How to Sell Max Cybersecurity to C-Suite: Virtualization Review

Written by ga_dahmani

Don’t Get Fired: How to Sell Max Cybersecurity to Senior Management

“No one is going to get fired for buying too much security in the current age.”

Those wise words come from IT consultant Dave Kawula, speaking at a recent presentation on hybrid cloud security.

But while you won’t get fired for buying too much security, you might get fired for not buying enough. Worse, you might be fired for not buying enough security even after recommending such a purchase to C-suite execs who turned you down for financial reasons. Then the company gets hit by a multi-million-dollar ransomware attack and the suits are looking for heads to roll, having completely forgotten that they turned down your request.

Guess what? Their heads won’t roll.

Look, there’s an art to dealing with the C-suite about security requests and quotes: You have to convince them and protect yourself in the process.

“Where you will be fired,” Kawula continued, “is where you had the opportunity to implement [max security] and chose not to, because of a cost, because when the business comes back to you they say, ‘Well, you really didn’t explain the threat well enough; if we had really known it was that serious, we would have pulled the trigger on that PO.’ Don’t get to that point.”

With that, he passed the presentation on to his partner, John O’Neill Sr., who is practiced in the art of C-suite negotiations to convince executives not to shoot themselves in their corporate feet, and asked for his input on the maximum level of protection one should provide to the infrastructure.

“I’m laughing a bit, because I don’t think there’s a maximum, right?” replied O’Neill Sr. “You have to do exactly what you said, and you have to layer and layer upon layer, and you have to articulate the risk. Because exactly what you described is exactly what I’ve seen happen over and over again. I’ve seen two people in IT, who I know, who went to their bosses and said, ‘Hey, you know, we have a risk here, we need to buy this.’ And, ‘No, we just don’t have the budget for that,’ or whatever. And then when the bad event happens, management forgets that discussion ever happened. And they describe it exactly as you did: ‘Well, you just didn’t articulate the risk well enough.’

Kawula, Managing Principal Consultant at TriCon Elite Consulting, and O’Neill Sr., Chief Technologist at AWS Solutions, shared their experience and wisdom gained over many years in the trenches of IT at a half-day online event recently hosted by Virtualization & Cloud Review titled “Hybrid Cloud Security Summit,” which is now available for viewing on demand.

C-level strategies
“So some of the strategies that I use when working with the C-level teams, the boards, is that I don’t just give them a summary or my opinion,” O’Neill Sr. continued. “I bring in insurance agents (our broker or our auditors) and say, ‘Hey, can you give me some examples of other clients where their cybersecurity insurance wasn’t renewed due to some event? An example of an audit that failed because the proper levels of protection weren’t put in place?’

“And I put those things out to CEOs and boards of directors. Not in long-worded descriptions, but basically like, ‘Hey, you know, if you look at this year, our actual insurance broker says they’ve processed claims for a billion dollars this year due to security events involving malware.’ And then I show them data where I say, ‘Okay, of the 100 events… about 15 percent of those companies never survived. They didn’t go back into business.’ Okay. And when you describe that kind of thing, and you do it succinctly, you get that C-level support that says, ‘No, we’re going to do this.’

“And actually, Dave, you know this, I’ve been pretty successful at this, where I get the C-level support that’s really needed to convince the lower level, the middle management level. So the department heads, those kinds of things, that say, ‘No, you’re not going to disrupt our production time, you’re not going to disrupt our shipping schedules,’ or whatever. It’s the C-level executives or the orders from the boards of directors that come down and say: ‘No, we’re going to do this.’ Or, as you described earlier, where we talk about isolating, analyzing and reacting, selling that to the C-suite is critical to being able to change the modality and the mindset of an organization as a whole.”

Difficult conversations: ‘You are not the best friend of many managers’
Kawula noted that IT security professionals need to have many other difficult conversations beyond the C-suite as they seek to navigate today’s ransomware- and malware-ridden cloud environments.

“Anyone who works in cybersecurity today knows that they are not the best friend of many managers within the organization,” Kawula said. “Because the unfortunate reality is that sometimes you need to make tough decisions. You need to lock down user accounts, you need to say, ‘No, this is the third time you’ve done this, you’re going to retrain before your account is reactivated.’ And if users aren’t going to abide by the kind of rules of engagement, sometimes, you know, those users find other workplaces, right?”

More Conversations: The Good Guy
Continuing on the subject of communications, the duo noted that one positive conversation that can bear fruit is with your Internet Service Provider, which is worth building a good relationship with before a cyberattack that, shall we say, causes you to need to quickly repopulate your data. O’Neill Sr. pointed out that in such data-transfer cases, speed is crucial.

“And that doesn’t mean you have to break the bank by buying more WAN speed,” he said. “If early in the process, when you have to fail over to the cloud, you contact your provider, tell them what’s going on, that you have an event, and ask them to help you, partner with you and temporarily allow you to increase your bandwidth, those kinds of conversations, they often will. And they will do it with little or no charge, because they want to have you as a long-term customer. And they know this is a one-time event. And it’s a real way for them to shine. Now, I’m going to tell you that if you call some national helpdesk where you’re going to get level 1 support for, say, a national cable provider or something like that, you’re probably not going to have much luck. with your connectivity providers’ account executives long before anything happens, so you know who to call, when and where. You’ll be ready to act.”

Kawula reiterated that advice in response to an audience member who asked for advice on negotiating with ISPs in an emergency. “It’s negotiating in advance,” he answered. “Have those conversations in advance. Don’t wait for the emergency, when you’re trying to locate someone. Have those negotiations in advance.”

And insurance companies
One last type of conversation a security professional might need to have is with insurance companies, which are cracking down on cyberattack policy rules and requirements, and that can be a truly horrible experience.

[Figure: A High-Level Cyber Insurance Policy Checklist]

This issue was reviewed in a discussion about testing backups.

“I want to point out that, because a lot of people don’t realize this, in this year 2022, we’re starting to see a lot more activity not just on cyber insurer requirements and external tax audit requirements, that sort of thing, but also in other areas,” said O’Neill Sr., noting that those other areas could be outside the traditional security perimeter in today’s hybrid cloud environments.
