From sensitive emails to customer credit card information, it seems like "hack du jour" is a staple on the nightly news. So, why is cybersecurity such a hard sell to your board of directors?
Convincing your company to pour money into prevention can feel like you're trying to sell an invisible suit of armor ("I swear, a sword won't run through it."). But cybersecurity ROI is exactly that—an investment delivering an end result that can't be seen. You're going to need to spin the conversation the right way to get the C-suite to buy in.
Crunch the numbers
Most company cybersecurity ROI decisions come down to balancing acceptable risk for your organization. If your company doesn't have a big IT budget, it's your job to put hard data behind your argument, and peer pressure can't hurt. More than half of cybersecurity professionals anticipate that their organization will suffer an attack within the next 12 months, according to the 2017 Cybersecurity Trends Report by Crowd Research Partners. As a result, 46 percent are boosting their security budget by an average of 21 percent, spending money on additional cloud infrastructure, training and education, and mobile devices.
In a CSO article, author Ilia Kolochenko shares an equation called Annual Loss Expectancy (ALE), calculating the number of incidents per year times the potential loss per incident. If your company does nothing to better its cybersecurity, the result of that equation is what you can expect to lose.
To come up with a figure, start by providing a year's worth of credit monitoring for affected customers at about $20 per account. Next, factor in potential legal fees, costs to recover and restore data, charges for forensic investigations, and compliance fines. The damage could quickly add up—Kaspersky Lab found in 2016 that the average cybersecurity incident costs large businesses a total of $861,000 and small and midsize businesses $86,500.
Don't forget your rep
If your CEO or board is questioning a large investment in cybersecurity compared to a potential low-cost loss, it's time to play the company reputation card. In addition to a financial loss, security breaches impact a company's brand value. Following a data breach, 12 percent of retail customers said they'd stop shopping at the affected retailer, according to Retail Perceptions. Seventy-nine percent would continue to shop at the retailer but wouldn't use credit or debit cards, and 36 percent would spend less with the retailer. Winning over customer confidence can take months, if not years, especially if your company is small and has limited funds for crisis management and public relations.
Sometimes, the C-suite understands these points, but their resistance may not have anything to do with money or brand trust. Have any of your past IT upgrades caused unexpected problems you needed to address and solve, like software glitches or department-wide downtime? Some organizations don't welcome upgrades of any kind if they're afraid it will negatively impact their organization's productivity. Address this up front and be honest. Chances are, your team is thinking about the last crash and how it inconvenienced them. Provide a realistic timeline for debugging a new system and details about what people can expect during the upgrade.
Focus on education
When it comes to cybersecurity ROI, your biggest job is educating the rest of the company. "Cybersecurity is viewed as the CISO's problem," said Christopher Porter, vice president and CISO at Fannie Mae, during a panel at the MIT Sloan CIO Symposium. He continues, "But, ultimately, it's an enterprise problem. My job is to educate them about that."
Give your team information on how data breaches happen, and provide the basic cybersecurity protection the company needs, including an investment in secure devices. While convincing the C-suite is a difficult task, Andrew Stanley, CISO at Phillips and the MIT Sloan panel moderator, believes it's getting better: "Boards are learning. They need to know—and as it becomes more of a regulatory issue, they want to know," he said. "Wise CISOs can educate the board and then get the budget they need to do the job."