How Do You Convince Management to Invest in Security Technology or Initiatives?

    In the ever-evolving landscape of digital threats, we reached out to cybersecurity experts and founders to uncover their strategies for securing management buy-in on security investments. From presenting a VPN case with risk analysis to highlighting cost savings and industry standards, here are five key tactics they've successfully used to advocate for cybersecurity initiatives.

    • Present VPN Case with Risk Analysis
    • Demonstrate Risks with Real-Time Testing
    • Use Sector Benchmarking for Cybersecurity Investment
    • Conduct Thorough Risk and Cost-Benefit Analysis
    • Highlight Cost Savings and Industry Standards

    Present VPN Case with Risk Analysis

    Convincing management to invest in a VPN required presenting a compelling case based on both risk mitigation and cost-benefit analysis. I began by outlining the current vulnerabilities, emphasizing how a VPN could significantly fortify our network against unauthorized access and data breaches.

    Highlighting real-world incidents where similar companies faced substantial losses due to inadequate security underscored the urgency. I also presented a detailed cost-benefit analysis, demonstrating how the investment in a VPN would ultimately lead to substantial savings by preventing potential financial and reputational damage.

    Demonstrate Risks with Real-Time Testing

    I've often been on both sides of the table when it comes to discussing investments in cybersecurity technologies and initiatives. Convincing management or stakeholders to invest in cybersecurity can be challenging, but it's crucial for the protection of our assets and maintaining trust with our users. Here is one of the strategies I've used to successfully advocate for such investments, drawing on my experiences leading a company that develops productivity and collaborative tools.

    One tactic was to facilitate a real-time demonstration of the risks by conducting penetration testing with the potential security service in place versus our current system. The visual impact of seeing how easily our existing defenses could be breached, compared to the robust protection offered by the proposed solution, provided a stark, compelling reason to invest. This experiential evidence helped management understand the tangible benefits of the investment, making the decision clearer and more urgent.

    An effective strategy was bringing in external cybersecurity experts to speak to our management team. These experts provided third-party validation of the threats and potential solutions, adding credibility to the proposed investments. My tip is to leverage external expertise whenever possible, as it can provide an impartial perspective that may resonate more strongly with stakeholders than internal reports.

    Alari Aho, CEO and Founder, Toggl Inc

    Use Sector Benchmarking for Cybersecurity Investment

    Cybersecurity business cases usually involve a structured process of assessing cyber risk/maturity, defining the desired target state, designing a roadmap to transition from the current to the target state, and then building a business case to transition to the target state. While this traditional approach is effective, I've found as a CISO that sometimes a more unstructured approach can yield very favorable results in gaining investment from the likes of board members, Audit and Risk Committees, and Investment Committees.

    Rather than a risk-based approach, it's a sector benchmarking approach. This can significantly enhance the persuasiveness of a cybersecurity business case as it plays on the intercompetitive nature of executives between different companies in the same sector. When executives see how the cybersecurity capabilities of their organization compare to their sector peers, it can create a really compelling incentive to avoid falling behind. While very few want to be at the 'bleeding edge,' nobody wants to be at the back of the pack.

    In a recent initiative, I helped a leading Russell Group university secure £2.3 million for an Identity and Access Management (IDAM) program of work. As part of the benchmarking, I interviewed 12 other UK universities, discovering what identity governance tooling they use, how much funding they allocate to IDAM, the size of their InfoSec team, the capabilities they have in place (e.g., Just-in-Time access provisioning, role-based access, privileged access monitoring tools, segregation of duty controls, etc.).

    This built up a rich picture of where the university stood in terms of its current risk posture and capabilities compared to its closest peers—and they did not like where they stood. I was able to objectively illustrate the areas they were lagging behind in and articulate the level of spending required to bring them back in line with their fellow Russell Group counterparts.

    This resulted in a strong business case which was waved through from ideation through to executive sign-off.

    Jonny Pelter, Chief Information Security Officer (CISO) and Founder, CyPro

    Conduct Thorough Risk and Cost-Benefit Analysis

    I conducted a detailed risk assessment and cost-benefit analysis to persuade my employers to back a particular security technology or measure. This involved pointing out recent security breaches within our industry and showing how the suggested technology could prevent similar incidents from happening. I also made a very strong business case by comparing potential losses due to breaches with what it would take to implement the new system.

    In addition, I provided them with feedback and success stories from other companies that had implemented such solutions, thus underlining their efficiency and return on investment. Such an all-inclusive approach helped them understand the worth of this investment.

    Khurram Mir, Founder and Chief Marketing Officer, Kualitee

    Highlight Cost Savings and Industry Standards

    Convincing managers to invest in cybersecurity can be tough, but highlighting the potential cost savings is key. Show how security prevents data breaches and downtime, saving the company money. Frame it as an investment, like new equipment, that protects valuable data and keeps things running smoothly. Strengthen your case by finding real-life examples of cyberattacks, referencing industry security standards, and showcasing success stories of improved security benefiting other companies.

    Hodahel Moinzadeh, Founder & Senior Systems Administrator, SecureCPU Managed IT Services