For business leaders, the time since the outbreak of COVID-19 has been a brutally tough challenge, with no easy calls—just sober, analytical thinking that often results in no one being satisfied, and a nagging fear that you just haven’t done enough. I’m not here to tell you it’s going to get any easier. But what I’m going to try to do is help you retain a reasonable level of cybersecurity spending. I also want to give you some rationale on how chief information security officers (CISOs) should make their case in the C-suite or the boardroom, and why business leaders should get out in front of this.
What Have We Learned? Plenty
On a personal level, most of us know someone who has been directly affected by the pandemic. For organizations, many are faced with declining revenues and profits, workforce furloughs, customer upheaval, project delays, supply chain disruptions and more.
Our dealings with the pandemic have, however, taught us a few things. First, work from home is not a fad or a short-term accommodation; it is the way more and more people will work in the future. Second, work from home has very important security implications, and these are going to entail conversations about budgets and resources. And third, those conversations are not going to be easy ones. Not for cybersecurity executives, CEOs, board members or chief financial officers (CFOs)—not when so many organizations’ business opportunities have been severely constrained, or, in many cases, their businesses are hanging by a thread.
The good news is that we are seeing indications that organizations understand the increasingly strategic role of cybersecurity in this era of the so-called “New Normal.” Since the pandemic erupted, I have not had a single executive tell me that their organization’s cybersecurity budget has been cut. Although I assume that people are being honest with me, I’m not naïve enough to think that this apparent commitment to holding the line against cybersecurity budget cuts will last unless a few important steps take place.
Let’s Talk: The Right Way and the Wrong Way
Anyone reading this knows that cybersecurity investments must be meaningful, have executive support up to and including the board, and be tightly aligned with business goals. Frankly, those are table stakes. And the stakes just got a lot higher. In order to keep our organizations, our employees, our customers’ data and our most valuable digital assets secure, we must rethink the way we all talk about cybersecurity. Without the right conversations, CISOs, CEOs and board members will struggle to find the spending level that balances fiscal responsibility against security’s value as a business enabler.
After having conversations with hundreds of CISOs and business executives about the disruptions this year, I’ve learned valuable lessons about the right and wrong way for those groups to talk to each other about security spending:
First, the wrong way: Talking about doom and gloom, FUD (fear, uncertainty and doubt) and avoiding disaster caused by draconian cuts to the cybersecurity budget. Board members and CEOs occasionally take a perverse interest in the data breach stories of their competitors and in other industries, and CISOs often fan the flames of those fears in hopes of landing more funding. But those talks rarely, if ever, result in maintaining necessary spending levels for cybersecurity. That’s because cybersecurity is cast as insurance, as disaster avoidance, as a moat around the castle keeping out the bad guys. That’s a mindset that is still too prevalent in many business meetings, and it marginalizes both the cybersecurity function and the role of the CISO.
Then, there’s the right way: Talking about cybersecurity not just as a technology—but as a business enabler. When it comes to cybersecurity budget and cost reduction, engagement must happen at inception. Making security an afterthought, bolted on after products or services are rolled out, or equating it with insurance, actually costs money…and not just in the long run. Fixing security issues that surface late in the process, because the security team wasn’t clued in earlier, usually results in quick fixes that address only the most critical problems so as not to hold up a release; the rest is deferred and accumulates. You have to demonstrate the value of cybersecurity to the business, rather than treat it as a set of piecemeal solutions whose costs add up. This is far more persuasive when you can measure cyber risk. I would urge all CISOs to read Richard Seiersen’s article, which gives clear examples of how to achieve this.
Is Cybersecurity Your “No Team” or “Yes Team”?
When your organization fails to include the CISO and their team in the loop from the very start of business conversations, you put them in an unenviable spot: You make them the “No Team.” And I don’t know of many people who relish being on the “No Team”:
- No, you can’t let employees use their same passwords at home as they use at work.
- No, you can’t extend access privileges to part-time workers.
- No, you can’t release the new smart-home product because that sensor can’t support the security controls it needs.
Instead, think of how to position cybersecurity as the “Yes Team.” Think of the sense of empowerment to your business when the team adds value to the business, and makes it more agile:
- Yes, you can expand work from home policies to all employees.
- Yes, you can enable customer self-service on account transfers from mobile devices.
- Yes, you can roll out that sensor-based inventory management system.
Whether the CISO and their team are positioned, and act, as the “No Team” or the “Yes Team” depends upon a lot of factors. These include the relationship the CISO enjoys with the CEO and the board, the trust developed among the parties, the extent to which the CISO takes a business view of issues rather than a technology-centric perspective, and many more.
But if the CISO has the foresight, discipline and cultural awareness (read: political savvy) to be an enabler, a problem-solver, a facilitator and a business visionary, he or she will take the key step toward building the perception of their organization as being the “Yes Team.” And when you become a “Yes Team”, your budget discussions become a lot more strategic, and a lot more fruitful.
Of course, becoming a “Yes Team” is a lot easier when the technology teams and the business units rally around a common goal—or, in this case, a common enemy—to support a more digitally secure organization. Take the work-from-home (WFH) paradigm. People had been working from home to varying degrees for a while, but COVID made it the new reality. And what we all found out very fast is that WFH could become a snake pit for employees, suppliers, partners and contractors if the right cybersecurity frameworks were not in place.
The same thing has become evident in cloud services, which are experiencing stratospheric growth across the board in businesses—including, interestingly enough, the development, deployment and support for cybersecurity services. The cloud’s potential for delivering cybersecurity has been understood for some time, and now it is becoming a reality. COVID may have accelerated these trends, but the collaboration throughout the organization in response to the pandemic has helped remake cybersecurity into the “Yes Team.”
Changing Rules, Changing Roles
For all of us, our organizational roles and priorities have undoubtedly evolved as the pandemic has lingered and its impact has expanded and deepened. Take the CISO, for instance. With security budgets increasingly moving away from the centralized control of the CISO and now residing at least in part with business units, CISOs have been working to build tighter relationships with business executives for some time. COVID has accelerated that to the point where the CISO now acts more as a trusted advisor to the business.
The CEO, of course, is still singularly focused on big-picture issues and strategy. But now corporate strategy necessarily includes cybersecurity, done in concert with the CISO and others. CEOs have had to embrace a new skill set, a new vocabulary and a new perspective on where cybersecurity fits into the budget picture.
CFOs unquestionably care more deeply than ever about cash management (cash preservation, actually) and driving operating profit amid increasing market uncertainty. But the CFO has often been tasked with being on the cybersecurity team, especially as it relates to the essential risk management functions of compliance, legal and governance. And has there ever been a risk management challenge as meaningful as COVID?
We all have to find a way to work together to identify, protect against and remediate cybersecurity risk. Many business leaders recognize that cybersecurity is more important than ever in an era of remote work. But with an uncertain economic landscape, it is critical to get alignment on the dramatic shift businesses have to make, sooner rather than later. Don’t wait. Don’t procrastinate. Don’t put off the occasional hard conversation. You may be surprised. At the end of the day, you want to build out your “Yes Team” to drive the organization toward safety and security, and having the proper investment and budget is absolutely essential. So go for it.
Matt Gyde is Chairman and Chief Executive Officer at Foresite MSP.
This article is excerpted from Matt’s chapter in the book Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers, Third Edition.