Tony Robbins once said “Communication is power. Those who have mastered its effective use can change their own experience of the world and the world’s experience of them. All the behaviour and feelings find their original roots in some form of communication.”
My agreement with Tony’s submission is absolute! Cybersecurity professionals must grow to become great communicators to effectively convey the justification for security investments.
Cybersecurity is fast becoming a major component of every organization’s business plan and budget. However, the responsibility to justify cybersecurity investment still lies with the Chief Information Security Officer (CISO) and other cybersecurity professionals. It becomes complicated when you express yourself in technical terms. The C-level executives (who call the shots on budgets) are not interested in technical jargon. You do not need to tell them about the storms you encountered on the sea. What is important is this: “Did you bring the ship?”
Over the last decade, many organizations have adopted the top-down approach to cybersecurity of their assets and infrastructure. Notwithstanding, the importance of good communication in cybersecurity cannot be overemphasized.
Highlighted below are some of the strategies you can adopt when presenting justification for cybersecurity investments.
Cybersecurity communication strategies
1. Translate cyber risk to business risk
It is imperative to succinctly paint the picture of what is at stake should we experience a breach/compromise. Enumerating the Confidentiality, Integrity and Availability (CIA) rating of the risk component is insufficient. The cyber risks must be translated into dollar/pound terms; this is the language that easily resonates with the C-Suite executives.
2. Use of internal metrics
Most organizations have internal metrics that are used for measuring performance and productivity levels. For example, in the manufacturing industry, Loss of Production Opportunity (LPO) is a major lagging indicator of performance and efficiency. This and many more can be used for cybersecurity investment justification.
3. Utilize industry-specific threat data
Leveraging open-source threat intelligence on a specific industry, Operating System (OS), applications and processes adds credence and credibility to your claim and story. Data do not lie; do your research and present the facts for informed decision making.
4. Communicate the reputational impact of breaches
Reputational damage due to compromise of data can have a lasting impact on an organization. Often, you lose the trust of shareholders and future investors. Leadership and decision makers must be made to see how failure to invest in cybersecurity can deter potential investors.
5. Asset insurance
For most assets (especially critical infrastructure and Operational Technology assets), cybersecurity has become a major layer of protection considered by insurance companies in evaluating the premium for asset insurance. It is also a major component of the metrics tracked throughout the lifecycle of the insurance. When making a claim, organizations must be willing and able to provide evidence of consistent cybersecurity programs (governance and compliance) and adherence to a relevant framework.
6. Industry breaches and the cost incurred
Garnishing your story with examples of related industry breaches may provide clarity to decision makers on how close to home the breach can be if nothing is done.
7. Penetration and vulnerability assessment outcomes
Insights from penetration and vulnerability assessment outcomes and a high-level report detailing the gaps and how they can be exploited will be most appropriate to justify the cybersecurity investment. Cybersecurity professionals must do their due diligence to ensure the recommended solution will solve a problem and is not merely cosmetic.
In the words of Milton Erickson, “The effectiveness of communication is not defined by the communication, but by the response.” Cybersecurity professionals at all levels must ensure all relevant facts and data are left on the decision table to empower business leaders for cybersecurity investments.