Is Your C-Suite Listening? How to Get Buy-In for Cybersecurity

by | August 18, 2022

It’s a conundrum facing every CISO. Cybercrime is booming, attacks are evolving and becoming more complex, phishing breaches, ransomware payouts and data exposure risks are skyrocketing, and executives throughout your company say cyber threats keep them awake at night. Yet, despite all these realities, your company views cybersecurity as an IT responsibility, making it nearly impossible to create the security and shared-responsibility culture you need to strengthen your company in today’s threatscape.  

The good news is that, with some anecdotes and solid data behind you, you can break through to company leadership and get vital, top-down buy-in on the need to build the bottom-up training, systems and response plans you need.  

Get Your C-Suite to the Table with Stories and Data, Not Tech 

When it comes to cybersecurity and resilience, your C-suite and board members fall into one of four categories: 

  • Those with a comprehensive understanding of cybersecurity 
  • Those who have some cybersecurity knowledge, but not across the security stack 
  • Those who know they know a little about it and leave it to the experts 
  • Those who know very little about it 

When you look at this list, it’s easy to see why many CISOs struggle to get buy-in when they present technical solutions – few executives understand what’s being proposed and what it means for business outcomes. 

Fortunately, they all have read cyberattack headlines and horror stories and know that cyberattacks are on the rise, often with devastating consequences. They know about phishing, breaches, ransomware and potential nation-state cyberattacks. They probably know about ransomware-as-a-service and perhaps that cybercrime itself is a high-growth industry. And they know that no one – not even government agencies with the best defenses on the planet – is safe from attack. 

This is how we recommend you present your case—in terms they all can understand.  

  • Explain that your company is under attack – constantly – from cybercriminals who want your money and your data.  
  • Quantify the threats you’ve fended off, using statistics, when possible, as well as any close calls or even breaches you’ve experienced and dealt with.  
  • Bring in a specialist from a company with security experience like UPSTACK to share information on how cybercriminals are attacking companies like yours and how successful attacks are not mere annoyances but are causing business production disruptions and missed sales and financial targets.  

Explain the Need for Response Teams and Tabletop Exercises  

It’s important to address why cyber resilience isn’t only the responsibility of the IT and information departments. The reason is simple: Most breaches occur through human error or compromise, so security is a company-wide responsibility, from the CEO down to each employee.  

Cybersecurity Awareness Training is a great start in acclimating your team to the realities of today’s cyberthreats and how they play a critical role in preventing devastating breaches with good cyberhygiene. For most, it’s a major wake-up call to learn about the ingenious schemes cybercriminals execute to achieve their objectives. From there, it’s easy for everyone to see why bad actors are often successful and the sad truth of the oft-repeated phrase, “It’s not if, but when your business will be victim to a cyberattack.” 

Preparing for that eventuality becomes paramount and makes it easier for you to successfully advocate for an incident response team with representatives from departments across the company, including the C-Suite. This team is tasked not only with developing your response plan but also with running cybersecurity tabletop exercises to ensure all stakeholders know their roles and can execute during the stress of a live event. 

Plan and Run Incident Response Exercises 

Many disaster recovery plans sit unread on a shelf, so running simulations with your new incident response team is absolutely critical to proving its value to the C-Suite. Exercises will help you evaluate the efficacy of your plan, enable updates to match current threat intelligence and keep cyber threats top of mind with key stakeholders. 

Here’s a 10-step framework that can help you get started with your tabletop exercises: 

  1. Identify internal and external stakeholders that will run, participate in and observe your tabletop exercise. Get as much C-suite participation as possible, preferably including the CEO.
  2. Set up response team leadership and reporting roles.
  3. Establish objectives and a meeting cadence with support from leadership to emphasize the project’s importance.
  4. Determine and prioritize “attack scenarios” by likelihood, frequency and damage/business interruption potential.
  5. Develop and document a response plan to your first attack scenario.
  6. Conduct your exercise.
  7. Create an after-action report identifying changes needed in your draft response plan.
  8. Re-run your exercise to validate your changes and improvements.
  9. Convert your plan documents into an official response manual.
  10. Move on to your next scenario.

Document Your Progress 

Your communications job isn’t done when your team is in place or even when you’re running regular exercises. You must maintain C-Suite support and encourage a more robust security culture within your company. Documenting your progress – and any successful defenses that occur as a result of your exercises – can help you meet both needs.  

Work with a trusted partner like UPSTACK to evaluate and source security solutions, so you’re able to defend and respond quickly and effectively to cyberthreats like ransomware, phishing and insider threats.