No modern business survives without IT, which makes security incidents a business-wide management issue rather than an IT problem. By positioning security alongside finance instead of inside the IT department, security risks can be seen for what they are: business risks. But how do you convince your board and change their perspective on security?
Firstly, convince your board of the risk of being hacked by presenting calculations that translate each plausible risk into its potential business impact. Secondly, ask the board members: what is the place of security in this company? Today IT does security on the side, next to maintenance and licensing subscriptions. Shouldn't we regard security as a vital part of the business and therefore as a major business risk? The answer is without a doubt 'yes'.
Learn to speak ‘board language’
To argue this stance effectively, find the support you need. Make sure the people who will have to learn new methods and implement new processes – your developers and security professionals – are up to speed and confident that time and capacity will not stand in the way. Involve all the business unit managers, ask them about their risks, and translate these immediately into possible implications in cost and time. The broader your backing across the organization, the more likely the board is to feel the urgency to invest in new security measures. It is up to you to translate the needs of others in the organization into the language of the board.
What happens after a hack?
Another effective way of talking about the risks and consequences of being hacked is discussing who is involved. The question 'what happens after a hack?' has no easy answer. The list of people and expertise involved is long, and so is the list of potential impacts. Here is what can happen after a hack:
- Intellectual property loss
Sensitive data, client lists, business patents, and product information.
- Legal costs
Including fines, costs for defence (in court) and possible compensation.
- Loss of reputation
A decline of market value and trust of customers and partners.
- Time and administrative costs
Investigating and recovering from the breach, as well as communicating with all parties involved, such as the authorities, clients and the media.
To limit this damage, security, development, IT and management all have to act immediately, first assessing whether the suspected breach is in fact a hack. If it is, an incident response plan has to be executed, triggering cascading communications between the internal teams and all affected clients, partners and shareholders. Managing a breach may also require involving the authorities, regulators and, if necessary, the media.
So managing the aftermath of a hack requires a lot of preparation and coordination. The list above illustrates the effort required of everyone involved. It highlights the ripple effect of a (potential) hack and gives you a reasonable estimate of the time and money that has to be invested in restoring the organization to its pre-hack state.
This should give you sufficient ammunition to convince your board. If you feel you need more, download our free whitepaper on this subject.
Written by Zerocopter
February 28, 2020