A few years ago, I was talking to an organization’s executive about the budget needed for a security initiative. We discussed the idea that organizations must understand that it’s not if they’ll be breached, but when. If a breach is inevitable either way, the executive asked, why should I spend all this money on security?
The question made me think about how security experts often use fear and uncertainty to get buy-in for projects. This is a common practice, and it has been for years, but it isn’t necessarily effective.
The Problem with Cybersecurity Fear Mongering
Neuroscience demonstrates that scaring or threatening people is a poor way of influencing their behavior. In fact, encouraging a positive action is a more effective motivator than a threat.
Fear and threats ultimately trigger a stress response, and humans naturally avoid the source of this stress. When security professionals try to scare an executive into a budget decision, the executive associates the fear of a breach with us — and eventually they just fear us.
Science shows that humans respond more positively to rewards, and I’ve found that when we talk to management and executives about security, it’s best to show them that there’s a reward.
Good, Better and Best
I encourage security professionals to approach executives with good, better and best suggestions for building a business case, and demonstrate the rewards an organization can expect to see.
A good reward might be simple cost savings. For example, if I’m suggesting that an organization deploy next-generation endpoint protection (NGEP), it’s useful to demonstrate that purchasing this solution will ultimately save money. One IT professional I spoke with told me his team spent a burdensome amount of time and money rebuilding laptops that had been infected with malware. The NGEP solution prevented these infections, yielding greater savings than the solution itself cost.
A better option is to find items on an organization’s IT wish list that a security initiative can enable. If the savings from a security deployment are large enough to fund a value-added IT project, that makes the case for security even stronger.
The best scenario is to show how security will enable new capabilities or a new revenue stream. I worked with one company whose core business was to manage intellectual property. The company wanted to move its operations to a cloud infrastructure as part of a digital transformation effort, but it wasn’t confident that its data would be secure in the cloud. We built a comprehensive cloud security strategy for them that included security controls such as multifactor authentication and a cloud access security broker. This security strategy enabled the company to set up a cloud-based portal that served customers their intellectual property through a subscription service. This service provided an innovative new revenue stream for the company that differentiated it from its competitors.
How to Talk to the Board
In addition to offering positive scenarios when making the case for security initiatives, security professionals should keep several other factors in mind when presenting to executives or a board of directors. Here’s the advice I offer CISOs:
- Be brief: Executives will lose interest quickly, so your presentation must provide all key information up front. Start with your conclusions.
- Expect interruptions: A presentation to the board is often more like a conversation. Don’t expect them to let you finish before they ask questions.
- Prepare for specific questions: Be ready for what executives are likely to ask you. Research their motivations beforehand; understanding them will help you anticipate their questions.
At the end of the day, most boards focus on business considerations, such as market leadership, market innovation and disruption. They’re interested in stock performance. That’s why they exist. Your presentation is more likely to be effective if it pays heed to business impacts and long-term efficiencies.