A good training programme is a cost-effective way to reduce cybersecurity risk, but it needs executive support to succeed. A senior employee at one of Australia’s top universities received a seemingly innocuous email. He did not click on or download anything he was not meant to — simply previewing an email attachment was enough for hackers to steal a password, gain access to the network and swipe an unknown quantity of data.
Security awareness training plays a vital role in helping employees learn how to identify and prevent this type of attack. It is often seen as a nice to have, but a good training programme is a cost-effective way of improving information security risk.
Most security awareness programmes, however, lack the necessary people and capital resources required to fully engage the enterprise. They are also undermined when they don’t have executive sponsorship.
Lack of leadership support for your security awareness training programme can have a significant impact on the security team’s ability to get the key messages across throughout the organisation.
If the CEO announces a series of data protection workshops, employees are more likely to see the meetings as vital. Without the CEO’s endorsement, the sessions hold less urgency and may become just more messaging to ignore or another set of meetings to endure.
#1 Connect to business
Position a security awareness programme as a cornerstone of any effort intended to achieve strategic business outcomes. Demonstrate how the programme is an enabler or a complementary initiative for other strategic programmes.
Suppose a key focus for your organisation is a high degree of service availability. This can be adversely affected by the introduction of malware, and a common vector for intrusion is a USB memory device. Educating your staff around good habits with these devices, in conjunction with other controls, can help you avoid this potential scenario.
Articulate the inherent value, benefit and time savings in a language that will resonate with executives. This demonstrates that you understand their world and what’s in it for them if the programme is successful.
#2 Specific examples
The most effective way to connect programme outcomes to achieving business goals is to use specific, relevant examples — whether about your company, competitors, recent events or other industry reports.
Cautionary tales are often also effective in making an impression on an audience. With cyber intrusions now commonplace, most leaders can easily demonstrate how a business objective could have benefited from additional security or how an event could have been prevented by heightened awareness.
#3 Measurable data
Show the need for a security awareness programme by using measurable, contextualised data. Having defensible qualitative or quantitative data points helps to articulate the effectiveness of your programme in the language the audience understands. This presents security as the management of business risks, rather than as a confrontation of cyberthreats.
Give executives a reason to care about security. Find meaningful triggers for stakeholders that help them realise that effective security is good for all — the organisation, its executive, clients, shareholders and other external stakeholders, too.
Key takeaways
- Security awareness training plays a vital role in helping employees learn how to identify and prevent attacks.
- Lack of leadership support for security awareness training programmes can have significant impact on getting key messages across the organisation.
- Articulate inherent value, benefit and time savings in a language that will resonate with executives.
- Cautionary tales are often also effective in making an impression on an audience.
- Show the need for a security awareness programme by using measurable, contextualised data.
Most security awareness programmes, lack resources to fully engage the enterprise and are also undermined when they do not have executive sponsorship.