How to Present the Value of Information Security to Management

Cyber security has always been an unsought good, like insurance: it is useful only when something bad happens. It has always been challenging for security leaders to communicate the value of cybersecurity investments to the board and to their peers. Furthermore, everyone in an organization has their own perspective on cyber security. That is partly why security professionals find it difficult to convince management to approve a budget.

The value of cybersecurity should be crystal clear to life sciences and health care boards and leadership. Cybersecurity attacks and data breaches seem to be in the headlines almost daily, and sobering statistics are everywhere.

Security leaders are faced with placing a value on things that haven’t even happened, like data breaches, service disruptions and loss of customers. They need to justify security investment and acquire budget to protect organizations from the growing list of threats that could impact the future of the business.

Then there’s the problem of speaking a different language. Cybersecurity metrics are often communicated in complex, technical language that is difficult for the CEO or other business functions to understand. But translating cyber risk into business risk has never been more important, as many organizations face significant budget cuts amid COVID-19.

A comprehensive cybersecurity program is a business-critical function. With three tips, CIOs and CISOs can better communicate cybersecurity ROI by stressing why these programs are a must-have for their organizations, demonstrating the business value of security solutions and building a strong security culture.

Cybersecurity should not be treated as a siloed department, but rather as an integrated part of overall business functions. One way to communicate the far-reaching value of a cybersecurity strategy is to walk leadership through the consequences of a data breach (loss of customers, data, revenue, intellectual property and more), because these consequences directly affect a business's bottom line. Connecting the dots in this way helps non-IT executives acknowledge the importance of strong security practices.

Create a Positive Security Culture

Engaging the whole organization to help them understand the value of a cybersecurity program is not easy. Technical risks are often difficult to translate across departments. Meanwhile, policies and procedures that ensure good security habits can be seen as an impediment to employee productivity.

This is why a positive security culture is so important. By using techniques like gamification, positive reinforcement, or interactive content like videos and podcasts to promote security practices, CISOs can engage fellow employees and get more buy-in from executives. These strategies help everyone, regardless of department or level of seniority, understand the risks and responsibilities regarding security and how each employee plays a crucial role.

One major benefit of a positive security culture is that it creates in-house evangelists who can demonstrate the value of cybersecurity. It will also empower security-aware employees to become the organization’s greatest cybersecurity asset. Simple human error causes the majority of security breaches. Getting employees invested in security contributes to overall data protection and cybersecurity objectives.

Ultimately, communicating the value of cybersecurity depends on translating cyber risk into business risk, and making security a guiding principle for your larger organization. With risks and challenges related to remote working becoming the new normal for many organizations, it’s critical that IT leaders engage all employees in shared cybersecurity awareness.

The situation is changing, as boards and management increasingly understand the importance of security. Now it is the security leader's responsibility to communicate the importance of cyber security effectively. This has become especially important during the pandemic, when the risk of cyber breaches is high and organizations are cutting costs to survive a slowdown in business.

Communicating the value (and necessity) of cybersecurity measures to your larger organization isn’t easy. Not only are technical risks hard to translate across departments, but policies and procedures can often be seen as a hindrance to employee productivity.

But, if you can engage with the larger organization and create a positive security culture, you’ll have a better chance of getting buy-in from C-level executives. How?

More and more, CISOs are relying on gamification, positive reinforcement, and interactive content like videos and podcasts to promote their strategies. Whatever the method or medium, the most important thing is that risks and responsibilities – which the entire organization bears the burden of – are communicated so that everyone, regardless of department or level of seniority, can understand.

The benefits of this are two-fold. Not only will you demonstrate the value of cybersecurity via in-house evangelists, but you’ll also empower security-aware employees to become your biggest cybersecurity asset.

Picture: Icon photo created by 8photo – www.freepik.es (https://www.freepik.es/fotos/icono)