carbonite logo

Commonly searched topics:

backupcloud backupaccount sign in

Article · Aug 22, 2018

How to talk to management about IT security

Color illustration of an information technology manager holding mobile devices.

These days, ransomware attacks and data breaches are in the news so often, you’d think IT security would be an easy sell to C-level execs. However, many continue to balk at IT spending—especially on technology that doesn’t have a direct impact on driving revenue. So, data protection is often perceived in the same way that insurance is. It’s required, it’s important, but you may never need it. As a result, many execs consider it an unfortunate cost of doing business.

If you are serious about hardening IT security, you’ll need to change that perception. To get buy-in from management, you need to demonstrate the value an effective data protection strategy can deliver. One way you can do this is to change the focus of the conversation from data loss to business downtime

Data loss is kind of a nebulous expression when you think about it. On one hand, it could mean losing a few Word docs. On the other, it might be an entire database, server or data center. Restoring a couple files is relatively painless. Restoring an entire server? Well, that’s a completely different story.

As an IT professional, you understand the difference between these two scenarios all too well—restore time. However, it is unlikely that your organization’s management grasps exactly how long it takes to restore a large database. They probably also don’t realize that business operations may be offline until the restore is complete. Especially if you are relying on an older backup solution.

Here are three important discussion points to help frame the conversation:

1. Downtime equals revenue loss. Ask execs how much revenue the business generates per hour or per day. Then, multiply that by the length of time it would take to restore business operations using your current backup solution. That’s potential revenue lost, and chances are, it’s a large number.

In other words, speak their language. C-level executives probably don’t care about real-time replication, but they do care about the health of the business. And, they know that every hour counts when it comes to meeting financial goals. Be certain management understands that cyberattacks often lead to extended downtime—which directly translates to lost revenue.

2. Ransomware is a great topic to illustrate the impact of downtime for a couple of reasons. First, as noted above, its constantly in the news. So, execs are undoubtedly familiar with the threat. 

Second, ransomware creates business downtime by design. The malware encrypts files, denying users access and demanding ransom. And, most strains are designed to spread across networks, encrypting data on desktops, laptops and servers as it goes. If left unchecked, ransomware can easily halt business operations for an extended period.

Finally, ransomware is a growing threat. According to recent research from IT research firm Cybersecurity Ventures, business ransomware attacks will occur every 14 seconds by end of 2019.

3. Anti-virus alone is not enough. Anti-virus is obviously an essential piece of your IT security strategy. It is your first line of defense, detecting and stopping cyberattacks before they can do any damage. However, anti-virus alone is not enough. Why? Because, ransomware, and other forms of malware, are constantly being updated to evade detection by anti-virus software. 

That’s where backup comes in. Modern backup solutions allow users to rapidly restore data to a clean state with minimal data loss. This is your second layer of defense, allowing you to quickly resume normal operations and avoid costly business downtime.

It’s all about the value prop

So, when you pitch IT security improvements to management, focus the discussion on business value rather than technology. A strong data protection strategy:

  • prevents revenue loss due to business downtime
  • prevents hidden costs of downtime, such as loss of customer confidence and churn.
  • allows your business to generate revenue while competitors are offline (competitive advantage)

This is the stuff that matters to executives. Focusing on what they care about goes a long way towards getting approval for IT security spending.


Andrew Burton

Andrew Burton is a Senior Writer on the Corporate Marketing team at Carbonite. He blogs about Carbonite happenings and IT industry trends.

Related content