Experian: How to Get Cybersecurity Buy-In from a Clueless C-Suite
Experian, the consumer credit company, recently released its data breach preparedness study, which found that nearly one-half (49 percent) of C-level executives are clueless about their company’s data breach plans. This statistic is doubly disheartening to CISOs who already fear losing their jobs after a data breach. The question is: What can CISOs, partners and MSSPs do to change this situation for the better for all concerned?
The report found a number of issues that may one day become reasons for a CISO’s head to roll, albeit often unfairly. Of the C-Level executives that Experian surveyed:
- Fifty-two percent rated their plans as very effective, slightly over the 49 percent that said so in 2017.
- Only 36 percent feel prepared to respond to a data breach involving business confidential information and intellectual property.
- More than half (59 percent) aren’t confident that they could handle ransomware, possibly signaling a loss of faith in their security staff or investments.
- Only 36 percent are complying with the EU’s General Data Protection Regulation (GDPR), despite the risk of heavy fines and penalties.
- Less than one-quarter (21 percent) feel confident in their ability to minimize the financial and reputational consequences of a data breach.
- Only four in 10 say they’re effective at preventing the loss of customers and keeping business partners’ trust and confidence after a breach.
- Fifty-three percent don’t have a cyber insurance policy that can help recoup expenses and cover damages.
Despite continued efforts to raise C-level executives’ awareness of threats and to get their buy-in on budgets, tools, training and breach response, CISOs’ words often fall on deaf ears. How to get through to them remains a difficult challenge.
Channel Futures’ MSSP Insider went beyond the survey to get Experian’s thoughts on closing the gap between security pros, CISOs, MSSPs, and C-Level executives. Here is what Michael Bruemmer, VP of data-breach resolution at Experian, had to say.
Channel Futures’ MSSP Insider: C-level executives have tuned out on security briefings for so long. How can security pros get them to engage now?
Michael Bruemmer: Invite senior executives from key departments that would be a part of an incident response such as human resources, public relations, customer relationship management and operations to participate in data-breach preparation review meetings and drills to enhance their knowledge in the category.
Those executives do understand the importance of protecting the company, customers and partners, so take the time to meet with them and update the executives on the latest preparations the company is considering and implementing. This will enable [them] to be proactive in planning instead of reactive to data breaches.
In addition, use that time to advance cybersecurity plans. By showcasing the next steps to the executive, you will be able to share your vision and gain their support for protecting the company’s reputation in the future. Creating a dialogue with senior executives about cybersecurity practices will enable you to discuss the company investing in the latest technologies to prevent and detect breaches.
CFMI: What are other impacts of developing a C-level cooperative strategy instead of delivering traditional security briefings?
MB: Companies that engage and educate C-suite executive see the benefits of …