Security teams often complain that the board doesn’t give them the investment they need, the proper level of attention or acknowledgment for a job well done. After all, an attacker only needs to get lucky once, but defenders need to be successful every time. Part of the problem is how security teams communicate risk to their boards. How can they get the value of security across in a way that resonates with business leaders?
Why Our Fear Tactics Aren’t Working
From talking to security teams in a range of industries, it’s clear that part of the challenge is in how we in the security industry measure success. Security is a complex and broad subject that demands deep technical knowledge across a broad range of subjects. When communicating the value of security to those not in the industry, we tend to retreat into talking about confidentiality, integrity and availability. Surprisingly, we still lead with data breaches and confidentiality attacks far more than anything else, sticking to a tried-and-true formula when, for most people in this share-everything age, the loss of availability is a far more terrifying prospect.
The trouble with this approach is that we are falling afoul of another bad habit of security professionals, which is using fear, uncertainty and doubt (FUD) to scare management into giving us the investment, time and kudos we want. Sadly, this formula doesn’t really work because it’s vulnerable to a basic counterposition: “We didn’t do this security stuff before and we are still here; why would that change?” We can talk until we’re blue in the face about increasing cybercrime levels, state actors, hacktivists and dark web marketplaces where those who lack the skills to create their own can buy entire malware tool kits — but no matter how urgent these risks, the board tends to put them on the back burner.
It’s important to keep in mind that cybersecurity is only one of many issues the board needs to worry about. The IT director of a global car manufacturer once told me, “Any spare money we have goes into improving the design of our cars.” Of course this is the right approach: Don’t invest in cybersecurity and you might suffer from an attack, sell a product inferior to that of your competition and you might go out of business, and so on. On top of this, the board has lots of other boring issues to worry about, such as paying staff and suppliers, taxes, meeting new regulations, marketing, sales — the list goes on.
The Department of Yes: How to Make Security Relevant to the Board
So what is to be done? Is the fate of security to always be swept under the rug, relegated to a dark corner of the office, doing amazing things to keep the company safe despite a severe lack of cybersecurity investment? If we stick to the FUD approach, the answer is yes. But it doesn’t have to be that way.
Over the last 10 years, security teams have endeavored to shed their reputation as a “department of no” and become more engaged with the rest of the organization, helping to drive innovation and support their colleagues in developing the business. Now, it’s time for us security professionals to take the next step and start communicating in terms the business side finds exciting.
It is far more interesting, for example, to talk about improving the time it takes to bring someone into the business, or how to improve customer and staff experiences when using our IT systems. In a recent series of pilots IBM conducted for a client, we were tasked with making security relevant. We looked at threats to confidentiality, integrity and availability — so far, everything was normal. But then we looked at how they related to a series of business outcomes.
These business outcomes were financial, operational, regulatory and organizational. Some of these areas are self-explanatory, but within the organizational outcomes, we not only considered matters such as governance, but also subjects such as employees’ experience with their IT systems. In this cutthroat world, where companies struggle to find qualified employees and moving jobs is the norm, it is vitally important to make your organization an attractive place to work, and having good IT is an essential part of that. If business leaders bake intelligent security processes into the organization, they can make all processes faster and more automated and improve the efficiency of the whole business.
Align Business Goals to Prove the Value of Security
Obviously, translating security outcomes in a business context is anything but straightforward. However, by doing so we are better equipped to communicate in a language the board understands and can relate to. Suddenly, it makes perfect business sense to invest in cybersecurity; it means something in terms of the cost of running the business, being more competitive and delivering a better service to customers.
Even better, money spent on cybersecurity is no longer considered a necessary evil at worst or an insurance policy at best. Instead, the company’s cybersecurity investment has knock-on downstream returns that can be measured. Now, the security team is not only a valued part of the business, but it’s even aligned with the board’s goals and values. If you are adding value to the business, it’s easy to show why an investment in security makes sense.
Associate Partner, IBM Security