After writing “Cybersecurity Baseline: Is it worth it as an MSP?” I found that there was much more to discuss regarding the steps taken to implement a Cybersecurity Baseline and wanted to dive a little deeper into the conversation. In this post I will be focusing on the first step: leadership buy-in. This is by far the most important step in the whole process, for many different reasons that we will touch on in the following sections. Let’s start by identifying what leadership buy-in is.
What is Leadership Buy-In?
Leadership buy-in can simply be defined as getting support/approval from leadership. There is much more to it than that, of course, but when talking about the Baseline, it means getting your Senior Leaders to believe in the process and support you with whatever is needed to get it done. That can be something as simple as the time needed to develop the Baseline or as high level as driving its importance throughout the company. Next, we will discuss the reasons why leadership buy-in is important.
Why is Leadership Buy-In Important?
As I stated in the introduction, this is by far the most important step in the entire process. The main reasons for this are Approval and Legitimacy. Getting approval may seem obvious since you need approval to make or implement any business changes. However, getting approval also means that you have talked with Leadership, pitched your idea to them, and they “Approve” or “Commit” to the process. This is huge since it means Leaders value the process enough to give up one of their most valued resources: TIME. You will need an ample amount of time to plan, design, test and implement the process. The other reason, Legitimacy, is important because it shows the company that the Leaders see value in this and signals that everyone should take it seriously. Now, how do you get Leadership to Buy-In?
How to Obtain Leadership Buy-In?
In essence, you need to “sell” it to them. You must understand what is important to the Leadership Team, specifically the final decision maker, and develop the Baseline around that. An example would be a business owner’s fear of getting hacked. You would then tailor how you present the Baseline and show how it can minimize the risks. You will also need to anticipate the owner’s questions and attempt to have answers ready for them. This is not always easy because risks are constantly changing, and you may not have direct communication with the person you are “selling” the Baseline to. If you don’t have direct communication and you are not sure how to tailor your presentation, always focus on how it can improve the business and help protect the bottom line. In the next blog, we will discuss Step 2: Picking a Cybersecurity Framework.