How do you get main board buy-in for your Cyber Security Policy: Three "easy" steps

I recently blogged on the value of using fairy tales to help educate children on Internet Safety. I have also promised to publish my script on why cybersecurity should be part of Marketing Strategy, not “just” regulatory compliance or information security. Most cases for cybersecurity budgets are based on myth and legend and no longer reach the main board because they are seen as irrelevant to the threats currently facing the organisation.

Putting the issues in a marketing context (getting more customers to deal on-line with you and not your competitors) will help, but you also need to demonstrate that you really do understand what is entailed if you are to get a hearing, let alone a favourable hearing, from the main board. There is a way – but it is high risk because it invokes the second of the ancient Chinese curses:

Not just: “May you live in interesting times”

But also the far more serious curse of: “May you come to the attention of important people” – because you will do so … !

It also leads to the deadliest of them: “May you get what you ask for” – because then you will have to deliver on the expectations that you have created.

The first and most important step is the most difficult.

Offer to secure the most sensitive data in the entire organisation: that on the personal systems used by the Chief Executive’s Personal Assistant (including those used for private purposes, because coming in via friends and family is now one of the most common routes for spear-phishing). If she (it is usually a she) baulks, offer to secure the personal systems of whichever of the personal assistants to the Board she and her peers volunteer.

Once you have succeeded (to the extent that the PAs to the other board members believe you have succeeded and want the same for themselves), you are ready for the second step – which is to secure their systems, and those of the non-execs (possibly trickier, but essential).

The third step is to organise awaydays for Directors and their children and grandchildren on personal internet safety, using a variation on the Childnet Lunch and Learn programme. It does not really matter how many of the Board actually attend themselves; they will hear about the results. Now you are ready to secure the systems of the board members themselves, knowing that they are now likely to follow the spirit, not just the letter, of good personal internet safety policy.

You are also ready to get clearance to roll the personal internet safety programme (and associated information security practice) out to ALL staff and contractors, as a core part of a corporate cyber (and information) security strategy that is both credible and likely to be effective – because it really does have buy-in from the top down.

Those with experience of the practice, as well as the theory, of how organisations function will have appreciated that steps 1) and 2) will entail a rather more robust audit of the organisation's information security processes than any outside consultancy is likely to undertake. Moreover, the approach will be different (albeit complementary) – as you drill down into the ways by which your normal controls can be bypassed given a breach at the top (as well as the practicalities of securing the systems of those who think they are different and know better – like main board directors or teenagers).

Once you have delivered step 3) your troubles really begin. You will now have to deliver against the expectations that you have created, given the humans you have (or can acquire and train) and the technologies that it is legal for you to use. But at least you are likely to have the budgets and the top level engagement that everyone says they want – without appreciating the consequences.