In our previous post, we discussed many of the pressures that IT and security professionals face on a daily basis. The list is long, and one of the biggest pressures is to provide secure networks and systems at a time when major data breaches are highly publicized. IT professionals are working hard to keep their data secure, but often feel their concerns are dismissed by business managers and executives who accept the risk instead of approving the proposed strategies.
Why executives may not be listening
There are many reasons why infosec personnel’s security and risk recommendations may not be accepted by executives:
- Executives may feel better-suited for making risk decisions than information security professionals and are willing to accept the risk.
- Executives may have become immune to security concerns expressed through fear, uncertainty or doubt.
- Executives may be tired of making risk decisions, and find it easier to maintain the status quo instead of acting upon the security concerns.
- Executives don’t understand the IT security risk, possibly because the infosec professional presents it in a context to which they cannot relate.
- Executives and IT professionals speak a different language, causing a communication barrier.
- Executives aren’t presented with practical options for handling IT security risks and feel the recommendations are too costly or difficult to act upon.
How to get executives to listen
While the increase in cybercriminal activity may be common knowledge, it can still be difficult to communicate the true implications of a breach to your board of executives. A CEO must raise the priority of cyber security not just with the CIO, but across the C-suite and the board. Information can get trapped between departments, and with it come miscommunication and inconsistent security measures. Leaders must work together to break down those barriers and create damage-prevention strategies that flow seamlessly from one department to the next.
Begin by calculating the true cost of an attack on your business. Companies that have been breached are learning the hard way that they failed to predict the overall price a breach would ultimately cost them. Next, consider how a breach will affect the overall health of your organization. A security breach affects not only your market valuation but also your reputation and image in the eyes of your customers and shareholders.
When it comes to accurately communicating risk to your board, put the implications in terms they can understand. Attend Secure360 Iowa on Monday, September 19 to learn 5 Ways to Improve Your Cyber Risk Communications.