Making the case for information security in your organization

What hurdles need to be jumped to make sure cybersecurity concerns are taken seriously by the board and the C-suite?

This is a contributed article by Dan Pitman, senior solutions architect at Alert Logic

Communicating the challenges of cybersecurity in a business context is difficult and often falls on deaf ears. Hard as it may be for those of us inside the cybersecurity industry to comprehend, making the economic case for why cybersecurity is such an important aspect of the business can be incredibly difficult; eyes glaze over and you are directed to the IT team to discuss it further. In today's world this is not good enough.

With the personal information lost through data breaches a constant stream, readily available on the dark web, cybersecurity is becoming increasingly important to organizations' customers and stakeholders. An actual breach, and having to report it to the ICO, will make the board sit up and listen, but by then it is too late. So how can we make the case for cybersecurity before an incident occurs?

IT security posture: understand your context, and your requirements

There is no one-size-fits-all security solution to protect every organization. Before asking serious questions of your IT security posture, figure out what gaps you need to fill in the first place, and before you delve into detailed system and application auditing, penetration tests and more, establish what kind of IT security model you want your business to follow. Every company in every industry is unique, so the cybersecurity solution it needs will be made up of multiple parts that work together to deliver an outcome. Your first step in cybersecurity policy should be to identify where business priorities will shape security decisions. Many factors define this, including how far the business depends on web applications (the most likely source of a security incident) and where data confidentiality is the priority versus availability of applications, amongst others.

Cybersecurity capabilities - be aware of your own

Just as important as knowing your requirements is knowing your own ability to execute against them. It can hardly be ignored that the IT security industry is in the midst of a skills crisis; according to industry estimates, by 2021 some 3.5 million cybersecurity jobs will be unfilled. Unless you are a company large or well-funded enough to compete for the skilled experts needed to manage cybersecurity solutions, you may need to consider working with an MSSP (managed security service provider). An MSSP can use its own SOC (Security Operations Centre) to give you 24x7 access to security researchers and analysts, and to develop responses to escalating security incidents in ways that an internal security team would struggle to match.

These providers can also help measure your systems against best practices (for example, the CIS AWS Foundations Benchmark) and third-party standards. A benchmark result demonstrates a need that is not based on opinion inside the organization, and the same measurement, repeated after remediation, can then be used to show improvement.
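To make the measurement point concrete, here is an added example (not the article's or Alert Logic's code): a Python script that scores a constructed AWS account snapshot against a handful of controls modelled on the CIS AWS Foundations Benchmark, then compares a "before" and an "after" snapshot so the same number can be shown first as evidence of need and later as evidence of improvement. The snapshot layout, the control wording and the thresholds are assumptions for illustration; the benchmark's control numbers are omitted, and collecting the snapshot from a live account is out of scope.

```python
"""Benchmark-style scoring of a constructed AWS account snapshot.

Added example for this article; not the article's or Alert Logic's code.
The controls are modelled on a handful of controls in the CIS AWS
Foundations Benchmark, but the snapshot layout, control wording and
thresholds are assumptions for illustration (control numbers omitted;
check the benchmark version you adopt). All data below is constructed.
"""
import copy
from datetime import datetime, timedelta, timezone

# Fixed clock so the age calculations are reproducible offline.
NOW = datetime(2019, 6, 1, tzinfo=timezone.utc)

# Constructed "before" snapshot, shaped like what a collection script might return.
BEFORE = {
    "root_mfa_enabled": True,
    "root_access_keys": 1,
    "password_policy": {"min_length": 14, "reuse_prevention": 0},
    "users": [
        {"name": "alice", "console": True, "mfa": True, "access_keys": [
            {"created": NOW - timedelta(days=400), "last_used": NOW - timedelta(days=2)}]},
        {"name": "bob", "console": True, "mfa": False, "access_keys": [
            {"created": NOW - timedelta(days=30), "last_used": NOW - timedelta(days=100)}]},
    ],
    "cloudtrail_multi_region": False,
    "security_groups": [
        {"id": "sg-web", "ingress": [{"cidr": "0.0.0.0/0", "from_port": 443, "to_port": 443}]},
        {"id": "sg-admin", "ingress": [{"cidr": "0.0.0.0/0", "from_port": 22, "to_port": 22}]},
    ],
}

# Constructed "after" snapshot: the same account once most findings are fixed.
AFTER = copy.deepcopy(BEFORE)
AFTER["root_access_keys"] = 0
AFTER["password_policy"]["reuse_prevention"] = 24
AFTER["users"][0]["access_keys"][0]["created"] = NOW - timedelta(days=10)  # alice rotated her key
AFTER["users"][1]["mfa"] = True                                            # bob enrolled MFA
AFTER["cloudtrail_multi_region"] = True
AFTER["security_groups"][1]["ingress"][0]["cidr"] = "10.0.0.0/8"           # SSH limited to internal range
# Deliberately left unfixed: bob's access key has not been used for 100 days.


def _older_than(when, days):
    return NOW - when > timedelta(days=days)


def evaluate(snapshot):
    """Run each control and return (control, passed, detail) tuples."""
    pol = snapshot["password_policy"]
    users = snapshot["users"]
    no_mfa = [u["name"] for u in users if u["console"] and not u["mfa"]]
    stale = [u["name"] for u in users for k in u["access_keys"] if _older_than(k["created"], 90)]
    unused = [u["name"] for u in users for k in u["access_keys"] if _older_than(k["last_used"], 45)]
    open_admin = [
        sg["id"] for sg in snapshot["security_groups"] for r in sg["ingress"]
        if r["cidr"] == "0.0.0.0/0" and any(r["from_port"] <= p <= r["to_port"] for p in (22, 3389))
    ]
    root_keys = snapshot["root_access_keys"]
    return [
        ("root account MFA enabled", snapshot["root_mfa_enabled"], ""),
        ("no root access keys", root_keys == 0, f"{root_keys} key(s)"),
        ("password minimum length >= 14", pol["min_length"] >= 14, f"min_length={pol['min_length']}"),
        ("password reuse prevention >= 24", pol["reuse_prevention"] >= 24, f"reuse={pol['reuse_prevention']}"),
        ("MFA on every console user", not no_mfa, ", ".join(no_mfa)),
        ("access keys rotated within 90 days", not stale, ", ".join(stale)),
        ("no credentials unused for 45 days", not unused, ", ".join(unused)),
        ("CloudTrail enabled in all regions", snapshot["cloudtrail_multi_region"], ""),
        ("no 0.0.0.0/0 ingress to SSH/RDP", not open_admin, ", ".join(open_admin)),
    ]


def failing(snapshot):
    """Names of the controls the snapshot fails."""
    return [name for name, ok, _ in evaluate(snapshot) if not ok]


def score(snapshot):
    """Percentage of controls passed, rounded to one decimal place."""
    results = evaluate(snapshot)
    passed = sum(1 for _, ok, _ in results if ok)
    return round(100.0 * passed / len(results), 1)


def report(before, after):
    """Side-by-side table: the evidence that shows need first, then improvement."""
    print(f"{'control':38} {'before':8} {'after':8} detail")
    for (name, ok_b, _), (_, ok_a, d_a) in zip(evaluate(before), evaluate(after)):
        b = "PASS" if ok_b else "FAIL"
        a = "PASS" if ok_a else "FAIL"
        print(f"{name:38} {b:8} {a:8} {'' if ok_a else d_a}")
    print(f"score: {score(before)}% -> {score(after)}%")


if __name__ == "__main__":
    report(BEFORE, AFTER)
```

The value of the approach is that the score is produced by the same checks each time, so a rise from 22.2% to 88.9% is a claim the board can verify rather than an analyst's opinion, and the remaining failure (a key unused for 100 days) is a named item on the next action list.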

Make the potential impacts clear

Unfortunately, it is all too common that IT security is not at the forefront of decision making in the wider business. Educating business leaders is crucial if you hope to make the case for a secure network; talking in technical jargon about cyber threats and vulnerabilities will not cut through the noise, it only adds to it.

What will resonate is discussing the real-world business impacts that could follow a data breach. If a web application is breached, for example, customer or confidential data could be stolen, which is likely to cost the business significantly in both capital and reputation. Since May 2018 this can also be accompanied by GDPR fines large enough to make senior directors sit up and take notice. If you can describe the fallout of a breach in terms that business decision makers understand - a public relations scandal, a significant fine, and a loss of client, market or consumer confidence - the battle is half won.

Calculating the cost to the business of the system outages that commonly follow a breach can help drive the security message home. The cost includes tangible losses, such as revenue lost while systems are down and fines incurred, as well as longer-term damage to the brand.

It is also important to remind your organization that the work required to recover from a cybersecurity incident is significantly greater than the effort to avoid it in the first place. Don't forget that if the parts of the UK's National Health Service hit by WannaCry had kept their Windows 7 systems patched and had secured their firewalls, they could have avoided the disaster, which saw non-emergency operations cancelled and patients turned away.

Bringing other business functions into the realm of cybersecurity can be a daunting prospect. In a corporate world more used to thinking about bottom lines, marketing strategy and profits than about vulnerabilities, data breaches and patching, it is crucial that people in every part of the business understand that failing to meet the cybersecurity threat head-on can mean losing more than just data. Pointing to real-world examples where businesses have lost time, money and reputation can help bring that reality home.