If you want senior executives to buy into cybersecurity, you need to prove the value cybersecurity brings to the core business. Read your organization’s annual reports, corporate governance documents, shareholder statements and the like. These documents will give you a better sense for what drives your organization and, in turn, what your executives are thinking about.

You’ll likely find that cybersecurity shows up in these documents but not around specific attacks, zero-days and APTs. You’ll see verbiage about material harm. You may see risk statements around maintaining effective cybersecurity controls, protecting confidentiality and privacy, and the need to safeguard sensitive data.

New ISACA and CMMI Institute research on cybersecurity culture is full of attention-grabbing perspectives and stats regarding the value of a strong cybersecurity culture, such as reduced cyber incidents, stronger customer trust and better brand reputation. This study made me think about how a cybersecurity culture is really created and what a cybersecurity team needs to be able to prove within its organization to earn the support and resources required for a cybersecurity culture.

In the study, 27 percent of respondents report that “a lack of senior executive buy-in or understanding” is one of the primary factors inhibiting a strong culture of cybersecurity.

Gaining that buy-in likely requires proving that the cybersecurity investments that are being made are addressing these overarching concerns in a measurable, quantitative and evidence-based way. By clearly illustrating what’s working, what’s not and what needs to be done to fix it with evidence, you’re showing leadership that you not only understand the business risks, but you know how to measure and communicate those risks effectively, so business decision-makers can act upon them. If you want their buy-in, give them the proof they need to understand and act.


29 percent of respondents indicate “a lack of funding” is one of the primary factors inhibiting a strong culture of cybersecurity.

Now we’re moving past theoretical buy-in. At some point, you actually need money to effect change. Third-party auditors, the board’s audit committee, etc., work closely with the finance team. Every dollar being spent on cybersecurity is a dollar not being spent on the core business. So, one of the jobs of audit, finance and the cybersecurity team is to make sure that the dollars being spent on cybersecurity are adequate and effective in providing value.

As mentioned earlier, these groups are looking for proof that the cybersecurity tools in place are adding enough value to mitigate an acceptable level of cyber risk. In short, they want proof that the money going into cybersecurity is actually producing value and that any additional money being requested is truly necessary for adequate protection.

If you want money, be able to validate the cybersecurity effectiveness of what you’ve got. Show leadership the proof. Clearly outline where the gaps are, and then you can make a business case for greater investment to close those gaps. Now a business decision can be made, considering all your evidence, along with all the other non-cybersecurity business requirement evidence from business units such as sales, finance and operations, to determine the best use of funds.


43 percent of respondents say that “executive champions who speak up for security” are a primary factor in empowering a culture of cybersecurity.

This championing enabler for cybersecurity should be a byproduct of providing the needed proof in the first two sections. As a business leader, if I believe in what you are doing because of the supplied evidence, and I’m willing to invest dollars because your measures are empiric, understandable and compelling, then I’m far more likely to champion your cybersecurity cause throughout the organization.

Executives want an appropriate level of protection. Too far beyond appropriate and that’s waste, and executives that waste aren’t executives for long. By arming executives with proof to champion your cybersecurity cause, you can gain an ally to work with the audit committees and risk committees. Focus on articulating the value of cybersecurity and the necessity for changes you’ve proven are required to ensure protection for the organization’s sensitive assets and data.

The two inhibitors and enabler I explored have something in common: they are directly impacted by decision-makers outside of the cybersecurity team. These decision-makers might include auditors, CFOs, CEOs, boards and other business leaders. Business leaders evaluate risk for a living – cyber risk is just one flavor of risk. When they are making decisions around cybersecurity such as where to invest, how much to invest and how to prioritize, business leaders want to be armed with evidence just like they do for other types of risk. They don’t want to base these decisions on a best guess regarding cybersecurity effectiveness. Business leaders need evidence-based metrics and quantifiable data. They want quantitative proof before they engage their time and organizational resources, regardless of how strong the qualitative argument might be.

It’s the cybersecurity team’s responsibility to provide the proof necessary for business leaders to make decisions that impact the culture of cybersecurity. From executive buy-in and funding to having champions speak on cybersecurity’s behalf, business leaders won’t engage without seeing evidence illustrating the value cybersecurity is bringing and the effectiveness of dollars spent on cybersecurity tools and resources.

Prove cybersecurity effectiveness to obtain the resources needed to create a culture of cybersecurity. By proving cybersecurity effectiveness, cybersecurity becomes strategic to the business and will in turn benefit the core business in areas like reducing cyber incidents, building stronger customer trust and safeguarding brand reputation.