Remember that the ultimate goal of an APT is to steal or destroy an enterprise's most critical assets: intellectual property, trade secrets, and customer or business partner information. That means that when you're having an APT conversation with a C-level executive, you should frame it in terms that make sense to that stakeholder, rather than repeat the technical threat conversation you'd have with a security practitioner.
For a CEO or CMO, a good place to to start is company reputation. If critical assets are compromised by an APT, it could mean ruining that reputation and damaging relationships with key customers. For a CFO, it could mean a financial model of risk assessment -- CFOs respond best to cold facts and hard numbers about the true value of security. And no CIO or CISO wants to be the hand on the tiller when an APT knocks out critical infrastructure.
Each conversation with the C-suite is a different one, but each is important to how well your company protects itself against APTs. The long-term threat posed by an APT means executives have to think of security as strategic to the organization. That's a much bigger shift in thinking than simply buying a new security product.
-- Wade Williamson, Sr Security Analyst