Executive engagement is a game changer for your security awareness program. With it, you can easily build a successful program with as few speed bumps and barriers as possible. Without it, you’ll struggle to move forward with any plans and reach any of the people you need in the organization.

Some businesses only focus on getting approvals for Cyber Security Awareness Month, but it’s even more critical to have executive support year-round. Having their support 24/7 will help you drive a positive security culture, making it easier to implement new training and policies and help your employees protect your business.

What is executive engagement?

Definition

Executive engagement is the involvement of top-level management in understanding, supporting, and implementing security measures throughout the organization. It not only means executives complete their own training, but they encourage their teams to complete theirs as well.

Beyond training, engaged executives also share security stories and lingo in their everyday conversations and encourage employees to do the same. This leads their employees to feel safe to confide in their executives and ask any questions they have about security. Because of their understanding and appreciation for the importance of security, engaged executives are also more likely to easily approve budgets and give any other support needed to security executives. Engaged executives should always be aware of what is going on in their security awareness program and in the security awareness world. 

Why it’s important 

Executives are more likely to have access to important data and larger networks within their organizations, making them the biggest targets for attackers. Attackers know that executives are the jackpot for information and are therefore more likely to invest more time into making their attack look real. This means executives are more likely to be spear phished and need the most training of anyone in order to protect the business. 

Besides the major targets on their backs, executives also have the most influence of anyone over all employees in the organization. For this reason, their impact on security culture can be incredible. Their conversations, attitudes, and actions set the tone for the rest of the organization. If the executives talk about the importance of completing training on time (and setting aside time to do so), managers are more likely to follow suit. If executives claim that training is a “waste of time” and they have never done it, that mentality will spread down the organization from manager to director to new employees until every employee has the same mentality. 

Lastly, their ability to easily approve budgets and access to employee time will make your job ten times easier if they are on your side. If they know the true benefits and ROI of having a successful security awareness program, you’ll find yourself with more money and more tools to use to make your program the best it can be.

The barriers

The biggest barrier to gaining top-down support is the set of beliefs that already exist within the board. Some common beliefs are “We don’t have time.”, “It’s not our job.”, “It’s not important.”, and “It’s a waste of money.” Later in this blog, we’ll tell you how to address these beliefs in order to gain the executives’ support.

Another tricky part can be gaining access to your executives in the first place. As a security professional, you might fall quite far down on the organizational structure and have to go through a director of HR or IT and a manager or two before you get to the executive table. It’s never a great idea to go around your boss to another boss, so try working your way up, gaining support along the way, until you are in front of the executives.

How to engage your executives

Show them cases & numbers

Executives are inherently focused on results and return on investment. Showcasing real-world breach cases, complete with concrete financial and reputational consequences, will capture their attention. For example, when they learn that a breach costs a business over 4 million dollars on average, their mindsets are probably going to change. 

Host a meeting requiring all executives’ attention and create a presentation that demonstrates how investing in security awareness can mitigate these risks and potentially save the organization significant financial losses while safeguarding its reputation. Make sure you include cases from the same industry, maybe even of your competitors, so they can see that “But it’ll never happen to us!” is not a good enough security practice. 

Beforehand, you may consider doing 1-on-1 interviews with the executives to fully understand where their misconceptions come from and to make them feel more involved in the process. 

Create training based on their specific security risks 

Executives often prioritize strategic decisions over operational details. To engage them effectively, offer training that highlights the security risks most relevant to their roles. Whether it’s social engineering, insider threats, or regulatory compliance, providing targeted insights helps them understand the direct impact on the organization’s objectives. 

This will further demonstrate that training isn’t something to just be “checked off” by every person in the organization, but rather a tool tailored to each specific role that will actively protect the business from losing money. 

Use Click Armor’s new customized group training feature to create executive-only training or department-specific training. Book a call with us to learn more.

Foster an executive-involved environment

To nurture executive engagement, create an environment where security is a regular topic of discussion. Incorporate security measures into board meetings or establish bi-weekly dedicated security discussions. Keeping communication continuous ensures executives are updated on the latest threats and the organization’s security posture.

Highlighting the importance of executives as role models is also crucial. When leaders visibly prioritize security, employees are more likely to follow suit. Executives should set the tone by consistently adhering to security practices and policies. Encourage executives to take on this role by showing them the impact they have: set KPIs that you can reflect on together in your regular meetings.

Offer guidance for casual integration 

Encourage executives to seamlessly integrate security into everyday conversations. By discussing security measures and concerns openly, executives send a clear message that security is a priority. Help your executives work these topics into everyday conversations by giving them easy conversation starters that they can use in their meetings, like: “How did you find the training yesterday?”, “Did you guys receive that weird email yesterday?”, or “Did you see what happened to ____ company?”

Another great way to encourage this is to share relevant articles, videos, and event links with executives. This positions them as knowledge resources for their teams, allowing them to share valuable insights and keep security at the forefront of discussions.

It’s also important to assist executives in creating processes for incident or suspicion reporting. This not only demonstrates their commitment to addressing security issues promptly but also empowers employees to be proactive in reporting potential threats.

Engaging executives in your security awareness program is crucial for fostering a culture of security within your organization – all year round. By tailoring training, showcasing tangible ROI, fostering an executive-involved environment, and providing advice on leading by example, you can ensure that your executives become strong advocates for security awareness throughout the organization.

 

Scott Wright is CEO of Click Armor, the gamified simulation platform that helps businesses avoid breaches by engaging employees to improve their proficiency in making decisions for cyber security risk and corporate compliance. He has over 20 years of cyber security coaching experience and was creator of the Honey Stick Project for Smartphones as a demonstration in measuring human vulnerabilities.
