TMC's Advisor

The Advisor is published by TMC

Security Scare Tactics Don’t Work

If your executive team doesn’t support your cyber-security program, the likelihood of disaster increases. For everyone’s sake, you need to convince them to take your recommendations very seriously. Unfortunately, they don’t speak tech, and they can’t be scared into understanding. So how do you convince your executive to see cyber-security for what it is?

By Ellen Koskinen-Dodgson

Ellen Koskinen-Dodgson is President and Managing Partner of TMC IT and Telecom Consulting Inc. She is an IT and Telecommunications Management Consultant, electrical engineer, author, speaker, media resource and Expert Witness.

Avoid IT-Speak

Don’t speak of botnets, brandjacking, catfishing, darknets, DDoS attacks, pharming, (spear) phishing, ransomware, whaling and all of the other cool words that you know. If they ask about one of these terms, be prepared to define it, but otherwise stick to business language.

Use Their Language

The C-suite and board members are business people who think in business terms like “value” and “ROI.” Value can include compliance, data confidentiality, protection of intellectual property and system availability.

While the ROI of security is difficult to quantify, the same is true of insurance, and senior management understands the value of insurance even though it is also hard to express in ROI terms. They know that “perfectly secure” isn’t achievable in the real world and that chasing that goal can be cripplingly expensive. They understand that they will need to balance risk against cost. Help them do that.

Help Them Decide

Help them understand enough to assess the risk:

After a Breach

Security breaches will happen, so have the executive presentation mapped out in advance. In fact, it should be part of the business continuity/disaster recovery reporting process. If it’s not already in your plan, now is the time to add it. After all, when you’re dealing with a breach, you’ll have no inclination to start writing it then.

BCP/DR Advice

That said, when is the last time you updated or tested your business continuity/disaster recovery plans? Treat BCP/DR as an ongoing program rather than a plan that can be written and then ignored. When you need it, it must work, and it can’t be out of date. Put testing and updating on your calendar at least once per year.

We encourage our clients to test and review segments of their BCP/DR plans on a quarterly basis. This keeps the topic closer to the front of mind without quadrupling the work.

This article was published in the September 2019 edition of The TMC Advisor
- ISSN 2369-663X Volume:6 Issue:2

©2019 TMC Consulting