With Cyber Security Awareness month fast approaching, information security professionals and data protection managers will be looking at how to secure board-level buy-in for company-wide cybersecurity awareness campaigns. Often, this is the biggest hurdle for any cyber awareness campaign as senior leadership weighs the costs and benefits of investing in the security of their business.
Today we will be looking at some top tips for changing the tide on board-level buy-in.
What are the obstacles to board-level buy-in, and how can they be addressed?
According to a study by AT&T, board members rank data security as their number one concern; however, 75% of these boards do not actively invest in internal cybersecurity campaigns.
With average data breach costs soaring to $4.4 million in 2022, the need to elevate cybersecurity initiatives on the boardroom agenda is increasing.
Why is there an understanding of the importance of cybersecurity awareness but no impetus to follow up with company-wide campaigns and initiatives?
1. Monetary Hurdles
Cybersecurity awareness providers can use behaviour research tools and surveys to properly assess which areas of your company need to be addressed with training and development. This can then help you to present where your budget needs to be spent and on what, reassuring board members with facts and actionable insight and analysis. By doing this, you also instantly involve board members in the decision process.
2. Fear of change
One of the biggest hurdles to board buy-in is the fear of change and the comfort of following a tried and tested formula. People don’t like change and breaking leadership habits is very difficult to do.
In order to break this status quo, you need to increase board members' involvement in security activities and simulations, especially considering recent developments in cybersecurity regulations.
When you do this, you can show your board members how easy it is to make mistakes and costly errors under the current protocols and teachings. When you root scenarios in relatable and personal examples, the risks associated with a cybersecurity event become clear to all board members.
3. Lack of security awareness
There is nothing harder than selling a new and improved security awareness campaign to your board members, especially if they have no security awareness at all. Why would they want to invest a portion of their finances in something that they do not understand? And why should the rest of your workers take security awareness seriously if their managers do not give it a second thought? It is meant to be a team effort after all, isn’t it?
This is a simple fix but requires hands-on work from an organisation's information security officer and/or data protection officer, with the help of your chosen training provider. You need to work to a trickle-down approach. First begin with focus groups and simulated training for board-level members, keeping a focus on the financial and legal ramifications companies face as a result of breaches. Position cybersecurity awareness as a proactive part of your organisation with a focus on Return on Investment (ROI), whilst highlighting how much more painful it is to be reactive to cybersecurity breaches.
How to engage Board members in the cybersecurity awareness conversation
When you implement a cybersecurity awareness campaign that is supported and planned out by the board, you increase the chances of company-wide buy-in and knowledge retention. So, how will you engage board members in the conversation? By speaking their language.
Sell it to them!
You need to encourage your board to focus on the risks and threat actors that target organisations every single day, but you also need to realise you are selling them something. When you are selling to your board, actualise the problems their employees face and use board-level language such as risk terminology and KPIs (Key Performance Indicators). Board members want to see stone-cold numbers and measurable data to justify their investment.
Educate them regularly
The biggest reason board members struggle to support cybersecurity awareness initiatives is a lack of knowledge on the issue. If you are in charge of board buy-in, you need to regularly communicate cybersecurity insights, headlines, and stories to your board. They need to understand, in an easy-to-digest way, how cybersecurity is vital to the existence of their organisation. Upskilling the board should always be a primary goal in any cybersecurity campaign!
It's an investment, not a loss!
Board members want to hear things like ‘driving consistency’, ‘streamlining processes’, ‘minimising human errors’, ‘avoiding reputational damage’, and ‘improving workflow’. Make it clear to your board members that they are making an investment which will lead to increased efficiency in the workforce and savings in the financial sheets. Begin with the message that cybersecurity is not a cost, it is an investment!
Bring in the pros
It is also highly beneficial to bring in the knowledge of a respected and experienced cybersecurity professional/consultant to add evidence to your board presentation. Cybersecurity professionals can run scoping workshops and team activities with your board to answer both company-specific questions and any technical questions that may arise.
Board-level buy-in is key to promoting a secure organisation from top to bottom. Remember that your executives are still people, so it is important to communicate your objectives clearly: how your security awareness campaign addresses holes in your security culture, and how it keeps your organisation safe from cybercrime.
About the Author: Zoe Edmeades is the co-owner and Managing Director of The Security Company (International) Limited. Zoe works with global organisations to support their security culture journey, creating business plans to ensure both TSC and their clients continue to grow, be competitive and profitable. Operating in the world of security since 2007, Zoe saw cybersecurity was growing into a behemoth and wanted to be at the forefront of it. Zoe started at TSC as a Project Manager, moving to Head of Projects in 2009 following completion of the Accelerated Talent Development Programme at Cranfield University, before finally becoming Managing Director in 2012.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.