For better or worse, upper management doesn’t like to pay for things that don’t pay for themselves. IT affects their life, at least peripherally. When they reach out to the IT team for a new computer, someone shows up and crawls under a desk. Security is only important when it’s not there or fails. Unfortunately, by then, it’s too late.
The reality is that unlike even building security, cybersecurity is invisible. In many cases, people, including highly-educated executives, will wonder why they need it if they can’t see an effect.
Worse, and we don’t want to sound mean, many of the people in the boardroom can remember a time when only accounting had computers. The idea of a cyber attack sounds a bit like science fiction that only affects Experian and Target.
The Conflict – Profits versus Expenses
The simple truth is that there is no profit in security. They might spend tens of thousands of dollars over the course and nothing will happen. It’s like someone taking antibiotics. They will stop taking them as soon as they feel better. They don’t think about taking them again until their sick again.
The concept is as simple as explaining the size of potential losses and long-term reputation effects.
What follows is a step-by-step guide to getting the executive team’s buy-in. It’s not going to be easy, but it can be done.
Understanding the Executive Team
- Start early – Don’t just dive into the issue. Be sure to talk to people about the importance of cybersecurity over the course of weeks or months. Presenting it as a sudden idea will be more difficult than if you talk about the importance over time. And don’t make it the only thing you talk about. Add the idea as a seasoning, not as a theme.
- One voice – Don’t have 25 people sending messages about cyber-attacks. If a competitor is attacked or if there is a major global attack, like the recent Wannacry ransomware attack, make sure that everyone under your control stays quiet. One message about something is interesting. Ten messages about something is annoying.
- Talk to the people below – When you’re about to approach the executive team, talk to the people who work directly for them. That includes not only other executives but also an administrative assistant. If you can get their buy-in, it will make the whole presentation easy. Even the most powerful executives refer to their staff for advice and guidance.
- Get personal – Everyone in the executive boardroom has a different priority. Sales, accounting, manufacturing, facilities, investor relations, the CEO, and all the rest have very different priorities. Sales need to figure out how to explain to potential new customers that their information is secure or that the company is not in danger. The accounting team needs to know that the accounts are safe and the important data can’t be leaked. Manufacturing needs to know that the plants can’t be shut down by a cyber-attack. Investor relations will not like having to take calls from thousands of investors. The CEO will not like having to explain to everyone why she was at the helm when the company lost millions due to an attack. Make sure that everything you do during your presentation answers these concerns.
- Real numbers – Speak to the executive team in real numbers. “Might”, “maybe” and other possibles are not part of their language. When professionals make a decision, they do it with facts and the best available projections. Include numbers like industry losses due to cyber-attack, specific losses suffered by a competitor, potential losses to investors due to a cyber attack, percentage of lost sales after an attack, and so on. The key is to keep everything as numeric and concrete as possible.
- Let’s get visual – Put everything into a PowerPoint presentation and print it out. Large numbers are much easier to understand when there are graphs and charts. A 25% drop in sales looks like a deadly cliff to the sales team. A loss of 20% to investors is a painful thing for the investor relations team. Everything needs to be expressed in numbers and charts. Even the Chief Financial Officer will get number fatigue after a few minutes.
- Priorities – There are a lot of different facets to cybersecurity. Will the MSSP be able to phase in protections? Which of those protections are most important? Make sure that you have a clear set of priorities. You should have a list of must-haves, should-haves, and can-waits. That will make the decisions easier for the executive team if they understand that they don’t have to buy it all at once.
- Schedule – Layout a tentative schedule for deployment. How long will a server upgrade take versus a cloud email monitoring program? Just as importantly, what impact will this have on users? How long will the network be down? What contingencies can be made to keep everything running? Your schedule should be detailed and should be endorsed by the MSSP. If you get approval, you will want to be sure that you have everything in place on time. You won’t get the next round of your wishlist if the first items aren’t done on time.
- Speak their language – Change the terms that you use as you move through your presentation and answer questions. The personnel staff might be asking about how this will affect staff. You need to speak in terms of retention and growth. The CFO will want to know the costs and the potential benefits to the profits. The marketing staff might want to know how they can use this as a marketing tool.
- Bring in the big guns – You might need some backup. Consider bringing in the MSSP executives or the lead technician to answer questions about their procedures and techniques. Having someone who specializes in cybersecurity can make the sale easier. They will be able to explain some aspects of security that you might not be able to. They are also likely to have true stories that can drive the point home.
- Stand your ground – Don’t let the priorities of others let you compromise the company’s security. Sometimes, something as simple as not paying for a license or not renewing a specific service from an MSSP can create a gap in your security. Make it clear that there is a minimum of service that you need to have in place.
What about doing it without an MSSP?
Almost without exception, someone in the room will ask if you can maintain the proper levels of security without an outside contractor. The short answer is no, but here’s why.
- There is a shortage of qualified, experienced cybersecurity experts. Finding the right people might be difficult, but moreover, it will likely be expensive to hire them.
- Getting a team that is on the job 24 hours a day is definitely cost-prohibitive. Your team would need to be in place 365 days a year. That alone will cost a lot if you can find people who are willing to do it.
- Any team like that will need management, preferably management that knows as much or more than any of the team members. You might not have that experience and getting someone who does might be very cost-prohibitive.
This is another place where you might find it helpful to enlist the expert from the MSSP to help guide your executive team in making the right decision.
Managed security services are, for the most part, much less expensive than trying to do things in-house. Even a decade’s worth of MSSP fees is less expensive than the mess that you might have to clean up after a cyber-attack.
It might seem like an uphill climb, but you can convince senior management that security services, as provided by an MSSP, is in the best interests of the company.