Small business owners and operators might think that cyberattackers prefer to target large organizations. But that’s just not the case. According to international insurance group Hiscox, 41% of small businesses fell victim to a cyberattack in 2023, up from 38% in 2022. And those attacks were costly. The victims paid over $16,000 in ransoms in the past 12 months. Since most small businesses don’t have a Chief Information Security Officer (CISO) or a dedicated team of cybersecurity professionals, whoever heads up IT is often the only person who understands the risks of a bad cybersecurity posture.
That could be the owner, or someone tasked with overseeing all IT responsibilities. If that’s you, you might need some help deciding whether to increase your cybersecurity investment and explain why to your colleagues.
Here’s what works for me.
Setting the stage
Since the responsibility for managing an organization’s cyber risk has landed on your plate, you’re probably the only person looking at it holistically. This means you’ll have to spend some time contextualizing cyber risk for the rest of your team.
You’ll want to present the idea of cyber risk to the rest of your team in a way that they can easily understand and that relates to their interests. Often, people outside of IT teams don’t think about cyber risk at all, much less in terms of making an investment. Not because they’re bad at their jobs but because people don’t tend to think about things that don’t impact them personally.
This is where being a good storyteller will help you. Set the stage for your team by adopting the language the organization uses to talk about other, less technical issues. Learn what motivates your audience, and craft your story using the same language.
Also, get to know your team. Learn how to communicate with them and what might motivate them to take cybersecurity seriously. Time spent learning about your key stakeholders is one of the best investments you can make.
Remember, cybersecurity isn’t an end in itself. It has real implications for other aspects of the business. Learn what those impacts are and use them to communicate the direct benefit of cybersecurity to the rest of your team — and the risks of not taking it seriously.
As you discuss cybersecurity, cover critical risk areas like engineering, finance, and legal. Describe the potential impacts on issues like the business roadmap, regulatory compliance, and supply chain security. Bring the impacts home to where your audience lives. This will start them thinking about how cybersecurity isn’t just a vague concept but a very real benefit to the organization.
Making the case
Whether you like it or not, yours is the voice that will spread the word about cybersecurity to the rest of your organization. That can be a lot of pressure, but it’s also an opportunity to frame the conversation in a way that will have the greatest impact on your company.
Start by preparing properly. Every organization is different. Sometimes, you’ll be speaking to a board of directors. Other times, it may be key managers or heads of discrete business units. Know who’s sitting around the table, and tailor your presentation to their interests. Focus on the impact of a cyber incident on their areas of responsibility, like reputation, regulatory compliance, and financial ROI. And help them understand how cyber resilience can protect the entire organization in the face of unpredictable and potentially destructive cyber events.
When it comes to your presentation, visualize as much data as you can. Remember that “less is more.” Don’t overwhelm your audience with data points. Show only what you need to show to make your point. And be consistent from meeting to meeting so that attendees know what to expect.
One thing that works for me is finding a cyber ally, someone in the room who’s sympathetic to my cause and who I can talk to before or after meetings and strategize with. Not knowing what I don’t know when walking into a room can be tricky. I mitigate that by leaning on someone who can give me the lay of the land.
Testing the theory
Once you’ve reached a consensus on the benefits of investing in cybersecurity, you can maintain that momentum by hosting regular tabletop exercises. These simulate incidents where different people play different roles. You’ll be given information that may or may not have a bearing on a cybersecurity incident, and you must sift through what’s relevant and what isn’t to make decisions in real time.
Tabletop exercises effectively communicate the speed and unpredictability of a cybersecurity incident. They are also useful tools for developing working plans and alignment on critical issues before an incident actually occurs. When that happens, there won’t be time to make plans.
The U.S. cybersecurity agency, CISA, has some tips for running tabletop exercises, as well as a list of exercise packages you can use to run your own exercises.
I’ve also created a simple scorecard that you can use to share essential facts and metrics with stakeholders in key areas of risk or strategic focus. Use it to quickly and accurately communicate what you see as the biggest risks facing your organization and how you’re proposing to address them.
Siroui Mushegian is the CIO at Barracuda.
Cybersecurity stock image by VideoFlow/Shutterstock
