What advice can you offer security leaders currently trying to win executive support to create a secure behavior and culture program? How should they frame the business case for an SBCP?

CISO in Banking, a year ago

This is one of those programs where you have to ensure that the executives have the current threat information and trends based on the type of organization you're in. I get a lot of my data from industry reports and Infragard, which I encourage every CISO to be affiliated with. We also need support from the board and CEO level. 

I do an in-person training for our board of directors each year and we talk about trends and necessary investments. Communication is key. When things change, as they often do in our world, continually communicating with the executive level about what's going on and how the security program can help address those threats is crucial.

CISO/CPO & Adjunct Law Professor in Finance (non-banking), a year ago

The easiest way to win support is to show them the data. Compare the number of breaches or incidents due to external hacking, like getting through the firewall, to the number that occurred due to social engineering or email compromise. The numbers are usually skewed. The easiest and cheapest way to protect an organization is through security awareness programs. If the highest risk is someone clicking on something they shouldn't, preventing that click is a much better return on investment.

2 Replies
no title, a year ago

I agree with Lawrence. We also did a baseline comparison of our college with others and the US higher education sector, which has a better security posture than Canada. We aimed to go above and beyond the Canadian levels. It's always about a risk management conversation. We demonstrated the cost-benefit analysis. For example, we might spend $100,000 on security, but it could potentially save us $5M if a breach were to happen. We used metrics to show where we are and where we want to be.

no title, a year ago

I concur with both Lawrence and John. My additions would be to keep the approach personal, maintain the status of a trusted advisor, and highlight the human element. Effective communication with upper management is crucial.

Deputy CISO, a year ago

Security awareness in most orgs is seen as a check-the-box compliance requirement and a bit of a nice-to-have. For me, security is part of the value system, much like integrity is or a focus on workforce engagement might be. And because culture is based on how human behaviours play out, it's not easy. It takes time.

Here's what helped me in gaining exec support:
> Using awareness programs as an employee engagement avenue. It's not just about sending awareness emails but about bringing people in for virtual or in-person contests. HR leaders love it and become your marketeers.
> While it depends on your CxO's outlook, in my case a candid discussion with the CEO and COO helped in showing the value of how several pitfalls (like phishing) and thus business loss can be avoided.
> Nothing like getting the top management as your spokesperson. I've had the fortunate opportunity that the couple of CEOs and MDs I've worked with willingly share their personal stories of being targeted and what users should watch out for. I also jokingly refer to this as another 60 seconds of fame within the org (for them).
> Research like the Verizon Data Breach Report and content from conferences like RSA help enumerate the topics that campaigns should cover to safeguard organizations, and that the CxO must also be informed about.
