They say nothing is certain in life but death and taxes, but I’d also add cyberattacks to that list.
Cyber criminals are constantly trying to infiltrate the systems of financial institutions and other companies to steal data, install ransomware, and wreak havoc. Chances are your institution has fended off more than a few of these attacks before, but what about the next one?
That’s probably the question keeping you up at night if you’re responsible for cybersecurity at your institution. Cyberthreats and vulnerabilities are constantly evolving, and you need to keep up. Your budget does too.
But how do you get senior management to spend more on cybersecurity? When a financial institution has been successful (or lucky) in evading cyberattacks, management often doesn’t see why it would need to spend more money when everything appears to be working just fine.
Here are five tips for making the case for why your institution needs to spend more on cybersecurity.
Be specific and thoughtful. Explain the specific challenges your institution faces with cybersecurity and go through the details of those issues, including why you are concerned and how likely these events are to happen. Identify specific solutions intended to mitigate these challenges whether its firewalls, virus protection, monitoring, risk management, penetration testing, or vendor management software. It’s possible to spend an infinite amount on cybersecurity. Show that the choices you’re making are the most cost efficient and effective.
Have strong data sources. Management might think you’re Chicken Little worrying the sky is falling. Use data breach studies as ammunition in your discussion about the frequency and relevance of data breaches to your organization. Examples include the Verizon 2018 Data Breach Investigations Report and Harvard Business Review. Create a context of probability.
Speak their language. Many people glaze over when they hear technical terms, so make your conversation about cybersecurity more relatable by translating it to something else they buy to protect themselves: The typical financial institution spends five or six figures every year on various insurance policies to mitigate a bunch of scenarios that the institution has never actually experienced. The institution would save a fortune if it didn’t buy insurance, yet the board and management wouldn’t dream of canceling its errors and omissions policy. The risk the policies mitigate against is such a large risk to the organization’s health that it is worth the expense to have some protection. Explain that cybersecurity works the same way. Staying current with cybersecurity best practices is an investment in protecting the institution against loss.
Spell out the operational and reputational impact. Show how a cyber event would impact an institution from both an operational and reputation standpoint. Don’t assume everyone naturally knows how big a risk there is or what the consequences would be.Demonstrate the types of risks the organization is taking on by not spending money to mitigate them vs. the cost of halted operations, stolen data, regulatory fines, crisis communications, and other potential consequences. The more specific you can be, the more successful you’ll be in marshaling more resources for cybersecurity efforts.
Choose your timing carefully. As with everything, timing is key. Don’t just ask for a budget increase. Make your case before making the ask. Understand management’s current priorities, and find a way to link your request to the institution’s strategic goals.
Using these strategies can help you make a logical, compelling, and financially sound argument for why your institution needs more funding for cybersecurity.