9 Highly Effective Ways to Talk to Your CEO About Prioritizing Website Security
Online security threats are a rapidly growing menace. I know it, you know it, more than 37 million Ashley Madison users know it. So why is your CEO keeping the purse strings drawn tight? Your online business needs protection! Security often falls to the CIO, CTO, CISO, or even just an IT manager, and then everyone else might only pay attention when there’s a security breach.
Get Your CEO’s Attention About Website Security
Company websites are full of sensitive and valuable data. If you’re an IT professional responsible for your company’s website security, you need to take control of your online security as soon as possible, and you need the CEO on your side. Here are 9 highly effective ways to get your CEO’s attention about the importance of cybersecurity.
1. Speak the Language of CEOs
If you’re a tech person, you probably know all about unsecured ports, cross-site scripting (XSS), and reversing the polarity of the neutron flow, but that’s not how CEOs talk. In order to convey the importance of cybersecurity, it’s up to you to explain complicated technical details in a comprehensible way to someone who’s more geared toward revenue and reputation. CEOs don’t have the time to listen to long drawn-out explanations. In other words, it’s up to you to explain website security issues and why they’re important as effectively as possible.
Any half-competent CEO probably has a pretty good idea of how important website security is, but disagreements arise when it comes to putting a number to that, which means taking away from other priorities such as marketing and promotion. And increased security will never pay off the way a hit ad campaign or viral video may promise to, which is why it’s important for CEOs to understand the value of risk management. This is a cost that does nothing when it’s working properly — it only mitigates losses and allows the company to more freely pursue its mission. Allocating more money to a cybersecurity budget now will almost certainly save money down the line by preventing unwanted intrusions and disruptions to website service.
2. Emphasize the Reputation Damage Caused By Security Failures
Security breaches can permanently tarnish a company’s reputation, or disrupt commerce, or initiate a devastating chain reaction of the two. Cybersecurity, reputation, and revenue are closely interconnected.
Once your website is hacked, its reputation is at risk. Whether that’s due to being taken offline by a DDoS attack, malware infection, or a devastating data dump exposing all your correspondence and customer information, people will lose faith in your business. The relationship between cybersecurity and reputation should be apparent to everyone, especially the CEO when making budget decisions.
Cybersecurity, reputation, revenue — lose one, and your online business is doomed.
3. Explain That Your Company May Be Held Liable for Security Breaches
If you ran an unsanitary restaurant and gave all of your customers food poisoning, you could be held legally responsible for that. Likewise, if online customers trust their data to your website and you don’t take appropriate steps to secure that data, shouldn’t you be held accountable for any breaches that occur?
Letting your customers down due to website security incompetence could make your company legally responsible for the damages. In the US, the Federal Trade Commission (FTC) has the authority to regulate and fine businesses that lose customer data to hackers through “unfair” or “deceptive” business practices. Or, your users could even sue you for negligence or breach of contract.
So if you fail to take care of your customers’ data, it’s on you. If the unthinkable happens (as it does daily), you should be able to say you tried everything.
4. Connect Headline-Grabbing Security Breaches With Your Situation
Every week, a new data breach or other catastrophic cybersecurity failure hits the headlines, and popular culture is taking increased notice of these online threats. Your CEO is probably already talking about Hillary Clinton’s e-mail scandal, or wondering whether his Corvette is vulnerable to hackers, or musing on his secretary’s crazy fan theory that Mr Robot is really Christian Slater’s grown-up character from Pump Up the Volume. And who knows, maybe he is a member over at Established Men, the lesser-known cousin to Ashley Madison which also experienced a security breach. Probably best to keep that one to yourself though.
Connecting your own company’s unique security needs with what’s going on in the headlines is a great way to reach higher-ups. It provides an opportunity to deepen understanding and share your own insider knowledge about the mistakes made, the techniques used, and the security solutions that might have prevented these headline-grabbing breaches, and to show how those solutions could address issues directly affecting your own business.
5. Emphasize the Point That All Websites Are Vulnerable
The risk of talking about these prominent hacking examples is that it might backfire and make people feel invulnerable. “Oh, those cheaters had it coming,” “Thanks, Obama,” “Hacking Team deals with repressive regimes!” All easy answers that place the blame on foolish people who should have known better and deserve the consequences.
No, truthfully any website is prone to cyber threats. It’s inevitable that your site will be attacked. Maybe you don’t have any website security, and you haven’t noticed any problems — well, the IRS didn’t know it had a problem for the four months in which criminals were stealing information from its site. Anyway, we were talking about websites that don’t deserve to get hacked, such as yours.
Despite the rise of hacktivism and state-sponsored cyberwarfare, most cyber attacks are impersonal and relatively unsophisticated. Anyone with a bit of sense and a lack of conscience can go online, hire a mercenary botnet, and take down your site or hold it for ransom. Why target you? Simply because your site had detectable vulnerabilities. By taking precautions, you can drive up the costs and the effort needed to outsmart your defenses, and that will discourage most attacks.
6. Foster a Culture of Cyber Security Communication
Sure, you might be the one who designs and implements security strategies, but it is the CEO who must put them in place. After all, if there is a website security breach caused by an inadequate security budget, is it the IT person’s fault, or the CEO’s?
Cybersecurity is the responsibility of every employee, and they need a CEO who leads by example. A healthy cybersecurity culture is created through training and seminars, emergency plans and protocols for security breaches, and having a clear line of communication to implement company-wide solutions at the first sign of suspicious activity. Effective security communication is important, and any employees handling security need to be able to speak directly to the CEO about security concerns, rather than submit reports passed through a middle manager who may omit or ignore important details.
7. Explain the Potential Security Threats Your Website Faces
Your CEO needs a solid understanding of the biggest threats facing online businesses. It’s one thing to know about the risk of a DDoS attack, but it’s entirely different to understand the threat it represents in real life and what it could do to your business.
As well as identifying the attacks that could be leveled against your site, it is also useful to be aware of particularly attractive hacking targets on your website, which could be video files, financial records, customer contact information, or just your own connectivity resources.
You can do all of this with carefully collected data or news reports. Be prepared to write a report about your website’s unique vulnerabilities. Speak with numbers. Back it up with undeniable facts underlining the relevance to your own business.
8. Present Suitable Solutions For Your CEO
Not all solutions are equal, and a high price doesn’t necessarily mean the best protection. The needs of a powerful corporation and the smallest startup SMB are very different.
In narrowing down the options to present to your CEO, it’s important to consider price, obviously, but also what specific features you’re getting for that price and which option is most appropriate for your company.
There is a large market full of affordable web application security solutions, and many of them offer free trials and limited option plans. Cloudbric offers a comprehensive web app security package that charges based on your website’s monthly traffic volume, which is especially helpful for smaller companies which may not be able to afford the equivalent level of services supplied by other solutions.
9. Introduce the Advantages of a Security Solution
“Uh, we’ll be safer?” you might start to say. But then what will your CEO think when the website encounters a new security threat that challenges your security precautions? No security system is 100 percent impregnable, but what such systems offer beyond protection is control. Control over your website, control over visitor access.
A good website security solution should include tools allowing you to analyze visitor activity, locate suspicious IPs, and filter out bad traffic while avoiding false positives that could turn away legitimate customers. Having all these controls doesn’t hermetically seal you against all threats, but at least they level the playing field and help increase your awareness.