Struggling to get buy-in for Information and Cyber Security? Here’s our advice.
One of the biggest challenges in Information and Cyber Security is undoubtedly budget. It’s one of the biggest objections that companies such as CyberLens need to handle in the sales process. It’s also one of the biggest issues for technology leaders in businesses. Two sides of the same coin you might say.
When speaking with customers about this issue we always recommend three things:
Understand who’s accountable
To help here, let’s introduce Jo.
Jo is the Head of IT in a company that employs 200 people in the FMCG sector. Jo is trying to ensure that the company doesn't suffer a cyber-security breach, or at least that, if it does, the breach doesn't go undetected.
Jo's team has deployed a leading anti-malware product and has introduced a cost-effective annual user-education and awareness campaign, but these are the only security improvements Jo has been able to make over the last three years because of limited resources. Jo knows there is so much more to do.
Traditional perimeter security for the organisation is good, but there's no visibility of the threats that are actually reaching it or getting past it. The company issues an Office 365 E3 licence to every user, but there's nobody to monitor or manage the security alerts that this platform produces.
Jo knows that, if the web-filtering solution could be upgraded so that it also protects users working outside the office, this would help minimise the risk of a drive-by infection or a phishing-related incident. An upgrade to an E5 licence would also give Jo's team much greater security capability, such as CASB functionality and the necessary improvements to web filtering, but the jump in cost is significant. Without the people to manage the platform's security features even now, more alerts from a richer licence would simply go unactioned, so this is a tough sell.
Jo's head is full of worry about all the things that need to be done, and Jo is concerned about the professional and personal ramifications that any uncontained breach may have.
Obviously, this scenario is fictitious... right? Well, while the level of risk being carried here may or may not be exaggerated, the root issue is very real.
Information and Cyber Security risk does not belong to an individual; it belongs to the organisation itself. It follows, therefore, that the leaders of that organisation are the ones who are accountable should something unfavourable happen. Whilst there are many Jos out there who understand this, there are also many Jos who don't. Our advice is to reach an explicit understanding with line managers and the leaders of the organisation on this point, because without it you are unlikely to secure the right level of resources for information and cyber security.
Communicate risks, not technical opinion
While Jo may be "on the money" in advising the company to invest in better web filtering or upgraded Office 365 licences, Jo needs to help the business weigh the cost of these improvements against the risk that it will, by way of its decision, accept and face should it not take Jo's advice.
Although Jo will be integral in getting this risk assessment right, once the facts around the risks are laid bare, the only people who can decide whether to invest are those who hold the purse strings.
This is why it's so important that, when trying to secure investment for Information and Cyber Security, we measure and talk about risk (the likelihood of an incident and its impact on the business) and don't simply request budget for what we see as necessary technical improvements. In Jo's case, that means presenting the E5 upgrade as a reduction in the chance of an undetected phishing compromise, not as a licence request.
Divest responsibility
This third point can be more difficult to overcome. In Jo's situation, we have an obvious conflict of interest. Jo manages a significant budget and could choose to invest more money in security, but this will always be at the expense of something else. A team member, a technology that helps with the day-to-day, backups: something else will always take a back seat to additional security spend or focus.
Once accountability for security sits with the organisation's leaders, the next step is for Jo to advise those same leaders to take away some of the responsibility for Information and Cyber Security that Jo currently holds, as well.
The creation of a dedicated security function, internal or external, full time or part time, gives an objective view of what the organisation needs to do to properly manage its Information and Cyber Security risk. It also gives focus to the task and removes the conflict of interest.
Consider the order of this advice
Depending on your circumstances, it might be better to try to divest some responsibility for security prior to trying to secure more budget.
If you're a hands-on, technical Head of IT, for example, evaluating and communicating risk to business leaders, potentially board members, may not be your forte. For a trained security officer, on the other hand, this is part of the day job, and you might find this a better route to success than trying to hold the conversations around accountability and risk yourself.
If you’ve any questions about this article, please get in touch at https://cyberlens.com/contact