Getting Your Exec Team On-Board With Modernizing Its IT Security Solutions
Change can be a terrifying thing – especially when it comes to security. Overhauling a company’s IT and investing in new security solutions is a daunting prospect, especially for a company’s executive team. After all, the executive philosophy is “if it isn’t broken, don’t fix it.”
However, as IT specialists know, change is happening all around us – whether we’re causing it or not. Security vulnerabilities are constantly being discovered and exploited. New malicious technologies are being developed. Things will change. Your organization has to choose whether it will change as well to keep up, or fall behind, increasing risk.
Why Complacency is the Enemy
It’s human nature to attempt to avoid change. When it comes to security systems, change involves juggling many aspects of the organization. New security solutions need to be discovered and tested. Budgets need to be analyzed. Employees have to be trained. All of this comes with some fear of failure — the idea that the new system might not be as good as the old system. And there’s a new vendor to bring on board.
The C-suite of any organization can fall into the trap of assuming that their system is safe because they have IT security solutions already in place. For example, they may believe that, since your organization has a secure email gateway, your email is 100% secure. Why invest any additional money into a system that’s already secured?
In some cases, an exec team may see the value in investing in new IT security solutions but will prioritize other business initiatives that have, in their mind, a more immediate benefit or predictable ROI. They don’t see IT security solutions as directly impacting the bottom line, and are therefore ok with putting the adoption of these solutions on the backburner.
Explaining Cybersecurity to the C-Suite
Cybersecurity is an on-going project — and that is critical for the Executive Team to understand. No organization wants to bear the costs of an on-going expense, but realistically, the cost of improving cybersecurity is far less than the cost of dealing with the fallout from a data breach.
One of the best ways to explain to the C-Suite that you need to update your cybersecurity solutions is to frame it in terms of competitive advantage. Failing to keep up with cybersecurity doesn’t just put your business in danger — it puts your business at a competitive disadvantage.
New cybersecurity solutions are able to reduce business disruption while also promoting productivity and efficiency. Older cybersecurity solutions may slow network traffic, require additional input from users, and take more time for the IT department to maintain. If an attack isn’t remediated in time and data is stolen or encrypted, then the resulting expense and PR nightmare can potentially set your organization back millions and put it at a competitive disadvantage.
Other Ways to Overcome Modernization Paralysis
Data security is a hot topic right now. High profile security breaches are in the news every other week. To explain the risk of poor security, an IT expert need only point to the data breaches that are constantly occurring. Businesses are already concerned about “being the next victim” — they just need to know that there’s a path forward that doesn’t require them to engage in significant risk.
Here are some tips for explaining the need for improved security to the C-suite:
- Break down the costs of a potential data breach for your organization. When it comes to the true cost of a data breach, there are a lot of numbers floating around – numbers that may or may not have anything to do with your organization. Rather than letting general fear of a breach drive your C-suite towards the correct business decisions, let them know what the true cost of a data breach would be for your business. You can use a data breach calculator tool to find out the numbers that apply to your company and your industry.
- Talk about the total cost of ownership. When looking at various IT security solutions, talk about them in terms of total cost of ownership. This includes adoption, training, maintenance, and updates. Compare this to your existing solutions, as well; your legacy solutions actually may cost more than new ones in terms of maintenance and management. Older solutions often need more custom maintenance, as they don’t provide the same features out-of-the-box.
- Explain why the existing solutions are ineffective. The C-suite must know that this isn’t “change for change’s sake.” You aren’t upgrading because new technology is attractive; you’re upgrading because it is necessary. Show exactly what the risks are that new technology will defeat. For example, point out that “dictionary-based” malware detection no longer works, and that new technologies use behavior-based analysis instead. The more concrete the improvements are, the easier the C-suite will find it to understand.
- Keep security front of mind. As mentioned, security is an on-going project; it isn’t something that is ever “complete.” Keep the topic at the forefront of the C-suite’s mind. Make sure that the board is refreshed on new developments periodically, and that they know what is and isn’t working about their current security system. The more involved you get the board, the more willing you will find them to make the changes and adjustments necessary to keep your system secure and your technology up-to-date.
- Demonstrate success. You’re likely stopping attacks every day, at least in some part due to earlier investments. Remind execs of the impact that earlier investments have had, especially newer technologies that have stopped newer attacks. This will reinforce the message that the attacks will continue to evolve, and you need to invest to keep up.
- Highlight successful attacks against other companies. There is no shortage of high profile data breaches. Review these attacks and explain why they happened, whether it’s due to outdated technology, outdated training, staff shortages, a new type of attack, or something else. This helps to make the potential risk factors for the company more real. At the same time, you can go through the improvements that your organization may need to make to its own technology and processes in order to protect against the same mistakes.
- Create a clear roadmap for modernization. Don’t just tell the C-suite what the company should have; draw them a map. Show them how the upgrades and new IT security solutions will be implemented, such as by prioritizing critical upgrades first. The C-suite will want to know exactly how you plan to accomplish upgrading the security and technology of the environment, and the clearer the picture you’re able to draw, the more confidence they’ll have in your plan.
Upgrading your security systems doesn’t have to be a painful, time-consuming, or costly process. Many of today’s solutions are cloud-based, easy to deploy, and cost-effective. With a host of integration features, these IT security solutions are relatively simple to roll out; they aren’t the complex behemoths of yesteryear.
Once you have the support of your executive team, you can begin identifying the IT security solutions that will work best for keeping your organization safe and secure.