CISO: How to motivate investments in information security

Written by
Maria Svanberg

There is no doubt that cyber threats of various kinds will increase in the future. Per Gustavsson, CISO at Stratsys, is convinced that all companies and organizations will be affected sooner or later. Increased investments in time and money will be required. If the company management isn't already on board, now is the time to gather compelling arguments.

Upcoming regulations and legal requirements

The need for stronger security legislation has grown in recent years, leading to new regulations. The Security Protection Act must be followed by all companies engaged in security-sensitive operations. The NIS (Network and Information Security) directive came into effect in 2018 and concerns cybersecurity in the EU on a global level, aiming to promote security measures and ensure that EU member states protect critical infrastructure. In 2020, new EU guidelines on cybersecurity for banks were implemented, and in 2023, DORA (Digital Operational Resilience Act) was introduced to strengthen the financial sector's digital operational resilience.

Thanks to the General Data Protection Regulation (GDPR), information security and data protection became issues that needed to be addressed higher up in the organization. What forced companies to act was the presence of fines.

- I believe that management will 'chase' their organization in the same way as with GDPR. Regulatory authorities will impose significant fines for both NIS2 and DORA, but with a big difference; the panic many felt with GDPR is now easier to manage as most organizations have a structure in place, says Per Gustavsson.

A systematic approach to information security

There is generally a better understanding of the importance of information security today, argues Per Gustavsson. However, it can still be challenging for you as a CISO to convince the board or management team to prioritize the necessary investments.

A strong argument for investing in information security is that your customers place increasing importance on security today, and that it will only become more critical in the future. Fundamental to good preparedness is having a well-functioning systematic approach to information security, which usually includes certification according to ISO 27001.

With an ISO certification, you have clear incentives for the company's product to be safe, and information security is prioritized. Your company will thus stand stronger against potential competitors who are not certified. If you have important intellectual property rights, such as source code, drawings, chemical formulas, or anything else valuable, you want to protect them.

- Companies investing in information security should be as natural as a private person investing in home insurance, says Per Gustavsson.

Protect that which is business critical

In an organization where a CIO is responsible for IT systems, security, etc., they need to balance many different priorities. To effectively sell investments in information security to a CIO, you need to highlight how these can not only improve security but also contribute to the company's overall goals and strategies.

Present your arguments in a detailed cost analysis, starting from your turnover and what it would cost you to stand still. If you cannot deliver your service repeatedly, how big a loss of customers would you see? Weigh investments against the risk of loss. Say you are exposed to a cyberattack that causes you to lose two million a year. If the investment in a new security system that analyzes threats is more expensive than the loss, the investment is not profitable. Then, a cheaper alternative should be prioritized with other processes and systems.

Information security may seem expensive in the short term (and as something that only costs a lot of money and provides little value). Still, it's important to note that it often leads to significant long-term savings. The investments needed depend on the type of operation conducted, but protecting what’s business-critical must be central. SaaS companies developing software need to protect their cloud service and its development. Architectural firms need to protect their drafting office and what they create. The company may need to hire staff, bring in consultants, and invest in technical equipment, penetration tests, or software. The challenge is not justifying an investment but identifying the right investment based on the critical business.

“Culture beats process every time”

However, don't think the company is safe just because you've invested in a groundbreaking security system. The question is not if something will happen but when. All companies will be exposed at some point; you may even have been affected already without noticing. How well the organisation handles crisis situations determines how severe the damage will be. So, besides having a systematic approach to information security, a dedicated CISO, and appropriate systems, it's about the culture and the people in the organization.

- Culture beats process every time. That is, if you have a strong corporate culture, you can trust that everyone does their job and knows how to act in different security issues. With the right strategies in place and a transparent, open culture, an employee who has done something wrong will call me directly, which is exactly what I want, says Per Gustavsson.

Discover Stratsys solution for Information Security & Privacy

Investing in information security is not just about compliance and avoiding fines; it's about protecting what's critical to your business and its future. Explore how Stratsys can help strengthen your organization's digital resilience and ensure compliance with the latest regulations. Visit our product page for more information.