Learn to manage upwards and get your security needs met.
One of the hardest things IT workers deal with is talking to your boss about Cyber Security. Maybe you report to a manager, a director or even the C-Suite itself. Regardless, this can be a struggle owing to the fact your boss probably doesn’t know, much less understand a lot of the concepts that you’re discussing.
Compounding things even more, their time is valuable, so you’re going to need to manage upwards. You may have to make the pitch in just a few minutes, which can fluster some people. And while you may have a singular focus within your organization, your boss is likely juggling several.
Before you can even begin the conversation, here are some things you should be doing:
- Make sure you spend time rehearsing what you’re going to say. I’m not telling you to stand in front of a mirror like an idiot, but at least read over it several times and make sure you are familiar with it.
- Work on your elevator pitch. If you had 30 seconds to explain, what’s the most concise way to do it? Doing this will help you determine what the most crucial elements of your pitch are.
- Make sure you bring data. Bosses don’t want anecdotal evidence, they want numbers. Can we afford to take our systems offline that long? Is this a sunken cost? Will this disrupt other workflows? Data can help you answer those questions. Guesswork won’t.
Once you’ve prepared to have the discussion with your boss about cyber security, it’s also good to remember exactly what your objective is. For all intents and purposes, you’re now becoming a salesman (or woman) and your goal is to get your boss to buy in to what you’re selling. This isn’t an ask, it’s a negotiation. Don’t come in hoping you’re going to get his support, come in confident. This is a big deal. Then demonstrate why with proven facts and numbers.
Here are five more tips for talking to your boss about cybersecurity.
1.) Establish Some Basic Facts
As you start this conversation you’re going to want to establish a few things right off the bat. Lay the foundation by citing a few proven facts about what you’re asking for. Don’t overdo it, but try to pick two or three impactful facts – things that relate to the industry you’re in, or that pertain to competitors. Make sure your boss understands the implications of lagging security, which is what your organization could be opening itself up to if you don’t act.
RELATED: 2018 Cybercrime Statistics
2.) Be ready to do a cost/benefit analysis
Your boss and you have different objectives. Yours is cyber security-based. It’s your job to keep the network safe and your systems up and running, which requires both a reactive and proactive approach. Your boss, on the other hand, is likely more concerned with being profitable and growing the company. You’re about to ask him to invest in something you need, so be ready to explain what the costs would be to do this, and what it might cost if you don’t. Again, this is a good place to have data to back up your claim.
3.) Bring up Compliance
Depending on where you’re located, there are rules and regulations you must abide by. Whether its HIPAA, PCI DSS or the upcoming GDPR, nobody wants to get slapped with fines and other penalties for not being compliant. Make sure your boss is aware of what your organization’s responsibilities are and what impact failing to follow them would bring. Afterwards, you may want to document that you informed your boss of the regulations and rules that the company might run afoul of. Just send a quick email to your boss, recapping your conversation. That way if heads roll because of compliance issues, your butt will be covered.
RELATED: GDPR Penalties coming by year-end
4.) Identify the biggest gaps in your security
Ideally, you should be running regular scans and penetration tests on your digital infrastructure. This will help inform you where the biggest vulnerabilities are. Take this information and categorize it by order of severity. This will help inform your boss about where the fire is and what it would take to put it out. Remember, you may not get everything you ask for. So prioritizing the gaps in terms of severity can make sure you get the most critical things taken care of.
RELATED: How to perform a Risk Assessment
5.) Make sure your boss can effectively explain things to his boss
This may not apply to some of you – you may be pitching your ideas directly to the C-Suite or the Board. In which case, I’ve done all I can for you. But oftentimes, your boss may not be the decision-maker. Your boss may need to take it to their boss to get approval. Remember that elevator pitch we discussed earlier? That’s a good guide in terms of identifying the key information your boss needs to take away. Try not to use too much technical jargon, focus on benefits and costs and make sure you have at least one or two important statistics or facts that they can internalize and repeat. Also, don’t be afraid to repeat yourself occasionally. Repetition, when done tactfully, really drives home a point.
It’s easy to overlook IT and the rest of the people who do the behind-the-scenes work on your systems and infrastructure. That’s largely owed to the fact that other people have no idea what you’re doing, much less talking about. But it’s important that your superiors understand what a critical component of their business you are. You are literally all that stands between your organization and a breach or attack. According to the National Cyber Security Alliance, 60% of SMBs that are the victim of a cyber-attack go out of business within six months of the incident. Larger companies tend to fare a little better, but they do take a hit to their reputations and are oftentimes fined or penalized.
Your boss needs to understand the stakes. And you’re just the person to explain it to them.
As always, leave any comments or questions below…