Recently, I helped a friend who was leading the charge to increase his budget for information security/cybersecurity at his company. We had met for a beer to chat through some of the things he was considering, and he was picking my brain for ideas on how to convey his informed opinion on what he hoped to acquire for his company in 2019.
On his wish list, he had a multitude of new InfoSec tools, a headcount increase, some hardware upgrades, a vendor risk management program, and, as he called it, “things and stuff.” I gave him some additional items to add to his list and some information on the items already on it. Shortly after, we moved on to chatting about football, kids, and fishing.
About two weeks later, I ran into him at the grocery store. After we exchanged a few pleasantries, I asked him how his request went with upper management and the corporate board. He shook his head and looked a little dejected. He said that they were reviewing his requests, but that they did not want to make that much of an investment in “IT projects.” By that, they meant that they had recently made some improvements to the data center and their website.
He thanked them for their consideration and left the meeting.
My friend made a monumental mistake in doing so. He failed his company by not showing his managers and board members that information security is NOT an IT problem; information security has a stark business impact. Instead of presenting his case the way he did, my friend needed to frame his project overview around the potential impacts on the business if information security were not handled the way he suggested for 2019. He needed to show his senior management and board that these things are business problems and business liabilities if left unaddressed or underfunded.
My friend’s managers and board members need to be educated that if they assume information security improvements only affect the IT department, they’re missing the big picture. Your managers and board members may be struggling to see the same thing. What these people fail to see is that an improved information security plan also improves the manufacturing part of your business, sales, marketing, accounting, and customer service.
Business leaders across the globe can be blind to the fact that the entire company may easily be dismantled by a significant breach. Sure, a breach may happen to land on gear belonging to the IT department, but that really is the extent of IT’s ownership. One single breach can wipe out or ransom your company’s precious data, it can do the same with your financials, and you can suffer irreparable reputational damage. None of these things are an IT problem. Not one.
The Business Impact
If you are like most small-to-medium businesses, you have invested your heart, soul, and kids’ college funds into this business. It’s worked so far, but misinterpreting information security as an IT problem, rather than something that can make a dramatic business impact, puts you (or your employer, in the case of my friend) at risk of massive failure.
The obvious business impact of a breach is the cost. If an attacker is after your money, it may be impossible to get that back. On top of that, you’re paying employees or a consultant extra to be unexpectedly all-hands-on-deck to remediate the issue. If it’s bad enough, you may even need to employ lawyers to represent you. And none of this includes the fine that may be incurred from regulatory bodies. The cost of a breach alone is enough to cause many small and medium businesses to permanently close doors.
Reputational damage is harder to measure, but it certainly impacts your organization financially in some way or another. The truth is that consumers have a hard enough time trusting brands in today’s world. Imagine what might happen to your loyal customers if you had to beg for their forgiveness for leaking their personally identifiable information into the wrong hands. They may well take their loyalties (and their cash) with them.
A breach’s business impact extends far beyond actual dollars. Certain breach consequences are immeasurable, but still incredibly impactful. Important data may end up in the wrong hands or end up lost entirely. Things like trade secrets, intellectual property, or sensitive employee data being lost or stolen would be detrimental to your organization. Machines may be ransomed, causing downtime. If you’re manufacturing products or rely on computers for employees to do their jobs, your business’s efficiencies will come to a screeching halt. These are just a few examples.
Realize that your entire business depends on proper information security, not just your IT department. As you are wrapping up your budgeting efforts, don’t make the mistake of believing that the issue is up for negotiation or reprioritization. Just because you purchased some network switches last quarter and now need to show some love to the marketing team does not mean that your information security efforts should suffer.
Protecting your business operations from cyber threats is one of the most important things you can do in the new year. If you are not seeing the entire threat picture, and if you are not taking steps to protect the business (the entire business) from disruptive events, you are putting every effort you’ve made to grow your business in jeopardy. Information security isn’t an IT issue. Instead, it is an important business decision that will help guide your business to a successful new year.
If your business needs assistance understanding its security landscape and creating a roadmap on what to make investments in to improve your defenses, reach out to FRSecure. A security risk assessment like the FISASCORE can give you an understanding of your information security situation and will give you the tools needed to make the proper investments in information security for your company.