As almost any IT manager can tell you, the C-Suite folks don’t always understand the world in which the IT folks operate. To too many C-Suiters, IT is a necessary evil with a department full of people who are always asking for money. And, in counterpoint, IT folks often can’t see past the technology to understand why the C-Suiters are saying no.
Today’s Focus: Getting the Big Wigs On Board with Security Awareness Training
Interestingly enough, in many instances, IT isn’t turned away because the C-Suiters got their degrees from the Scrooge McDuck School of Hoarding Cash. Rather, it’s because they don’t understand why the request is not only important but more important than the other requests stacked on their desks.
And when it comes to security awareness training – well, that’s sometimes an even harder concept for the number crunchers because there is no tangible “thing” to track. Plus, they’ve probably already invested in firewalls and anti-virus programs, so they likely think security is covered. Be ready to explain that those controls do nothing when an employee hands a valid password to a phishing page or approves a fraudulent wire transfer; the people are the layer the existing tools don’t cover.
So how do you help the people with the checkbooks see the value of Security Awareness Training? Put it in terms they understand.
The Numbers Game
The folks occupying the C-Suite like numbers, so do your homework ahead of time and be prepared to chat figures.
Money is an obvious motivator. Management needs the company to make money because that’s how it grows, provides services, and pays people like you. Whether it’s paying a ransom or losing revenue because the business is offline for a day, security breaches cost big bucks. According to security vendor RiskIQ, a security breach costs an average of $7.20 per minute, and it takes many minutes to remediate a breach and many more to regain the trust of customers.
Come with Data
Be prepared to discuss current statistics regarding the impact of cybersecurity breaches. A quick snapshot can be found in RiskIQ’s Evil Internet Minute 2021, but also do some research so you can tailor it to your company and industry. If you’re a widget manufacturer and present numbers based on the healthcare industry, you’re going to lose the buy-in before you even get started.
Present the Numbers
Put together some figures to present to the people upstairs so they can see the impact, financial and otherwise, of being breached. Include things like how long it would take to get things up and running again and the cost associated with that, as well as the cost of lawyers (you’ll need them in the event of a breach, if only to handle customer notification), data restoration, lost sales, and any other numbers you deem relevant. You may not have exact numbers for things like payroll, but you can still put together a talk track of what it would look like to have all your employees sitting around knitting while you (and the extra ten IT people you have to bring in to help) get things back online.
It takes years to grow a brand and to get consumers to trust it. And just like in our personal lives, if trust is tested, it’s hard to get back. Notifying clients that their data was compromised because Judy in shipping clicked on the link to claim her “free” cruise is not something any C-Suiter wants to do, so emphasize how training your employees to be vigilant human firewalls is actually serving to protect the reputation of the business.
It Won’t Happen to Us
The “It won’t happen to us” mentality is one of the hardest things to break through, but one of the most important. Many people are under the impression that hackers don’t bother with smaller companies or companies that don’t have a lot of traditionally “valuable” data, but that just isn’t true anymore. Most attacks are automated and opportunistic: phishing and credential-stuffing campaigns go to every address on a list, not to hand-picked targets. There is information and value to be gained from even the smallest players, whether that’s a mailbox to launch more phishing from, a bank account to drain, or a trusted path into a larger customer or partner, and attackers have learned how to mine it successfully. These days, it’s not a matter of if it will happen, it’s when.
Discuss Security Awareness Training
In the IT world, we talk about security awareness training (SAT) like it’s something everyone knows about, but that is often not the case. Take the time to clearly outline what security awareness training is and why it’s important.
Explain the Process
Security Awareness Training Programs sound like they could easily come with a 500-page manual, two mid-terms, and a final. But most programs, such as KnowBe4, are designed to be consumed in short snippets so as to not detract from work productivity. Outline how your proposed program would work, including the length and frequency of the training modules and how often you plan to run simulated phishing emails, so that the C-levels can see it’s not going to be the reason a project doesn’t get done.
Present Best Practices
Remember how your mom was always yelling at you to shut the door, turn off the lights, and stop standing in front of the refrigerator? Why was she doing that? Because regular reminders are needed to build habits.
Your employees are the ones holding the doors open, literally and figuratively, to hackers. They too need to be reminded about best practices. Just like it wouldn’t have helped to call the family together once and say, “Hey, no more leaving the lights on because it costs us money and then we can’t do fun things,” it doesn’t help much to have a one-time meeting to say, “Don’t click on suspicious emails.” Aside from the fact that half your employees will be watching cute cat videos during that meeting, one-time statements rarely serve as ever-present reminders. What does work is ongoing, regular security awareness training designed to keep best practices top of mind.
Identify the Potential Payoff
When conducted regularly, SAT programs generally see more than 60% improvement in employee cyber behaviors. We’ve seen this with clients running our KnowBe4 SAT Program. We frequently see 25-50% of employees falling for the first simulated phishing attack we run, but after training, this drops dramatically. One client even told us recently that not only did no one fail their simulated phishing attack, but that every single employee checked with their administrator to verify the authenticity of the email before clicking. Had that been a real phish, the hacker would have been shut down thanks to the employees being in the know.
SAT as a Benefit?
When companies implement SAT Programs, it’s generally to protect the business. But your employees have an added benefit – what they learn about cybersecurity and best practices can be used in their personal lives. They’ll learn to protect their own data and can share what they’ve learned with family and friends. Education is the gift that keeps on giving.
Call in the Gurus
Still need a little help convincing the C-Suiters that SAT Programs are worth the investment? Call in your IT experts and schedule a demo of a SAT Program. Seeing the programs in action might be just what the C-Suiters need to give you the green light.
Be Part of the Solution
C-Suiters have the daunting task of trying to make the best decisions for the company, using resources in the most efficient and effective manner, with the ultimate goal of earning returns and protecting the business. Get C-level buy-in by outlining the benefits, addressing the costs, and backing your plan with data and examples. And remind them that you all share the same goal: protecting the company so it can thrive.