How to get executive buy-in to your cyber security awareness program

If you don’t have executive buy-in from the start of your cyber security awareness program, it will be much harder to get high employee engagement. Employees model their behavior off of their managers. If the C-levels don’t do their training it creates an employee buy-in waterfall, trickling down to managers, then to mid-level employees, all the way down until entry-level employees don’t care to complete their training either.

That’s why, before even beginning to implement your training, you need to ensure your executives are on board. But, I know not all of us are starting from scratch. If you have already started your program and are realizing your executives aren’t “bought in” there’s still a way to turn it around. 

How? Let’s take a look.

Photo by Rodeo Project Management Software on Unsplash

Not to mention, if the executives understand the importance of cyber security training, you’re more likely to get easier funding to support the initiatives you know you need. If they don’t believe it’s important or will save them money in the long run, you won’t be left with much to work with to create a successful security program. 

The executive buy-in truth table

When it comes to getting top-level executives on board with your cyber security program, there are four possible scenarios: they do the training, they talk about the training but don’t do it, they do the training but don’t talk about it, or they don’t do either one of those things. This is what I call the executive truth table. For each scenario, there are steps that you can take to get them involved and invested in your program.

How to get C-level buy-in

Square 2&3: If they do the training or talk about the training

If executives have already begun participating in or discussing training programs, then you know that they understand its importance and value its potential benefits. This is a great start, but you want to get them to square one. You should continue to emphasize how important their role is as top-level decision-makers by talking about why their involvement matters so much both internally and externally. You can even invite them to participate in activities like interviews that can be published on internal communication channels and in newsletters.

It’s likely that in that conversation your executives will counter back with some excuses:

• “I’m the ____. I don’t have time to do it.”: It may be that your training is too long, and takes too much time. Consider shortening your training to only a few minutes a week so executives can fit it into their busy schedule and this excuse won’t be valid anymore. 
• “I do it myself, but I don’t know what to say to get other people to do it.”: What resources can you provide your executive with? Do you have case studies they could share? Sometimes they just haven’t had the time to promote it. You can offer help in getting their message out.
• “I do it myself, but I don’t want to nag my team. They are busy.”: How can you reframe your training so it’s less of a chore, and more of an enabler? Gamifying your sessions could allow your executive the opportunity to talk about completing the training in a fun way (ex. Getting to the top of the leaderboard). Or consider emphasizing what their team could cost the company if these conversations aren’t had. You can even use analogies like “the brakes on a car”… How fast would you drive a Lamborghini if it had no brakes?

Although they say they recognize and support the importance of security awareness, executives can be just as reluctant to “face the peril” of actually doing the training as any other employees. If the training is boring, or it is irrelevant or unhelpful, executives will naturally look for any reason to disengage from it, and say “It’s just not that relevant to me, in my position.”

So, the training must be engaging enough to hold the attention of even the busiest executives. They must feel that it is not a one-time event that they have to endure. Instead, the only way to positively impact security culture is if the security awareness training is highly interactive, with relevant exercises provided in small chunks, on an ongoing basis, that provide frequent value. 

Click Armor gamifies your training so employees can enjoy short, weekly challenges instead of hours of training a month. Book a chat with us. 

Square 4: What to do if they don’t do the training or promote it?

Unfortunately, some executives may not be willing or able to participate in any capacity. In this case, you need to figure out what beliefs they hold that could be preventing them from taking action on this issue. Once you figure out their barriers, you can work to get them to square two or three, then eventually to square one. It’s important to note that you aren’t trying to get them into square one immediately, small steps will work better in this case. 

Executive interviews

My strategy that I find works best is to use executive interviews. These are meant to be done before creating or trying to change your program, so you can understand their perspective, experiences, and expectations. So, if you are one of the lucky ones starting from the beginning, make sure to implement these right away so you can build a program with CEO buy-in from the beginning. 

If you have already built the program, you can still host executive interviews in the context of a “security awareness revitalization” initiative. Tell them that you are interviewing as many executives as possible, and ask them about: (1) their previous experiences with training; (2) what they think of the current training; (3) what they think of the barriers are to implementing a successful program; and (4), what they’d want to see in an ideal program. Not only do you now hold a treasure trove of C-level perspectives, but your executives also feel more involved in the program, and will be more likely to complete and promote the training. 

Emphasize statistics

In the interview meetings, start by sharing some short case studies of successful implementations as well as data highlighting costs associated with a lack of proper preparation for potential threats. By finding look-alike organizations or competitors who have been affected by a breach, your executives might start to let go of their “it would never happen to me” attitude, and begin to face the reality of a potential breach. 

It’s also common for executives to underestimate the costs of security breaches. Re-emphasize the disastrous effects by using statistics from reports like this one from IBM. Your executives might be more inclined to promote the training when they learn that a breach costs a business over 4 million dollars, on average. 

Bring in a third party

If nothing else seems to work, consider bringing in a third-party expert who has experience working with senior management teams regarding cyber security issues. Having an outside perspective can often provide new insights into presenting solutions which may be received better by senior leadership teams than ideas presented by internal resources alone. 

To summarize these thoughts, executive buy-in for your organization’s cyber security awareness program is critical for ensuring every individual within your company understands its importance and participates actively in defending against potential threats.

It’s never too late to turn your program around and gain your executives’ support. But, with strong leadership driving progress toward a clear goal of gaining executive support on this issue from the very start, you can ensure that cyber security remains a priority for everyone involved.

Scott Wright is CEO of Click Armor, the gamified simulation platform that helps businesses avoid breaches by engaging employees to improve their proficiency in making decisions for cyber security risk and corporate compliance. He has over 20 years of cyber security coaching experience and was creator of the Honey Stick Project for Smartphones as a demonstration in measuring human vulnerabilities.