How to Increase Cybersecurity Buy-In
February 02, 2021 by Loren Lachapelle
As local government agencies across the U.S. continue to be easy targets for cybercriminals, having a cybersecurity program has never been more important. Cybercriminals are looking to take advantage of organizations with immature programs and limited cybersecurity controls in place. It’s easier than you may think for criminals to hack a network and wreak havoc. While there is no silver bullet to prevent a cyberattack, those who take a programmatic, risk-based approach to cybersecurity – by implementing people, process, and technical controls – will ultimately have a good foundation and be more resilient when an attack occurs.
Cybersecurity programs don’t look the same for every organization … resiliency is not a ‘one-size-fits-all’ approach. And it’s also not simply a ‘set-it-and-forget-it’ plan. For that reason, cybersecurity has to be baked into your organization, and it must transform and mature over time. It should align with your mission, goals, and objectives, and help guide the organization towards a safer, more secure path. Everyone should understand organization policies, complete cybersecurity awareness training, and continuously check and evaluate technical controls. This maturity model of cybersecurity should be driven from the top-down to truly be effective.
To start your journey toward becoming a cyber mature, resilient organization, you must first get buy-in from your leadership team, elected officials, and other high-level stakeholders. Buy-in enables you to institute the policy changes that need to take place and secure the budget you need. That’s a challenge for any organization, especially when cybersecurity is not a priority. But there is a way. Let’s outline how you can start the conversation with your decision-makers.
An Ideal Starting Point
As mentioned, cybercriminals work around the clock to fool unsuspecting employees and find vulnerabilities in software, hardware, and endpoints that exist on a network. They also tend to go after organizations that have the means to pay a ransom. That’s why public sector agencies of all kinds and sizes – school districts, municipalities, counties – are a great target for hackers.
For stakeholders to make informed decisions about cybersecurity strategy and funding, they first must gain an awareness of the risks they face, which is a great way to get the conversation started. Specifically, you should research and use examples of high-profile local government breaches to get the ball rolling. By doing this, you’ll help them understand why cybersecurity should be at the forefront of their minds and baked into the mission and values of the organization.
Four More Tips
Now that you’ve started the conversation, it’s your team’s responsibility to move it forward to ensure cybersecurity investment and stakeholder buy-in. Below are some tips to help you.
1. Develop and maintain relationships with leadership and stakeholders.
You can’t just have one conversation and expect all of your cybersecurity needs to be met. Increasing buy-in takes time, so you must build and maintain relationships with each individual stakeholder. An organizational change of this size takes time to accomplish. And it will only happen if you get to know your stakeholders, their objectives, and desires for the organization, so you can convey the importance of having multiple layers of security within your organization.
2. Build a culture of trust.
After you’ve established yourself with leadership, it’s now time to build trust with them. Always tell the truth, even if it’s not something they want to hear. And always avoid offering solutions that you’re unsure your security team can carry out. For example, don’t pitch the need for buying every technical control if you haven’t done the research to ensure they’re an appropriate fit for your organization. Above all, do not give the impression there is a magic silver bullet that will cure all security ills. A good rule of thumb is to underpromise and overdeliver to continue building trust among your leadership team.
3. Focus on shared motives.
Another good tip is to focus on shared motives. Identify what motivates your stakeholders and determine how your cybersecurity plan will support their goals. Be sure to communicate this clearly and directly, so they understand how your plan will benefit the larger organization.
4. Make sure leadership and stakeholders understand their contribution.
Finally, make sure your stakeholders understand their contribution to the project. Communicate this clearly and allow stakeholders to share the concerns and ideas they have about cybersecurity. It’s easier to get things done if stakeholders fully understand how their contribution is impacting the outcome of the project.
By getting the conversation started and following these tips, you’ll be on your way to identifying your needs, assessing where you currently stand, and further protecting and securing your organization.