Recent data breaches at companies like British Airways and Capital One have made it more evident than ever before that cybersecurity leaders must prepare for a staggering amount of potential threats. Credential stuffing, account takeovers, and insider threats are all vectors of attack that could potentially devastate a business. But without the C-suite’s support, it’s impossible for cybersecurity leaders to effectively plan for and defend against these threats.
If the C-suite doesn’t fully understand a security risk, they likely won’t prioritize investing to defend against the potential threat. This, of course, can lead to disastrous consequences, like losing loyal customers, hurting brand reputation, or incurring major fines. The British Airways breach led to a fine of almost $230 million, and that doesn’t include non-tactile losses like a damaged reputation. As a result, it’s up to the security leaders to effectively communicate and position security risks to company leaders and decision-makers.
Here are five tips to help cybersecurity leaders navigate the C-suite:
Make cybersecurity a priority—for everyone
While leaders acknowledge security is a vital part of their organization, they often prioritize other initiatives that provide a more direct return on investment. According to a recent study from Nominet, 90 percent of C-suite members think their organization lacks the proper resources to defend against a cyberattack, and 76 percent of them think a security breach is inevitable. This highlights a disconnect: While C-suite executives acknowledge security is an issue, they’re not doing all they can to protect their organizations.
In another report from Wipro, 72 percent of organizations cited employee negligence and lack of awareness as a top cyber risk. Because of this, cybersecurity leaders need to find ways to relate cybersecurity to all departments of a business. Pushing everyone in the organization—not just the C-suite and IT teams—to think about security through awareness programs and other initiatives is necessary for any organization. When everyone actively thinks about cybersecurity and how it affects the overall well-being of the company, preventative measures will be more effective. Whenever presenting a specific threat, take a minute to explain why all employees across the business, including the C-suite, should care about it. For instance, the CMO will likely be interested to know how a hacked third-party tag on the website could steal customers’ personal information, thus violating user privacy regulations and affecting brand reputation. By working with the C-suite to make the business security efforts a top priority across the company, nobody will be caught off guard in the case of a new threat or a security incident.
Attach cybersecurity needs to business requirements
Cybersecurity leaders often have difficulty quantifying risk into impact, or cash cost, and presenting it in a way that aligns with business goals. For example, a member of the security team might need to explain to the C-suite why an organization should purchase a new encryption service. Instead of only speaking to the importance of encryption and broadly mentioning that it could save the organization money down the road, point out some industry statistics to back it up. A recent IBM study suggests that encryption reduces the cost of a data breach by $360,000 on average—a number that should persuade anyone to consider better encryption. A simple cost-benefit analysis is all that’s needed.
Overall, security leaders should communicate threats in an easily digestible way, but also show how the small initial cost to close a security hole can prevent a more significant cost down the road. According to the same IBM study, the average data breach costs an organization $3.92 million—a crippling setback for any organization. If possible, spell out what a cyber threat could cost the organization, including costs around incident response, potential fines, and lost customers.
Get to the point
The C-suite has a lot of responsibilities. If security teams present them with too much information at once, C-suite executives might overlook critical details. It rests on the cybersecurity leader’s shoulders to provide just enough information to show impact, but not too much to lose their audience. Explain essential details, like the immediacy of an attack or how many people it could affect. Diving into the technical specifics of credential stuffing or email phishing attacks, however, might not be the best strategy to get a CEO’s attention. Leave out extremely technical jargon along with the non-essential graphs and charts.
Similarly, a small amount of context is helpful. If briefing the C-suite on account takeovers, point out some recent examples in the news. Too much context, however, like offering the history of account takeover strategies, can be distracting.
Plan ahead, if and when possible
New methods of attack emerge constantly. Recently, for example, Magecart attacks have become increasingly more common but difficult to defend against, as attackers use a variety of approaches to skim information. RisqIQ pointed out that even though credit card skimming attacks have been used since 2000, attackers are continually finding new ways to access information. This degree of unpredictability makes it difficult to guard against upcoming threats.
With this ever-evolving landscape of attack-and-defend, cybersecurity leaders typically can’t provide goals beyond 6 to 10 months. The C-suite generally likes to see long term goals out of departments, so it’s important for security teams to make business leaders aware of the quickly shifting threat landscape. To keep abreast of potential threats, stay updated on cybercrime trends, reports, and news. Noticing new or popular modes of attack will help security leaders prepare for the long-term, rather than having to quickly react to current vulnerabilities.
Be real, but not alarmist
Even with a vast knowledge of what could potentially happen, cybersecurity leaders should avoid earning a “chicken little” reputation. Unlike the storied chicken that runs around exclaiming that the sky is falling, security leaders should aim to be realistic when trying to present severity to the C-suite. While clear communication is crucial to explain security issues, it sometimes comes across as alarmist as well. Tailor messaging toward business goals and impact, but omit disastrous information unless requested. To avoid triggering fear, stick to the facts and avoid speculation or hyperbole.
Building relationships—especially with the C-suite—is a process that naturally takes time and effort. However, based on my experience, these practices should help cybersecurity leaders feel more confident in their ability to keep the C-suite up-to-speed on the latest threats and vulnerabilities. Once both security leaders and business decision-makers agree that cybersecurity should work hand in hand with a business’s overall goals, the relationship will continue to grow. As a result, businesses can expect to protect themselves and their customers in a more efficient, proactive manner.