Not so long ago, cyber-security was viewed by many organisations as a grudge purchase and the folk in charge of it a peripheral part of the broader ICT team.
No longer. Last year’s COVID-triggered surge in malicious cyber-activity, coupled with widespread reporting of attacks at household-name organisations, including dairy and beverage giant Lion and BlueScope Steel, has raised public awareness of the danger and put cyber-safety squarely on the corporate agenda.
Senior leaders and decision makers are worried and they’re right to be. A successful malware or phishing campaign can cause widespread disruption to operations, be difficult and expensive to remediate, create long-lasting reputational damage and, in some instances, cost senior executives their positions.
And they’re coming thick and fast – to the point that, in June 2020, Prime Minister Scott Morrison took the unusual step of advising local businesses and organisations to beef up their defences in the face of a barrage of attacks. The government subsequently announced additional funding of $1.67 billion over the next decade to help them do so.
Stepping into the limelight
Against this backdrop, we’re seeing more senior leadership teams seeking to engage directly with the individuals whose responsibility it is to prevent such catastrophes from occurring, namely Chief Information Security Officers.
For those who got into the profession because they loved the technical aspects of the role and were happy to stay out of the limelight, bad news: it’s a development that’s unlikely to be reversed.
For those who feel they’re perpetually asked to do too much with too little, good news: engaging effectively with decision makers can help ensure your team has the resources it needs to provide solid protection for the enterprise in these times.
Here are three tips for building constructive relationships at the highest level.
Be solution oriented
Sharing horror stories about attacks and data breaches may be a temporary attention grabber, but successful CISOs soon twig that the boardroom appetite for them is strictly limited. Business leaders don’t want to hear about impending disasters: they want to know what you’re doing to ensure they don’t occur. That means being able to give them a precise rundown of the security programs you’re pursuing, or hope to pursue, without resorting to technical jargon that will bamboozle and bore them.
Focus on the two Rs
There are two themes that will resonate at the highest level: Risk and Return on investment. Laying out the numbers – the funding you’re seeking or receiving, what it covers and how this investment will reduce the risk of compromise or attack – allows decision makers to see cyber-security through the lens with which all other major costs are viewed, and to judge its value accordingly.
You’ll earn additional respect if you’re able to demonstrate a solid understanding of the enterprise – where it makes its money, who’s on the key customer list and how a strong cyber-security posture will better position the organisation to attract and retain new business.
Build connections outside the boardroom
There’s a third R that’s also worthy of your time and attention: relationships. Your occasional appearances in the boardroom shouldn’t be the sum total of your interactions with the team at the top. Fostering connections with senior leaders and having interim conversations with them about your security program will help build awareness of the work being done by your team and instil confidence that you have things in hand.
Making cyber-security central to business success
In a rapidly digitising world, protecting the enterprise against high-tech attack will be an integral aspect of responsible planning and management in 2021 and beyond. CISOs who hope to thrive in this changing business landscape will need to form tighter ties with the individuals making those decisions and become comfortable working in a role that’s higher profile than it used to be.