Now that we have officially started 2019, the headlines are already rolling as to what the new Cybersecurity landscape will look like.  As I have described previously from last year, one of the biggest issues will be about the C-Suite accountability.  Last year, there were many issues with regards to holding the CIO, the CSIO, the CEO, etc. responsible for the Security Breaches that took place at their organizations.

Some were fired, some faced huge stiff penalties.  This issue will go onto this year as well, as Corporate America tries to figure out who in the C-Suite is accountable for what, and who reports to who in terms of Cybersecurity.  But as all this is being worked out, there is still one key issue that the IT Security Manager and their staffs have to realize: 

No matter who is responsible for what at the C-Suite, you still have to get approval from your CIO or CISO to move forward with any Security plans that you may want to implement.  In other words, it still your responsibility to show what the value that your ideas and strategies bring to the table, and how it can overall benefit the business or the corporation.

You want to build a strong Cybersecurity culture so that you will get the eventual buy in from the C-Suite.  In fact, two Cybersecurity organizations, known as “ISACA” and the “CMMI Institute” just conducted a rather lengthy study on what it takes to build up a strong Cybersecurity culture not only with the C-Suite, but with your other co workers as well. 

This report can be downloaded and viewed from this link:

Here are some of the key findings of this survey:

*27% of the respondents felt that “a lack of senior executive buy-in or understanding” is key impediment in building a strong culture of cybersecurity:

Yes, it is true that the C-Suite needs to be much more technically grounded in the Cybersecurity landscape that they are currently facing.  But this is something that they have to individually address, it cannot be up to you do this.  Rather, your responsibility is, as mentioned before, to get that buy in from your CIO or CISO.  This is obviously a huge mountain to climb and conquer, but it can be done.  So how do you do this?  Keep it is simple, really.  In a one-page document, show the following:

*What Security methodologies and tools are currently working;

*What is not working;

*How you plan to fix the above.

In this instance, you are showing that not only you have taken initiative to do the grunt work, but that you also understand the business risks; how to measure them; as well as communicate those risks effectively so that your CIO or CISO can understand what is going on in less than five minutes. In this case, having some visuals, such as an infographic, might be prudent as well.

*29% of the respondents felt that “a lack of funding” is key another key obstacle in building a strong culture of cybersecurity:

OK, now you have the buy in from the C-Suite on your ideas and strategies as to how to beef up the lines of defenses at your organization.  Now the next bridge to be crossed is actually getting the money you need to put all of those items into action.  It is important to keep in mind at this point that the with the C-Suite, Cybersecurity is still considered to be more a side issue, rather than being a main issue that needs to be addressed.  For instance, all they care about those activities that are the revenue generators.  Spending money on Security Technology in the eyes of the C-Suite, is not a revenue generating process.  So, in this instance, you need to prove that if your ideas and strategies for increasing the levels of Security at your organization are not implemented, there will be some real costs that will be incurred in the event that you were hit by a Cyberattack.  In other words, you want to get the C-Suite to get out their short-term ways of thinking, and into the long term, as Cyberthreats will never magically just disappear.  The bottom line is that you need to prove to your CIO or CISO that there is real value to your propositions. An effective way to do this is once again create a one-page document with the following components:

*Show where the money is currently spent on Cybersecurity initiatives and the technologies that are needed to support them;

*Demonstrate where the weaknesses and the vulnerabilities are in your current lines of defense;

*Show how the requested money will be deployed to further fortify the current lines of defense.  Once again, show a graphic or a pictorial as to what the costs will could be if you were hit by a Cyberattack.  In this case, using the proverbial fear factor will be a very powerful tool in your arsenal.

There is one thing to keep in mind here as well.  There are economic predictions that there could be a slowdown in Corporate America, which could even lead to a recession.  If this does happen, Cybersecurity will take a back seat.  But it is up to you try to move it back up to the front seat.  For example, the current way of thinking in Cybersecurity is that if you spend more money on deploying more Security technologies, you will be 100% protected from a Cyberattack.  But this a critical flaw in thinking.  If you follow this approach, you are simply increasing the attack surface for the Cyberattacker.  For example, instead of showing how spending money on one firewall is more effective than spending money on four firewalls to do the same job.

*43% of the respondents felt that “executive champions who speak up for security” is a critical factor in building a strong culture of cybersecurity:

If you’ve made it past the first two, then you can almost bet that your CIO or CISO will be your unequivocal voice for vouching for your future ideas and strategies.  But keep in mind not to take advantage of this; rather, the best way to keep and maintain this kind of relationship is to demonstrate what you just need in terms of funding and a little bit more.  Never go beyond that.  Remember, your CIO or CISO want to keep their jobs as well, and they also have to ultimately report to the CEO.  Any extra, frivolous spending than what is really needed will be a huge red flag.  But this can also be very subjective, as the Cybersecurity threat landscape is always changing by the hour, and you can never know for sure what you will really need except for that particular point in time. 

So, there you have it, three ways in which in you can further enhance the level of the Cybersecurity Culture at your organization in 2019.  But as mentioned, Cybersecurity is just one area of risk that the C-Suite evaluates in their meetings.  At the same time, they evaluate other kinds of risks as well that impact the bottom line.  Try to make your point in no more than two pages (less is even preferable).  As far as possible, never show any forms of qualitative data.  The C-Suite wants hard core numbers, and how they will ultimately bring value to the corporation or business.

Finally, yes, the C-Suite does need to be much more accountable for the Cybersecurity of their organizations, and they do need to take a much more proactive approach in understanding the technical details of it all.  The numbers can’t speak for everything.  But that is the job for the Board of Directors to handle.

Your job as an IT Security Manager is to win the heart of your CIO and/or CISO, and get the money you need for your Cybersecurity initiatives.