“How can I prove I spent well”
Last week a colleague relayed his story of a board meeting that went bad. He’d worked hard prepping the business case, but was rebuked with a chorus of: “I’ve seen all the horror stories.” “How much will that actually mitigate the risk?” And “when I talk to the shareholders, how can I prove I spent well?”
He was presenting something that was:
A) his area of responsibility, and
B) within his budget.
So why the inquisition?
Because it was to run a security behaviours programme. But why does the human side of security attract such a high level of scrutiny?
Is there really a difference between how often we’re asked to prove RoI for awareness vs tech?
It’s easy for my opinion to be ‘yes’. But perhaps my judgement is flawed having worked in awareness for so long?
So, I set out to gain a more balanced view. A Twitter poll, a LinkedIn discussion and conversations with clients and colleagues revealed my gut reaction to be sound, but perhaps not as conclusive as I first thought!
On average, half the people I asked said they’re asked more often to prove RoI for awareness, with the remainder split one quarter ‘tech’ and one quarter ‘about the same’.
People accompanied their ‘vote’ with comments such as:
“whilst I agree that we should measure RoI, it’s definitely a question posed more often about awareness.”
And “it differs depending on the organisational culture, some are more receptive to employee initiatives than others.”
To “I was once asked by the FD, what I was going to do with people who have poor security behaviours? Haul them all into a room and fire them?”
Why are we 50% more likely to be asked to prove RoI for security awareness vs security tech spends?
1 – People think they understand people – this is something everyone on the globe can claim experience in! However, merely being a person should not qualify one as a self-proclaimed expert!
The people you meet in the board room may well have perception biases that can make your job difficult! For example:
- Implicit biases – people hold attitudes towards others or associate stereotypes, without being aware of it.
- Attribution biases – people blame their failings on others but think that others are responsible for their own failings.
- Selective perception biases – people have expectations about how others will or should behave.
2 – But people don’t think they understand tech – you’re more likely to hear, ‘I’m not a technology expert, I trust you to make the right decision’.
3 – Tech can be black and white – we can measure the effectiveness of technology in a more binary fashion. We can provide statistics in ways the board is used to seeing, e.g. figures and percentages.
4 – But defining meaningful metrics for awareness is more challenging – details such as ‘all our people have been through awareness training’ or ‘there was a 10% click-through rate on our last phishing simulation’ are likely to be met with ‘so what?’ unless we can clearly articulate the link to business objectives.
The odds suggest we are likely to be asked to prove RoI for security awareness. So how can we prepare?
One powerful and simple technique to measure RoI for awareness
Having some background in behavioural psychology I know there are many models we can use to measure and determine likelihood of change:
Maturity models. Influencing factors. Environmental factors. Indicators of change. Sub-groups. Targeting. Motivating factors. Whilst I appreciate, and value, that these models have a place, we can overcomplicate matters.
I urge you, keep it simple!
What anyone really wants to know is: if I do/say this to person A, will the outcome be B? And can I prove it?
There is a simple way, and it’s about recruiting your workforce to help you.
I’ve worked with many businesses to set up, retain and motivate Security Champions. When done well, Security Champions become your eyes and ears.
Security Champions can:
- Determine risk at a grassroots level.
- Observe and feed back on actual behaviours.
- Influence change to process and practices.
Working with a group of Champions, determine a small number of focussed and clearly defined behaviours. Identify how your Champions can witness what people are SAYING and DOING differently. Use this qualitative data alongside your traditional statistics to provide a richer view of how people are changing as a result of your security awareness programme.
One of our clients was able to tell a story of how a break-in was stopped having focussed on the behaviour ‘I take responsibility and report the weaknesses I notice’.
If you want to learn more about Security Champions, I wrote a series of blogs and created resources, including case studies and pitch creation, which are available on the Layer 8 website: https://layer8ltd.wpengine.com/resources/.
I’d love to hear from you – what are your experiences of the disparity between proving RoI for awareness vs tech? And what are your tips to prove RoI for awareness when you need to?