Security teams often complain that the board doesn’t give them the investment they need, the proper level of attention or acknowledgment for a job well done. After all, an attacker only needs to get lucky once, but defenders need to be successful every time. Part of the problem is how security teams communicate risk to their boards. How can they get the value of security across in a way that resonates with business leaders?

Why Our Fear Tactics Aren’t Working

From talking to security teams in a range of industries, it’s clear that part of the challenge is in how we in the security industry measure success. Security is a complex and broad subject that demands deep technical knowledge across a wide range of disciplines. When communicating the value of security to those not in the industry, we tend to retreat into talking about confidentiality, integrity and availability. Surprisingly, we still lead with data breaches and confidentiality attacks far more than anything else, sticking to a tried-and-true formula when, for most people in this share-everything age, the loss of availability is a far more terrifying prospect.

The trouble with this approach is that we are falling afoul of another bad habit of security professionals, which is using fear, uncertainty and doubt (FUD) to scare management into giving us the investment, time and kudos we want. Sadly, this formula doesn’t really work because it’s vulnerable to a basic counterposition: “We didn’t do this security stuff before and we are still here; why would that change?” We can talk until we’re blue in the face about increasing cybercrime levels, state actors, hacktivists and dark web marketplaces where those who lack the skills to create their own can buy entire malware tool kits — but no matter how urgent these risks, the board tends to put them on the back burner.

It’s important to keep in mind that cybersecurity is only one of many issues the board needs to worry about. The IT director of a global car manufacturer once told me, “Any spare money we have goes into improving the design of our cars.” Of course this is the right approach: Don’t invest in cybersecurity and you might suffer from an attack, sell a product inferior to that of your competition and you might go out of business, and so on. On top of this, the board has lots of other boring issues to worry about, such as paying staff and suppliers, taxes, meeting new regulations, marketing, sales — the list goes on.

The Department of Yes: How to Make Security Relevant to the Board

So what is to be done? Is the fate of security to always be swept under the rug, relegated to a dark corner of the office, doing amazing things to keep the company safe despite a severe lack of cybersecurity investment? If we stick to the FUD approach, the answer is yes. But it doesn’t have to be that way.

Over the last 10 years, security teams have endeavored to shed their reputation as a “department of no” and become more engaged with the rest of the organization, helping to drive innovation and support their colleagues in developing the business. Now, it’s time for us security professionals to take the next step and start communicating in terms the business side finds exciting.

It is far more interesting, for example, to talk about improving the time it takes to bring someone into the business, or how to improve customer and staff experiences when using our IT systems. In a recent series of pilots IBM conducted for a client, we were tasked with making security relevant. We looked at threats to confidentiality, integrity and availability — so far, everything was normal. But then we looked at how they related to a series of business outcomes.

These business outcomes were financial, operational, regulatory and organizational. Some of these areas are self-explanatory, but within the organizational outcomes, we not only considered matters such as governance, but also subjects such as employees’ experience with their IT systems. In this cutthroat world, where companies struggle to find qualified employees and moving jobs is the norm, it is vitally important to make your organization an attractive place to work, and having good IT is an essential part of that. If business leaders bake intelligent security processes into the organization, they can make all processes faster and more automated and improve the efficiency of the whole business.

Align Business Goals to Prove the Value of Security

Obviously, translating security outcomes in a business context is anything but straightforward. However, by doing so we are better equipped to communicate in a language the board understands and can relate to. Suddenly, it makes perfect business sense to invest in cybersecurity; it means something in terms of the cost of running the business, being more competitive and delivering a better service to customers.

Even better, money spent on cybersecurity is no longer considered a necessary evil at worst or an insurance policy at best. Instead, the company’s cybersecurity investment has knock-on downstream returns that can be measured. Now, the security team is not only a valued part of the business, but it’s even aligned with the board’s goals and values. If you are adding value to the business, it’s easy to show why an investment in security makes sense.
