Very mature security programs often leave little wiggle room for adjustment. The lines have long been drawn in the sand, and even the slightest modifications are met with resistance by the team who designed the very program you’re trying to change.
But even well-organized programs need improvements eventually. How do you convince your organization at large that change is good—and that your new approach is likely to succeed?
Here’s how to effectively adjust your security awareness program and get everyone on board with the results to come:
1. Recognize who funds your program.
At the end of the day, your cybersecurity awareness program is only possible because of the people who cut the checks. It’s your executive management team who backs the program’s budgetary funding, and they are the ones you ultimately have to convince of your changes.
They see cyber threats as compliance penalties and news headlines, but they rarely understand the technological vulnerabilities behind an attack or how these mistakes could have been avoided with better security awareness training.
They need to understand the implications of an attack without the tech-talk barrier and be shown step by step how to prevent these mistakes within your org. But even if you get them to see the true threat, you still have another hurdle to overcome: getting them to see how it translates into things they care about.
Let’s face it; even if the C-suite knows what phishing is, it’s hard for them to take that subjective concept and connect it to how it could directly affect operations.
Leadership cares about business enablement and capturing the long-term behavioral change of your company’s security posture at large. Unfortunately, your effect on these is harder to track and prove, but they’re the exact things you need to talk about to pique their interest in improving your cybersecurity awareness program.
Ask yourself, “How can I connect my awareness program initiatives and metrics to the C-suite’s larger operational goals?” and you’re sure to leave a more memorable impression.
3. Change your entire company culture around cybersecurity.
We say this so matter-of-factly—as if it’s something you can do just like that! We understand that changing culture takes time and consistency, but for many organizations, it’s a necessary step in changing your awareness program itself.
If cybersecurity is currently met with disinterest, take a step back to reflect on your delivery. Are you pushing a narrative of fear and shame by highlighting all the things employees do wrong instead of the things they do right? Do you emphasize your own organizational security over the broader goal of educating employees about cybersecurity at home (the latter of which will ultimately get them more interested)? This may be holding back your program’s success more than you think...
Creating lasting behavioral change takes a lot of time and careful nurturing. Remember that this process may take years to fully implement, but that shouldn’t discourage you from working towards quick wins that can make an immediate impact.