How to Get Executive Buy-In to Adopt a Security-First Posture

Get Executive Buy-In to Adopt a Security-First Posture

September 8, 2020

Rubrik Vice President and GM APJ Kamal Brar says by tying the security strategy back to the business impact, IT leaders can help stakeholders understand the importance of investing time and resources into a security-first posture.

By Kamal Brar

Cybersecurity threats are one of the major concerns for businesses across regions and industries. The financial implications of breaches and resulting downtime are well-known and the cost to organisations is projected to compound in the coming years as the adoption of technology accelerates. Globally, businesses face a total value at risk of USD 5.2 trillion over the next five years. In Singapore, the average cost of a cybersecurity attack is approximately SGD 1.7 million per breach. This is the highest in Asia Pacific, ahead of markets such as Australia, Hong Kong, India, Indonesia, Malaysia, New Zealand and Thailand.

As cybercriminals continue to find ways to thwart installed security systems, no organisation is exempted from intrusions and threats.

IT leaders must learn how to navigate the technical security landscape by building agile and responsive teams and bring forward the business value of security to influence company-wide priorities. In order to effectively drive and advocate for a security-first posture within their organisations, tech leaders must take decisive and specific steps supportive of this goal.

Conduct an Honest Analysis of a Security Event

Whenever a security event of any kind occurs, IT teams should first seek to contain it, and then conduct a thorough incident analysis to pinpoint the vulnerabilities that were exploited and identify all systems that were affected.

Though these steps may seem obvious, the long-term positive outcomes of the event may be less so. An honest analysis of a security event can expose the weak points in a system but can also highlight the context in which the event occurred and prompt a more rigorous interrogation of existing security measures.

Corporate IT teams may be aware of the need to evolve their security strategy, but conflicting priorities and lack of resources can sometimes push this goal to the back burner. Often, it is only when the IT team is confronted with an event that security becomes a top of mind concern.

A cybersecurity breach can bring issues that have been overlooked, like data replication or the company’s disaster recovery programme, to the surface and demonstrate the need for a more urgent response.

A deep dive into existing security architecture might reveal a need for re-evaluating SLAs, improving RPOs, and minimising manual processes, as well as prompting holistic reprioritisation of security’s role in the company’s IT framework.

Security-First Posture

A security-first posture prioritises proactive approaches to security.

Improving visibility into all data and assets, as well as ensuring that data is clean and easily accessible for the users who need it.

Implementing employee training programmes, often bringing in third-party speakers and consultants to provide additional perspective.

Communicating regularly and openly with employees about what processes are changing, and what the anticipated timeline looks like for those new processes to take effect, in order to mitigate productivity loss.

Planning regular risk management meetings that address real-life examples of various types of security breaches and take employees through simulation exercises.

Effective change management requires IT leaders not just to onboard new processes and guide their teams through smooth transitions, but also to make choices based on where they want to get to. In this way, leaders can help their teams maintain the stability they need as they track towards their overarching goals.

Securing Executive Buy-In

Formulating a new strategy is only half the battle. The next step is getting buy-in from stakeholders.

Securing executive buy-in for investment in security is, understandably, much easier to do after experiencing a security event within the company or hearing about one on the news.

The real challenge, however, is maintaining that buy-in even as the buzz starts to wane. Secure airtime with the decision-makers by focusing on three areas:

By homing in on an industry’s most common types of attack and providing real-life statistics and examples of events at similar companies, IT leaders are more likely to capture the attention of stakeholders who may downplay the likelihood of experiencing an event themselves.

Trust is everything. A company’s reputation is one of its most valuable assets, and a security-first posture gives customers the confidence that their data will be well protected, and that the company is a reliable partner. In turn, this sense of trust can yield a stable and loyal customer base.

A security-first approach means IT organisations are well-equipped to respond to a security event without significantly disrupting the team’s operations. However, if security is addressed as an afterthought, teams are forced to scramble for ad-hoc solutions. This kind of ‘fire drill’ is time-consuming and frustrating, and distracts teams from their long-term goals. Downtime can also affect functions beyond IT by preventing other organisations from working, thereby affecting the company’s overall productivity.

By tying the strategy back to the business impact, IT leaders can help stakeholders understand the importance of investing time and resources into a security-first posture and can maintain executive buy-in even when the potential of a security event may not feel particularly tangible.

As a whole, IT leaders ought to think of their strategy as a reflection of their business’s vision, their team’s priorities, and their company’s culture. The shift to a security-first posture is an essential element of becoming a reliable, adaptable, and forward-thinking organisation.

(Ed. Featured image by Photographer


Leave a Reply

Your email address will not be published. Required fields are marked *