It’s great news for security professionals that cybersecurity is finally getting more attention in the boardroom, and it’s important to keep that momentum going. As evolving compliance regulations are spreading more of the responsibility for data breaches among the C-suite, executives will be more willing to listen.
That’s why we, as security experts, need to be able to make a case for our data protection initiatives that will not only hold their interest, but tell them the only thing they came to find out; how bad’s the problem, and how much is your solution going to benefit us when it solves it?
To help that conversation move forward, here are five real-world strategies I use to communicate data security risks to non-technical leaders, focusing on the ROI that comes from increased data protection.
- Get rid of bad information. Many come into a data loss prevention (DLP) discussion with a few preconceived notions that already incline them to say “no.” One I frequently encounter is that DLP tools lessen end-user productivity. That may have been true before, but not now. Modern DLP is designed to be minimally invasive (when configured correctly) and ultimately saves teams far more time in the long run. Even the bit of work it takes to keep a DLP solution up-to-date is nothing when compared to the alert sifting and incident response teams can avoid by using it.
- Make their point your point. When a company loses data, that’s everyone’s problem. Executives need to see it that way, or else DLP is just going to sound like another cybersecurity acronym (and cybersecurity problem). When you connect DLP to things they care about like growth, cost savings, etc., people perk up.
- Tell them what’s at stake. Communicate the risk, which I like to put in terms of cost versus benefit. Talk about the cost of lost data, the reputational and legal ramifications, the compliance penalties, and the possible fallout resulting in job loss, loss of consumer trust, and more. When stacked against the nominal fee of investing in DLP, the answer becomes clear.
- Communicate how data loss happens – they might be surprised. A lot of people think data gets breached when bad actors are out looking for victims to strike. However, it’s simple human error that introduces risk more often than you’d think. . These are things that happen every day, like inserting a wrong email address or accidentally sharing a sensitive file. Knowing how easy it is to stumble can make board members realize that data protection is a necessary everyday solution.
- You’re selling an outcome, not a product. Remember, business leaders want solutions to real problems that will impact the business. If you’ve done your job setting up the business case, you’ll find that you’re easily walking them into a mutually beneficial solution, not another product buy.
To move security forward, we need the soft skills to speak with nontechnical leaders in a way that shows the value of what we do every day. And it needs to show them how security tools like DLP directly impact the goals they have for the business because at the end of the day, our goals are the same.
This article was based on a recent Fortra eBook, How to Get C-Suite Buy-in for DLP Tools.
John Grancarich is chief strategy officer at Fortra, a global cybersecurity company. As an advocate for practical cybersecurity, John is driving Fortra’s growth into a platform company and helping it become one of the leading cybersecurity providers in the world. His work revolves around communicating effective, force-multiplying strategies that will close the cyber skills gap by combining current talent with smarter uses of AI and innovation. Follow John on LinkedIn.
