It’s now common knowledge that most organizations get breached because of human-related factors such as social engineering scams, compromised or stolen credentials, misconfigurations, errors and insider threats. What’s more, organizations are arriving at the glum realization that increased spending on threat detection and response controls doesn’t necessarily translate to foolproof security. What’s needed is a threat prevention strategy that centers on mitigating human-related risks, building a security instinct in employees, and cultivating a culture of security across the enterprise.
According to the latest IBM data security report, high levels of security training can significantly reduce the impact, cost, and frequency of data breaches. But herein lies the challenge: most employee training programs fail due to staff resistance and lack of management support. So how do you convince the C-suite that your cybersecurity awareness training is worth the time and effort?
To cultivate buy-in, CISOs and their security teams should recognize the need to communicate and engage with different levels of people in the organization in a tailored way. Here are some practical strategies to achieve that goal:
1. Gaining support from the C-suite
Convincing leadership is the first step in any change management exercise because they control and approve resources. Leaders hold a power of influence and are a key catalyst for shaping the culture. Start with a value proposition that clearly explains the goals and priorities of the exercise. Leaders often prefer things in terms of ROI and KPIs (key performance indicators), so it’s best to make your business plan compelling by explaining the risks, the overall objective, the KPIs of the program, benchmarking and industry data, the money and reputation saved, and the legal hassles avoided over time due to investments in employee security awareness and behavior. It might also be worthwhile to run a small pilot program or proof-of-concept to illustrate the potential impact.
2. Gaining support from leaders and managers
Managers and team leaders serve as mentors and coaches to employees and help ensure that employees follow the procedures, policies and protocols laid out by the organization. They are in a prime position to provide evidence-based feedback, identify gaps in training, and promote and reward a culture of positive security behavior. To win the support of this group, position cybersecurity training as a key strategic goal and also as a means for personal and professional development for employees. Promote training as a tool for team engagement and a platform to highlight the contributions employees make in keeping the organization safe from evolving cyber threats.
3. Gaining support from employees
To drive behavior change in workers, security teams must overcome employee resistance and ensure they accept and commit to the program. They must dispel the notion that cybersecurity is solely the responsibility of IT, explaining how all employees have a duty and the ability to prevent breaches. By creating content that is relevant, personalized, and engaging; by using tactics such as storytelling, gamification, and incentives; by subjecting employees to regular simulated social engineering exercises; by reinforcing security messages and rewarding positive security behavior, organizations can improve employee attitudes towards cybersecurity and make cybersecurity a core part of their culture.
Understanding and delivering on requirements is vital to security training success
When planning, designing, and delivering training, it is critical to consider the perspectives, needs, skill levels, and experiences of users. This step is essential in gaining their support. If people perceive that security training neglects their views and requirements, the training programs will fail to make the desired impact. Learners engage in informal information sharing, which reflects the organization’s culture. Security teams can collaborate closely with business managers to capture feedback from the field and work towards improving learning experiences that meet audience requirements.
It’s also recommended that security teams harness influencers and subject matter experts from within the organization and use their expertise for promoting knowledge sharing, best practices, and desired security behavior among teams and peers.
To achieve a successful and impactful security awareness program, it is important that security teams understand their audiences, address their requirements, and effectively communicate the benefits of security training. Don’t forget that cybersecurity training and maintaining its support among teams is an ongoing and collaborative effort. Building and nurturing a culture of security requires sustained effort in improving training and a commitment from everyone across the organization.