10 ways to get execs thinking about security

For far too many IT pros, the battle to show executives the value of caring about your security systems is an uphill one. The top brass sees security as a cost-center and one it can’t afford, end of discussion. 

But there are ways you can change their mind – or at least open up the possibility of getting them to see the value of security to your organization.

Here are some of the best bets:

  1. Use the right examples. Most IT pros know that bringing up examples of a breach suffered by another company can get attention to the security cause. But not just any example will do: While you may realize that the tactics used in the Target breach can be replicated almost anywhere, if you’re a non-profit or a healthcare company, execs might not make the connection. If you’re going to use an example from another company’s security fallout, pick one that’s in the same industry, geographic area or even parent company to make sure it carries weight.
  2. Use simple metrics. Chances are you have thousands of metrics you could report on that could show every aspect of your security program. But simplify your approach by showing only those that are most important to the organization’s bottom line and easy to understand.
  3. Keep in front of them. If you report on security to your board once a year, you probably will only get a shot at getting support for your security programs once a year. And if it happens to fall at a bad time, you’ll be stuck in the same place. Make every effort to get as much face time with the top brass as possible since each time is another chance to win support.
  4. Use them in training. Invite board members or other execs to make brief opening remarks to kick off security training for users. Tell them how important it is to you that users get to hear your organization values security. This appeals to most execs – many love to know their workers would be influenced and motivated by their words – and will actually get them thinking, Maybe this is something that should be a top priority.
  5. Make execs the focus. Rather than “training” executives on security, tell them you’re concerned they could be a target for cyberattacks personally. Explain that spearphishers are coming after knowledgeable people with valuable data all the time. Once you’ve explained the threat they’re facing, make the point that while other users might not have as big a target on their backs, each one of them will also probably be phished at least once. That’ll get execs to think twice about any ideas security can be a luxury, not a necessity.
  6. Tell a story. Talking about what you want to do next makes it difficult to support security. It sounds like just adding features on, and it can be tough to tell which are really needed. Instead, talk about the journey: Tell them what your security system used to be like, where it is today and what value could be added in the future.
  7. Use it for marketing. If you keep your security details in-house, it’ll be seen mostly as something that your organization pays good money to run behind the scenes. But every time you suggest a security enhancement, add some variation of “And if we let customers know we’re doing this to protect their data, it could be a good marketing strategy.” That clearly puts security in a revenue-generating light.
  8. Mention replacement savings. Most new security projects can replace at least one service you’re already using. Don’t bury that lead … Make sure to highlight the savings you can expect to see by eliminating redundant services before even getting into any costs.
  9. Bring up the “hidden” data. You may not be able to convince execs that your company’s primary data is a target. But remind them that there are other records you have that are always valuable – for instance, employees’ Social Security or payroll information. And that includes their own, personal information in addition to every other user’s.
  10. Put it in dollars and cents. There’s a reason this idea comes up in every discussion of getting execs to value security: It works, and it’s probably the only way to make sure your message is going to get through.

Make Smarter Tech Decisions

Get the latest IT news, trends, and insights - delivered weekly.

Privacy Policy