Trying to Get Boardroom Buy-In on Cybersecurity? Try a Material Risk Approach

While it’s hard for executives to deny the danger that cybercrime poses both to their bottom line and their relationship with customers, many IT professionals continue to struggle with securing the board-level buy-in necessary to execute a sophisticated cybersecurity strategy.

According to the 2017 edition of the National Association of Corporate Directors’ (NACD) Director’s Handbook on Cyber-Risk Oversight, nearly 90% of the collective value of Fortune 500 companies now stems from intellectual property and other intangible assets. And as enterprise assets increasingly move to the digital realm, so does the work of protecting them.

This mass digitization has caused a significant shift in corporate behavior. NACD numbers indicate that fewer than 40% of corporate boards were regularly receiving in-depth reports on data privacy and cybersecurity in 2012; as of last year, that number jumped to 90%.

This shift is encouraging, yet many cybersecurity experts worry that their executives still don’t fully understand the threats their companies face, and thus struggle to get all the support they need.

Buy-in Takes More Than Money

This self-reported prevalence of board-level engagement with cybersecurity is at least partially borne out in Gartner’s analyses of global spending on information security products and services. Such spending reached $86.4 billion in 2017 — a healthy 7% increase over 2016 — and is expected to surpass $93 billion by the end of this year.

This robust financial commitment notwithstanding, Gartner Principal Research Analyst Sid Deshpande cautions that board members have a responsibility to do more than just throw money at their cybersecurity problems. “Improving security is not just about spending on new technologies,” Deshpande says. “Organizations can improve their security posture significantly just by addressing basic security and risk-related hygiene elements like threat-centric vulnerability management, centralized log management, and internal network segmentation, backups, and system hardening.”

Unfortunately, this is where many enterprise IT professionals lose the boardroom. The NACD Handbook reports that a mere 14% of security experts believe that their company’s board members have “a high level of knowledge” regarding cybersecurity threats. Similarly, a 2016 study by Nasdaq and Tanium found that over 90% of enterprise executives are unable to understand even a basic cybersecurity report.

This is a very real problem, as in today’s day and age, an effective corporate cybersecurity strategy requires the participation of stakeholders from the very bottom of an organization to the very top. In order to secure this kind of comprehensive buy-in (which must involve nuanced engagement with a variety of cybersecurity issues, not just a willingness to hand over budgetary resources), IT professionals must find ways of communicating the details of their company’s cybersecurity needs within a framework that the average board member understands.

Highlighting Material Risks of Cybersecurity Threats

Like nearly every other business decision, cybersecurity boils down to an exercise in risk management. Unlike black-and-white corporate postures like compliance — a company either is or is not compliant with a given set of regulations, period — cybersecurity exists along a continuum. More often than not, progress in cybersecurity comes at the expense of ease of operations, for instance, or of efforts to meet certain financial goals.

In order to help board members and C-suite executives assess these tradeoffs in an informed manner, cybersecurity specialists need to frame their concerns in terms of the real, material threats they pose to the company’s business. Most corporate boards maintain a risk-mitigation heatmap that schematizes the likelihood of an adverse event — e.g. a high-level resignation or an act of God that compromises critical IT infrastructure — and the potential material damage such an event might cause.

IT professionals must learn to situate cybersecurity risks within this kind of heatmap, which first and foremost means coming up with concrete risk assessments.

Statements like, “Our current cybersecurity protocols are insufficient,” simply won’t get the job done. How is the company at risk of being compromised? What are the odds of a breach of this kind actually happening? If such a breach does happen, what are the expected ramifications? A PR fiasco, loss of proprietary data, compliance penalties, or all of the above? These are the kinds of questions that board members need answered to determine just how much cybersecurity risk they are willing to take on.

Embracing Managed IT Services

While focusing on material risks is often the best way to secure board-level cybersecurity buy-in, many enterprise IT teams are simply too overburdened to do so. That’s why, according to Gartner, “to deal with the complexity of designing, building, and operating a mature security program…many large organizations are looking to security consulting and IT outsourcing providers that offer customizable delivery components that are [bundled] with managed security service contracts.”

At Turn-key Technologies, we’ve been delivering award-winning managed services for over two decades. We recognize that each managed services relationship must be tailored to the client’s unique needs, and we have all the tools, resources, and expertise necessary to get the job done no matter the circumstances.