Security Scare Tactics Don’t Work
If your executive team doesn’t support your cyber-security program, the likelihood of disaster increases. For everyone’s sake, you need to convince them to take your recommendations very seriously. Unfortunately, they don’t speak tech, and they can’t be scared into understanding. So how do you convince your executive to see cyber-security for what it is?
Avoid IT-Speak
Don’t speak of botnets, brandjacking, catfishing, darknets, DDoS attacks, pharming, (spear) phishing, ransomware, whaling and all of the other cool words that you know. If they ask about one of these terms, be prepared to define it, but otherwise stick to business language.
Use Their Language
The C-suite and board members are business people who think in business terms like “value” and “ROI.” Value can include compliance, data confidentiality, protection of intellectual property and systems availability.
The ROI of security is difficult to quantify, but the same is true of insurance, and senior management understand the value of insurance even though it is hard to express in ROI terms. They know that “perfectly secure” isn’t achievable in the real world and that chasing that goal can be cripplingly expensive. They understand that they will need to balance risk against cost. Help them do that.
Help Them Decide
Help them understand enough to assess the risk:
- Explain your recommended program and the trade-offs between cost and improved security.
- Identify the organization’s most sensitive data and explain how it will be treated differently from the rest of the data.
- Quantify the cost of system or data loss.
- Explain what monitoring is in place to detect and stop emerging risks, and how effective that monitoring will be.
After a Breach
Security breaches will happen, so have the presentation mapped out in advance. In fact, it should be included in the business continuity/disaster recovery reporting process. If it’s not already part of your plan, now is the time. After all, when you’re in the middle of a breach, you will have neither the time nor the inclination to start writing it.
BCP/DR Advice
That said, when is the last time you updated or tested your business continuity/disaster recovery plans? Treat BCP/DR as an ongoing program rather than a plan that can be written once and then ignored. When you need it, it must work and can’t be out of date. Put testing and updating on your calendar at least once per year.
We encourage our clients to test and review segments of their BCP/DR plans on a quarterly basis. This keeps the topic a little closer to front of mind without quadrupling the work.
This article was published in the September 2019 edition of The TMC Advisor - ISSN 2369-663X Volume:6 Issue:2
©2019 TMC Consulting