We work with security professionals from all sorts of backgrounds in organisations of all shapes and sizes around the world. Many of them are education and awareness managers (EAMs), and wherever they work, the most common complaint we hear about security awareness training is a lack of budget.
Behind the lack of budget is (always!) the lack of a solid business case. Get the business case right, convince the key people of the value of security education and awareness to the organisation, and you will find that the budget magically appears and they are only too happy to invest in a programme.
Security awareness training: building a business case
How do you build a business case?
One word: metrics.
Without meaningful metrics that align with your strategy (and if you don't have a strategy, you only have tactics, so you need a strategy first), you will have a hard time showing how education and awareness (E&A) contributes to the business's overarching strategy.
Moving on from a reliance on compliance
A lot of an organisation's security education and awareness is driven by legal or regulatory requirements (such as GDPR, NIST, ISO27011 and PCI DSS) and the need to comply with them.
But if the need is always seen as compliance-driven, you will always struggle to get any investment beyond that, and your E&A will always be a checkbox exercise whose only aim is to do what is legally required.
There is a trend towards making training a requirement, and we are seeing an increase in contract clauses that require evidence that you do E&A within your organisation. It's a promising development, yet most organisations' investment is tightly aligned with risk to their KPIs, so showing that your security programme is part of managing that risk is where you have to start.
Performing a proper risk assessment that links your business's KPIs to security awareness, behaviour and culture (ABC) is the first step towards showing its value beyond compliance.
To do this you need to:
- Have a clear set of objectives that are aligned to the organisation’s KPIs
- Be clear on what awareness, behaviour and culture are before you do the risk assessment (our blog on defining security awareness may be a good starting point)
- Carry out a risk assessment covering ABC (our Human Factor Risk Assessment workshop will help you with that)
- Establish some meaningful metrics across your business
Then use these metrics to tell a compelling story to the board and key stakeholders, who need to understand the risks to the business of not investing in its ABC, and the true value of making sure the budget is there.
If you’d like to know more about our risk assessment workshop or ask us about any of our work, we’d love to speak to you. Set up a chat here and we’ll be in touch.