9 highly effective ways to talk to your CEO about prioritizing website security

Online security threats are a rapidly growing menace. I know it, you know it, more than 37 million Ashley Madison users know it. So why is your CEO keeping the purse strings drawn tight? Your online business needs protection! Security often falls to the CIO, CTO, CISO, or even just an IT manager, and then everyone else might only pay attention when there’s a security breach.

Company websites are full of sensitive and valuable data. If you’re an IT professional responsible for your company’s website security, you need to take control of your online security as soon as possible, and you need the CEO on your side. Here are 9 highly effective ways to get your CEO’s attention about the importance of cybersecurity.

1. Speak the language of CEOs

If you’re a tech person, you probably know all about unsecured ports, cross-site scripting (XSS), and reversing the polarity of the neutron flow, but that’s not how CEOs talk. In order to convey the importance of cybersecurity, it’s up to you to explain complicated technical details in a comprehensible way to someone who’s more geared toward revenue and reputation. CEOs don’t have the time to listen to long drawn-out explanations. In other words, it’s up to you to explain website security issues and why it’s important as effectively as possible.

Any half-competent CEO probably has a pretty good idea of how important website security is, but disagreements rise when it comes to putting a number to that, which means taking away from other priorities such as marketing and promotion.

2. Emphasise the reputation damage caused by security failures

Security breaches can permanently tarnish a company’s reputation, or disrupt commerce, or initiate a devastating chain reaction of the two. The three are closely interconnected.

Once your website is hacked, its reputation is now at risk. Whether that’s due to being taken offline by DDoS attack, malware infection, or a devastating data dump exposing all your correspondence and customer information, people will lose faith in your business.

3. Explain that your company may be held liable for security breaches

If you ran an unsanitary restaurant and gave all of your customers food poisoning, you could be held legally responsible for that. Likewise, if online customers trust their data to your website and you don’t take appropriate steps to secure that data, shouldn’t you be held accountable for any breaches that occur?

Letting your customers down due to website security incompetence could make your company legally responsible for the damages. In the US, the Federal Trade Commission (FTC) has the authority to regulate and fine businesses that lose customer data to hackers through “unfair” or “deceptive” business practices. Or, your users could even sue you for negligence or breach of contract.

So if you fail to take care of your customers’ data, it’s on you. If the unthinkable happens (as it does daily), you should be able to say you tried everything.

4. Connect headline-grabbing security breaches with your situation

Every week, a new data breach or other catastrophic cybersecurity failure hits the headlines, and popular culture is taking increased notice of these online threats. Your CEO is probably already talking about Hillary Clinton’s email scandal, or wondering whether his Corvette is vulnerable to hackers.

Connecting your own company’s unique security needs with what’s going on in the headlines is a great way to reach higher-ups. It provides an opportunity to deepen understanding and give your own insider knowledge about mistakes made, techniques used, and the significance of security solutions that might have prevented these headline-grabbing breaches and how they could address issues directly affecting your own business.

5. Emphasise the point that all websites are vulnerable

The risk of talking about these prominent hacking examples is it might also backfire and make people feel invulnerable.

No, truthfully any website is prone to cyber threats. It’s inevitable that your site will be attacked. Despite the rise of hacktivism and state-sponsored cyberwarfare, most cyber attacks are impersonal and relatively unsophisticated. Anyone with a bit of sense and a lack of conscience can go online, hire a mercenary botnet, and take down your site or hold it for ransom. Why target you? Simply because your site had detectable vulnerabilities. By taking precautions, you can drive up the costs and the effort needed to outsmart your defenses, and that will discourage most attacks.

6. Foster a culture of cybersecurity communication

Cybersecurity is the responsibility of every employee, and they need a CEO who leads by example. A healthy cybersecurity culture is created through training and seminars, emergency plans and protocols for security breaches, and having a clear line of communication to implement company-wide solutions at the first sign of suspicious activity. Effective security communication may save you a fortune.

7. Explain the potential security threats your website faces

Your CEO needs a solid understanding of the biggest threats facing online businesses. It’s one thing to know about the risk of DDoS attack, but it’s entirely different to understand the threat it represents in real life and what it could do to your business.

As well as identifying the attacks that could be leveled against your site, it is also useful to be aware of particularly attractive hacking targets in your website, which could be video files, financial records, customer contact information, or just your own connectivity resources.

8. Present suitable solutions for your CEO

Not all solutions are equal, and a high price doesn’t necessarily mean the best protection. The needs of a powerful corporation and the smallest startup SMB are very different.

In narrowing down the options to present to your CEO, it’s important to consider price, obviously, but also what specific features you’re getting for that price and what is most appropriate to propose. There is a large market full of affordable web application security solutions, and many of them offer free trials and limited option plans, or charge you based on website traffic rather than access to protection features.

9. Introduce the advantages of a security solution

No security system is 100 percent impregnable, but what they offer beyond protection is control. Control over your website, control over visitor access.

A good website security solution should include tools allowing you to analyze visitor activity, locate suspicious IPs, and filter out bad traffic while avoiding false positives that could turn away legitimate customers. Having all these controls don’t hermetically seal you against all threats, but at least they level the playing field and help increase your awareness.