Sponsored

Gaining Executive Support for Your Security Awareness Training Program

A Little Common Language and Data Can Go a Long Way

by Perry Carpenter
February 7, 2022
in Cybersecurity

You know the resources and commitment required for a successful cybersecurity program. But your company’s leaders might not. Communicating what they need to know calls for both art and science. Arm yourself with data, common language and a pitch that shows that your goals align with theirs too. 

Cybersecurity attacks and breaches are becoming more frightening each day. A majority of breaches, according to Boston Consulting Group, can be traced back to human error, while 23 percent result from inadequate security technology. When you think about it, it makes complete sense – cybersecurity should be more about people and less about technology. After all, it’s people who deal with emails, data, software and devices. And humans will always be vulnerable to cyber-attacks that leverage deceit and deception.

Most phishing scams rely on a blend of deception and truth. They are usually based on the sender pretending to be someone they’re not, asking for something they don’t need, from someone they don’t know. Add in spear phishing and some of the “truths” begin to rear up – seemingly legitimate requests being appropriately made of the right person within an organization. Add in business email compromise (BEC) attacks and you might even see the “truth” of the phishing email coming from the sender’s actual email account.

The good news is that security leaders seem to recognize this problem and that’s why security awareness training is a top priority for 2022. Having said that, security training is so wrapped up in corporate culture that — without executive support — it is doomed to fail. Not only are you asking for more budget, but you’re asking for an even more valuable resource: employees’ attention, time and commitment. 

Below are recommendations to capture executive attention and garner support.

1) Focus on What’s in It for Them

The outcomes of security awareness training are what will matter to leaders. You can frame them positively, negatively or both. For example, you can talk about avoiding pain: data doesn’t get exposed, personnel don’t get compromised, and the company avoids embarrassment and reputational damage. Humans tend to respond to loss aversion, so that is one tool that can always be leveraged.

On the flip side, there are many positive aspects you can talk about confidently, for example increased resilience to cyber-attacks, which in turn creates a far more stable and productive environment. The more closely you tie security training to an executive’s business goals and objectives, the better your chances of securing their support.

2) Outline Clear Connections

Always be on the lookout for ways to align your program with your organization’s initiatives, strategy and overall vision. For example, you can tie training to compliance, audit and regulatory requirements. (Most regulations mandate training.) You can use current events and stories, especially ones that relate to your business, your industry or organizations with similar demographics. Don’t be afraid to mix in a bit of negative emotion or negative consequences, but don’t do so in a way that makes you sound like an alarmist or fear monger. Map your program to industry best practices like the NIST Cybersecurity Framework or the five core principles highlighted by the National Association of Corporate Directors (NACD) on cyber risk oversight. Highlight areas where you fall short.

3) Leverage Metrics Where Possible

One of the most effective ways of communicating with leadership is through metrics. You want to show that you are methodical in your approach and not shooting from the hip. You are more likely to secure time, budget and resources from leadership teams if you show intentional thought; random actions make leaders less confident in your strategy. Start by presenting the current level of security awareness, your target benchmark, and the plan and timeline you have in place to get there. There are a number of goal-setting frameworks you can use to compose your overall message. Goals should be exciting, relevant, specific and meaningful to the organization. For example, you can commit to reducing employees’ Phish-Prone Percentage by X percent or to improving performance in simulation exercises, which indicates that employees are more engaged and aware of the risks and threats around them.

4) Use Analogies

Find analogies you can use when talking about your program and the commitment that’s going to be needed. Be a storyteller. Executive teams need to understand that this isn’t something that can be installed like a firewall or some other system that you load, configure and then let run; it is the ongoing management of a human security issue. People don’t retire financially secure because they win the lottery at the end of their lives; they get there through something like the magic of compound interest. Similarly, talk about time and consistency and the impact they make in a security program. Culture isn’t formed overnight; it takes strategy, investment and consistency that will pay off in the long run.

5) Do Your Homework

For each executive whose buy-in you need, do a bit of research on what that person values, what their department values, and what would concern them about the way you might deliver training. Think through as much of that as possible so that you can adopt their own nomenclature. Pitch your program in a way that addresses their objections proactively instead of raising them. Ultimately, if you know their concerns, you can start addressing them and keep coming back to them until they are resolved.

Remember, executive teams are people too. The better you communicate your objectives, and the better understanding you have of their needs and the organization’s welfare, the better your chances are at winning executive support for your security awareness training.

About KnowBe4

KnowBe4, the provider of the world’s largest security awareness training and simulated phishing platform, is used by more than 41,000 organizations and more than 25 million users around the globe. Founded by IT and data security specialist Stu Sjouwerman, KnowBe4 helps organizations address the human element of security by raising awareness about ransomware, CEO fraud and other social engineering tactics through a new-school approach to awareness training on security. Kevin Mitnick, an internationally recognized cybersecurity specialist and KnowBe4’s Chief Hacking Officer, helped design the KnowBe4 training based on his well-documented social engineering tactics. Tens of thousands of organizations rely on KnowBe4 to mobilize their end users as the last line of defense.


Tags: Cyber Risk, Cybercrime, Ransomware, Training
Perry Carpenter

Perry Carpenter is co-author of the recently published, “The Security Culture Playbook: An Executive Guide To Reducing Risk and Developing Your Human Defense Layer,” his second Wiley book publication on the subject. He is chief evangelist and security officer for KnowBe4.
