Pitching security projects or investments to an unwilling board or executive can be a regular challenge for CISOs.
However, according to Seek's head of IT risk Andre Bertrand, there are three key strategies security chiefs should adopt when advocating a particular project.
Speaking to iTnews on the sidelines of the AISA national conference in Melbourne, Bertrand advised against focusing solely on risk.
"Coming from security, you often talk about risks around what happens in court. In companies [based] online that can be more apparent," Bertrand said.
Instead, he advocated emphasising the ways IT security projects can create value and revenue for businesses.
"Sometimes [in IT], things are tight. So it's about being honest with yourself, looking at what [different] kinds of information can provide, explaining it to the executives and saying 'here are the metrics I'm trying to align myself to'," Bertrand said.
"From an executive's point of view, they'll think 'here's a sales guy that has guaranteed, or pretty close to guaranteed, the revenue they're going to bring in' as opposed to 'here's a risk around something that may or may not happen'.
"It's really about understanding what your business does and its pain points, and then trying to align yourself to those things. But I make no bones about it, it's not easy and it's not an exact science."
Security as value add-on
Bertrand's first tip is to look at how security is built into core services and how that can generate revenue.
"Think about your products and security. From my perspective, security itself is starting to become billable, and increasingly it's something that customers want enough they're willing to pay for it, and companies looking for more scope can look at the revenue they can generate from that," Bertrand said.
He also advised other security leads to think about how departments across the organisation can reuse security capabilities for their own ends.
"There's a couple of key points around using the visibility you have, using the capability you have, and the potential of making it available to other departments," he said.
"Can other people use that? Potentially. [You need to] look at it from the outside in, and think about how I would use the data or the commercial capability."
His third piece of advice, for companies looking at extending their marketing through digital channels, is to examine how security can be a selling point.
"A lot of companies haven't been in that space before and now they're aggressively trying to pursue it in the background, using processes they've developed and matured internally," Bertrand said.
"[But they're] using the same sorts of distribution and communication methods that exist today. The internet's not like that."
Stress to your business that security allows an organisation to layer controls over digital marketing channels so it can achieve its KPIs, Bertrand said.
"If you're looking at a web analytics perspective, say you have a whole bunch of bot behaviour that is not from a customer but is represented as a customer," Bertrand said.
"If that's just raw, you're potentially making a lot of product decisions based on data that is incorrect and isn't valid.
"If you can align yourself to cost of sales or customer churn and make a demonstrable change to those, then you can add some real value back to the organisation."
Getting on board?
Bertrand said attitudes to cybersecurity appear to be changing at boardroom level.
"If you're looking at Australian boards, in the conversations I've been having, it's becoming something they can't ignore," Bertrand said.
"Over time you have more people who know the risks and how to treat them."
However, he noted that attitude was dependent on the type of industry the board's organisation operated in.
"In some places, like our site, we're already there. They get it and they feel the pain directly," Bertrand said.
"For other types of organisations, such as engineering organisations, certainly it's a harder sell. And that's still an education process. But I think it won't take as much time as perhaps we've been looking at.
"It's down to your customer segment and what they're demanding. If you've got a heavily regulated customer then that's going to be an easier sell because you're helping them deal with those regulatory pain points."
"There's lots of organisations that are now so heavily reliant on how well they can innovate in the digital space or IT, and the efficiencies they can gain, so it might happen by stealth in a lot of regards."