You know the resources and commitment required for a successful cybersecurity program. But your company’s leaders might not. Communicating what they need to know calls for both art and science. Arm yourself with data, common language and a pitch that shows that your goals align with theirs too.
Cybersecurity attacks and breaches are becoming more frightening each day. A majority of breaches, according to Boston Consulting Group, can be traced back to human error, while 23 percent result from inadequate security technology. When you think about it, it makes complete sense – cybersecurity should be more about people and less about technology. After all, it’s people that deal with emails, data, software and devices. And humans will always be vulnerable to cyber-attacks that leverage deceit and deception.
Most phishing scams rely on a blend of deception and truth. They are usually based on the sender pretending they are someone they’re not, asking for something they don’t need, sent to someone they don’t know. Add in spear phishing and some of the “truths” begin to rear up – seemingly legitimate requests being appropriately made of the right person within an organization. Add in business email compromise (BEC) attacks and you might even see the “truth” of the phishing email coming from the sender’s actual email account.
The good news is that security leaders seem to recognize this problem and that’s why security awareness training is a top priority for 2022. Having said that, security training is so wrapped up in corporate culture that — without executive support — it is doomed to fail. Not only are you asking for more budget, but you’re asking for an even more valuable resource: employees’ attention, time and commitment.
Below are recommendations to capture executive attention and garner support.
1) Focus on What’s in It for Them
Output of security awareness training is one thing that’s going to matter to leaders. One can either focus on a positive angle, a negative angle or both. For example, one can talk about avoiding pain – data doesn’t get exposed, personnel don’t get compromised, the company avoids embarrassment and reputational damage. Humans tend to respond to loss aversion, so that’s one tool that can always be leveraged.
On the flip side, there are many positive aspects one can talk confidently about. For example, increased resilience to cyber-attacks which, in turn, creates a far more stable and productive environment. The more you tie security training to the business goals and objectives of an executive, the better chances you have at securing their support.
2) Outline Clear Connections
Always be on the lookout for ways to align your program to your organization’s initiatives, strategy and overall vision. For example, you can tie training to compliance, audit and regulatory requirements. (Most regulations mandate training.) You can use current events and stories, especially ones that relate to your business, industry or organization with similar demographics. Don’t be afraid to dip in a bit of negative emotion or negative consequences. Don’t, however, do so in a way that makes you sound like an alarmist or fear monger. Map your program to industry best practices like the NIST Cybersecurity Framework or the five core principles highlighted by the National Association of Corporate Directors (NACD) on cyber risk oversight. Highlight areas where you fall short.
3) Leverage Metrics Where Possible
One of the ideal ways of communicating with leadership is using metrics. You want to highlight that you are methodical about your approach and that you are not somehow shooting from the hip. You are more likely to secure time, budget and resources from leadership teams if you show intentional thought rather than random actions that can make leaders less confident about your strategy. Start by presenting the current level of security awareness, your ideal benchmark and the plan and timeline you have in place to get there. There are a number of goal-setting frameworks to use for composing your overall message. Goals should be exciting, relevant, specific and meaningful to the organization. For example, you can reduce Phish-Prone Percentage in employees by X percent or improve performance in simulation exercises – which indicates that employees are more engaged and aware of the risks and threats around them.
4) Use Analogies
Find analogies you can use when talking about your program and the commitment that’s going to be needed. Be a storyteller. Executive teams need to understand that this isn’t something that can be installed like a firewall or some other system where you load up, configure and just let run. This is an ongoing management of a human security issue. The reason people retire financially secure isn’t because they win the lottery at the end of their life – it’s because of something like the magic of compound interest. Similarly, talk about time and consistency and the impact they can make in a security program. Culture isn’t formed overnight, it takes strategy, investment, and consistency that will pay-off in the long run.
5) Do Your Homework
For each executive you need a buy-in from, you need a bit of research around what that person values, what that person’s department values, the things that they would be concerned about when it comes to the way you might deliver training and so on. You want to have thought through as much of that as possible so that you can adopt their own nomenclature. Pitch your program in a way that addresses their objections proactively instead of raising them. Ultimately, if you know what their concerns are, you can start building your defense against that or you can start to continue to come back to them until it’s resolved.
Remember, executive teams are people too. The better you communicate your objectives, and the better understanding you have of their needs and the organization’s welfare, the better your chances are at winning executive support for your security awareness training.