Sarah Janes offers some tips for making a powerful business case for security awareness training.
When I speak to CISOs and heads of security I hear a common theme. On top of a job that is changing rapidly, and a shortage of budget and resources, many also have to deal with a lack of support from the business. I hear it time and time again: every time you want to do something different, or spend a bit of money, you have to fight for it.
Sometimes I’m sure it feels like a never-ending fight for survival. Requests for budget for security awareness training are met with: “What will that do for the business?” “You can go ahead as long as it doesn’t cost anything.” “You have my approval as long as it does not take up anybody else’s time.” So as well as being a security expert you now have to be a business expert, skilled in tactics, negotiation and writing business plans. In fact, for the Head of Security, being a strategist is the bulk of the role!
CISOs often find themselves between a rock and a hard place. A recent ThreatTrack survey reported damning claims:
“44% of C-level executives believe CISOs ‘should be accountable for any organisational data breaches,’ but 54% believe CISOs should not be responsible for cybersecurity purchasing decisions.
61% of executives do not believe their CISO would be successful in a leadership role outside of information security.”
The Human Factor in Security
It is becoming widely accepted that the human factor in security is a key ingredient in the security strategy. It is also accepted, by the majority of people I talk to, that a security awareness campaign needs to be more than a list of dos and don’ts or an annual computer-based training module; it needs to be sustainable and ongoing, it needs to win hearts and minds, and it needs to be embedded in a change in the security culture of the organisation.
So how do you do that? How do you talk about security culture change, prove that it works and convince the senior management team that it won’t be onerous and expensive?
5 Tips that will Ensure You Get a ‘Yes’
1 – Start from the inside out. Instead of starting with the question ‘What do I need to protect this organisation from?’, ask the organisation ‘What do we need to be able to do?’ Once you know what matters most to your business and to the individuals within it, you can reposition security and show how it will help the business do more of those things, for longer, e.g. how it will be more productive.
2 – Find your advocates. Along the way you will talk to people who are interested in security and who take the lead in spreading awareness and behaving securely. Work with them and build relationships.
3 – Run a trial. Use your advocates to trial your approach. Make sure that you have feedback channels in place.
4 – Measure it. Define the behaviours you want to see, and take a baseline measurement before the trial starts, so that you have a way of telling whether changes have occurred as a result of the trial rather than for some other reason.
5 – Create your story. Now you can create the most compelling business case of all because it will be:
– based on getting more of what the organisation wants,
– supported by influential advocates,
– backed up by a trial, and
– evidenced by measurement of change.
Where I have worked with organisations that have followed this model, I have, without fail, seen them pitch to senior managers and get approval first time. This approach takes some time and patience but it pays off.
Layer 8 works with organisations to change security behaviours, develop hard-hitting business cases and create compelling stories for change.