Securing funding to prioritize cybersecurity risk management strategy

A recap of the episode Inside the CISO’s Office: Navigating cybersecurity funding and legal risks

On this episode of Inside the CISO’s Office, vCISO John Bruggeman converses with Allan Hackney and Jim Studer, both current consultants and former CIOs of several large corporations, including GE, Bank of America, and Univision. They discuss the landscape of legal risk and regulatory compliance surrounding cybersecurity, and how to communicate these pressures effectively in order to obtain the budget needed to execute your security strategy.

Making the financial case for cybersecurity involves knowing your audience

A robust cybersecurity strategy is essential in today’s risk landscape, but many companies still need to catch up. Like any leader in a large organization, a CISO or other technology head must often battle competing business priorities for limited budget resources. Securing the necessary financial backing to advance your cybersecurity strategy hinges on communicating relevant information framed in a way that will be accessible to non-technical business leaders.

“The ideal [situation] is your business recognizes your ability to manage risk—particularly cyber risk in this case—is, in fact, a business enabler,” said Allan. “That argument, in my experience, falls flat almost all the time.” What does work, Allan said, is drilling down into your organization’s specific priorities and vulnerabilities to understand “where cybersecurity risk could impede your ability to compete and to be profitable.”

Allan cited the examples of regulatory liability in the banking industry, negative impacts on brand reputation in a brand-managed business, and threats to a healthcare company’s sensitive data. In each case, a cybersecurity event could threaten the organization’s ability to do business by driving customers away or incurring regulatory penalties. These existential threats clearly establish the return on a cybersecurity investment.

“A lot of it also depends on who you’re talking to. If it’s the CFO, they’re going to have a different kind of way to understand the money,” added Jim. “There’s an infinite number of good ways an enterprise can spend money—so you have to get up in the queue.”

While navigating the C-suite to make your business case may initially seem intimidating, listening is key. Solving smaller pain points can build trust with your fellow executives and give your cybersecurity strategy greater credibility during budget discussions. Enlisting the backing of in-house legal counsel or the COO is valuable to corroborate your risk mitigation priorities, but as Jim noted, the CFO’s alignment is essential. “No matter what else, the CFO will have a major, major voice in where the money goes.”

The first step to a robust cybersecurity strategy is to understand where your vulnerabilities are. Multiple frameworks exist for assessing and categorizing risk, but Allan cited his preference for a risk register.

“It’s… a proper assessment of your vulnerability to the risk, the frequency that the risk could happen, and then, ultimately, the impact,” he said. “If you do a thoughtful exercise on that, you should be able to categorize the primary risks to your business in a pretty straightforward way.”

For certain types of cybersecurity risk, the impact can include legal liability or regulatory penalties. In these cases, managing or mitigating risk becomes especially critical, and arguments for more significant investments—including partnering with a third party—are easier to make.

Methods for mitigating regulatory or legal cybersecurity risks include:

  • Risk transfer. Commonly executed via cybersecurity insurance.
  • Third-party support. Assessing the risk management functions currently performed in-house can help you identify tasks better handled by experts, such as implementing security controls beyond your staff’s capabilities.
  • Managed cybersecurity services. Third parties specializing in developing, executing, monitoring, and updating risk management plans will often have compliance and regulatory expertise in your industry. Fully managed cybersecurity providers will holistically approach your cybersecurity and compliance needs and potentially create efficiencies.

“You reduce that risk by picking the best [partners] when what you need to do is beyond the capability of your in-house staff,” said Jim. Enterprise cybersecurity needs are “getting bigger and bigger and bigger, not smaller.” By partnering with a vendor, you benefit from the vendor’s scale, their strategic partnerships, their specific industry knowledge, and their best-in-class tools. An expert partner is arguably a necessity for businesses to stay ahead of sophisticated cybersecurity threats.

Take the next step in your cybersecurity strategy with OnX

Up-to-the-minute cybersecurity knowledge—not only of cyber threats but of regulatory and compliance obligations—is essential in the current risk landscape. OnX is your expert partner in safeguarding your business from threat actors and mitigating the impact of a cybersecurity event.

Contact OnX today to better understand your risks and build a security roadmap to achieve peace of mind.