How to prioritize security when executives are focused on business growth
I’m Jeffrey Wheatman, Cyber Risk Evangelist at Black Kite.
I read an interesting post on LinkedIn last week. The topic was: how can you prioritize security when all the business cares about is making money?
Before Black Kite, I spent 15-plus years in an advisory role, advising CISOs on this exact challenge. The problem we frequently saw is that when the CISO or CIO appealed to their executives with wants and needs, their priorities were misaligned with the executives' priorities. Most often, no one cared about what the CISO wanted.
What’s in It for the Business?
Business leaders care first and foremost about what's in it for the business. Simply put, business executives care about three things:
1. Money coming in.
- More revenue
- More customers
- More market share
- Happy customers
- Fulfilling on goals and objectives
2. Money going out.
- Cost optimization
- More efficiency
- Lower expenses
3. If something bad happens, who gets blamed?
Advantages of the Business Appeal
For years, I’ve been advising and encouraging CISOs to focus on the objectives of their business stakeholders and not so much on what’s in it for the security team. Yes, security is a critical business initiative, but it’s not going to be at the top of the list for every executive at all times. Successful CISOs contextualize their needs by framing them within a business objective. Here is a strong example:
We could say: we need money because our patch management program is missing 100,000 patches. We need $2.5MM to fix it.
And the business audience will nod, smile, and show you the door.
– OR –
We could say: we worked with our business stakeholders and have established that we need to patch business-critical servers within 3 days. We are currently patching in 8 days, so we are much more likely to be victimized by ransomware. The average ransomware attack causes outages of 5-7 days. Every day the organization is down, we lose $400k in revenue. If we hired 1 FTE and acquired a new scanning tool, at a cost of $2.5MM, we could get to the 3-day target.
Maybe they still don’t give you the money, but at least they know what decisions they made (or didn’t make) and why.
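To show how the second pitch holds up to scrutiny, here is an added example (my own illustration, not from the post) that turns the figures above ($400k per day, 5-7 day outages, a $2.5MM program) into an expected-loss comparison. The annual ransomware probabilities at the 8-day and 3-day patch windows are constructed assumptions; the post gives none.

```python
"""Break-even check for the patch-window business case (added example).
Figures from the post: $400k/day lost revenue, 5-7 day ransomware outage,
$2.5MM program cost. Incident probabilities are constructed assumptions."""

DAILY_REVENUE_LOSS = 400_000   # $ per day of outage (from the post)
OUTAGE_DAYS = (5, 7)           # typical ransomware outage range (from the post)
PROGRAM_COST = 2_500_000       # 1 FTE + scanning tool (from the post)


def outage_cost(days: int) -> int:
    """Revenue lost during a single outage of the given length (single-loss expectancy)."""
    return days * DAILY_REVENUE_LOSS


def expected_annual_loss(p_incident: float, days: int) -> float:
    """Annualized loss expectancy: annual incident probability times single-loss cost."""
    return p_incident * outage_cost(days)


def breakeven_probability_reduction(days: int) -> float:
    """How much the annual incident probability must fall for one year of avoided
    losses to cover the program cost. A value above 1.0 means a single year's
    revenue impact cannot justify the spend on its own; the case needs a
    multi-year horizon (see payback_years below)."""
    return PROGRAM_COST / outage_cost(days)


def business_case(p_current: float, p_target: float) -> dict:
    """Compare expected annual loss at the current window (p_current, assumed for
    8-day patching) against the target window (p_target, assumed for 3-day
    patching) for the low and high ends of the outage range."""
    rows = {}
    for days in OUTAGE_DAYS:
        avoided = expected_annual_loss(p_current, days) - expected_annual_loss(p_target, days)
        rows[days] = {
            "avoided_annual_loss": avoided,
            "first_year_net": avoided - PROGRAM_COST,
            "payback_years": PROGRAM_COST / avoided if avoided > 0 else float("inf"),
        }
    return rows


if __name__ == "__main__":
    # Constructed assumptions: 50% annual chance of a ransomware outage at 8-day
    # patching, 20% at 3-day patching.
    for days, row in business_case(0.5, 0.2).items():
        print(f"{days}-day outage: avoided ${row['avoided_annual_loss']:,.0f}/yr, "
              f"payback in {row['payback_years']:.1f} years")
```

The useful output for the boardroom is the payback period, not the raw patch count: with these assumed probabilities the program pays for itself in roughly three years, which is the kind of statement executives can weigh against other spending.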
The Reputation of Cyber Security Professionals
Historically, what we have seen is that business executives see cybersecurity professionals as the people who get in the way, the people who say no, the people who say stop, and the people who always say the sky is falling.
If we as cybersecurity professionals wish to be successful, we need to focus on what our stakeholders care about most…and unfortunately they don’t often care about security…unless someone makes them, or until it’s too late.
I encourage all of you (before you go and ask for more money, people, tools, or, heaven forbid, behavioral change) to think about what benefit the business gets. Put yourself in your audience’s shoes and ask yourself, “What do they care about? How are they evaluated for success? What puts money in or takes money out of their pockets?”
Lead with the value and then talk about the solution. And don’t forget about context! (See my previous blog.)