March 28, 2019 By Gavin Kenny 3 min read

Security teams often complain that the board doesn’t give them the investment they need, the proper level of attention or acknowledgment for a job well done. After all, an attacker only needs to get lucky once, but defenders need to be successful every time. Part of the problem is how security teams communicate risk to their boards. How can they get the value of security across in a way that resonates with business leaders?

Why Our Fear Tactics Aren’t Working

From talking to security teams in a range of industries, it’s clear that part of the challenge is in how we in the security industry measure success. Security is a complex field that demands deep technical knowledge across a broad range of subjects. When communicating the value of security to those not in the industry, we tend to retreat into talking about confidentiality, integrity and availability. Surprisingly, we still lead with data breaches and confidentiality attacks far more than anything else, sticking to a tried-and-true formula when, for most people in this share-everything age, the loss of availability is a far more terrifying prospect.

The trouble with this approach is that we are falling afoul of another bad habit of security professionals, which is using fear, uncertainty and doubt (FUD) to scare management into giving us the investment, time and kudos we want. Sadly, this formula doesn’t really work because it’s vulnerable to a basic counterposition: “We didn’t do this security stuff before and we are still here; why would that change?” We can talk until we’re blue in the face about increasing cybercrime levels, state actors, hacktivists and dark web marketplaces where those who lack the skills to create their own can buy entire malware tool kits — but no matter how urgent these risks, the board tends to put them on the back burner.

It’s important to keep in mind that cybersecurity is only one of many issues the board needs to worry about. The IT director of a global car manufacturer once told me, “Any spare money we have goes into improving the design of our cars.” Of course this is the right approach: Don’t invest in cybersecurity and you might suffer from an attack, sell a product inferior to that of your competition and you might go out of business, and so on. On top of this, the board has lots of other boring issues to worry about, such as paying staff and suppliers, taxes, meeting new regulations, marketing, sales — the list goes on.

The Department of Yes: How to Make Security Relevant to the Board

So what is to be done? Is the fate of security to always be swept under the rug, relegated to a dark corner of the office, doing amazing things to keep the company safe despite a severe lack of cybersecurity investment? If we stick to the FUD approach, the answer is yes. But it doesn’t have to be that way.

Over the last 10 years, security teams have endeavored to shed their reputation as a “department of no” and become more engaged with the rest of the organization, helping to drive innovation and support their colleagues in developing the business. Now, it’s time for us security professionals to take the next step and start communicating in terms the business side finds exciting.

It is far more interesting, for example, to talk about improving the time it takes to bring someone into the business, or how to improve customer and staff experiences when using our IT systems. In a recent series of pilots IBM conducted for a client, we were tasked with making security relevant. We looked at threats to confidentiality, integrity and availability — so far, everything was normal. But then we looked at how they related to a series of business outcomes.

These business outcomes were financial, operational, regulatory and organizational. Some of these areas are self-explanatory, but within the organizational outcomes, we not only considered matters such as governance, but also subjects such as employees’ experience with their IT systems. In this cutthroat world, where companies struggle to find qualified employees and moving jobs is the norm, it is vitally important to make your organization an attractive place to work, and having good IT is an essential part of that. If business leaders bake intelligent security processes into the organization, they can make all processes faster and more automated and improve the efficiency of the whole business.

Align Business Goals to Prove the Value of Security

Obviously, translating security outcomes in a business context is anything but straightforward. However, by doing so we are better equipped to communicate in a language the board understands and can relate to. Suddenly, it makes perfect business sense to invest in cybersecurity; it means something in terms of the cost of running the business, being more competitive and delivering a better service to customers.

Even better, money spent on cybersecurity is no longer considered a necessary evil at worst or an insurance policy at best. Instead, the company’s cybersecurity investment has knock-on downstream returns that can be measured. Now, the security team is not only a valued part of the business, but it’s even aligned with the board’s goals and values. If you are adding value to the business, it’s easy to show why an investment in security makes sense.
