The Art of Selling IT Security

18/03/2022

The Art of Selling IT Security to the Board

Every year, CISOs and CIOs have to negotiate a budget for IT security. If there are no incidents, the money was well spent. But how do you explain that to the board? In this blog post, we provide some strategies and background for successfully fighting the "Battle of the Boardroom" that can help you as an IT executive.

On important issues that cost a lot of money

When board members are asked to prioritize a given list of business areas, cybersecurity regularly lands among the top four. However, when board members are asked to draw up their own list of important business areas, only one in five names cybersecurity as a priority. This is according to a 2020 McKinsey study. Board members understand the importance of IT security, but they often do not seem to see it as part of their own remit, and thus as a risk they themselves own.

The massive shift to working from home since 2020, as well as the still rampant ransomware epidemic, have shown that without adequate protection of IT systems, orderly business operations are nearly impossible. Cybersecurity costs money, however, and a CISO, or a CIO for that matter, must get growing budgets approved by the board. To fight this "Battle of the Boardroom" successfully, a few precautions should be taken, which we briefly outline here.

Those who know the subject are more open

We have talked about a "culture of cybersecurity" on the Digital Compliance Blog before, and this topic must be mentioned first here as well. Exercises on the topic, such as tabletop exercises that walk through an incident, can contribute a great deal to creating a corporate culture, especially in the boardroom, that is open to IT security. Learning experiences and an understanding that IT security is not just the domain of the CIO but also affects human resources, legal, operations, and finance, among others, make it easier to agree on an increased budget. In a survey, the American FTC found that 89% of all board members see the issue as resting solely with the CIO. This thinking must be changed by involving the department heads.

Knowledge is power

If you know your area of responsibility, you can talk about it with confidence. As a CISO, you should regularly gain an overview of your IT security landscape. One way to do this is through self-assessments, which Complion also often conducts with companies. This should also include regular penetration tests, which reveal specific, exploitable vulnerabilities in the organization rather than theoretical ones. In addition, knowledge of the company's data landscape is indispensable: knowing which data requires special protection and which data counts among the "crown jewels" shows clearly where protection must be bought, and lets you tie each budget item to a concrete asset.

Spread the Word

Regular briefings to the board of directors on the "IT security climate" can raise awareness of IT security. Reports on competitors that have been successfully compromised, or on attack campaigns that are currently underway, can also make clear to supposedly uninvolved colleagues why an investment in IT security is worth the money. It is very important, though, not to trot out horror stories with extreme examples. Such fear appeals tend to put people off and do not lead to the desired result. The focus should therefore clearly be on education and not on fearmongering. Complion, in cooperation with Voice e.V., publishes the Cyber Security Competence Center's situation reports on a weekly basis, which participating CISOs use for exactly this purpose, among others.

In addition to information on the activities of attacker groups, the reports should also highlight the cybersecurity regulations and mandatory standards that apply to the company. These often come with significant investments in the IT security landscape, and they come with deadlines, which makes them a concrete argument in a budget discussion. Examples in Germany are VAIT, BaFin's supervisory requirements for IT in the insurance sector, and BSI IT-Grundschutz, which operators of critical infrastructure commonly apply to meet the requirements of the BSI Act.

Be specific and don't make it too complicated

Vague descriptions of personnel that may be needed in the future come across as disorganized and speculative. To avoid giving the impression that you are trying to secure yet another full-time position in your department for a rainy day, be as specific as possible when requesting IT security personnel. Communicate what the requested individuals are needed for and why hiring them is essential; specific role descriptions are important here. Pay attention to how you communicate as well: tech jargon is off-putting and can lead to irritation or misunderstanding.

Competitiveness with IT security

Last but not least, before the budget discussion, take a look at the competition and find out what similarly situated companies spend on IT security and which systems they use. This information can serve as a guide to the state of the industry, but it should not be adopted as a specific target.

IT security can also be a business enabler. We have already written about this topic in this blog post. In short, automation in IT security, for example through smarter authentication mechanisms such as single sign-on, can save users time and frustration, which has a positive effect both on the perception of IT security and on the efficiency of the business.

All these aspects can tilt IT security budget discussions in favor of CIOs and CISOs. Complion specializes in analyzing IT landscapes and then presenting the results to the board of directors. For more information on our cybersecurity services, click here.

Author: Tobias Philipsen