How to Gain Stakeholder Support for Cybersecurity Awareness

How can enterprises increase stakeholder support for empowering cybersecurity awareness?

April 13, 2023

Any organization-wide initiative needs broad support from stakeholders across departments or teams in order to be successful. That’s especially true of cybersecurity awareness training (CSAT) programs because every single person in an organization is a potential vulnerability, emphasizes Shaun McAlmont, CEO of NINJIO.

When more than 82 percent of cyberattacks rely on human error for success, just one colleague can make the difference between security and disaster. They need to understand and buy into that reality.

As with all non-technical implementation challenges, different approaches will work for different stakeholders. For leaders in the C-suite who focus on resource allocation, it’s important to compare the destructive capacity of cyberattacks with the cost-effectiveness of CSAT, in addition to compiling clear key performance indicators for your CSAT program’s success.

For the broader workforce, CISOs and team leaders can point to the value of cybersecurity awareness as a professional development opportunity and a way to empower workers by demonstrating how they’re capable of keeping the organization safe. CSAT is all about securing long-term behavioral change, and this means providing the right incentives for all stakeholders. 

As cybersecurity touches more aspects of everyone’s work, having a security leadership team that knows how to build and maintain stakeholder support for a CSAT program is crucial. What’s more, we’ve seen firsthand the success of companies that shift their thinking from CSAT as something that sits in the IT silo to a core ingredient of the culture. From the top down, cybersecurity is positioned as vital, rewards are given to those who actively know how to mitigate risk by keeping up with their periodic training, and CISOs have direct insight and metrics to track employee progress.

The Defensible Financial Argument for Cybersecurity Awareness

As companies increase their investments in cybersecurity teams, it’s necessary to make clear and compelling arguments for CSAT adoption and adherence. One of the most reliable ways to do this is to highlight the exploding cost of cyberattacks for organizations. According to an IBM report, the average cost of a data breach for all global markets hit an all-time high of $4.35 million in 2022. In the U.S., it’s a staggering $9.44 million, the highest of any country. Eighty-three percent of the organizations IBM surveyed said they had been breached before.

Several of the costliest and most frequently exploited attack vectors directly implicate employees: a typical phishing attack inflicted $4.91 million in financial damage in 2022, while attacks that relied on stolen or compromised credentials cost $4.5 million on average.

The kind of training that helps thwart these attacks is comparatively cheap. For most organizations, stopping just one attack with a cyber-aware employee would render a positive return on investment. IBM reports that the financial fallout from these attacks is less severe for companies with cybersecurity training programs.

Making a Practical Case for Cybersecurity Awareness

The immediate costs aren’t just financial. IBM also found that cyberattacks take a while to identify and contain: an average of 207 days to uncover the breach and 70 days longer to contain it. Any operational leader can easily understand how much sensitive data could be lost over the course of seven months – and that’s before anyone realizes there’s a problem. Devoting an additional two months of time and money to containment moves the organization farther away from achieving its goals.

What’s more, the reputational damage an organization faces after a cyberattack can be severe. People care about their personal cybersecurity, and that extends to how they interact with companies. An Arcserve report found that 59 percent of consumers said they would avoid doing business with an organization that experienced a cyberattack in the past year. That figure alone should convince your Chief Marketing Officer and sales leaders that CSAT is worthwhile.

These are all convincing arguments for the establishment of a robust CSAT program, particularly as companies become increasingly cost-conscious in the face of significant economic headwinds. Cybersecurity awareness won’t just help companies avoid the devastating immediate costs of a cyberattack – it will also prevent the loss of consumer trust that can result from these attacks and ensure that the workforce is capable of adapting to an ever-shifting cyberthreat landscape.

Earning Stakeholder Support across the Organization

Even if your leadership team is on board with your CSAT program, you’ll still need to convince the rank-and-file. The most stubborn myth about cybersecurity is the idea that it is solely the responsibility of IT and security teams with specific technical skill sets that many employees don’t possess. This misconception leads to a sense of powerlessness among employees, who feel like they’re at the mercy of cybercriminals and don’t see their own protection as their responsibility. 

It isn’t just employees who make this mistake – managers and members of the C-suite often insist that cybersecurity is beyond their scope, which means they’re simultaneously increasing the chances that they will be hacked and setting an unhealthy example for their team members.

The first priority for any CSAT program is dispelling these illusions by showing everyone in the company that they don’t just have the ability to prevent cyberattacks – they have a responsibility to do so. But this appeal can’t take the form of boring lectures, PowerPoint presentations, or blast emails. The only way to get employees on board with your CSAT program is to keep them fully invested in the learning process with highly engaging and relevant educational content that will secure sustainable behavioral change.

There are several ways to understand “relevance” when it comes to CSAT programs. First, content should be based on real-world cyberattacks and strategies for stopping them. Second, it should be personalized on the basis of employees’ unique skills and learning styles. And third, it should use tactics such as storytelling and gamification, which will give employees a reason to pay attention. CSAT is all about offering the right incentives to maintain engagement, and these incentives have to be compelling across the entire organization.

Building a Culture of Cybersecurity

The ultimate goal of an effective CSAT program is to make cybersecurity integral to an organization’s culture. Cybersecurity awareness shouldn’t be something employees, managers, and company leaders only consider on the occasions when they’re engaging with CSAT content or explicitly discussing cybersecurity in the workplace. It should inform everything they do – from how they use digital resources to how they communicate and collaborate with colleagues.

Broad stakeholder support is a prerequisite for creating a culture of cybersecurity, as this process requires an ongoing commitment from everyone in the organization. This is where powerful incentives are vital. One of the best ways to improve engagement and retention is to show employees that the organization and its leadership care about their individual professional development, and providing opportunities to cultivate their cybersecurity awareness is one way to do so. CSAT can also help organizations focus on accountability by encouraging and rewarding healthy behaviors. There are many tools companies can deploy to maintain accountability, such as phishing tests and personalized assessments of employees’ strengths and weaknesses, and these tools can open lines of communication about areas for improvement.

Cyber threats are constantly evolving as hackers test organizations’ defenses and devise new ways to exploit human vulnerabilities. But just as people can be manipulated and fooled, they can also learn about the latest cybercriminal tactics and use this knowledge to keep the organization safe. However, cybercriminals still only need a single entry point to attack an entire organization – a stark reminder that your CSAT program requires stakeholder commitment across the board.

Dr. Shaun McAlmont
Dr. McAlmont is one of the nation’s leading multi-sector education executives. His experience also includes a decade-long tenure at Lincoln Educational Services, where he was President and CEO. Dr. McAlmont has also served as CEO of Neumont College of Computer Science and President of Alta Colleges’ Online Learning Division. His for-profit and ed tech experience is supported by early student development roles at Stanford and Brigham Young Universities. He is a former NCAA and international athlete, a trustee on the Neumont College of Computer Science Board, a member of the BYU Marriott School of Management National Advisory Council and serves on the BorgWarner board of directors. He earned his doctoral degree in higher education, with distinction, from the University of Pennsylvania, a master’s degree from the University of San Francisco, and his bachelor’s degree from BYU.