Winning Support for Breach Prevention
Getting Executive Buy-In Requires Highlighting Risks
With the plethora of data breaches in recent months, especially the high-profile Target incident, the topic of breach prevention may now be on the minds of more CEOs and boards of directors. But getting buy-in for funding still requires educating executives on the risks that could have a material impact on the business and raising awareness of critical data security issues.
"[Breach prevention] has certainly garnered attention with executives," says Matthew Speare, executive vice president of governance and integration at Regions, a bank holding company with $117 billion in assets. "It cost the Target Corp. CEO his job. However, the latest rash of breaches and vulnerabilities is merely a reminder of how diligent we have to be on a daily basis to architect and implement secure systems."
Conducting a risk assessment - a basic security step - can play an important role in winning senior leadership support for security investments, says Phil Curran, CISO at Cooper University Health Care. That's the strategy he used to win support for the purchase of a security information and event management system, or SIEM.
"Our business leaders understand risk," he says. "On a daily basis they make decisions based on financial risk and marketplace risk. They have a hard time understanding information risk until you put it into a risk assessment format. Based on that risk assessment, they provided us with that capital investment - they understood what the risks were."
Cybersecurity leaders should look at which enterprise risks could materially affect the company, says Malcolm Harkins, chief information security and privacy officer at Intel. "Start looking at enterprise risks and see which of them might be triggered by a cyber-event," he says.
Speare at Regions says organizations need to put breach prevention into the context of the business view of the organization. "As any investment you recommend is to mitigate a risk, you must quantify the risk in terms of probability and financial impact," he says. "Once you have built the business case of the cost of risk mitigation, then you can layer in reputational, regulatory and legal risk."
The use of "scare tactics," or "crying wolf," in front of the board is inappropriate, Speare says. "Be a professional and approach in a logical, thoughtful way."
The growing number of breaches has shifted the focus of cybersecurity to being a business problem, not a technology one, Speare says. "While [executives] may not understand the bits and bytes of the threat, they are understanding that the risks are significant and real and are willing to make the investments to protect their institutions and the customers they serve."
Another key to obtaining buy-in for breach prevention initiatives is building executive and board awareness of broader data security issues, says Erik Avakian, chief information security officer for the state of Pennsylvania.
"It can't be a 'once-and-done' thing," he says. "You need to get in front of your C-level staff regularly, and across all levels of the organization, to stress the importance of cybersecurity preparedness and best practices for users."
Ongoing security awareness training is also important to changing the organization's culture to be more security-conscious, Avakian says. "Such a culture shift will lead to changes in how the organization views cyber, the breach prevention costs and support for funding initiatives involving breach prevention," he says.
Harkins meets annually with the Intel board to raise their awareness of enterprise risk issues. "One of the [recent risks] I raised was related to industrial control systems, as the threats and vulnerabilities towards ICS were growing," he says. "I let them know what our plans were to begin to invest in front of that risk."
In his next meeting with the board, Harkins will give an update, "telling them the progress we've made and any issues or challenges we've encountered."
Where to Invest
Security pros need to explain to senior executives and board members which technologies represent the best investments for the company, based on its risks and needs.
"You've got to look at hardening your endpoint and keeping the hygiene up on all of your systems," Intel's Harkins says. "Lots of attention is being focused on connecting the information and connecting the security solutions together so you can have heightened security business intelligence to give you situational awareness."
Regions, the bank holding company, is continuing to make investments in data loss prevention, encryption and monitoring capabilities. "More important are the investments we are making in the skill sets of our people," Speare says. "Technology tools are valuable, but a skilled analyst can put together the pieces of the puzzle much better than any system."
The state of Pennsylvania is working to ensure its security protections are keeping pace with the dynamic and rapidly evolving cybersecurity threat landscape, Avakian says. "We are further advancing our data loss prevention activities this year, placing an added emphasis on security awareness training for all of our application developers."
In addition, Avakian says he's investing in enterprise governance, risk and compliance, which includes a dashboard that will give an enterprise view of security and IT risk, agency by agency.
Avakian recommends organizations place an emphasis on following the National Institute of Standards and Technology's cybersecurity framework. "This would go a long way in not only formulating a good cybersecurity posture, but showing gaps which can then be used to formulate buy-in and funding to further mature the security posture of the organization, which will certainly go a long way in preventing breaches," he says.
CISOs also need to put themselves in the shoes of the business executives they're trying to persuade to fund breach prevention initiatives, Speare says. "Their role is to make a profit and they have both revenue and expense pressures and you are coming to them with another expense," he says. "Talk to them in rational business terms of realistic probability and impact potential, what are their options, and what the investment you are recommending will mitigate and to what degree."
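The quantification Speare describes, risk as probability times financial impact and an investment judged by what it mitigates and to what degree, can be worked through in a small model. The following is an added example, not code from the article or from any of the organizations it quotes. It expresses each risk as an annual loss expectancy (annual probability of occurrence times loss per occurrence), lets each candidate control remove a stated fraction of each risk, and ranks the controls by return on security investment, the annual risk reduced net of the control's annual cost. It goes slightly beyond the quote by comparing several candidate investments at once. Every risk, probability, dollar figure and mitigation percentage below is constructed for illustration and is not real data.

```python
"""Quantify risks as probability x financial impact and compare candidate
security investments by how much of that expected loss each one buys down.

Added example; not from the article or any organization it quotes.  All
risks, probabilities, dollar figures and mitigation fractions are constructed
assumptions for illustration only.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Risk:
    name: str
    annual_probability: float  # expected occurrences per year (annualized rate of occurrence)
    impact_usd: float          # direct financial loss per occurrence (single loss expectancy)

    def annual_loss_expectancy(self) -> float:
        """ALE = probability per year x impact per event."""
        return self.annual_probability * self.impact_usd


@dataclass
class Control:
    name: str
    annual_cost_usd: float
    # risk name -> fraction of that risk's ALE the control removes (0.0 .. 1.0)
    mitigation: dict = field(default_factory=dict)


def baseline_ale(risks):
    """Expected annual loss across all risks with no new investment."""
    return sum(r.annual_loss_expectancy() for r in risks)


def residual_ale(risks, control):
    """Expected annual loss that remains after the control is in place."""
    total = 0.0
    for r in risks:
        reduction = control.mitigation.get(r.name, 0.0)
        if not 0.0 <= reduction <= 1.0:
            raise ValueError(f"{control.name}: mitigation for {r.name} must be in [0, 1]")
        total += r.annual_loss_expectancy() * (1.0 - reduction)
    return total


def rosi(risks, control):
    """Return on security investment: (ALE reduced - annual cost) / annual cost."""
    reduced = baseline_ale(risks) - residual_ale(risks, control)
    return (reduced - control.annual_cost_usd) / control.annual_cost_usd


def business_case(risks, controls):
    """One row per control, best return first: cost, loss avoided, and to what degree."""
    base = baseline_ale(risks)
    rows = []
    for c in controls:
        resid = residual_ale(risks, c)
        rows.append({
            "control": c.name,
            "annual_cost_usd": c.annual_cost_usd,
            "ale_reduced_usd": base - resid,
            "residual_ale_usd": resid,
            "risk_reduced_pct": 100.0 * (base - resid) / base,
            "rosi": rosi(risks, c),
        })
    return sorted(rows, key=lambda row: row["rosi"], reverse=True)


# Constructed sample data (assumptions for illustration only).
RISKS = [
    Risk("Card data exfiltration", annual_probability=0.10, impact_usd=20_000_000),
    Risk("Ransomware outage", annual_probability=0.25, impact_usd=4_000_000),
    Risk("Insider data leak", annual_probability=0.50, impact_usd=600_000),
]

CONTROLS = [
    Control("SIEM with 24x7 monitoring", 500_000,
            {"Card data exfiltration": 0.4, "Ransomware outage": 0.5, "Insider data leak": 0.3}),
    Control("Data loss prevention", 250_000,
            {"Card data exfiltration": 0.3, "Insider data leak": 0.6}),
    Control("Endpoint hardening", 300_000,
            {"Card data exfiltration": 0.1, "Ransomware outage": 0.6}),
]

if __name__ == "__main__":
    print(f"Baseline expected annual loss: ${baseline_ale(RISKS):,.0f}")
    for row in business_case(RISKS, CONTROLS):
        print(f"{row['control']:<28} cost ${row['annual_cost_usd']:>9,.0f}  "
              f"avoids ${row['ale_reduced_usd']:>9,.0f}/yr ({row['risk_reduced_pct']:.0f}%)  "
              f"ROSI {row['rosi']:.2f}")
```

The output is the kind of table an executive can read: each option's annual cost, the expected loss it avoids, the fraction of total risk it retires and the net return, which is what Speare means by stating probability, impact, options and degree of mitigation in business terms. Reputational, regulatory and legal exposure are not in these figures and would be layered on afterwards, as he describes; and because no control reaches a mitigation of 1.0, the residual column makes Harkins's point that some expected loss always remains.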
Organizations need to also accept that they cannot eliminate all risks, Intel's Harkins says. "There's a level of breach prevention that can be done through hardening your endpoints and network, and having those investments, so together you have the right architecture to as best as possible prevent and then quickly detect unusual events so you can respond to them," he says. "It's not only how quickly you can detect, but then do you have the right response mechanisms, because you won't get 100 percent prevention. That's pretty critical for folks to understand."