Compliance is a key part of any organisation and in business terms, it is about ensuring companies of all sizes and their employees comply with existing national and international laws. In the UK the Companies Act 2006 is the main legislation that forms the primary source of company law and businesses of all sizes must ensure they adhere to it to remain compliant.
However, compliance only ever gets tighter with each passing year. Regulations come and go, and often businesses need to invest a considerable amount of revenue to remain compliant. Many businesses often overlook security when ensuring they are compliant, but if you start from a security perspective you will often automatically meet compliance needs and cover any tightening of regulations.
Today, cybersecurity is a huge issue in virtually all industries with the need for organisations to understand the threat landscape and consider how they can respond effectively to cyber-attacks by having a well-designed plan in place. With a data breach, it is not a matter of if it will happen, but when it will happen. The cost of a data breach – financially and reputationally – can be so large that it can no longer be ignored by organisations.
There are numerous cases of organisations being fully compliant yet still suffering a data breach. In 2021 LinkedIn suffered a breach that affected 700 million users, Facebook suffered a breach in 2019 that affected 533 million users, and Yahoo! suffered a breach in 2013 that affected over 1 billion users. The problem is worsening: in 2021, 39% of UK businesses identified a cyber-attack against them, and in 2022 the same proportion of UK businesses have already identified a cyber-attack against them, only four months into the year. Being compliant is therefore not enough.
Gary Hibberd, Professor of Communicating Cyber, said in the whitepaper “Mind the Cyber Security Gap – Why Compliance Isn’t Enough”, that by focusing on the people around the Boardroom table and what they are trying to achieve, we can reframe what we do to support and help them. The Chief Financial Officer typically wants to save money, so show them how spending on Cybersecurity can be better targeted. The CEO will want to increase market value, so show them how good Cybersecurity can protect brand reputation. The Sales Director will want to increase sales, so show them how they can use Cybersecurity as a business differentiator and a competitive advantage.
Business leaders can no longer ignore the growing cyber threat and should have security on their agendas not only at board level but cascaded down through the organisation at all levels. But how do you think about your business case for security and gain buy-in for cybersecurity projects?
Building a Strong Business Case for Security with Compliance in Mind
Every organisation should be investing in cybersecurity, with security officers developing a compelling business case. By starting from a security-first perspective, compliance will often automatically be covered. Businesses should therefore consider the following when attempting to gain buy-in from the Board for cybersecurity:
1. Run a Full Compliance Audit
You should conduct a full inspection of your present security posture and note any gaps or areas that require improvement. This should include looking at where any confidential or sensitive data is stored and who has access to it. Insider threats are common, and many in security do not understand the risk of data breaches caused by malicious, or even careless, insiders. It is worth noting, however, that not all data carries the same level of risk. This process will likely be time consuming, but it is a necessary one to get a full picture of what security measures already exist.
2. Expectations Should Be Set From the Beginning
Cybersecurity is not a revenue-generating service or product; its financial benefit comes from the losses it prevents, so it is prudent to show how protecting an organisation from losses is the only way that benefit is realised. Try to communicate to the board in numbers: for example, show that a £1 investment would stop a security event that could potentially cost the company £10. That way, it should be possible to get the board to vote on your side by demonstrating the business case and the return on investment in security measures and protection.
3. Pick the Right Areas for Investment
In order for the board to make their investment decision on security, you should give them data that focuses on threat vectors that are already evident, such as inadequate security awareness and employee training, processes and policies that are not adequately applied and recorded, or a lack of data backup practices and patching. Formulating a risk/reward equation using a tiered security approach is a good way forward, as you can then direct investments towards incident response and compliance monitoring.
4. Present a Strong Business Case to the Board
Once you have created a robust and compelling business case for your organisation, you need to share the proposal with the board. When presenting your case to them, consider any questions they may have, where their focus is and their general understanding of cybersecurity. Ensure you provide the requisite collateral and proof points to support any requests for budget – these decision-makers need to be able to make informed decisions not only for the security posture of the organisation, but for the organisation as a whole.
Final Thoughts
When submitting a strong business case for security buy-in, it is important to align your plan with the risks, needs and compliance requirements of your organisation. Every organisation wants to be secure in the long term, but compliance requirements mean they often stay focussed on the short-term cycle. Organisations need to create a strong partnership between compliance and security if they want to protect their systems and data – an either/or situation won’t work.
To find out more, we spoke to several experts with insights into managing security and compliance programs to share their experience of the disconnect between cyber security and compliance. Find out more by downloading a copy of our whitepaper “Mind the Cyber Security Gap – Why Compliance Isn’t Enough” now.