
Dealing With Clients Who Don’t Get Cyber Security





No Target is Too Small

If you’re reading this article, the odds are that I don’t have to convince you. You’re probably already working in the tech industry. You’re likely dealing with a client or employer who doesn’t understand why their processes should be slowed down because you think it would be better cyber security. They don’t even know what cyber security really is. It’s a difficult situation, especially if the decision to take such measures is left to non-technical managers & owners.

The Cyber Security Black Hole

Whether you’re a consultant or an employee in a company’s IT department, few things are more frustrating than to have your security recommendations pushed aside by those who don’t understand them. Sometimes the implementation cost is too high. Other times, the slowdown to production is unacceptable to management. Even more infuriating is when those same managers, CEOs, & owners who shoot down your recommendations point the finger at you (or the IT department) when something gets exploited – especially if that exploit wouldn’t have happened had they listened in the first place. Unfortunately, these types of scenarios are frequently our own fault.




Cyber security professionals and other technical people are really good at knowing their jobs. Unfortunately, we also have a reputation for expecting everyone else to be more technical than their job requires. Getting through to these clients & managers requires 3 things:

  • Learning how to illustrate risk
  • Knowing the business you support
  • Building relationships with the company leaders

Learning How to Illustrate Risk – Know the Business You Support

CEOs, CFOs, owners, and other managers really only understand one thing: money. Their jobs are to make sure that the company makes money either for stockholders or internal stakeholders. To get through to them, it’s important for a consultant or cyber security expert to understand how the company works from a global perspective. Whether you like it or not, a good IT person actually has to learn more about their company than just the technology part. How’s the money made? What’s the effect if a system becomes unavailable? Who makes the decisions in different departments?




Knowing how the company works is critical to being able to adequately define the risk of not practicing good cyber security procedures. What parts of the operation rely on each system? Perhaps there are written procedures that don’t provide an alternative way to do a critical task in the absence of a working system. For many of us, this means stepping out of our comfort zones and exploring the work of our company or clients outside of just their IT environment.

Build Relationships

The IT guys are some of the only folks in a company who can suddenly find themselves in the office of a CEO without an appointment. Nobody turns away the IT support. Learn to take advantage of these times by asking real questions about the company. Ask managers & other leaders in the company questions like:

  • What are the challenges you’re facing lately?
  • How are company sales looking this year?
  • What area of production is your current bottleneck?
  • Where are you losing the most money?

Although some managers won’t be forthright with this type of information, anything you get can be a tool down the road. It gives you information that you can use to more adequately determine what really happens to the company if a certain function is lost. Sometimes this information isn’t even clear to managers until a cyber security specialist points it out.




It also lets the company leaders know that the person who pushes cyber security is actually interested in how the business works. That goes a long way to developing trust. Ultimately, that’s your goal: get company leaders to trust you enough that they’ll take your word for it when it comes to cyber security.

Putting it Together to Communicate to Non-Technical Leaders

Take a look at these two examples of the same proposition to a CEO to see the difference:

We need to institute a segregated network for all of our legacy systems to protect them from attacks from the Internet. We’ll need approximately 5 new layer 3 switches & configuration time to set them up. The total cost in additional labor and hardware is going to be about $22,000.

The above statement would likely not be received very well by a company CEO. All he hears is, “I wanna spend money for tech stuff.” From his perspective, everything is working right now. Why fix what isn’t broke?

We have 7 systems right now that are so old, they can easily be attacked from the Internet. There’s no way to patch them because the software manufacturer stopped supporting it years ago. Two of those systems are critical to production of the company’s main product. If those systems go down, it would cost $40,000 in lost production in the first day alone plus whatever customer confidence is lost in our delivery schedule as the company would fall behind to fill orders. We can protect them with a segregated network but the extra hardware and labor is going to cost about $22,000 to accomplish it correctly. There might be some ways to cut the cost a little, but with the amount of money at stake, it’s best that we just do it right from the start.

Now this statement (and I’ve used something very similar before) is more likely to get someone’s attention. But you can’t do it without knowing the business you support. Learning what goals are important to the decision makers & communicating to them how cyber security will help them achieve those goals is the key to getting them on board with your plans.

Understanding a Rejection

Finally, there may also be times where a manager or CEO still decides to just not take your recommendations into account even after you’ve done everything you can do to convince them. One of the things I’ve learned over the years is that once you know the business you support, sometimes it will actually make sense. Perhaps the cost of the solution is much higher than the loss that would result from an exploit or perhaps the company is planning a change that would make a vulnerable system obsolete anyway. If you do a good job of building those relationships, the leaders who reject your idea will give you good reasons for doing so and you’ll be able to sleep at night knowing you did your part.


Sharif Jameel

Owner/CEO at CGS Computers
Sharif Jameel is a business owner, IT professional, runner, & musician. His professional certifications include CASP, Sec+, Net+, MCSA, & ITIL and others. He's also the guitar player for the Baltimore-based cover band, Liquifaction.
  • Dealing With Clients Who Don’t Get Cyber Security - July 13, 2017
The post Dealing With Clients Who Don’t Get Cyber Security appeared first on CGS Computers.


