Getting cyber security buy-in from the board

Written by Joe Beaumont on 21/08/2020

Problems at the top

As any seasoned cyber security professional will tell you, good security only works when it’s embedded as culture within an organisation – and that must come from the top. But sometimes, the top doesn’t want to know. Even with recent events highlighting the vital importance of cyber security and the average cost of a breach reaching an eye-watering £3 million, many organisations still struggle to get security on the boardroom agenda. This leads to critical levels of under-investment, leaving organisations wide open to cyber attack. Let’s look at the problems in more detail.

Examining the underlying issues

Let’s start with the obvious: some boards don’t have a CISO. Not having a CISO means boards are likely to be simply unaware of the very real operational risks to the business that poor cyber security presents. Unaware, that is, until it’s too late: over half of medium and large businesses have suffered a cyber security breach or attack in the last 12 months. Without a board member literally bringing it to the table, it’s going to be an uphill struggle for any security manager to get cyber on the agenda. Even boards who want a CISO might struggle to get one thanks to the security skills gap.

Those boards who do have a CISO, and so have hopefully invested in cyber security to some degree, still face the challenge of making that security investment truly effective in the real world. This requires the CISO to have the full trust of the board and the resources to move and react quickly. Effective controls can only come from understanding hackers’ motives and abilities, as well as fully analysing the risks of internal threats.

Security service providers can even make matters worse by trading on fear, uncertainty and doubt (something we at Bulletproof work hard to avoid). This only serves to muddy the waters for organisations trying to manage their cyber risk profile as it obscures threats and confuses priorities, which ultimately – and not to mention ironically – can leave businesses less secure.

In numbers

Sources for the statistics in this section:

https://nominetcyber.com/major-global-study-of-senior-cyber-security-professionals-reveals-increasing-pressure-workload-and-budgetary-deficits

https://www.scmagazineuk.com/wheres-cisos-missing-third-fortune-500/article/1661131

Knowledge is power

Having outlined the problems, we can see the common theme running through them: lack of knowledge. Boards don’t have a CISO because they don’t know they need one. CISOs don’t always invest wisely because they aren’t given the resources they need to uncover the real threat profile. In our experience, even organisations who have invested wisely in cyber security often lack the capability to detect a hack. To put it more succinctly, board-level investment doesn't include cyber, or cyber controls aren’t effective despite investment, because of a lack of knowledge.

Stories from the security frontline

To demonstrate the problem in action, we have some real-life examples from Oliver Pinson-Roxburgh, our Co-founder, and from Nicky Whiting, our Head of Consulting. These are all real and repeated scenarios they’ve encountered during the course of their security careers when trying to educate a board on the importance of security.

“But we have anti-virus, surely that’s enough”

Oli: “This is a great demonstration of the lack of knowledge of a typical board. Anti-virus is one specific tool in the cyber security armoury. On its own it’s nowhere near enough. As any good penetration test will show, hackers have many tools and techniques that can compromise your environment and steal your data without ever setting off an anti-virus alert. Then there are the threats that come with newer tech such as containerisation – how many board members will know what containerisation is or understand it as a risk?”

“But a breach is less costly than good security”

Nicky: “The cost of data breaches is rising year on year, and if personal or financial data is involved (and it almost always is) then it’ll increase hugely thanks to things like GDPR and PCI DSS. Insurance can sometimes cover some of the cost, but it can’t save you from reputational damage – and that destroys companies much quicker than financial damage.”

“But we’re not a target”

Oli: “Most hackers don’t care who you are, only if you’re an easy target. That makes anyone with weak security a target. Plus the larger you are, the more likely you are to be targeted by a determined attacker as well as hit by opportunistic ones. This presents an additional threat to mid-market and larger organisations over SMEs.”

“But we don’t have the staff or technical expertise”

Nicky: “Many organisations don’t have the technical staff – but that’s not actually a problem. Here cyber security can take a leaf out of the modern compliance playbook and look at managed options. With outsourced Data Protection Officers being so common, increasing numbers of organisations are also looking at a virtual CISO, and even managed SIEM services to fill the gaps.”

“But we haven’t been attacked yet”

Oli: “What I always say to this is: how do you know? Typically most organisations lack the capability to detect an attack. Your data could already be being sold on the dark web. There could be a ransomware-laden email sitting in someone’s inbox right now. Statistically there are almost certainly a few phishing emails just waiting to be clicked on. They don’t usually have an answer for that.”

