A 3-step plan to get execs on board with IT security

IT managers face the difficult task of convincing Finance decision makers and other executives that IT security is a worthwhile investment. Here’s some new data that can help them make their case:

Investors are more likely to give money to companies with strong cyber security records.

In the past, the people in charge of company funds have often viewed IT security strictly as a cost center — in other words, it was at best a necessary evil that required spending without any measurable return.

However, there are signs that’s starting to change. One recent survey, conducted by Zogby Analytics on behalf of HBGary, found that most investors pay attention to a company’s cyber security when they’re deciding where to invest.

In fact, 70% said they’re likely to research a publicly traded firm’s IT security practices and prior security incidents, and 78% would shy away from investing in companies that have suffered multiple data breaches.

Investors are particularly worried about breaches of customer data. Among the 405 survey respondents, 57% said a computer hack that compromises customer data was the most troubling type of incident, compared to just 29% who were most concerned about theft of intellectual property.

IT security can help businesses grow

The ramifications of those results are two-fold. The first point, of course, is that for public companies, having a strong security operation and avoiding IT security incidents can lead directly to greater interest from investors.

But there’s another lesson that applies even to private organizations: Most business experts agree that keeping data secure is a key factor that can determine an organization’s success.

That same sentiment was found in another survey of IT pros conducted by Turnkey Consulting.

Among the 108 IT pros surveyed, 44% said their organization views IT security as an essential business practice that can deliver a return on investment. An additional 38% said the company sees IT security investments as an insurance policy for company assets.

Even more good news for IT: Companies are beginning to get the message that protecting data requires cooperation from the entire organization, including IT, Finance and other business leaders, and staff.

Nearly two-thirds (64%) said company leadership views IT security as the responsibility of everyone in the organization, and not just the IT department. And 72% said security is one of the company’s top three concerns when an IT project is implemented.

3 ways to get execs on board

Of course, this doesn’t mean that business leaders everywhere are giving IT departments as much security funding as they ask for. Many tech teams still struggle to get execs on board with their proposals to protect the company’s data.

What can IT managers do to get more execs and Finance decision makers to see greater value in IT security and approve stronger budgets? Here are some tips from experts:

1. Educate decision makers

One reason many IT departments don’t get the security support they need is that the people at the top are over-confident in the company’s ability to keep systems secure. In one poll conducted last year by PwC Consulting, most (68%) of the 9,300 CEOs, CFOs, vice presidents and IT leaders surveyed said their companies have “instilled effective security behaviors into their organizational culture.” Only 20% weren’t confident in their organization’s security stance.

However, those respondents also indicated that there were many basic security steps their organizations weren’t taking. The bottom line: For decision makers to understand what security projects are necessary, they need to be educated about the company’s risks.

2. Quantify the potential costs

Another thing execs need to make informed decisions about security is an accurate estimate of what the company stands to lose by not protecting data.

While it’s impossible to predict what will happen to each individual company in the future, IT managers can give execs a breakdown of all the factors that add to the cost of a data breach, including:

  • Regulatory penalties
  • Potential loss of revenue due to downtime or damage to the company’s reputation
  • Costs related to remediating identity theft and credit monitoring services
  • Forensic analysis to determine the scope of the breach
  • Costs related to re-establishing a secure environment
  • The time and equipment necessary to prevent future attacks
  • Legal costs, and
  • A potential decline in the value of company stock (for public companies).

3. Ask questions first

If IT managers want Finance decision makers to understand their point of view, first they need to make sure their own department understands the point of view of the rest of the business. IT is there to educate decision makers, but IT security plans, like all IT initiatives, need to be structured so they’re in line with the business’s goals.

One important thing IT pros must know before making a security pitch: What does the organization consider an acceptable level of risk? After that is known, the IT department can work out a proposal that meets the company’s needs.