BreachExchange mailing list archives

9 highly effective ways to talk to your CEO about prioritizing website security


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 11 Sep 2015 14:03:08 -0600

http://memeburn.com/2015/09/9-highly-effective-ways-to-talk-to-your-ceo-about-prioritizing-website-security/

Online security threats are a rapidly growing menace. I know it, you know
it, more than 37 million Ashley Madison users know it. So why is your CEO
keeping the purse strings drawn tight? Your online business needs
protection! Security often falls to the CIO, CTO, CISO, or even just an IT
manager, and then everyone else might only pay attention when there’s a
security breach.

Company websites are full of sensitive and valuable data. If you’re an IT
professional responsible for your company’s website security, you need to
take control of your online security as soon as possible, and you need the
CEO on your side. Here are 9 highly effective ways to get your CEO’s
attention about the importance of cybersecurity.

1. Speak the language of CEOs

If you’re a tech person, you probably know all about unsecured ports,
cross-site scripting (XSS), and reversing the polarity of the neutron flow,
but that’s not how CEOs talk. In order to convey the importance of
cybersecurity, it’s up to you to explain complicated technical details in a
comprehensible way to someone who’s more geared toward revenue and
reputation. CEOs don’t have the time to listen to long drawn-out
explanations. In other words, it’s up to you to explain website security
issues and why it’s important as effectively as possible.

Any half-competent CEO probably has a pretty good idea of how important
website security is, but disagreements arise when it comes to putting a
number to that, which means taking away from other priorities such as
marketing and promotion.

2. Emphasise the reputation damage caused by security failures

Security breaches can permanently tarnish a company’s reputation, or
disrupt commerce, or initiate a devastating chain reaction of the two. The
three are closely interconnected.

Once your website is hacked, its reputation is now at risk. Whether that’s
due to being taken offline by DDoS attack, malware infection, or a
devastating data dump exposing all your correspondence and customer
information, people will lose faith in your business.

3. Explain that your company may be held liable for security breaches

If you ran an unsanitary restaurant and gave all of your customers food
poisoning, you could be held legally responsible for that. Likewise, if
online customers trust their data to your website and you don’t take
appropriate steps to secure that data, shouldn’t you be held accountable
for any breaches that occur?

Letting your customers down due to website security incompetence could make
your company legally responsible for the damages. In the US, the Federal
Trade Commission (FTC) has the authority to regulate and fine businesses
that lose customer data to hackers through “unfair” or “deceptive” business
practices. Or, your users could even sue you for negligence or breach of
contract.

So if you fail to take care of your customers’ data, it’s on you. If the
unthinkable happens (as it does daily), you should be able to say you tried
everything.

4. Connect headline-grabbing security breaches with your situation

Every week, a new data breach or other catastrophic cybersecurity failure
hits the headlines, and popular culture is taking increased notice of these
online threats. Your CEO is probably already talking about Hillary
Clinton’s email scandal, or wondering whether his Corvette is vulnerable to
hackers.

Connecting your own company’s unique security needs with what’s going on in
the headlines is a great way to reach higher-ups. It provides an
opportunity to deepen understanding and give your own insider knowledge
about mistakes made, techniques used, and the significance of security
solutions that might have prevented these headline-grabbing breaches and
how they could address issues directly affecting your own business.

5. Emphasise the point that all websites are vulnerable

The risk of talking about these prominent hacking examples is it might also
backfire and make people feel invulnerable.

No, truthfully any website is prone to cyber threats. It’s inevitable that
your site will be attacked. Despite the rise of hacktivism and
state-sponsored cyberwarfare, most cyber attacks are impersonal and
relatively unsophisticated. Anyone with a bit of sense and a lack of
conscience can go online, hire a mercenary botnet, and take down your site
or hold it for ransom. Why target you? Simply because your site had
detectable vulnerabilities. By taking precautions, you can drive up the
costs and the effort needed to outsmart your defenses, and that will
discourage most attacks.

6. Foster a culture of cybersecurity communication

Cybersecurity is the responsibility of every employee, and they need a CEO
who leads by example. A healthy cybersecurity culture is created through
training and seminars, emergency plans and protocols for security breaches,
and having a clear line of communication to implement company-wide
solutions at the first sign of suspicious activity. Effective security
communication may save you a fortune.

7. Explain the potential security threats your website faces

Your CEO needs a solid understanding of the biggest threats facing online
businesses. It’s one thing to know about the risk of DDoS attack, but it’s
entirely different to understand the threat it represents in real life and
what it could do to your business.

As well as identifying the attacks that could be leveled against your site,
it is also useful to be aware of particularly attractive hacking targets in
your website, which could be video files, financial records, customer
contact information, or just your own connectivity resources.

8. Present suitable solutions for your CEO

Not all solutions are equal, and a high price doesn’t necessarily mean the
best protection. The needs of a powerful corporation and the smallest
startup SMB are very different.

In narrowing down the options to present to your CEO, it’s important to
consider price, obviously, but also what specific features you’re getting
for that price and what is most appropriate to propose. There is a large
market full of affordable web application security solutions, and many of
them offer free trials and limited option plans, or charge you based on
website traffic rather than access to protection features.

9. Introduce the advantages of a security solution

No security system is 100 percent impregnable, but what they offer beyond
protection is control. Control over your website, control over visitor
access.

A good website security solution should include tools allowing you to
analyze visitor activity, locate suspicious IPs, and filter out bad traffic
while avoiding false positives that could turn away legitimate customers.
Having all these controls doesn’t hermetically seal you against all threats,
but at least they level the playing field and help increase your awareness.