How to Get Board-Level Buy-In for Cybersecurity Awareness
It’s October, which everyone knows means time for trick-or-treating, pumpkin-spiced everything and cybersecurity awareness. Ok, possibly you didn’t immediately think of that last part. However, October is Cybersecurity Awareness Month, and with it comes the announcement from the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cybersecurity Alliance (NCA) that this year’s theme is “See Yourself in Cyber.” The goal is to highlight that whether one works in network security or is exclusively an end user, everyone has a role to play in strengthening cybersecurity.
After years of highly publicized ransomware attacks and expensive data breaches, it has become clear that organizations must allocate considerable resources to cybersecurity. This emphasis is necessary to protect company data, promote customer trust, and maintain compliance with government and other regulatory agencies. Investment in secure and resilient infrastructure and applications, such as next-generation firewalls, advanced backup and disaster recovery solutions, and IaaS and SaaS offerings, continues to increase significantly. However, broader cybersecurity awareness campaigns have yet to achieve the same level of adoption.
While most organizations acknowledge the importance of cybersecurity mindfulness, investment in and commitment to cybersecurity awareness initiatives still lag significantly behind this stated recognition. This lack of prioritization, in many cases, originates at the Board of Directors (BOD) level. There are many reasons for potential BOD hesitancy to fully support cybersecurity campaigns, but some of the more common themes, and means to address them, include:
- Budgetary Concerns – All organizations have a limit to the resources designated for security. It is often easier to convince board-level members to allocate these assets to infrastructure, applications or even additional staffing. Garnering support to assign these resources to less-tangible elements, such as security awareness training, is often challenging. Bringing the BOD assessments that demonstrate how security training aids an organization, while concurrently underscoring the costs of inaction, can go a long way toward convincing board members of the elevated ROI they will see from implementation.
- Lack of Cybersecurity Understanding – Education is vital. Company leadership will not support or approve campaigns they do not understand. It is common for leadership to view cybersecurity as an “IT issue” and not something that involves the entire organization. To raise the level of understanding, one must ensure board members themselves are involved in cybersecurity training and are aware not only of the benefits of proactive company-wide approaches to cybersecurity but also of the financial and reputational ramifications of breaches or attacks.
- Resistance to Change – Technology is evolving, and so are the threats. The modern workplace requires a modern approach where everyone is part of the solution. Ultimately, individuals, including board members, don’t like change and often want to continue doing things as they have always been done. A practical way to combat this inertia is to increase board member involvement in planning cybersecurity activities and training. When you have full board-level support for a cybersecurity awareness initiative, all employees and team members will eventually be able to “see themselves in cyber” and recognize that compliance with training exercises and policies is a core component of their profession.
When asked about obtaining board-level support for cybersecurity awareness campaigns, Katie McCullough, Chief Information Security Officer at OneNeck, advised, “At its core, cybersecurity is about assessing, managing or removing risk to the availability of customers’ critical data and services. By ensuring cybersecurity is included as part of any Enterprise Risk Management (ERM), one can typically help drive the awareness and support of these campaigns through scheduled reviews of the ERM by the Board of Directors.”
It is imperative to clarify why organization-wide cybersecurity awareness matters before bringing cybersecurity campaign concepts to the BOD’s attention. Begin by stressing that critical concepts such as data protection and a holistically solid security posture are, at their core, intelligent business decisions. This can be followed by emphasizing that awareness training provides significant ROI, with the expense of designing and implementing awareness campaigns greatly overshadowed by the cost of a breach. Finally, it is wise to highlight that the short-term inconvenience of awareness training will translate into significant long-term gains. Ultimately, the goal is to work with your BOD to answer questions and provide information so that they feel comfortable making informed decisions.
Another area to underscore to board members is that they are accountable for the organization’s cybersecurity. We see an extreme example of this accountability in the well-publicized breach of SolarWinds. In November of 2021, investors sued the BOD, claiming that the board knew of cybersecurity vulnerabilities before the data breach and subsequently failed to act.
While a lawsuit may not be the most likely outcome of a cyberattack, it nonetheless serves as a stark reminder to board members that they are ultimately responsible for how their organizations secure themselves. Having proactive board-level conversations about cybersecurity awareness helps protect the organization’s customers, profits, reputation and the Board of Directors itself.
Encouraging professional education for board members is another technique for getting board-level buy-in. Katie McCullough notes, “More and more companies are looking for Boards of Directors to consider certifications such as the NACD Certification program, which includes a certification for Cyber-Risk Oversight as an emerging area of board oversight.” Board members can use training resources to:
- Learn foundational principles for board-level cyber-risk oversight.
- Increase comprehension of key issues, including the allocation of cybersecurity responsibilities, legal implications, setting expectations about the organization’s cybersecurity processes, and ways to improve employee engagement in security practices.
- Gain the ability to apply procedures and tools to improve organizational practices by focusing on specific risk components, including insider threats, third-party exposures, merger and acquisition due diligence, and adequate risk disclosure.
Board of Directors buy-in is key to any organization having an effective cybersecurity awareness culture. For everyone in an organization to “see yourself in cyber,” the impetus must come from the top. Awareness campaigns, whether specifically designed to coincide with Cybersecurity Awareness Month or run throughout the year, will only be effective if they are supported and promoted by company leadership.
While we have discussed several strategies and potential tools that can be used to secure top-level support, the essential thing to remember when dealing with board members is that despite their lofty positions, they are ultimately still just people. Effective communication, proper education and comprehensive information on the organization-wide benefits of cybersecurity awareness campaigns will go a long way in securing board-level support and approval.