What advice can you offer security leaders currently trying to win executive support to create a secure behavior and culture program? How should they frame the business case for an SBCP?

299 views, 5 Comments
Deputy CISO, 2 months ago
Security awareness in most orgs is seen as a check-the-box compliance requirement and a bit of a nice-to-have. For me, security is part of the value system, much like integrity is, or a focus on workforce engagement might be. And because culture bases itself on how human behaviours play out, it's not easy. It takes time.

Here's what helped me in gaining exec support:
> Using awareness programs as an employee engagement avenue. It's not just about sending awareness emails but about bringing people in for virtual or in-person contests. HR leaders love it and become your marketeers.
> While it depends on your CxO's outlook, in my case a candid discussion with the CEO and COO helped in showing the value of how several pitfalls can be avoided (like phishing) and thus business loss.
> Nothing like getting the top management as your spokesperson. I've had the fortunate opportunity that the couple of CEOs and MDs I've worked with willingly share their personal stories of being targeted and what users should watch out for. I also jokingly refer to this as another 60 seconds of fame within the org (for them).
> Research like the Verizon Data Breach report and content from conferences like RSA help enumerate topics that campaigns should cover to safeguard organizations, and that the CxO must also be informed about.
CISO/CPO & Adjunct Law Professor in Finance (non-banking), 2 months ago
The easiest way to win support is to show them the data. Compare the number of breaches or incidents due to external hacking, like getting through the firewall, to the number that occurred due to social engineering or email compromise. The numbers are usually skewed. The easiest and cheapest way to protect an organization is through security awareness programs. If the highest risk is someone clicking on something they shouldn't, preventing that click is a much better return on investment.

2 Replies
Associate Vice President, Information Technology & CISO in Education, 2 months ago

I agree with Lawrence. We also did a baseline comparison of our college with others and the US higher education sector, which has a better security posture than Canada. We aimed to go above and beyond the Canadian levels. It's always about a risk management conversation. We demonstrated the cost-benefit analysis. For example, we might spend 100,000 on security, but it could potentially save us $5M if a breach were to happen. We used metrics to show where we are and where we want to be.

COO, 2 months ago

I concur with both Lawrence and John. My additions would be to keep the approach personal, maintain the status of a trusted advisor, and highlight the human element. Effective communication with upper management is crucial.

CISO in Banking, 2 months ago
This is one of those programs where you have to ensure that the executives have the current threat information and trends based on the type of organization you're in. I get a lot of my data from industry reports and Infragard, which I encourage every CISO to be affiliated with. We also need support from the board and CEO level. 

I do an in-person training for our board of directors each year and we talk about trends and necessary investments. Communication is key. When things change, as they often do in our world, continually communicating with the executive level about what's going on and how the security program can help address those threats is crucial.
