4 tips to increase executive buy-in
When it comes to communicating security concerns and the critical threat that cyberattacks and subsequent data loss pose to business, one of the core challenges that CISOs continue to face is bridging the considerable knowledge gap amongst senior level stakeholders.
Too often, organisations believe they have a comprehensive disaster recovery (DR) plan in place, accounting for and mitigating all potential risks and ensuring sufficient provision for a rapid return to ‘business as usual’. But often the risks, in terms of interrupted service, loss in revenue, potential supply chain disruption and damage to reputation, are not fully understood.
With the frequency and impact of cybercrime growing each year, as well as the inevitability of hardware failures and other outages, having a comprehensive disaster recovery strategy in place and the ability to persuade senior management to increase budget allocation where needed is absolutely critical.
So, in terms of ensuring disaster recovery plans are complete, how can CISOs improve their chances of getting senior executives on board with a budget increase before a data centre interruption impacts the business?
A starting point is to join the dots between tech failure and business performance - to reframe technology concerns around potential commercial impact and loss of business opportunities - and beyond this it is about education. Here are four key strategies for CISOs to consider that will deliver vital context to address the IT knowledge gap amongst the C-Suite, to enable greater comprehension and buy-in to conversations around DR budget:
Communicating Commercial Impact – communicate “risk mitigation” and “revenue impact” over “IT recovery”
C-level executives preside over risk mitigation and the protection and delivery of revenue opportunity within the business. So, it is critical for CISOs to adopt the same vocabulary and to talk in the same commercial terms that will resonate. When discussing IT recovery plans, security professionals must highlight the risks of losing hundreds of thousands of pounds in revenue due to the interruption of a mission-critical application. And the causes of outages should be fully explained and prioritised in terms of probability and severity of commercial impact. There are hundreds of resources available around this now, as well as almost daily news stories highlighting severe business loss and closure; you don’t have to search hard for companies experiencing cybercrime-caused outages to find a recent headline as an example.
Then ask executives to evaluate and prioritise the most critical parts of the business – or the risks they would be willing to mitigate versus the risks they are willing to accept.
Ultimately, by working closely with the C-Suite, security professionals should aim to deliver an evolving programme that starts by addressing the highest probability and highest impact risks.
Business Resiliency - strike the term “disaster” from your vocabulary
One of the core issues when it comes to communicating technology concerns to a business audience is the use of appropriate vocabulary and the ability to communicate context. Tech-rich terminology will immediately switch off those that don’t understand it, and ambiguous references that don’t adequately explain the impact to business or the everyday prevalence of security threats will fall on deaf ears.
In terms of disaster recovery, the word “disaster”, for example, is often associated with low probability events such as a widespread outage due to an earthquake, flood or act of terrorism, and fails to adequately communicate the prevalence of data loss events.
In reality, however, most downtime is caused by mundane, everyday events such as hardware failure, human error, severe weather or power outages. This has become even more the case since the pandemic has driven widespread adoption of hybrid and home working. As employees work remotely with greater frequency, employee-based incidents are increasingly on the rise, wreaking havoc on IT environments.
By removing the word “disaster” from conversations with senior management and discussing business resiliency in terms of high probability data loss events, CISOs are far more likely to grab the attention and focus of the C-Suite.
Outline Business Continuity and Business Growth benefits
While it is important to outline and fully explain the risks around data loss, communicating the benefits of IT recovery will augment pitches to the C-Suite and, in articulating continuity and growth, will deliver greater impact and leverage in securing additional resource commitment.
Gaining competitive advantage, meeting supply chain demands, meeting service-level agreements and meeting regulatory and compliance requirements are just a few to start the conversation. Investigating and delivering cost-effective options to enhance recovery after downtime can also enhance C-Suite buy-in, such as software-as-a-service partners that offer different tiers of application-as-a-service and charge higher price points for the additional benefits of disaster recovery features. Faster recovery means mission-critical, revenue-supporting applications stay up, but the organisation can also turn IT recovery into a revenue generator.
Identify Specific Solutions
Lastly, it is important to recommend which specific applications require an active recovery plan rather than simply outlining where management needs to spend more money on IT recovery. Pointing to a specific, proven and comprehensive solution that meets IT recovery needs not only creates greater understanding amongst executives, it also justifies the investment.
In today’s competitive environment, the consequences of data loss for business are dire: downtime, lost productivity and long-term reputational damage deliver significant blows to business performance and potential. Only by ensuring that an organisation has a comprehensive, multi-layered approach to IT recovery can CISOs help improve business resilience to high probability threats and quickly respond in the event of data loss or theft.
Achieving critical understanding and buy-in amongst the C-Suite is paramount. Educating them on how data loss will impact the various parts of the business, the possible approaches, products and support partners available, and talking in clear commercial terms, will deliver the greater knowledge and context required to secure this critical investment and buy-in.