Welcome to the fourth and final part of “3 Compelling Reasons to Invest in Cyber Security”. In Part 1, I discussed assessing and prioritising your organisation’s risks and how to begin a risk assessment. Part 2 covered the importance of assessing your organisation’s supply chain and including the findings in the overall risk assessment. Part 3 focused on the importance of complying with GDPR.
Perspective of the Board
In Part 4, the conclusion, I discuss what the board is looking for from your presentation when you ask it to justify an investment.
Cyber security is now one of the essential subjects for boards, alongside business strategy and leadership. The board wants assurance that management fully understands customer and technology trends, and it relies on its technology leaders for the intelligence it needs to evaluate management’s decisions and support the implementation of new strategies.
Technology is both an enabler and a growth driver of business strategy, so technology leaders are expected to present to the board regularly. Keeping the board informed of the state of technology is challenging, given the quickening pace of technical change, the expanding threat landscape, and ever-evolving security risks.
When justifying a security investment, the board needs to understand the value that your proposed security investment can bring to the business.
Start from your organisation’s objectives, and those of your industry: identifying the risks that threaten those objectives is what lets you pinpoint the benefit your investment will bring.
Communicating the business impact is key. Technical acronyms must be avoided or, where unavoidable, clearly explained. Refer to business processes and incident scenarios the board can readily understand, rather than to controls and technologies.
The board is initially looking for a snapshot of the current security status. This includes the risk roadmap and how you propose to address current risks, and it should show that the organisation is making effective use of existing technology and staff. The board will also want evidence of the effectiveness of current security controls and of the organisation’s current ability to respond to a security incident. This means explaining the money saved through remediation, supported by metrics such as:
- Mean time to detect (MTTD): how long an intrusion goes unnoticed, which drives the cost of a breach
- Mean time between failures (MTBF): a reliability measure borrowed from availability engineering, useful for showing resilience but not a measure of detection or response
- Mean time to repair (MTTR): how long it takes to contain and recover from an incident once it has been detected
This should be followed by a plan that highlights the organisation’s security gaps and the budget required to reduce security risks to an acceptable level. This plan must include required resources, anticipated deadlines, and an explanation of how much of the budget will be required for each area.
While you explain this information, the board will expect an estimate of the Return on Security Investment (ROSI). This means quantifying how much of the expected annual loss from the risks in scope the proposed solution removes, and setting that saving against what the solution costs; the board will also want to know how sensitive the figure is to your estimates of incident frequency and cost.
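A worked ROSI calculation, added here as an illustration and not part of the original article. It uses the common formulation ROSI = (ALE × mitigation ratio − cost) / cost, where ALE (annualised loss expectancy) is the single loss expectancy multiplied by the annualised rate of occurrence. The risks, controls, costs and ratios below are constructed sample figures, as are the names used for them; the break-even ratio and the sensitivity check are the additions a board is most likely to ask for.

```python
"""Return on Security Investment (ROSI) worked example.

Added illustration, not code from the original article. Every figure
below is constructed for the example; the risk and control names are
assumptions, not real organisational data.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    """A business-critical risk expressed in money and frequency."""
    name: str
    sle: float   # single loss expectancy: cost of one occurrence (currency units, assumed)
    aro: float   # annualised rate of occurrence: expected incidents per year

    def __post_init__(self):
        if self.sle < 0 or self.aro < 0:
            raise ValueError("SLE and ARO must be non-negative")

    def ale(self) -> float:
        """Annualised loss expectancy = SLE x ARO: yearly cost of the untreated risk."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    """A proposed security investment and the share of a risk's ALE it removes."""
    name: str
    risk: Risk
    annual_cost: float        # licences, staff and operations per year (assumed)
    mitigation_ratio: float   # fraction of the ALE the control is expected to remove, 0..1

    def __post_init__(self):
        if self.annual_cost <= 0:
            raise ValueError("annual cost must be positive")
        if not 0.0 <= self.mitigation_ratio <= 1.0:
            raise ValueError("mitigation ratio must lie between 0 and 1")

    def risk_reduction(self) -> float:
        """Money the control saves per year by lowering exposure to the risk."""
        return self.risk.ale() * self.mitigation_ratio

    def rosi(self) -> float:
        """ROSI = (ALE x mitigation ratio - annual cost) / annual cost."""
        return (self.risk_reduction() - self.annual_cost) / self.annual_cost

    def break_even_ratio(self) -> float:
        """Smallest mitigation ratio at which the control pays for itself (ROSI = 0).

        Returns inf when the risk costs nothing, since no control can then pay off.
        """
        ale = self.risk.ale()
        return self.annual_cost / ale if ale > 0 else float("inf")

    def rosi_sensitivity(self, aro_factors=(0.5, 1.0, 2.0)) -> dict:
        """ROSI recomputed with the ARO estimate scaled down and up.

        ARO is usually the least certain input, so showing the range is more
        honest than presenting a single figure.
        """
        out = {}
        for factor in aro_factors:
            scaled = replace(self, risk=replace(self.risk, aro=self.risk.aro * factor))
            out[factor] = scaled.rosi()
        return out


def rank_controls(controls):
    """Controls ordered by ROSI, best first, as a board would want them presented."""
    return sorted(controls, key=lambda c: c.rosi(), reverse=True)


# Constructed sample figures for the illustration (not real data).
ACCOUNT_TAKEOVER = Risk("phishing-led account takeover", sle=150_000, aro=2.0)
RANSOMWARE = Risk("ransomware on file servers", sle=500_000, aro=0.25)

CANDIDATES = [
    Control("MFA rollout", ACCOUNT_TAKEOVER, annual_cost=40_000, mitigation_ratio=0.85),
    Control("email security gateway", ACCOUNT_TAKEOVER, annual_cost=60_000, mitigation_ratio=0.60),
    Control("immutable backups", RANSOMWARE, annual_cost=30_000, mitigation_ratio=0.70),
    Control("bespoke DR consultancy", RANSOMWARE, annual_cost=100_000, mitigation_ratio=0.50),
]

if __name__ == "__main__":
    for c in rank_controls(CANDIDATES):
        print(f"{c.name:24s} ALE {c.risk.ale():>10,.0f}  saves {c.risk_reduction():>10,.0f}  "
              f"ROSI {c.rosi():6.2f}  break-even ratio {c.break_even_ratio():.2f}")
    print("MFA ROSI with ARO halved / as estimated / doubled:",
          CANDIDATES[0].rosi_sensitivity())
```

A negative ROSI, as with the consultancy option above, tells the board the control costs more than the exposure it removes unless the mitigation ratio reaches the break-even value; the sensitivity range makes clear how much the headline figure moves if the frequency estimate is wrong.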
Given the importance of GDPR, your presentation can also be used to show the board how compliance can increase the value of the business. Reviewing existing data, removing data that is no longer needed, and obtaining further consents where required leaves your organisation with a data set it can lawfully use to pursue new business. The board will need to agree to provide the resources that make this possible; explaining that GDPR compliance can also improve the organisation’s public image should help to persuade them.
The expanding threat landscape, the growing risk to your organisation and its supply chain, and the pressure to comply with legislation and regulation together make a strong business case for the board to invest in security. Organisations must be ready for breaches and data loss events, and must have an effective, tested plan for dealing with them, including the appropriate resources and suppliers for incident response, legal counsel, breach notification and so on. By considering and following the three steps outlined in this article, you can greatly improve your chances of persuading the board to finance adequate security measures.