3 ways to advocate for data security at your company
There’s an unfortunate tendency among many businesses to rank data security well below other functions. It’s a familiar story: firms slash resources at the first sign of a budget shortfall and otherwise invest anemically in security personnel or tools. “If we’re in compliance with industry rules or regulations,” says leadership, “that’s enough.”
But it’s not enough. Often, those rules and regulations are slow to adapt to a turbulent data security landscape. Still more often, organizations aren’t as compliant as they imagine themselves to be. But most crucially, every business has a unique set of risks determined by its particular goals, assets, resources, and challenges. If a security strategy isn’t tailored to the needs of a given organization, there will be cracks in its armor – and likely big ones. By taking a generic or low-impact approach to security, companies expose themselves and their customers to serious risks, which can result in big costs to both their reputation and the bottom line.
As cyber attacks grow more common and more sophisticated, businesses must make data security a priority. But often leadership is resistant. How can you advocate for stronger security within your organization? Here are three steps you can take to make the case.
1. Speak with top-level executives
To achieve meaningful change, it is increasingly necessary to engage directly with top-level executives and share your security needs and concerns with them. Try to initiate an ongoing conversation with your CFO and CEO to address the needs of your organization.
Often, security advocates spend a lot of time seeking the funding for the latest security technology, and these are the requests senior leaders are most used to hearing. Sometimes they’re wary due to past experiences with inadequate technology. Yet the most important resource for so many organizations is the right people. Starting a dialogue about your need for experienced and current security professionals may not only get more traction, but also benefit the security function much more than a given tool.
2. Demonstrate the consequences
The consequences of a major data breach are many and varied. While you shouldn’t use “scare tactics,” it is important to help senior leadership make an informed assessment of business risks.
One challenge in this effort is that it is difficult to provide a concrete measurement of cost savings through security investment. These decision-makers are often accustomed to thinking in terms of return on investment, but security investments don’t make for so straightforward an equation as traditional ROI calculations.
Don’t let this dissuade you, however. An in-depth risk assessment conducted by a qualified third-party assessor will reveal your organization’s unique risks and help you make the most knowledgeable decisions possible.
What’s more, current events can help you make your case. In the wake of today’s nearly continuous series of high-profile breaches, from Sony Pictures Entertainment to Anthem, more senior leaders are recognizing the gravity of data security issues. From serious penalties to tarnished brands to loss of public trust, the consequences can be sobering.
3. Be consistent and measured
Advocates for data security can run the risk of sounding like Chicken Little, always warning of falling skies. Make sure your warnings are grounded, identifying both specific threats and the particular impacts they might have on your business. The more measured you are in your warnings, the more credibility you will build.
Similarly, develop consistent and specific reporting. Conduct annual risk assessments, in line with industry best practices. These will help share a picture of your company’s evolving needs. It can also be helpful to share metrics on a more regular – perhaps monthly – basis. One useful number to report on is security events: all irregularities your team must follow up on. This number is typically higher than decision-makers recognize.
With persistence, these strategies will help encourage a culture of more robust security in many organizations. It’s hard work, but it can truly pay off for your business.