{"id":2674,"date":"2025-11-12T11:01:47","date_gmt":"2025-11-12T11:01:47","guid":{"rendered":"https:\/\/amtivo.com\/uk\/standards\/uncategorized\/untagged\/how-to-talk-to-boards-about-cybersecurity-investment\/"},"modified":"2025-12-15T16:18:05","modified_gmt":"2025-12-15T16:18:05","slug":"how-to-talk-to-boards-about-cybersecurity-investment","status":"publish","type":"standard-post-filter","link":"https:\/\/amtivo.com\/uk\/standards\/cyber-essentials\/insights\/how-to-talk-to-boards-about-cybersecurity-investment\/","title":{"rendered":"Boards and Cyber Security – How to Talk About Investment"},"content":{"rendered":"

It\u2019s a common misconception that stopping cyber attacks just means hiring security experts and buying the latest technology. The reality is, most organisations only realise this isn\u2019t enough after they\u2019ve been attacked. Suddenly, cyber security becomes the board\u2019s top priority.<\/strong><\/p>\r\n

Boards often don\u2019t want to spend money on cyber security until something goes wrong. Usually, they don\u2019t see how much damage a cyber attack can cause. Or, nobody has explained the risks to them in a way they understand.<\/p>\r\n

 <\/p>\r\n

Bridging the Gap<\/h2>\r\n

Given how dramatically the risk of cyber attack has risen over the last decade, this is no surprise. Even experienced security professionals have been caught out by the surge in disruptive cyber crime.<\/p>\r\n

What matters is bridging the gap with boards by arguing the case for investment using terms of reference they can process. In large organisations, this falls to roles such as CISOs, CTOs or CIOs, while in smaller organisations, it\u2019ll often be the head of IT or a similar role.<\/p>\r\n

Although some of the language will be different between these environments, the principles remain the same.<\/p>\r\n

Read: How CISO became the most important job in cyber security<\/a><\/p>\r\n

 <\/p>\r\n

Use Simple Language<\/h2>\r\n

Board members are appointed for their business experience and background rather than cyber security or IT knowledge. Their knowledge of cyber security issues will often come from reading about incidents in the media that focus on the impact and damage. The first step is to develop a common language to discuss the issue.<\/p>\r\n

Technical arguments and jargon don\u2019t <\/em>cut it. It\u2019s better to explain an organisation\u2019s security as a series of protections around layers, for example, users, data, devices, applications, the network, and cloud assets. Highlight advancements such as passwordless authentication and AI-driven threat detection, which have become key.<\/p>\r\n

The message is that cyber attacks attempt to breach multiple layers at once, which is why each must be defended on a 24\u00d77 basis using specific policies and technologies.<\/em><\/p>\r\n

 <\/p>\r\n

Boards Understand Risk<\/h2>\r\n

Using threats like ransomware to justify spending can be tricky and often leads to confusion. It is better to describe risk by outlining the vulnerable elements of the organisation\u2019s infrastructure and how each might be better secured. For example, a common threat technique is to attempt to steal credentials using phishing \u2013 a type of cyber attack in which fraudsters impersonate legitimate organisations or individuals to deceive people into disclosing sensitive information such as passwords or personal data. This is a simple tactic whose outcome can be severe.<\/p>\r\n

This can be countered through investment in user training, but also email filtering and authentication. It\u2019s not how these work that matters, but how they prevent a given outcome.<\/p>\r\n

It\u2019s also important to talk about policies, for example, the adoption of principles such as zero trust \u2013 a security approach where no one is trusted by default, and every user or device must be verified every time they try to access resources. Zero trust doesn\u2019t mandate which technologies must be deployed but outlines a trust architecture that must be applied consistently to achieve its objective.<\/p>\r\n

Here are just a few examples of organisations, across various sectors, affected by cyber security incidents, demonstrating the need for robust security measures:<\/p>\r\n