Whether it happens every year, or every day, it is hard to miss the fact that it happens. A business owner or president has to go to the news and to the public and announce that their cyber-security has been breached. The information that consumers thought was safe with them—credit card numbers, private health information, addresses, are in the hands of people who do not have a legal right to that information. People who may use that information to harm those consumers.
It might seem that this atmosphere of breaches to security and business embarrassment would make it easy to sell cybersecurity. The truth is, there are so many options for companies to choose from that CIOs and CISOs are sometimes reluctant to make the purchase. It is understandable. Who wants to spend money on a system, have the president of the company, the board, or even if it is a one-man shop, then the person making the buy think the problem is solved only to find out later that it was not solved. Often, people find out the cybersecurity wasn’t good enough after a breach was discovered.
The responsibility for cybersecurity is immense:
- Money can be lost—literally stolen from the business and/or from clients.
- It can be expensive to clean up the mess, then to add different security in hopes of thwarting future breaches.
- Reputations can be damaged, causing current clients to flee and future clients to stay away.
The best solution for CIOs and CISOs is to get the best cybersecurity they can afford on the front end and prevent problems later.
Unfortunately, there are many examples of data breaches and how they have effected a company. A salesman can sit down and show what happens when a similar business had a data breach. They can discuss lost clients, the full cost of patching software and of going public with the bad news. No one who works at company wants to be part of recovering from a breach.
The theory is that if a CIO or CISO has been reluctant to make a purchase on new cybersecurity, then showing them how much it could cost to do nothing may be the impetus they need to commit to an upgrade. Fear can make people freeze in their decision making. Fear can also unfreeze people and make them see what could happen if they don’t commit to something.
Help the CIO and CISO Talk to the CFOs and CEOs
Sometimes the problem that is the last one to be fixed is the problem that is never seen—until it is too late. A CEO and CFO are trying to attain as much profit as possible, adding better cybersecurity does not make profit easier to attain. The thing these people need to understand is that cybersecurity is part of the businesses infrastructure. If you don’t improve the infrastructure then soon enough, it crumbles and the entire structure may crumble with it.
A recommendation that a salesperson or supplier of cybersecurity has to help the CIO or CISO sell the importance of improved cyber security is to share a speech with one or both of these people. HealthcareITNews.com recommends the speech not as a way to reach the reluctant executives at an intellectual level, but at a more gut level. The speech is a sample of one that a CEO has to make the day after a data breach was discovered. The speech would start with, “We are sorry to report that our data has been stolen and your 1. Private data, 2. Credit card information, 3. Health records have been stolen.”
The second important thing the CIO would tell the CFO in order to underline the importance of improving cybersecurity is that it will cost $1 million to clean up the cybersecurity mess and to improve their cyber wall. Time to have an internal investigation about the breach. Then there are factors that cannot be measured, like loss of future business, loss of reputation. Often, these scenarios get the CFO and CEO’s attention. Or, if the CEO doesn’t want to go through that embarrassment, a new and better system could cost $100,000 on the front end.
What CIOs need is facts, including the cost of the system, what might make their current system vulnerable, and how the new system would operate. Safety is an important factor in cybersecurity, but so is relative simplicity. The harder it takes to learn a system, the easier it is to mess up and the harder it is to make a sell.
CIOs and CISOs need to know the advantages of a system they are selling, and the disadvantages of a current system. These advantages might include how expensive a breach might be if nothing is done, and it can help to give the information security person help in selling the idea of spending this money to their own boss. With these facts, the system might be successfully moved to more companies.