Finally Get Company-Wide Buy-in for Your Cybersecurity Initiative

Posted by Denmark Francisco
February 04, 2021


Security Awareness Program Owners everywhere struggle with the same tired battle: convincing management and employees to care about cybersecurity training. 

Despite your best efforts to prove its value, each year it seems the C-suite cuts your security budget— leaving team leads and employees with boring, outdated awareness training. It’s no wonder these mandatory modules are met with resistance and create a vicious cycle of lack of buy-in year-after-year. 

One of the reasons you aren’t sparking interest in cybersecurity may be that you’re failing to adjust your security pitch for your audience. Each department makes up a different piece in your cybersecurity puzzle, shaped by their own unique motivations, and jammed into place.

Instead, find every department the right fit with these tips.

Executive Management Buy-in

In order to get the budget you need, you must start at the very top of the corporate pyramid— with your CEO or president’s support. 

Without this kind of executive backing, you won’t have the necessary resources to put your security initiatives in motion. 

Execs Offer You ADVOCACY

When speaking to your execs, know that they need education. To them, cyberthreats simply equal scary breach headlines and costly compliance penalties. The logistics of how these compromises occur aren’t something they typically understand.

It’s your job to explain the narrative behind common attacks and to help them see your current risk landscape for what it really is. Offer complete visibility of your security weaknesses from pentest results, without all the tech talk, by sharing and breaking down the Executive Summary. 

But don’t hit them with the bad without a promise of the good. Spoon-feed them the solutions— neatly packaged in this year’s security initiative. With the right awareness and breadcrumbs towards the path to improvement, you can lead the C-suite along the path to success. 

Exercises to Earn Buy-in

  • Play Game of Threats, a helpful activity that simulates cyber attacks, forcing execs to make important decisions under a timer to replicate your enterprise’s preparedness for real life threats.
  • Provide a list of cybersecurity FAQs to boards and executives, which acts as a great reference point for them to get their answers without the “embarrassment” of asking someone from IT.
  • Enroll in an educational virtual reality experience, a form of experiential learning that stimulates execs’ core senses and may lead to better understanding and retention.

Business & Tech Leader Buy-in

As a Security Awareness Program Owner, you need the support of your Chief Information Security Officer (CISO) or Chief Information Officer (CIO) to make any moves. You also have line-of-business (LOB) owners, sourcing and vendor management, and other leaders to consider along the way. 

Most folks on this part of the corporate ladder already understand the importance of your enterprise’s security. But what they need is to work alongside you as advocates of your shared mission. They need to fill the role of your team players and cheerleaders, helping to facilitate and advise your most ambitious initiatives. 

Business & Tech Leads Provide SUPPORT

These players are all stretched and ready to go— looking to you for their next moves, Coach. They want a good game plan for the company’s security initiative and are there to help you meet your goals. 

It’s your job to prove the value of your big ideas and encourage them to help you achieve them at the project level.

Exercises to Earn Buy-in

Employee Buy-in

Too often, IT and execs alike villainize employees— painting them as your enterprise’s weakest links. After all, they’re the ones who fall for phishing exploits and get the network infected with malware. They’re the ones who are so easily fooled.

Sure, there’s no doubt that employees who don’t receive the proper education and tools can be a real threat to your security. But whose fault is that exactly if you didn’t give them the tools they need to succeed? When properly supported, your employees are actually your greatest strength!

Employees Need AWARENESS to Support

It’s time to stop treating your team like your security’s biggest problem and start championing them as your proud protectors. Give them the education they need to stop threats with relevant, engaging and consistent security awareness training. 

During your training modules, reward your employees for their progress and create a culture of “when you know better, do better” versus punishing them for mistakes during the learning process.

Discover how to engage both their hearts and minds and eliminate toxic fear-based motivation here. 

Exercises to Earn Buy-in

Stakeholder Buy-in

At the very bottom of your enterprise’s pyramid are your foundational stakeholders. These are your customers, suppliers, government agencies and regulators who want to know that your business is taking responsibility for its security— and, therefore, the security of the private information they entrust you with.

Stakeholders Want TRUST

Those at the bottom of the totem pole need the peace of mind that the data they share with your business won’t be compromised. They want proof you care about their privacy and to know at a high level some security initiatives you have in place to quell any worries.

Exercises to Earn Buy-in

  • Share bespoke cyber safety hub resources, customized for your particular stakeholder.
  • Make time for dedicated sessions for business bankers, to update them on your latest and greatest cybersecurity initiatives.
  • Provide stakeholders their very own customer phishing education training access, reminding them that their weaknesses could also be yours. 

Build a Culture of Security

As a final thought:

  • Executives need to be won as advocates through security visibility and tech-driven decisions
  • Business leaders need their investments rationalized to assure security buy-in
  • Employees need consistent access to security education and awareness
  • External stakeholders need to feel you have everything under control

Want more tips on managing your human risks in cybersecurity? Download Forrester’s 2021 report for more high-level yet high-value insights, today. 
