How to Sell Your Security Awareness Program to Your CISO & the C-Suite

Posted by Denmark Francisco
June 16, 2021


It’s time to adjust your security awareness program, but big changes usually come with a big budget.

Therein lies the rub: the constant tug of war, asking for what you need only to be cost challenged by the C-suite—and sometimes even your own CISO…

While getting funds to make impactful improvements may seem far out of reach, it’s not impossible. In fact, it’s often about adjusting your proposal or talking to the C-suite in their language.

Let us explain. Here’s some advice for selling your initiative to the big dogs:

Understand what your CISO prioritizes.

If you are a Security Awareness Program Owner working under a Chief Information Security Officer (CISO), you know that all budgetary requests go through your CISO first, before they come across the execs’ desks.

With this in mind, it’s crucial to shift your mindset before handing your budgetary request to your CISO. Remember, you two are working towards the same big picture goal of improving your company’s security and that you both want to see the awareness program succeed. Instead of seeing your CISO as a bottleneck to your awareness campaign plans, view them as an advocate for your cause.

We also recommend you take the time to get familiar with your CISO’s core motivations, which will likely differ from some of your own. While you are focused on your own cybersecurity metrics—like your phishing or NCSAM campaign—your CISO has their own set of challenges—like pleasing the C-suite and holding responsibility for the company’s holistic security. As a program owner, it’s easy to fixate on phishing click rates and harder to remember that these aren’t the only metrics that matter to your CISO, who needs more data to present to the C-suite.

Understand what drives executive management.

As if winning over your CISO wasn’t enough, you also have executive management to worry about. You might assume everyone’s on the same page, but the C-suite often puts importance on very different things than Security Awareness Program Owners. CISOs want to see all the money you’re saving them, that compliance is being met, and that you’re reducing employee error—just to name a few.

While projecting the financial and reputational impact of a breach might pique their interest—after all, the C-suite doesn’t want to lose money or customers—this fear-based approach is often too abstract. “They’re just projections, right? That won’t happen to us,” the execs might think. These higher-ups aren’t cybersecurity experts and need help understanding the scope of the problem, and why it’s so important to get additional resources for your awareness program.

Without a full understanding of what you’re actually doing or working towards, the C-suite may only look for improvements on a chart as an indication of the program’s success. The phishing click rate is swooping down closer to zero. That must be good! But oftentimes these metrics aren’t enough to determine an awareness program’s success, only covering one small part of your job. The C-suite needs to grasp the importance of changing the entire culture of cybersecurity within the org and see your program as more than just a phishing campaign.

First and foremost, sell the business value.

Both your CISO and the C-suite want to see the business value of your security initiative, explained in terms they can relate to. While you’re worrying about metrics that feel subjective to execs—passwords, phishing, and so on—the C-suite is zoning out. That’s because these awareness program metrics often don’t hold the same value for a business-focused persona, or for anyone far removed from the cybersecurity niche.

The good news is, these metrics still matter! But it’s all about how you use them. 

Remember that the C-suite cares about their business at large, which is why you must connect your subjective program metrics to larger foundational business metrics.


How can your training double as an educational resource that ALSO supports business enablement and increases employee productivity? How are you capturing and quantifying long-term employee behavior change around cybersecurity, beyond the phishing campaign?

All these considerations help to open the conversation up from an exclusive security concern to a broader business investment opportunity. It then becomes more than security risk management alone; the budgetary pitch evolves into human risk management at large, which your awareness program supports in addition to improving security. That’s how you win the C-suite: by connecting awareness metrics to organizational growth.

Resources Every Program Owner Needs

Proving the business value of your cybersecurity initiative is no small feat. Sometimes a helping hand from a trusted partner is exactly what you need to take care of the menial day-to-day tasks so you can focus on bigger picture strategy and campaign monitoring.

That’s why we designed Campaign in a Box.

It’s a bundle of pre-packaged security awareness content, ready for you to copy and paste to share with employees. It contains monthly-themed campaigns with pre-written informative blogs, chat messages, emails, and more to educate and consistently support your trainees. Spend less time manually orchestrating and more time automating the process with a little help from Living Security.
