# #

March 29, 2021

How to Get Cybersecurity Training Budget Buy-In from Your CISO

An engaging security awareness program changes year-after-year, molding its content around new threats while keeping things fresh. After all, no one wants to rewatch the same training videos they saw last year— nor will they be fooled by the same phishing email they received twice!

The yearly overhaul of your security awareness initiative means that Security Awareness Program Owners like you need to be strategic... since big changes often mean determining a different security awareness budget each year. 

It can be nerve-racking organizing a new annual proposal for your Chief Information Security Officer (CISO)— hoping to get the green light to take to the big wigs. In this post, we’re here to explain why it doesn’t have to be. Here are a few tips to win the heart and mind of your all-too-important CISO when submitting an IT security awareness budget. 

Understand that your CISO’s playing for the same team.

We get it, your CISO is your boss. You want to do your job well and impress them, but proposing your new security awareness budget doesn’t have to be intimidating. It’s important to remember that your CISO wants your program to succeed just as much as you and has your organization's overall best interests in mind.

If you’re getting budgetary pushback, remember that you and your boss are both playing on the same team. Your CISO is your coach (not your rival!) and you’re the top player, helping to orchestrate the moves. Instead of arguing with the person calling the final shots, ask your CISO how you can rework the plan to balance both of your objectives and concerns.

Winning over your CISO is one thing. To spark interest amongst your stakeholders or the C-suite, you’ll need to take a different approach. Earn organization-wide buy-in for your security initiative with these tips.

Remember, CISOs want to see the value.

While organizing your IT budget proposal, you may find it difficult to prove the ROI of your initiatives. It’s no secret that cybersecurity awareness training effectiveness isn’t easy to measure, but it’s your job to assign value to your goals. 

Remember that your CISO needs to take this proposal to the executives for final approval and that you must speak in terms of what the C-suite wants from the security program. Speak to the desires of both your CISO and top management by:

Showing Trend Support 

It looks good to be on top of the latest cybersecurity awareness training trends—that is, so long as they’re supported by solid data. Prove that your initiatives are cutting-edge while founded on proof by including important statistics and findings from other industry leaders. 

You may get buy-in for your short training video series by sharing a study that shows microlearning creates 50% more engagement. Or you might recommend a cyber escape room and include social proof, listing a few other big companies like Mastercard who are using them for both team building and security education. 

Providing ROI Projections

When your CISO takes your security awareness training proposal to the C-suite, they’ll want to know their return on investment before approving any budget. The top dogs think in terms of money savings and risk reduction, so work with your CISO to calculate some projections for your efforts (or the true cost of not doing something). 

A few core metrics to keep in mind are your developmental costs (how long it’ll take you and employees to complete the training), revenue loss should you have downtime recovering from a breach, reputational loss, etc. You may also want to include comparative pricing, to prove you’re getting more bang for your buck by investing in one security training vendor vs. another, for example. 

When talking ROI, this is the perfect opportunity to bring your CISO in for guidance and validation of your sources and calculations. You don’t want them doing the math for you, but they can and should be involved in the process.

Creating a Plan for Tracking

Shockingly in this day and age, many organizations are still doing a poor job tracking their security awareness program’s results. But without proper tracking, you have flimsy ground to stand on when proving the success of your initiative. That means trouble next year when trying to get a new security awareness budget approved!

Not only should you be tracking your company’s progress to impress your CISO and C-suite, but you also need this information to make proactive long-term improvements to your program. The bottom line is, you need this info to make data-driven decisions and make your training even more engaging, educational and effective all around!

Really want to impress your CISO? Here are 10 questions they don’t always know the answer to. If you can help them find a solution within your proposal, you’re sure to “wow.”

Remind yourself that your CISO wants you to have the resources you need to succeed.

Sometimes it can be intimidating to ask for better cybersecurity tools or tracking because it feels like you’re taking away from your educational budget. But why do you think they tell you during flight safety training to put on your own air mask before helping your neighbor? In order to empower your team, you first must have the resources you need to properly help them.

When planning your security awareness budget, don’t be afraid to ask for the software and support you need to do your job effectively. If you need to work with a partner for assigning metrics to your program’s success, scope that into your IT budget. If you need a better training module that’s more modern and relevant, don’t settle for less than what you think will truly make an impact.

Getting Started Has Never Been Easier 

It’s your responsibility to find the best educational cybersecurity materials and to measure their effectiveness, but it’s not necessarily your job to generate all the supportive resources yourself.

That’s why we designed Campaign in a Box

Think of it like a starter toolkit for Security Awareness Program Owners, providing them with themed monthly initiatives, including blogs, emails, and other pre-written content to educate your team without the heavy lift.

# # # # # # # # # # # #