Every IT professional knows it’s not enough to come up with an effective security strategy – you also have to convince your boss to sign off on it. This can be easier said than done. Sometimes otherwise very intelligent leaders just don’t seem to “get it” when it comes to the importance of cyber security. Whether you report to the Director of IT or the CEO, here are some quotes to get your boss to finally take IT security seriously.
When Your Boss Doesn’t Want to Spend the Money
“If you spend more time on coffee than on IT security, you will be hacked. What’s more, you deserve to be hacked.”
– Richard Clarke
White House Cybersecurity Advisor, 1992-2003
Nobody deserves to be hacked. That said, security is like everything else: you get what you pay for. Use this quote as a reminder for your boss to put their money with their mouth is.
When Your Boss Thinks Security is “Just an IT Issue”
“Thinking of cybersecurity solely as an IT issue is like believing that a company’s entire workforce, from the CEO down, is just one big HR issue.”
– Steven Chabinsky
Global Chair of Data, Privacy & Cybersecurity at White & Case LLP
For people in the C-suite, it’s tempting to compartmentalize everything. But when security is reduced to just the IT department, it’s a major mistake. Every person at the company is a potential avenue for a security breach, and therefore everyone must be trained and all of their systems secured in order to have any chance at achieving true security.
When Your Boss Doesn’t Get the Stakes
“It takes 20 years to build a reputation and few minutes of cyber-incident to ruin it.”
– Stéphane Nappo
Global Chief Information Security Officer
Société Générale International Banking
Executives and founders have generally been putting in long hours to build their organization over the course of decades. This quote is powerful because it frames the risk of a cyber security incident in terms of those years of hard work.
When Your Boss Thinks There’s an “Easy Button”
“There’s no silver bullet solution with cyber security, a layered defense is the only viable defense.”
– James Scott
Institute for Critical Infrastructure Technology
Some bosses think that there should be a single tool or solution that automatically “takes care of the security thing.” But there is no silver bullet, no easy button, and no pre-packaged solution for security. True security can only be achieved with a broad collection of complementary tools and daily vigilance from both admins and users – in other words, a layered defense.
When Your Boss Isn’t Looking Long-Term
“One of the tests of leadership is the ability to recognize a problem before it becomes an emergency.”
– Arnold H. Glasow
Author & Businessman
Every boss has the desire to be a great leader and that means having great vision. The best leaders see where things are headed long before they arrive and “skate to where the puck is going to be” (credit to Wayne Gretzky). You can use the quote above to frame a proactive approach to security as a “test of leadership” that they’ll want to pass.
When Your Boss Says It’s Too Risky
“There are risks and costs to a program of action — but they are far less than the long range cost of comfortable inaction.”
– John F. Kennedy
35th President of the United States
Oddly enough, leaders will sometimes find the risk in a security measure. These supposed risks may have to do with wasted time, ill-spent money, and security fatigue. The JFK quote above acknowledges that there are inevitably risks in any action, but they are often worth it.
When Your Boss Thinks You’re Doing Too Much Already
“Security is always excessive until it’s not enough.”
– Robbie Sinclair
Head of Security, Country Energy, NSW Australia
Has your boss ever told you to just “relax” about a certain security threat? Have they bristled at your requests to institute security measures and regular trainings? This quote has an artful way of reminding bosses and users alike why you’re insistence on following security best practices may sometimes border on excessive. There’s a fine line between too much and not enough.
When Your Boss Needs a Wake-Up Call
“There was this absolutely horrible moment where I realized there was absolutely nothing at all that I could do.”
– Amy Pascal
Former CEO of Sony Pictures
This isn’t as much a great standalone quote as it is a window into what it feels like to be the CEO when a major cyber attack occurs. Imagine how Amy Pascal must have felt that morning in 2014 when she woke up and saw Sony Pictures on the news as the victim of a major breach. Fair or not, Pascal’s career would never be the same again – and the ‘former’ in front of her title is likely to speak volumes to your boss.
When Your Boss Thinks They’re Above The Law
“A business will have good security if its corporate culture is correct. That depends on one thing: tone at the top. There will be no grassroots effort to overwhelm corporate neglect.”
– William Malik
VP and Research Area Director for Information Security at Gartner
Good bosses know that their behavior trickles down to the rest of the employees at the company. They’re not just making executive decisions, but also modeling culture. But even though most leaders understand this concept, many see security as an exception. For instance, they’ll think that MFA shouldn’t need to be required on their laptop. When your boss thinks they don’t need to follow your security rules, use this quote to bring them too their senses.
When All Else Fails…
“The best way to get management excited about a disaster plan is to burn down the building across the street.”
– Dan Erwin
Security Officer, Dow Chemical Co.
OK, so obviously we’re not actually advocating for you to commit arson (and we’re pretty sure that Dan Erwin isn’t either). His point is valid though: there’s no better wake up call then a near-miss. Instead of causing a security incident at the building across the street, find an example of an organization similar to your own that has experienced a painful breach. Sharing that story with your boss will likely make an impact.
More IT Security Resources
We hope that you’ve found these quotes helpful – and we hope that they convince your boss to begin taking IT security seriously. But we also understand that a pithy quote isn’t going to do anything to help prevent a cyber attack.
For more practical instruction, we’ve compiled some insights from our security team into a guide called Security Training 101: Employee Education Essentials.
At JumpCloud®, we’re a company that lives and breathes security every day. Our customers entrust us to unify their identities and provision user access to all of their IT resources – from their laptops to their apps, files, and networks. So we must hold our practices, our protocols, our employees, and even our bosses to the highest standards of security.
You can learn more about JumpCloud and how our cloud-based directory helps organizations secure their IT infrastructure on our product page. JumpCloud’s security features include system policies, password complexity management, multi-factor authentication, full disk encryption, RADIUS networking, SSH key management, and more. If this sounds useful, request a demo.