a security breach would mean for your product delivery cycle, how long production would be halted, and the financial consequences. It does not matter who presents first. What matters is that an additional person supports the overall movement, as this video demonstrates. It is essential to hear from our leaders, besides the IT department, so that management can recognize the importance of security preparation as a corporate need.
Be aware of the top five priorities for the company set by your leadership team – because chances are that is what top management is constantly dealing with, the most pressing issues of the day. Most likely, security is not one of the top five issues that leadership needs to deal with right at this very moment. But that does not mean you will not be in the top five next quarter. Keep putting security out there as a concern and building critical mass among colleagues, so your voices are heard as one. If you can achieve that, chances are you will find security rising on your company’s list of action items.
It can be tough being a leading voice of security inside any company. But remember, your job is not just to speak but to be heard – that is a crucial part of leadership. These tips should help your C-suite team listen a little more closely.