Which of the following is the most important reason to solicit feedback from people who have completed security awareness training?

With so many regulations and audit standards requiring organizations to provide critical security-related information and training programs for their employees, it can be shocking that security leaders often encounter high-level "push back" when seeking to implement security awareness and training programs.

To overcome this situation, propose your program in a way that addresses executive concerns, links to corporate objectives, and tells a story. This is accomplished in three steps:

  1. Seek first to understand

    Habit five of Stephen Covey's "Seven Habits of Highly Effective People" states, "Seek first to understand, then to be understood." Dr. Covey writes,

    "If you're like most people, you probably seek first to be understood; you want to get your point across. And in doing so, you may ignore the other person completely, pretend that you're listening, selectively hear only certain parts of the conversation or attentively focus on only the words being said, but miss the meaning entirely. So why does this happen? Because most people listen with the intent to reply, not to understand. You listen to yourself as you prepare in your mind what you are going to say, the questions you are going to ask, etc. You filter everything you hear through your life experiences, your frame of reference. You check what you hear against your autobiography and see how it measures up. And consequently, you decide prematurely what the other person means before he/she finishes communicating."

    It is vital to recognize that most business leaders (and end users) simply will not care about security in the same way that a security professional does. People don't care about security for the sake of security alone. What they care about is the result that a sound security strategy can provide and the impacts/risks associated with the lack of a sound security strategy. Use this understanding to inform the methods that you use to engage the organization and business leaders.

  2. Take Genuine Interest and See the Motivation Behind Any Concerns

    So, what motivates a business leader? The answer is: business risks and business outcomes. Therefore, it is helpful to position your security awareness and training program in this context. To do this, consider highlighting the following:
      • Issues associated with behavior-related risks. It's important to speak to the traditional factors related to the possibility of data breach and negative PR. But don't stop there — behavior-related risk is broader and gets into areas related to system stability, continuity of operations, employee morale and productivity, proper handling of intellectual property, and more.
      • Regulatory and audit requirements. Here is where you get to highlight the slew of regulations and audit requirements that mandate awareness and training programs.
      • Industry best practice and competitor benchmarking. Decision makers are very interested in understanding where their organization stands relative to peer organizations. A few data points that decision makers may find interesting include: what are the standard topics that organizations like us train on? What is the average phish-prone percentage for organizations like ours, and how do we compare? What are the greatest behavior-related risks for organizations like us? How much do other organizations spend on security awareness and training programs?
      • A sense of respect for everyone's time. Time is your employee's most valuable resource. It's important that your security awareness and training program respect this fact by not exposing employees to information that is irrelevant or unnecessary. Where possible, provide data points to demonstrate that your awareness and training efforts will have a positive payback for the organization.
      • Evidence that you have an informed plan. Give your executive team confidence in your program by eliminating as much uncertainty as possible. Often, security leaders embark on awareness and training programs that are amorphous and without a clear sense of direction. Eliminate uncertainty and/or smooth-out any potential future conflicts by sharing a well-formed plan that removes the guesswork.
  3. Connect Your Security Awareness Program to Organizational Outcomes

    Where possible, you need to speak the language of "the business" and report in a way that shows relevance to organizational outcomes. Notice that this is directly related to the other points mentioned in this article. In order to report in a relevant way, you first need to understand your organization's targets and the agreed-upon risks.

    When reporting your security awareness successes, continue to remind the executive team why the program is important, and how the activities and metrics connect with the motivations outlined in points 1 and 2, above. In the end, many of the metrics can be the same as you would normally report (for example, course completion rates, phishing test outcomes, and so on), but the difference here is that you are able to put these numbers into context. This context is used to tell the story of how your security awareness and training program is strengthening the overall security culture of the organization, thereby reducing risk, potentially increasing productivity, and having a positive impact on the organization's ability to execute.

"Culture eats strategy for breakfast." - Peter Drucker, Management Consultant, Educator and Author

Maintaining Executive Support for Your Program

Communication Strategy is Key

Any time you present data, don't leave the interpretation to chance. The "what" is the data itself; every "what" comes with a "so what?" (what does that data actually mean?) and a "now what?" (what do we do in light of that information?). Any time you have a "what", you need to answer the "so what" and the "now what"; otherwise you are leaving one or both up for interpretation, and that is a chance you cannot afford to take. Your communication strategy throughout the whole process is key. You want to tell a memorable story whose moral is that the organization needs security awareness training. Use statistics, charts, and graphs to support that story.

Capturing Executive Attention

What's in it for them: answer the "so what" question. Answer specifically, for each member of the executive team, what about the output of a security awareness training program will matter most to them. This can be framed positively (increased resiliency that leads to a more stable environment, higher employee productivity) or negatively (pain that can be avoided when this is done right: data doesn't get exposed, users don't get compromised, and so on).

Outline clear connections: show the connection between the action of training and the things that are important to that executive. This could be a specific system, a business outcome, a specific project, or a regulation they are accountable for.

Measurement and stories: talk about what is going to be measured and how it will be presented, and use that to get to the moral of the story (this is what goes wrong without a security awareness program, here is what can go right, and so on).

Be on the Lookout for Ways To:

  • Align your program to the organization’s strategy, mission, and initiatives. This can get heads around the table nodding.
  • Tie your program to compliance requirements. For most major security best practices, audit requirements and regulatory requirements, security awareness training IS a requirement.
  • Use current events and stories about organizations that are similar to yours in terms of industry, size, or other demographic characteristics. Note: Be careful not to do this in a way that will be perceived as alarmist or as fear mongering. The closer to home it feels, the more real it becomes in their minds.
  • Map your program to established industry best practices (such as the NIST Cybersecurity Framework, the National Association of Corporate Directors guidance on cybersecurity, and so on).

Use SMARTER Goals

Show that you are being very intentional about starting your program and you will be more likely to get the support, budget, and resources you need to get it started. Use a SMARTER goal-setting framework: goals should be Specific, Measurable, Actionable, Risky, Time-keyed, Exciting, and Relevant.

Goals like "The goal is to reduce our phish-prone percentage" or "To be able to engage employees so they are more aware of the risks and threats around them" are not specific or measurable and are certainly not exciting. An example of a SMARTER goal would be: "We are going to reduce our phish-prone percentage from an initial baseline of 30% down to 15% within the next 45 days." You will know for sure whether you've hit the goal or not once those 45 days are up. With this framework in mind, it is much easier to build out your training plan and reporting schedule around these types of goals.

Brainstorming Worksheet for Gaining Support

We recommend filling out something like the sheet below for each executive you need to get buy-in from. This isn't something to share with anyone; it's a tool to help you prepare before you start meeting with your executive team. Find ways to amplify their value proposition and address or minimize their concerns early on. Try to have one-on-one conversations before you officially ask for support so there are no major surprises when that time comes.

It's a Marathon, not a Sprint

It's very important that you present this as an ongoing program from the very beginning, not a one-and-done effort. Think about the difference between an event and an ongoing effort, and the difference between a sprint and a marathon. Time and consistency make a BIG impact in changing behavior for the better.