6 tips for security managers

For those stressed security managers trying to combat the problem and get the board on-side with cyber, we feel for you. To help you win them over, here’s our handy guide to what you can do.

  1. Realise it’s a sales pitch

    You are essentially selling your requirements to the business. That means it’s a sales pitch, and like all sales pitches, it works better in person. Get in front of your board by any means necessary. If you’re not the point-person who reports to the board on cyber, work closely with the person who does.

  2. Regular communication

    Regular communication with valuable, insightful information is key to getting board engagement. This means sticking to simple metrics presented in easy-to-read, visual ways. There’s absolutely no room for ‘death by Powerpoint’ here.

  3. Education, education, education

    Upskilling the board should be a primary goal. Where a board is reluctant to take on additional training, sneak extra training into mandatory or already in-place training regimes (such as GDPR, ISO, etc). Add in a few additional slides that are catered specifically for the board.

  4. Don’t talk about technology

    Boards are largely non-technical and a lot of people go wrong because they focus on tech. Sell it to them in a way that outlines the benefits of the approach, such as regulatory requirements, winning more tenders, reducing risk, rather than the technology required.

  5. Leverage common compliance standards

    GDPR and ISO 27001 can create a more focussed way of spending money on security. Shiny new tech might be tempting for the IT team, but there will be other things the business needs more that will be revealed through the risk work and data mapping that comes from ISO and GDPR. Compliance helps organisations target their spending better and focus on what’s really needed, rather than what’s nice to have.

  6. Show that it’s an investment, not a cost

    Well-implemented security forces an organisation to analyse workflows, implement new structures and drive consistency, leading to streamlined processes and procedures. When security spending leads to increased efficiency and better ways of working, it becomes an investment, not a cost.

6 security tactics for every board

To finish up, here are 6 security tactics that every board can follow to solve their security problems – whether they’re aware of them or not.

  1. Get a CISO

    Dear board, I’m going to cut right to the chase: it’s 2020 and you know you need to have a CISO. If you can't justify a full-time CISO – and many can’t – then hire a virtual CISO on a retainer basis. This lets you access all the experience of a seasoned security pro for a much lower cost. Without this, you’ll never understand the threat landscape and your true cyber risks. And what that means in practice is, you’re going to have a data breach.

    If you have a CISO, they need to make sure they’re being listened to. They should be talking non-technically so you can understand the impact of what they’re saying. If you have a CISO but are still struggling to meet your security challenges, then it’s time to look at the relationship you have with your CISO and examine your communication.

  2. Get basic security training

    Basic security awareness training for all staff, from frontline call loggers right up to board members, is an absolutely essential, fundamental security control. You have probably heard of phishing, but are you aware of whaling, CFO fraud, and the advancements in deepfake technologies? This is just the tip of the iceberg. Security is everyone’s duty, and the board needs to have a level of security understanding in line with their responsibility.

  3. Focus on risks and business outcomes

    Ask for options. As senior strategy setters, it’s not the board’s job to be researching what the many technology options are and their varied impacts. Instead ask for a curated selection of options and explore the outcomes of each to see what’s the best direction for the business. This also means understanding that high spending does not equal high security. Use your vCISO or a trusted security manager to empower yourselves to spend wisely, not freely. Again, where you don’t have the staff and/or can't afford the CapEx to deliver security outcomes, look at taking a managed service.

  4. Get operational support with specific compliance

    Compliance isn’t security, but they’re often treated as one and the same. Leverage compliance, be it a mandatory standard or not, to enable wise investment in key projects that will have an impact on your security posture. This way compliance can be a benefit instead of a chore. You probably won’t have the in-house expertise to manage this, so look for cost-effective operational support.

  5. Consider a managed SIEM service

    If your risk analysis warrants it, explore a SOC/SIEM service. With high-tier features such as proactive threat hunting, it can be the gold standard of security, but only when it is implemented and run correctly. Check out this guide for options of building, buying or outsourcing a SIEM. If not done correctly, a SOC/SIEM service can actually be worse than useless, as you'll think you're secure when you’re not.

  6. Communicate for success

    You must realise your power of influence and take this responsibility seriously. It’s important to support security and compliance initiatives by practising what the business preaches. If you don’t, every security project and every compliance project will fail. You need to be the change.

    Involve your CISO in discussions at the earliest opportunity so they can contribute perspectives on business strategies. Another tip is to get your CISO/vCISO to talk to your DPO (or whoever’s responsible for data protection within your organisation). Cyber security and data protection aren't the same but they are related, and synergies and cost savings will appear with communication.
