Tell a compelling story about a security breach, preferably in your industry. Give examples from your own company. Identify critical information assets—intellectual property, sensitive customer data—and paint a picture of what would happen and what it would cost if they were compromised.
2. Provide metrics that convince
If you have gaps in security controls that you are struggling to get resources to fix, give the board evidence proving that you are continuously under attack and your networks are constantly probed. Make it clear that sooner or later, the bad guys will succeed. Educate them. Surprise them.
- 73 percent of companies suffered at least one security breach in the past year
- About a third of employees targeted for phishing will open fraudulent emails
- More than one in 10 take the bait—and it only takes one
- Less than two minutes elapse from the hacker hitting send to your systems being compromised
- Hackers are inside your organization, on average, for at least four months before they’re discovered
- Web apps are the number one entry point for breaches
3. Get their support in adopting a culture of security
Human error accounts for 58 percent of cyber breaches. A secure business is a business in which everyone is educated about threats and does their part to reduce risk. This starts with rigorous—and repeated—training, and perhaps even commitment to a standard like ISO 27001.
4. Convince them they need incident response help
Encourage the board to face facts: all organizations today face the very real possibility they will be breached. How much damage you suffer depends on how quickly and effectively you respond, so why not get prepared? Most companies don’t have the skills for effective incident response (IR). You need technical, forensic, legal, and public relations support to get through the trauma. Your best bet: a third party with specialized expertise. A good IR firm will have your back.
5. Discuss cyber insurance
Cyber insurance is integral to your security strategy. Yet only 19 percent of companies have cyber insurance. And most are grossly underinsured, with only 12 percent of the total costs of a typical breach covered. Cyber insurance is the fastest-growing insurance in the world, with annual premiums projected to increase 300 percent from $2.5 billion today by 2020. Do the math for your board. Calculate how much your business can absorb from a breach without financial catastrophe. Pick a level of risk that you are comfortable with, and insure the rest.