Every IT pro who is worth their awesome multi-monitor workstation, appreciation for the finer aspects of geek culture, and undying love of remote work knows that strong IT security is not a nice-to-have thing, or even a “best practice.” It is absolutely, categorically, and unquestionably essential.
Indeed, this has been the case for several decades. But in the last few years, the critical importance of strong IT security cannot be overstated. Considering the potentially catastrophic consequences of a data breach or leak — the current price tag is around $200,000 USD per incident and climbing — it’s hard to imagine that anyone would view strong IT security as anything but essential.
Yet despite this truth, many otherwise highly intelligent, accomplished, prudent, and forward-looking executives outside of the IT world are doing precisely that: failing to see strong IT security as a basic requirement. What is going on here?
The reason is likely rooted in the word “strong.” Some executives without an IT background — which includes many business owners, CEOs, CFOs, VPs of Operations, etc. — can mistakenly believe that their company is already investing in strong IT security, especially if they haven’t (yet) experienced a severe and scary breach or leak. As such, they believe that there is no need to increase the IT security budget, or to give their IT pros more authority to decide, in terms of access, who in the company can do what (and where, when, how, and why).
What’s more, IT pros who repeatedly sound the “WE NEED STRONGER IT SECURITY AROUND HERE!” alarm bells in conversations, memos, and meetings can be seen as alarmists who are somehow motivated by self-interest. Obviously, nothing could be further from the truth!
Look at it this way: firefighters are not acting out of self-interest when they warn people to install and maintain the appropriate number of smoke alarms in their home. Similarly, IT pros have no personal motivation to get The Powers That Be in their company to take strong IT security more seriously. On the contrary, increasing the IT security budget and dialing up the spotlight means MORE work for IT pros, not LESS! Truly, the only agenda that IT pros have is keeping their company safe and productive on an external and internal threat landscape that is constantly becoming more dangerous, and harder to defend.
And so, what can IT pros who lack the resources they need to thwart bad actors — and mitigate the damage and chaos triggered by negligent end users — do to finally convince their boss (or perhaps, their multiple bosses!) that investing in strong IT security RIGHT NOW is strategic instead of superficial? We suggest that any pitch, proposal, or presentation should cover these five core reasons:
Strong IT security helps earn and maintain customer trust.
Billionaire Warren Buffett has said that “it takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you’ll do things differently.”
Far be it from us to improve upon anything said by the Oracle of Omaha. But we think he would not mind if we added that it can actually take less than five minutes for a hack or breach to occur, and inflict lasting or even permanent reputation damage. Consider that:
More than 80% of consumers view trust as a deciding factor in their buying decisions.
88% of consumers say that trust is more important in times of change (and we are definitely experiencing that now!).
70% of consumers want to know that data protection is considered a top priority by the companies that they do business with.
The message for IT pros to convey to their boss or bosses is clear: allocating more resources towards IT security is not just a TECHNICAL issue. It is fundamental to earning and maintaining customer trust, which makes it a BUSINESS issue. Companies that are viewed as untrustworthy because they neglected to invest in strong IT security are forced to spend an enormous amount of money to try and recover. Obviously, this expense is far, far greater than what it would have cost to strengthen IT security in the first place. The old saying “an ounce of prevention is worth a pound of cure” definitely applies here.
Strong IT security is necessary for compliance.
We just finished noting that many customers will stop doing business with a company that failed to proactively strengthen its IT security (even if those customers, themselves, were not directly or materially affected by an attack).
However, there are also some customers that will outright refuse to do business with a company that has not had its IT security infrastructure, governance, and controls evaluated and verified by a third-party. There are several credible compliance standards and programs, such as:
The advice for IT pros here is to clearly explain that if a company tolerates weak IT security (and if IT security is not strong, then it’s weak — there is no middle ground!), then there is a large and growing group of potential customers who will simply not consider entering into a relationship with it. They may admire a company’s product, and they may also find the price affordable and attractive. But if they do not feel confident in a company’s IT security profile — as evidenced by its compliance with relevant standards and programs — then they will head to a competitor.
Since the one thing that keeps executives awake at night is leaving revenues and profits on the table, conveying the above in practical terms can go a long way towards creating a paradigm-changing “aha” moment where IT security stops being perceived as an unavoidable expense, and starts being seen as a profitable investment. Strong IT security expands the marketplace to include more customers. Weak IT security shrinks the marketplace and puts companies at a disadvantage relative to the competition.
Strong IT security may be necessary for insurance.
This is a trend that we have been seeing accelerate greatly in the last couple of years: companies that have purchased cybersecurity insurance are discovering, upon renewal of their policy, that their insurer is demanding stronger IT security controls — especially with respect to privileged access management (PAM).
Obviously, IT pros who work for companies that face this requirement can leverage this to get more IT security resources (and perhaps send a nice thank you card to their insurance company for being an ally in their quest for more budget and resources!).
However, even IT pros who work for companies that do not have cybersecurity insurance (or whose insurer, at the moment, has not demanded stronger IT controls) can nevertheless cite this trend to help bolster their case. For example, IT pros can say: “If a growing number of insurance companies are so terrified of covering the costs of weak IT security, then shouldn’t we be just as afraid?”
Strong IT security sends the right message to employees.
Whether they are falling for phishing scams, insecurely and/or improperly sharing passwords, losing laptops — and the list goes on — end users have always been, and will always be, the weakest link in the IT security chain.
A company that makes suitable investments in IT security, and which highlights these measures, sends a clear and compelling message to end users: “We take strong IT security very seriously around here, and we expect you to do the same.”
Conversely, a company that has weak IT security will constantly face credibility obstacles when it directs end users to practice good IT security hygiene. Some end users will see the disconnect between what executives are demanding vs. doing, and will not take the message seriously.
IT pros should help their boss (or bosses) understand the implications of this disconnect: it makes end users LESS willing to practice good security hygiene, which means the attack surface gets bigger and risks grow.
Strong IT security is ethical.
IT pros should try to help executives grasp that getting behind strong IT security is not just the SMART thing to do, but also the RIGHT thing to do. It is not just about avoiding costs and consequences. It is also about being socially responsible and being a good corporate citizen.
Executives who lead the way on IT security (or more wisely, authorize and empower their IT pros to lead the way!) earn the right to feel great about “living their values” at work. Because when good companies win the IT security fight, bad actors lose.
The Bottom Line
IT pros know that strong IT security is mandatory, not optional. But getting bosses and other stakeholders on board — including “gatekeepers” who may not have the formal authority to approve anything, but unfortunately have the ability to obstruct — can be difficult and frustrating.
We hope that the advice above will help IT pros in their quest to get the budget, resources, and authority they need to keep their company safe and productive. And IT pros can also be assured that Devolutions will be on their side, supporting them every step of the way!