How to Sell Cybersecurity Solutions to Management... Before It’s Too Late

When Yahoo announced recently that almost three billion user accounts were impacted by a security breach back in 2013, about two billion more than initially reported, it quickly became clear that anyone who has ever had a Yahoo account was most likely affected. For many in the IT industry, news of such breaches and hacks among some of the biggest, seemingly impermeable companies – think: Equifax – creates a new urgency, a call for better, more effective preemptive measures. As such, more and more IT managers are having to find smart, creative ways to sell management on much-needed cybersecurity solutions in order to prevent breaches before they happen.

According to a new survey from ReportLinker, a French technology company with offices around the world, opinions about cybersecurity have actually shifted since last year. Not only do almost half of all Americans feel unsafe online, says ReportLinker, but those surveyed also revealed that their awareness of these issues stems largely from high-profile cyber-attacks, like the ransomware attack that paralyzed San Francisco’s transportation system late last year.

Richard White, an expert in the fields of cybersecurity infrastructure, remediation and program development, explained to CompTIA that even as security threats become much more sophisticated globally, and require new, more sophisticated preemptive measures, one of the biggest risks to any company is the employee.

“Deliberate, malicious actions, accidents, use of systems, and general behaviors are very difficult to mediate,” said White, the author of Cybercrime: The Madness Behind the Methods. “Having a codified set of policies and procedures, coupled with a well-trained workforce, goes a long way in lessening the damage that can potentially result from external and internal threats.”

As the former Chief Information Security Officer for the United States Capitol Police, and managing director for Oxford Solutions, a cybersecurity company in New York, White has delved into his fair share of cybersecurity failures in hopes of pinpointing weak links and rethinking strategies that work toward prevention. Among the lessons he shares with his classes in cybersecurity and information assurance at the University of Maryland is that prevention is key, even though not every breach can be prevented.

“The practical recommendations are focused on prevention, detection and response,” explained White. “Using a framework such as NIST will help to ensure that all of the aspects are covered, or at least understood from a risk management perspective. Having the capability to prevent some and detect nearly all will lessen the time the hacker has on target, which clearly equates to a more rapid and accurate incident response.”

But he said that if cybersecurity is not taken seriously now, we open ourselves up to increased risk, public loss of confidence, regulatory issues, compliance concerns, and many issues associated with increased costs and legal issues.

Often the financial setbacks associated with regrouping after a breach can be an effective selling point to management that may not always be eager to invest as much as they need to in cybersecurity measures before a breach happens. But like most experts, White cautions that cleaning up a mess is always more costly, not only in terms of technology, but also brand image and customer trust – perhaps the two biggest risks we face well into the future.

Here are three ways to sell decision-makers on why it’s essential to invest in cybersecurity measures:


  1. Do the math: Illustrate that recouping after a breach is far more costly than investing in security measures before a breach happens. Add to this the cost of regaining customer trust and rebuilding a brand image – two things not easily quantified.
  2. Be blunt: Don’t go light on the seriousness of the issue, and let management know the risks that exist to exposing data and customer information to the dark web. The time and money it takes to clean up after a breach often makes the early investment into prevention seem that much more reasonable. 
  3. Emphasize training: Because employees are often a gateway for hackers, let supervisors know why ongoing training is essential – not only to ensure that users have a better understanding of how to use technology, but also so they understand what not to do to invite breaches.


More Internet-Enabled Devices = More Challenges

Robert Servian, a lead IT administrator for a private college in Philadelphia, said that much of his cybersecurity focus these days is on the Internet of Things (IoT). It has truly changed the way he and his team approach security.

“As more devices become internet-enabled, and at a college campus this is usually at least two to three devices per person,” he explained, “hacking through them can be very effective.” Because he estimates that most of the popular devices are unsecured or poorly secured, hackers can directly exploit them and use them as gateways into the network. And this can have damaging results.

One of the biggest threats Servian must wrestle with is phishing: fraudulent email messages that appear to come from legitimate sources, like a bank or school. “It’s the easiest way to steal someone’s identity or to actually install malware to infiltrate an organization’s network, where they can get all sorts of confidential information,” he explained. A lot of people – especially students – are apt to fall for these scams, which leaves the school open to endless risk of breaches.

That’s why Servian helps to protect the college’s networks by keeping his skills current with certifications like CompTIA Security+ and CCNA Security from Cisco. He said that taking preventive measures can have an enormous impact on keeping data safe, but there are some challenges.

“Educating the general public is a daunting task,” he admitted, “especially in the workplace. People have a lot of responsibility and do not want to have to change how they do things to be more secure. Most of them hardly believe you when you send out department or company-wide memos about secure practices. Ultimately, the end-user just wants the problem gone and they don't care to learn to fix it themselves.”

As such, finding new ways of training employees has become an important part of the overall cybersecurity plan at this college – and one that doesn’t have a deadline.


Boardrooms Are Waking Up – Finally

Even as challenges persist in building the most effective, comprehensive and secure cyber-environments, White actually thinks more people – including the executives who can fund these measures – are wising up to the need for cybersecurity protection.

“It is more common today to see cybersecurity as a line item on the boardroom agenda,” he said. “CEOs and board members are quickly realizing that cyber is a worthwhile and critical topic that requires involvement from all facets of the organization, from C-suite and legal to HR and finance, etc.”

And while more decision-makers than ever are adopting measures to protect both data and reputation, there are still ways organizations can improve compliance with their own policies, no matter what size the network.

“Employers can ensure that all employees have a good understanding of the enforced organizational policies and procedures,” White explained. “Organizations should train all employees to understand the most practical elements of cybersecurity within the general context, as well as within the context of the organization’s policies and procedures.”

He said every employee, regardless of seniority, should consider these five steps that IT managers can share companywide:

White said that if the Yahoo breach can teach us anything, it’s that data breaches are becoming far more destructive and widespread than the industry may have ever wanted to admit. It’s also why when an attack occurs, he said, “the victim organization must bring in qualified incident response personnel that can accurately and comprehensively determine the vector, extent and containment of the breach.”

Headline-making incidents have changed the way everyone thinks about issues like identity, finance and wireless computing.

“It is not uncommon for experts to uncover additional breach details after the initial public reporting is made,” added White, “and in the Yahoo case the number of hacked accounts has grown to three billion, an astonishing number even for the seasoned cyber professional.”

To get more engaged in cybersecurity today, click here to learn more about CompTIA’s IT Security Community.

Natalie Hope McDonald is a writer based in Philadelphia.