August 24, 2022 — With Cybersecurity Awareness Month fast approaching, information security professionals and data protection managers will be looking at how to secure board-level buy-in for company-wide cybersecurity awareness campaigns. Often, this is the biggest hurdle for any cyber awareness campaign, as senior leadership weighs the costs and benefits of investing in the security of the business.
Today we will be looking at some top tips for changing the tide on board-level buy-in.
What are the obstacles to board-level buy-in, and how can they be addressed?
According to a study by AT&T, board members rank data security as their number one concern; however, 75% of these boards do not actively invest in internal cybersecurity campaigns.
With average data breach costs soaring to $4.4 million in 2022, the need to elevate cybersecurity initiatives on the boardroom agenda is increasing.
Why is there an understanding of the importance of cybersecurity awareness but no impetus to follow up with company-wide campaigns and initiatives?
1. Monetary Hurdles
Cybersecurity awareness providers can use behavior research tools and surveys to assess which areas of your company need to be addressed with training and development. This helps you show where your budget needs to be spent and why, reassuring board members with facts and actionable insight and analysis. By doing this, you also immediately involve board members in the decision process.
2. Fear of Change
One of the biggest hurdles to board buy-in is the fear of change and the comfort of following a tried and tested formula. People don’t like change, and breaking leadership habits is very difficult to do.
In order to break this status quo, you need to increase board members’ involvement in security activities and simulations, especially considering recent developments in cybersecurity regulations.
When you do this, you can show your board members how easy it is to make mistakes and costly errors under the current protocols and teachings. When you root scenarios in relatable and personal examples, the risks associated with a cybersecurity event become clear to all board members.
3. Lack of Security Awareness
There is nothing harder than selling a new and improved security awareness campaign to your board members, especially if they have no security awareness at all. Why would they want to invest a portion of their finances in something that they do not understand? And why should the rest of your workers take security awareness seriously if their managers do not give it a second thought? It is meant to be a team effort after all, isn’t it?
This is a simple fix, but it requires hands-on work from the organization’s information security officer and/or data protection officer, with the help of your chosen training provider. You need to take a trickle-down approach. Begin with focus groups and simulated training for board-level members, keeping the focus on the financial and legal ramifications companies face as a result of breaches. Position cybersecurity awareness as a proactive part of your organization with a focus on Return on Investment (ROI), while highlighting how much more painful it is to be reactive to cybersecurity breaches.
How to engage Board members in the cybersecurity awareness conversation
When you implement a cybersecurity awareness campaign that is supported and planned out by the board, you increase the chances of company-wide buy-in and knowledge retention. So, how will you engage board members in the conversation? By speaking their language.
Sell it to them!
You need to encourage your board to focus on the risks and threat actors that target organizations every single day, but you also need to realize you are selling them something. When you are selling to your board, make the problems their employees face concrete and use board-level language such as risk terminology and KPIs (Key Performance Indicators). Board members want to see hard numbers and measurable data to justify their investment.
Educate them regularly
The biggest reason board members struggle to support cybersecurity awareness initiatives is a lack of knowledge on the issue. If you are in charge of board buy-in, you need to regularly communicate cybersecurity insights, headlines, and stories with your board. They need to understand, in an easy-to-digest way, how cybersecurity is vital to the existence of their organization. Upskilling the board should always be a primary goal in any cybersecurity campaign!
It’s an investment, not a loss!
Board members want to hear things like ‘driving consistency’, ‘streamlining processes’, ‘minimizing human errors’, ‘avoiding reputational damage’, and ‘improving workflow’. Make it clear to your board members that they are making an investment which will lead to increased efficiency in the workforce and savings in the financial sheets. Begin with the message that cybersecurity is not a cost, it is an investment!
Bring in the pros
It is also highly beneficial to bring in the knowledge of a respected and experienced cybersecurity professional/consultant to add evidence to your board presentation. Cybersecurity professionals can run scoping workshops and team activities with your board to answer both company-specific questions and any technical questions that may arise.
Board-level buy-in is key to promoting a secure organization from top to bottom. Remember that your executives are still people, so it is important to communicate clearly what your objectives are, how your security awareness campaign addresses gaps in your security culture, and how it keeps your organization safe from cybercrime.