Imagine a scene familiar to every IT professional: you are standing in front of the board of directors. You have five minutes to explain why the company needs a significant budget for “something” whose best possible outcome is that nothing happens. For years, the struggle for cyber security funding resembled a Sisyphean task. That struggle is now coming to an end.
The arrival of new pan-European rules, the Digital Operational Resilience Act (DORA) and the NIS2 directive, is not another technical innovation that can be ignored. It is a powerful business argument that permanently moves the security discussion from the server room into the boardroom.
They give IT professionals the language and tools to finally reach C-level awareness. It is no longer a conversation about technology; it is a conversation about the survival and future of the business.
New rules of the game
Until now, many decisions on cyber security could be postponed. Security is no longer a request; it is a firm legal obligation. DORA, which applies to financial entities and their critical ICT third-party providers, and NIS2, which extends requirements to essential and important entities across key sectors of the economy, introduce fundamental changes.
Above all, both texts place responsibility for cyber risk management squarely on the management body: executives must approve and oversee the security measures and can be held personally liable for failing to do so, an argument that reliably gets attention. Moreover, the aim of the rules is not only to prevent attacks but to ensure that the business keeps operating through a major incident.
The biggest change, however, is in the approach to partners. Securing only your own company is today like installing a titanium door in a house with paper walls. Both DORA and NIS2 make it clear: you are only as secure as your weakest supplier.
It is in the supply chain that today’s biggest, often invisible risks lurk, which management must understand and manage.
How do you translate technical language into benefit language?
The key to success is to abandon technical jargon in favour of language that every board member understands: the language of risk, money and strategy.
The first step is to change perspective and talk about risk, not technology. Management does not need to know the difference between EDR and XDR. It needs to understand which business risks it is accepting by not investing in modern tools.
Rather than asking for a ‘sophisticated log correlation system’, present a business scenario: “If our key supplier is breached, we will learn about the leak of our customers’ data from the media. That means reputational damage and fines running into millions. We need a tool that gives us early warning.”
Secondly, use the language of money, not percentages. Replace abstract concepts such as ‘uptime’ with concrete financial losses. Instead of talking about ensuring server availability of 99.99%, ask: “Every hour our sales platform is down costs £50,000 in revenue. DORA requires us to have a tested business continuity and recovery plan. How much loss can we afford before we react?”
Thirdly, discuss real threats, not hypothetical possibilities. With threat intelligence, it is no longer necessary to rely on assumptions. Instead of warning of a “theoretical phishing risk”, present hard data: “Our threat intelligence shows that a group specialising in attacks on companies in our industry is currently extremely active. Last month they attacked our main competitor. It is not a question of ‘if’, but ‘when’ they will try it on us.”
Action plan in 3 steps
Theory is important, but action is what counts. Instead of presenting the board with a problem, come with a plan ready to go. An effective approach starts with preparing a ‘risk map’. On it, identify the three to five key suppliers without whom the company cannot function, and briefly describe how the failure of each one affects finances and operations. For financial entities this map also serves a compliance purpose, since DORA requires a maintained register of ICT third-party arrangements.
The next step is to create an ‘argument sheet’ for each identified risk. This should be a one-page summary in business language, explaining the problem, its financial implications and the proposed solution along with the cost.
Finally, rather than asking for a general budget increase, propose specific, measurable targets, such as completing a security assessment of every supplier on the risk map by the end of the quarter and having contractual security requirements in place for each of them. Targets of this kind can be verified; a promised percentage reduction in ‘operational risk’ usually cannot.
A great opportunity
DORA and NIS2 are not just another problem to be solved. They are a unique opportunity: a moment when IT professionals, armed with hard business arguments, can finally take the strategic seat at the table they deserve.
The doors to the boardroom are now open wider than ever before. Don’t wait for someone to invite you in. Prepare your arguments, speak the language of business and lead your company towards true cyber resilience.