As cyber security threats continue to rise more companies are looking to bolster their protection from risks, yet can not always secure funding to do so. Panellists at the recent Robert Walters Cyber Security seminars, held across the UK, recognised this growing problem and gave tips on how to approach senior stakeholders to secure the funding needed.
"Cyber security is no longer just an IT risk.. its now a board level risk" said Haroon Malik, Managing Consultant - NCC Group. Making senior stakeholders aware of the potential damage an attack can cause, and highlighting the tools that can be used to prevent an attack, alongside the losses the company will suffer from an attack, will help secure funding towards taking preventative measures.
Change your language
Do not focus on the technical aspects of cyber security. Few outside of the technology circles, and in some companies the legal circles, will understand the technical jargon used in the sector. Many professionals have found they lose buy-in from the Board if they focus too heavily on this.
Instead, use examples from real life that people know about. You can discuss what has happened recently to both Talk Talk and Carphone Warehouse. Show examples of real life situations that stakeholders will know about.
You can also use examples of the Board's personal situations. Adrian Holloway - Information Security Manager, SCC said "The first thing I always ask [our chairman] is if he would leave his car unlocked on his drive over night? And he wouldnt so why leave the accounting system for a whole company unlocked and allow everybody to interlink to the bank and then to the phones."
Emphasize the threat
Alongside changing your language, you want to put the emphasis on the "so what?" question. Many stakeholders will listen to the potential problem on a grander scale but will really want to how "What will happen to me/us given this attack". Cyber security is no longer just an IT risk.. its now a Board level risk
You can really highlight the potential problem by discussing whats happened before, but will secure more buy-in if you can show the exact problems your company faces. Many senior stakeholders might not be aware about the type of information you store and how its held so be honest about the ways a potential cyber security criminal can attack you.
A good example of this is to remind stakeholders about the company's HR records and how employees' bank details are held on internal servers to help complete payroll.
Highlight the sales opportunity for the company
Not all companies will be able to focus on the opportunity for a new product, but those that do can gain support from senior stakeholders by highlighting the financial growth and profit made by selling their cyber security packages to other companies.
You can justify the expense of cyber security by showing what you will do to secure the company and how you will protect the infrastructure, and how you can then sell this to clients and partners. This is seen more and more amongst Canadian and US banks.
Running potential simulations on what could happen given an attack will allow you to give real-time data on how it would affect the company. be careful using this method - to make sure you have the company's permission. The panel suggested running the simulations, or "spoofs", on one small area of the business first and then if needed open it up to the whole business.
Martin Tyley, Partner at KPMG told of a situation where he knew a company ran simulations on a potential threat and then brought in a PR agency to explain the commercial damage the attack would cause.
This will not work with all Boards as some may be aware of the hype you are giving, but it still gives you relevant data that pertains directly to the business to build a business justification for more
Read more information on cyber security and to the other topics discussed at the seminars here.
Contact us for more information about future technology seminars, or to have a confidential discussion about any of your recruitment needs please contact: