Before you can gain buy-in from management you need to understand what motivates them. Securing their reputation and protecting their bottom line will usually draw their interest. As a middle rank, you have an important job to do. You gather valuable information from customers, suppliers and colleagues to determine opportunities and/or needs of the company. Furthermore, it's clear that a well delivered security awareness training solution is a must-have.
Share the Facts
This is an excellent time to share your research and help leadership realize that investing in security awareness training is a priority for every business. For example, a recent report from the Ponemon Institute states that the average 10,000 employee company spends $3.7 million a year dealing with phishing attacks and that companies who engage in security awareness training programs typically see an average improvement of 64% with employees' security behaviors.
How's Your Company Doing?
Now that you have caught their attention, have management take a look at where your company falls. Give them some tools to assess their security posture. For instance, try a password checker tool to assess password strength. There's a variety of resources available to gauge both strengths and weaknesses within your company. This quick and easy assessment provides valuable insight regarding the big picture of your company's security posture.
Provide Best Practices
Now that you have gained the attention and focus of the leadership team, educate management on what some of your competitors are doing to prevent a security incident. Research how your competitors protect their reputation and their bottom line. Chances are they take their security very seriously and invest in the education of their employees. Compare different service providers and see which security training solution is the most comprehensive. Determine which company can offer you the best reporting and analytics, the most up-to-date engaging content and the best training deployment support.
Get into the Details
You've compared your company's actions to your competitors and reviewed different security awareness providers. It's time to get specific and it also doesn't hurt to get a little personal. Start by making a connection to their own life. For example, think of what a lifestyle is like for a CEO. Often you will find that they travel frequently. As a result they own various mobile devices and will be checking emails and accessing confidential documents from a variety of places. Use this knowledge to make a connection with them on the need to provide appropriate security awareness training to every single employee. They realize that most of us are always online and often juggling combining personal and work-related tasks.
Then get into the details of the plan. What is the plan? Discuss who should be involved and how the security awareness campaign will be communicated and deployed. Determine how often employees be required to take the training courses and what is a reasonable amount of time to take them away from their everyday work responsibilities for security related educational purposes. Explain how progress will be measured so that you can see the return on investment for the company. Management will not be ready to invest until you have a thorough and solid plan in place.
Bring in an Expert
Often it pays to bring in a respected cybersecurity professional. Work with a cybersecurity firm who brings experienced and credentialed cybersecurity professionals on the scoping call to answer detailed and technical questions that often arise. When looking at training, engage with a company who is willing to offer customized options and allow you to speak directly with their deployment team.
Just like getting "buy-in" on any investment proposal, those who come prepared have the most success. Don't forget to take the security assessment in the paragraph above. This insight is very valuable to have in advance of the big talk.
Written by Michelle Stamps
Michelle has over 10 years of experience in marketing and business development across various industries including government and non-profit. Her background in writing, facilitating presentations and event planning allows her to use her creative skill-set and her relationship building skills strengthens her ability to understand the human element role in cybersecurity and to support positive behavior change. Whether she is out in the community, blogging or developing the next social post for TechGuard, she believes in telling the company’s story and uses relatable, real-life examples to connect with our clients. If you know Michelle outside of work, you would know that she loves sunny days and tropical places.