One of the toughest parts of cyber security planning is getting everyone to recognize the importance of cyber security. Despite numerous high-profile data breaches, many people still assume that cyber protection isn’t something that they have to worry about. This perception can hamper an organization’s efforts to increase their security.
Without buy-in from management, it’s more difficult to get employees to follow cyber security plans the way they should—reducing the effectiveness of your security measures. How can you get management to recognize cyber security’s importance?
Here’s a quick explanation:
What is a Cyber Security Plan?
To get the leadership in an organization to recognize the importance of cyber security planning, it’s important to have a solid grasp on what a cyber security plan is in the first place. One broad, but basic, definition of a cyber security plan would be that it is a framework for increasing an organization’s overall information security that accounts for the organization’s biggest security risks—and then prescribes tools and processes to mitigate those risks.
Cyber security plans typically involve a lot of moving parts, as there have to be roles and responsibilities for every member of the organization. In most cases, the larger an organization is, the more complex its cyber security plan template will need to be to account for the:
- Assets that need protecting;
- Different employee roles in the company; and
- Various types of attackers that need to be dealt with.
What’s the Importance of Cyber Security?
Cyber security awareness is important to every organization, regardless of size. This is because anyone can be a target for cybercriminals (even if the majority of attempts are easy to counter with only the most basic of security precautions).
Furthermore, an information technology security breach can be highly disruptive to business operations, as IT team members have to investigate and remediate the breach and management has to reach out to any affected customers to warn them about potential impacts.
For example, as noted in IBM’s Cost of a Data Breach study, the average direct costs of data breaches in 2019 were about $3.92 million. Yet, it was also noted that “companies with an incident response team that also extensively tested their incident response plan experienced $1.23 million less in data breach costs on average.”
In other words, being prepared for cyberattacks before they happen can help to minimize their impacts. So, having a solid cyber security plan in place can be crucial.
What to Include in Your Cyber Security Plan
While the previously-mentioned statistic about the cost of a security breach (and how much having a plan in place can save you) is an important piece of evidence for convincing management about the importance of cyber security, that isn’t the end of the discussion. It’s also important to show management what should go into a cyber security plan, so they know what they’re buying into.
Some important cyber security plan components that managers might care about include:
- Risk Management. What are your organization’s biggest security risks? Risk management in security planning helps identify your most important vulnerabilities so you can create the biggest improvement to security for the smallest possible cost.
- Compliance Management. What regulations apply to your company’s information technology security? Keeping up to date with these regulations is a major concern for leaders in any organization.
- Accountability by Role. Who is responsible for executing each part of the security plan? Management will want to know where the accountability for maintaining and following the plan lies before engaging in it.
- Security Costs. What expenses will the plan incur? Without a clear understanding of your cyber security plan’s costs, it’s hard to establish the potential ROI for it. Having a detailed explanation of your security plan costs can help increase buy-in from management.
Tips for Presenting Cyber Security Plans to Upper Management
So, it’s time to pitch your cyber security plan to the top leaders in your company—how are you going to present it? Sometimes, the way you communicate your security plans to upper management can be just as important as (if not more important than) the plan’s actual impacts and benefits.
With this in mind, here are a few tips for presenting your cyber security plans to your company’s leadership:
- Keep Your Communications Positive. Pushing a cyber security plan based on fear and doubt alone isn’t necessarily going to convince your leadership of its necessity. After all, the business has been doing alright so far, and leaders are used to hearing worst-case scenarios from running risk analyses on other business processes. While presenting realistic information about threats is necessary, you should also focus on the potential positive impacts of a cyber security plan. For example, you could highlight the cyber security plan as a way to fix existing problems, how it can help build trust with investors and customers, or how it can prevent future issues before they start.
- Don’t Rely on Cyber Security Speak Too Much. Using a bunch of unfamiliar terms and acronyms is a great way to get glassy-eyed stares during a planning session or presentation. Instead of talking about SIEM, AV programs, and the “dark web,” it might help to couch things in terms that are more familiar to your business. For example, as noted in a Government Technology post, “Communication that talks about business priorities and reducing risk is usually well-received when compared to technical jargon.”
- Have Some Analytics at the Ready. Having some easy-to-understand security metrics at the ready can go a long way toward helping establish a business case for cyber security planning with upper management. Analytical data helps to set expectations and track the actual success of any security strategies that you employ—helping prove the ROI for cyber security planning.
- Build a Rapport with Leaders. Whenever possible, try to create a long-term relationship with upper management before trying to pitch a cyber security strategy to them. Leaders are more likely to listen to suggestions from trusted friends than they are from some random employee—regardless of their reputation for expertise. As the old saying goes: “it’s not what you know, it’s who you know.” Building a rapport with leaders helps to create more trust for your cyber security plan.
Cyber Security Resources for Upper Management
Another way to generate some buy-in for a cyber security plan is to provide upper management with some resources they can use to help them understand the basic concepts of cyber security. Some good resources to share include:
- The CSO Blog. This blog is geared towards chief information security officers, but can provide a lot of useful insights for the rest of the management team as well. It is a great resource for learning about cyber security issues.
- The IBM Cost of a Data Breach Study. This report outlines many of the major threats that face modern businesses and some key statistics about data breaches. This can help to demonstrate the need for a cyber security plan and establish a potential ROI for preventing security breaches.
- The Symantec Internet Security Threat Report. This threat report highlights many of the most important security threats to emerge in the last year and major cybercrime trends to watch out for—providing valuable context for security planning.
- The Knogin Security Blog. We may be a bit biased, but our own cyber security blog provides educational articles and security threat updates that can help business leaders learn about critical security issues.
These are just a few of the potential resources you could share.
Need help gathering intelligence for your own cyber security program? Try out Knogin’s CyberEasy for business tool to gain critical insights into your organization’s security landscape!