Adopting the appropriate information security solutions and having an IT staff that understands how to use them effectively is critical to protecting your organization from malicious hackers and cyber security attacks. But an advanced set of tools alone is insufficient, because a disconnect between your SOC and the C-suite can severely hinder cyber security efforts.
For example, end-user education is an important piece of any comprehensive information security plan; employees must be informed about topics like how to protect sensitive company information in a BYOD environment or how to spot a spear phishing attack in an email. Information security professionals need complete organizational buy-in for educational efforts to be successful, and that starts with collective buy-in from upper management so that belief and engagement can trickle down to all levels. After all, if the COO and CEO, for example, don’t stress cyber security as a priority, most of the rank-and-file employees likely won’t either.
Unfortunately for CIOs, CISOs and other high-ranking security staffers, a cultural gap between a SOC and the C-suite is an all-too-common issue. For instance, in a recent survey commissioned by the defense contractor Raytheon of 1,006 CIOs, CISOs, and other technology executives, 78 percent said their boards had not been briefed even once on their organization’s cyber security strategy over the past 12 months. Additionally, only 42 percent of respondents to a PwC survey said their board actively participates in overall security strategy, and just 25 percent said their boards were involved in reviewing privacy risks to their organizations.
If you are struggling to get your company’s top executives to give cyber security the attention it warrants, it might be time to take a more aggressive approach by using tactics like:
- Presenting hard financial data: Nothing grabs the collective attention of executives like compelling fiscal information. So the next time you get the opportunity, share a compelling figure, like the fact that the average cost of a security breach to a company is $11.6 million, according to Intel CEO Brian Krzanich. These kinds of eye-popping numbers make it clear that everyone in the C-suite has a vested interest in creating a robust information security strategy.
- Getting monthly briefings on the calendar: Insist on a monthly meeting with your company’s executives at which you provide an overview of company policy, present relevant security metrics, and suggest possible strategic adjustments. You can even use some of this time to discuss industry news as a way to create interest. Providing progress reports helps keep executives engaged in the information security process, and that engagement will filter down to the rest of the company.
- Providing updates about the latest security trends and solutions: If you can get the aforementioned meetings on the calendar, consider devoting some of that time to detailing the latest tactics that cybercriminals are using and the cyber security measures available—like automated incident response or software-defined security—that can help combat them. Keeping the C-suite informed about the latest developments in information security allows executives to contribute more meaningfully to policy and purchasing discussions, which makes life easier for a CISO or CIO.
Like any important project, getting cyber security buy-in from upper management requires a significant time investment up front. But just as with any worthwhile investment, the end result is more than worth the effort.