If You Fail to Plan, You Plan to Fail - Selling Security to the C-Suite
By Ricky Chau, VP- Asia Pacific region, Level 3 Communications
This famous line by Benjamin Franklin should be the mantra for cyber security. If an organization isn’t discussing, testing and implementing cyber security policies, they are planning to fail. And that failure could be very public, drawn out and brand damaging.
In the Asia Pacific, good cyber hygiene has never been more important. Australia, China and Hong Kong are listed among the most vulnerable to cyber attack around the globe, according to a report by Project Sonar. The ‘Cyber Five’ — South Korea, Australia, New Zealand, Japan and Singapore — appear nine times more vulnerable to cyber attack than other Asian economies, according to Deloitte.
This could be, in part, because of the incredible infrastructure present in the region. For example, Singapore is a global data management hub connected to 15 active submarine cable systems, with a total submarine cable capacity of 114 Tbps and the ability to carry more than 50 percent of the commercial carrier and carrier neutral data center space in South East Asia.
If you aren’t talking about cyber security to your C-Suite and Board, you should be.
Ultimately, the C-Suite mentality needs to evolve to a place where daily consideration is given to how the company will defend against a motivated, aggressive, global threat in a manner that doesn’t disrupt their business from a cost management and workflow perspective.
"If you aren’t talking about cyber security to your C-Suite and Board, you should be"
To help the C-Suite get to that place, you need to start with a comprehensive risk assessment, the foundation of all cyber security governance plans. Armed with the risk assessment, which also can provide information on how your business is compared to others in the industry, it will be much easier to make a case for investments in security.
In addition to the risk assessment, an industry maturity model review will provide a third-party expert evaluation of the company's security infrastructure and preparedness in clear report executives and directors can understand.
Clearly defining the risks, goal and objective of your cyber security plan and needs. Protection of assets, reputation management, intellectual property and end goals should be communicated to leadership to underscore the connection between cyber security and the business’ objectives.
Otherwise, security can fall to the wayside with the onslaught of issues IT leaders face today.
Another aspect to keep in mind, is cost. Over the past two years, the cost of security products has escalated with security spending ballooning to 21 percent of IT budgets across most industry sectors, according to a March 2016 Forrester report. It’s even as much as 44 percent, according to another study.
Pair the cost issue with the complex security architecture created by organization restructuring and the hardware-based security market and we see the creation of an environment where it is challenging to have a uniform global security posture.
Finally, the lack of trained cybersecurity professionals has made it a very competitive market to fill every security job. Cybersecurity Ventures announced last week the cyber security unemployment rate has dropped to zero percent. Japan, for example, is struggling to fill the ranks of cyber-warriors needed in time for the 2020 Olympics, according to The Japan Times.
In thinking about how to sell security to the C-Suite, you can use these factors, along with the security assessment, to start the conversation.
Support for cyber security needs to start at the top. If you don’t have buy-in from your board, add it to your 2017 to-do list.
Level 3 Communications [NYSE:LVLT] headquartered in Broomfield, Colorado, provides data, security, video, voice and unified communications solutions to overcome IT challenges. Founded in 1985, the firm has its presence in Africa, Asia Pacific, Europe and Middle-East.