- Security awareness programs often lack the resources to be effective
- To gain executive support for your security awareness program, employ three tactics:
  - Connect security requirements to business objectives.
  - Tie program outcomes to specific business goals.
  - Use measurable, contextualized data to prove the use case.
A senior employee at one of Australia’s top universities received a seemingly innocuous email. He didn’t click on or download anything he wasn’t meant to — simply previewing an email attachment was enough for hackers to steal a password, gain access to the network and swipe an unknown quantity of data.
Security awareness training plays a vital role in helping employees learn how to identify and prevent this type of attack. It is often seen as a “nice to have,” but a good training program is a cost-effective way of reducing information security risk.
Most security awareness programs, however, lack the necessary people and capital resources required to fully engage the enterprise. They are also undermined when they don’t have executive sponsorship.
“Lack of leadership support for your security awareness training program can have a significant impact on the security team’s ability to get the key messages across throughout the organization,” says Richard Addiscott, Senior Director Analyst, Gartner.
If the CEO announces a series of data protection workshops, employees are more likely to see the meetings as vital. Without the CEO’s endorsement, the sessions hold less urgency and may become just more messaging to ignore or another set of meetings to endure.
Here are three ways to gain executive support for your security awareness training program.
1. Connect security requirements to business objectives
Position a security awareness program as a cornerstone of any effort intended to achieve strategic business outcomes. Demonstrate how the program is an enabler or a complementary initiative for other strategic programs.
Suppose a key focus for your organization is a high degree of service availability. This can be adversely affected by the introduction of malware, and a common vector for intrusion is a USB memory device. Educating your staff around good habits with these devices, in conjunction with other controls, can help you avoid this potential scenario.
Articulate the inherent value, benefit and time savings in a language that will resonate with executives. This demonstrates that you understand their world and what’s in it for them if the program is successful.
2. Provide specific examples
The most effective way to connect program outcomes to achieving business goals is to use specific, relevant examples — whether about your company, competitors, recent events or other industry reports.
Cautionary tales are often also effective in making an impression on an audience. With cyber intrusions now commonplace, most leaders can easily demonstrate how a business objective could have benefited from additional security or how an event could have been prevented by heightened awareness.
3. Use measurable data
Show the need for a security awareness program by using measurable, contextualized data. Having defensible qualitative or quantitative data points helps to articulate the effectiveness of your program in the language the audience understands. This presents security as the management of business risks, rather than as a confrontation of cyberthreats.
“Give executives a reason to care about security,” Addiscott says. “Find meaningful triggers for stakeholders that help them realize that effective security is good for all — the organization, its executive, clients, shareholders and other external stakeholders, too.”