Perhaps the most challenging component of a senior security executive’s job is the need to convince the C-Suite to invest in corporate security. But often this topic is lost in translation.
When people think of security, they consider what they can see – access control, security guards and cameras. There is little consideration for what is unseen – governance, preparedness and incident response.
For heads of security, the issue is persuasive communication. How can they communicate and position their team to the C-Suite while other parts of the organisation jostle for money, time and resources?
Below are the best strategies to persuade the C-Suite of your need for money:
1) The data approach. How much did your organisation spend on responding to incidents last year, whether cyber, physical, or workplace related? What was the cost of these incidents, and could their impacts have been reduced through more effective mitigation measures, training, or other means?
2) Tactical or geopolitical developments. What developments have occurred within the wider threat environment, and if they were to occur at or directly impact your organisation, how much would the financial and reputational cost be? This could be a geopolitical development such as the Taiwan-China-US issue, which results in a specific increase in the vulnerability of your supply chain, of your operations, or perhaps of your staff, who are exposed to a higher digital risk as a result of the risk profile of the organisation's executives, or others.
3) Technical developments. We have seen physical and digital security attacks increasingly merge. How much would it cost your organisation if someone stole confidential information after entering the premises at night, then released a distorted version of it online in an effort to undermine a senior executive, or to damage share prices or the broader reputation of the organisation?
4) Emerging legislation. What emerging legislation might directly impact your organisation? In the UK, for instance, this includes the likely emergence of Protect Duty and the evolution of Duty of Care, which is increasingly seeing executives, or the C-Suite, held personally liable for a lack of maturity around security mitigation; this has come directly through the McDonald’s scandal in the US (see “A landmark ruling in former McDonald’s executive suit could put HR heads at legal risk”, Fortune).
5) Business continuity and managing a crisis. Does our organisation have the resources to respond to crises which could occur in different locations simultaneously and to protect our reputation at the same time? Another way to answer this question would be to compare the spend to that of other organisations or industries in the sector.
The bottom line is that we can’t all spend 26.5 million dollars per year on security, as the CEO of Meta has done, but we can ensure through our communication with the C-Suite that we get more bang for our buck.