#GartnerSEC: Ensuring Buy-In for Security Awareness

Ensure management adoption and employee engagement in your security awareness program by delivering suitable content in an understandable language.

Speaking at the Gartner Security and Risk Virtual Summit, senior director Brian Reed said that getting investment and support for a security awareness program “depends on persuasive justification, and negotiation skills.”

On why gaining support is so important, Reed said that the COVID-19 lockdown “provided a unique example of how security can meet the needs of a crisis and an upheaval” and it would be a shame to “waste a crisis,” so companies should use it as a security awareness teaching moment.

“The majority of the cost of security awareness is going to come in people and capital; the capital spend requires spending not just on a security awareness tool, but on delivering that content,” he said. “A lot of the organizational negotiation may center around how much training an organization needs, or what the time investment you may need from participants is.” Reed said this is worth considering, as well as what the rewards and consequences are.

“There is also the notion that it is always someone else’s problem and not necessarily mine,” he said, adding that charts setting out roles and responsibilities can help resolve these issues from the beginning, as well as highlight the skills and competencies the organization has or is missing. He said people typically fall into one of three types:

  • People who will not do the right thing no matter what they are told
  • People who will do the right thing provided they are told what the right thing is
  • People who will do the right thing instinctively every time

Reed said the vast majority are in the middle group, and will do the right thing provided they are told what the right thing is and are shown and empowered to do it. The third group can also be identified as potential security champions, acting as a point of contact for colleagues who do not feel comfortable going to the security or IT teams.

When it comes to organizational buy-in, Reed said this is critical once you have your users on board “and you’re accurately setting expectations.” The main ways to get buy-in across the organization include respecting the user’s time and speaking in a language that both security and management understand, “as there is often a disconnect with the language being used at a business and technical level.”

Another factor is to use active listening techniques to demonstrate that you have heard the audience’s concerns, and to build the case for security awareness by addressing those concerns and actively pursuing resolutions.

He went on to explain that a program should be tailored to a specific country or culture, and that “seduction is a better tool than imposing security awareness programs out of fear,” as you want people to see that this can be an enabler for the business and not just another compliance training effort.

Reed concluded by saying we should “embrace and celebrate our organization’s history, and we must recognize what progress and transition looks like, and ultimately we should answer the questions of purpose and value and tie them to our security strategy.”
