In business you need to be able to justify your budget in monetary terms. This is often easier for departments such as sales and marketing, whose job is to generate revenue, than for departments such as IT, whose job is often to keep the home fires burning and to prevent financial (and reputational) losses.
IT professionals can find it frustrating that the importance of effective security measures, including data protection measures, sometimes only becomes apparent when it is too late. To prevent this, take some tips from your sales team and learn to sell the importance of cybersecurity measures so that it becomes clear to everyone. Remember that it is not necessarily all about money: reputation matters too.
Here are three approaches you can try:
Successful businesses understand the importance of good customer service, so position IT security as a key part of keeping customers happy.
When you get questions on social media asking whether your website is safe, or complaints about your data security practices, make sure the people at the top of the organisation are aware of them, and don’t hesitate to publish relevant information on your website so that customers understand the issues at hand. If the information is tricky to understand, consider whether you need to make it more user friendly, perhaps by converting it into a graph, pie chart or infographic.
It’s great to be positive, but sometimes the fear factor gets results, so make it clear to your colleagues what can happen to the company (and to them personally) if they fail to take cybersecurity seriously.
Even those managers without technical knowledge could probably take a good guess that security breaches could result in reputational damage and fines if they become publicly known, but they may not realise just how big those fines can become under GDPR or that covering it up is no longer an option.
The threat of a company being fined – even enough to close it down – costing jobs and potentially hindering attempts to find new employment could well be enough to get their attention. Be realistic but candid, pointing out if necessary that GDPR does have the option to send people to prison in severe cases.
This is essentially a variation of the “stick” approach but it can help to make the situation real in every sense of the phrase.
Do some research on the net, find examples of companies that suffered data breaches, and summarise just how much damage those breaches did them.
Try to find evidence of financial penalties, reputational damage and any other form of business loss; for example, Equifax in the US has had its IRS contract suspended as a result of its data security breach.
Emphasise the fact that your examples are all pre-GDPR (as GDPR has not yet been implemented) and that post-GDPR the range of penalties available will be much wider and potentially much harsher. If you can, research what a post-GDPR penalty for a comparable breach might be, and be prepared to explain your reasoning.