Get Free Information Around Information Security &
The Latest News in Cybersecurity Right to Your Inbox

Talking to the C-Suite about Cybersecurity

By SentinelOne -

Talking to the C-Suite about Cybersecurity

Talking to the C-Suite about Cybersecurity

The Equifax data breach in September, which exposed 143 million people’s private information to malicious actors, is only the latest event in a worrying trend. News of devastating cyber attacks have dominated the headlines in 2017 and it is widely expected that 2018 will be more of the same.

However, despite such obvious risks and threats many IT professionals still struggle to get their message across during conversations with nontechnical company leaders in the C-suite. The advice below will help anyone looking to bridge this gap in knowledge and improve their organization’s understanding of the importance of cybersecurity.

 Why Are IT Security Conversations So Challenging?

IT security conversations can be difficult for all parties involved. The problems below are just a few reasons why communication in these conversations leave a lot to be desired.

  • Organizational inertia: Far too many executives are comfortable with their current cybersecurity posture, often adopting the attitude that “it can’t happen here” or that “we’re too small to be a target.”
  • Lack of technical knowledge: Unless an organization has a chief information security officer (CISO), it’s very unlikely that anyone in the C-suite will have a technical background in cybersecurity.
  • Different “languages”: Conversations about cybersecurity are so difficult because fundamentally, the two groups aren’t speaking the same language in terms of risk. IT people see risk in terms of the threats to their assets and network, while executives typically see risk in terms of the financial costs to the business.
  • Emphasizing compliance: Executives often confuse IT compliance with IT security, when compliance should be taken as the bare minimum standard. Just like passing the bar exam doesn’t make someone a good lawyer, compliance with regulations such as PCI or HIPAA doesn’t mean that an organization is secure against cyber threats.

In order to convince executives of the need for change, IT professionals, ideally, need to have a strategy that addresses each of these issues.

How Can IT Professionals Address These Challenges?

In order to convey the importance of investing in cybersecurity tools to executives, IT professionals should follow the advice below.

  • Focus on ROI: Rather than asking how much cybersecurity is costing their organization, executives should focus on whether the tools are a sound investment. The costs of a data breach or malware infection are not only the immediate costs of responding and recovering but also the long-term damage to a company’s reputation and the legal action and settlements that may result.
  • Recruit the CEO: Without an ally in the C-suite, it will be much more difficult to convince executives of the necessity for new IT security solutions. Key figures such as the CEO and CFO are the most important to win over. This means that IT professionals will need to couch their arguments in the language of business and financial risk: the loss of revenue, decreased productivity, brand damage, and lawsuits that can result from a cyber attack.
  • Make it personal: The most effective lines of persuasion are those that hit closest to home. Massive cyber attacks over the past few years such as Equifax, Target and Home Depot are scary but somewhat abstract. Even scarier is showing how a current flaw with the company’s security procedures puts employees careers and personal information at risk.

Final Thoughts

Many IT professionals struggle to get their message across during conversations with nontechnical company leaders in the C-suite, but the increasing occurrence of serious data breaches over the past year has made improving these conversations a necessity. The key factor for IT professionals serious about creating change for the better in their organization will be the ability to convert technical concepts into the language of business risk. By helping executives understand the impacts of a potential attack, IT professionals can break down misconceptions and start getting their message heard.

 

Need some help from SentinelOne talking to the C-Suite? Request a Demo Now
Like this article? Subscribe to our blog or follow us on LinkedInTwitter, or Facebook and stay up to date on the content we post each week!