More and more business leaders have come to appreciate that cybersecurity threats are among the most significant business risks and that cultivating a strong security culture is vital to achieving short and long-term business goals. Despite this, there is still some uncertainty in terms of who is responsible for leading the charge when it comes to security.
In this article, we share primary research results from the Media Sonar research team that explore how a “top-down approach” leads to a better security culture throughout the organization.
We asked 776 security professionals whose buy-in they consider most important for an organization to have on the importance of security. 63% responded with the executive team or board members.
It Starts with the Board and Executives
An organization’s executives and board members must appreciate how critical their support and oversight are to building and maturing its security program. Security must always start at the top and flow down through the middle of the organization. Otherwise, you will be fighting uphill the whole time. Once the CEO, CFO, chief legal counsel, etc., are on board, the program can be strategized, and tactics for its implementation can be devised downstream to involve lower-level employees and customers.
Not only do executives and board members need to approve and fund the security initiatives, but they also need to set an example by actively promoting and participating in security-related activities. Oftentimes, executives exclude themselves from tutorials and training because they are higher up in the organization and prioritize other initiatives. If executives signal that participation is optional, the rest of the organization will not feel motivated to participate either. Our research results below show that executives are starting to move in the right direction, with 44% of executives frequently promoting the importance of security within their organization.
In a survey of 247 security professionals, 44% said that their executives promote the importance of security initiatives all the time, and only 8% said their executives never do.
Challenges of Getting Executive and Board Buy-In
Because of growing demands and evolving day-to-day responsibilities, getting and maintaining executive and board-level buy-in presents challenges. Our research found that the key obstacle to executive and board buy-in is the cost associated with a security program.
When it comes to building an effective cybersecurity program, it’s all about three core elements: ensuring you have the people, processes, and technologies in place to secure your organization. That requires investment, and the reality is that implementing effective cybersecurity isn’t easy, and it’s not cheap. Plus, the initial investment is only part of the battle. After you get the green light, it becomes a matter of consistently demonstrating return and value in order to keep that investment flowing.
In a survey of 263 security professionals, 48% said the biggest challenge they face when getting executive and board buy-in for security initiatives is that they don’t want to spend the money.
Strategies for Getting Executive and Board Buy-In
The key to getting buy-in from executives and board members is aligning cybersecurity risks with the organization’s business objectives and overall risk appetite. By putting risk in business-impact terms and giving real-world examples, you’ll be better able to demonstrate what could happen if they don’t invest in their security posture. Instead of waiting for a severe real-life security incident, there are a few practical ways to proactively demonstrate the importance of taking security seriously.
- Find successful attacks that happened to organizations similar to yours. Explain what happened, why, and the damages and costs that resulted (financial, brand, reputation, etc.).
- Leverage services that show your executives indicators of attempted breaches or other security vulnerabilities that involve your organization. For example, Media Sonar Digital Risk Assessments provides an analyst-generated report summarizing where your organization’s assets are already exposed and at risk.
- Create simulated attacks, such as a fake phishing email or ransomware link, to see if your employees will engage. If the simulation succeeds, you can show your executives and board members that an attack is possible and demonstrate the damage that could occur in the worst-case scenario without cyber defenses. If your already-established security processes are effective, you can show that the measures you have in place are making an impact and that continuing to invest will allow you to develop those tactics further.
- With consumers becoming increasingly concerned about security and privacy, there is an opportunity for organizations to use their security investments as a competitive advantage. The better you can communicate customer expectations and show how security can drive revenue and give your organization a competitive edge, the more likely your key stakeholders are to tune in to what you say.
Challenges of Getting Employee Buy-In
Now that we’ve covered strategies for overcoming the challenges of getting executive and board-level buy-in, we can move downstream to employee buy-in. Getting and maintaining employee buy-in is critical, as employees’ day-to-day actions can make or break the success of the security program. But achieving employee buy-in comes with its own challenges. Our research results below show that the three main challenges to getting employee buy-in are employees thinking security isn’t their responsibility, assuming they aren’t a target, and thinking that security measures get in the way of doing their job. Unfortunately, only 8% of the security professionals we surveyed have employee buy-in within their organization.
We asked 361 security professionals about their main challenge when getting employees to buy into security initiatives. 33% said it’s because employees think they’re not responsible, and 32% said it’s because employees assume their organization isn’t a target. Only 8% of respondents believe their employees have bought in already.
Strategies for Getting Employee Buy-In
Organizations must identify which security measures employees are pushing back on and communicate how those measures benefit the employee and can improve their productivity rather than interfere with their day-to-day job. Security should be transparent to employees, and it should not be optional. A lot of literature is available that offers best practices for driving security adoption among employees. Here are a few tips that organizations can leverage to get and maintain employee buy-in.
- A lack of understanding, combined with the complexity of security, often contributes to lower levels of buy-in from employees. Starting with the basics of security and offering practical steps they can take, such as creating stronger passwords, using multi-factor authentication, and keeping up with the latest software updates, can go a long way in establishing a baseline understanding and building their confidence as you move on to more complex topics.
- Consistent training and security awareness activities are essential for ongoing employee buy-in. Too often, organizations perform security training once a year, just enough to check a box. Delivering smaller, easy-to-consume training consistently throughout the year can help drive engagement and adoption.
- It is essential to communicate that it isn’t just the company data at risk; the employees’ personal information is also a target. Not only can an incident result in financial and brand damages to the company, but it can also negatively impact individual employees and their data.
- Promoting security initiatives right when employees join the organization shows how security is a top priority for your organization. Embedding your security procedures and policies into your onboarding process is a great way to instill the importance of security among new hires.
- Celebrating when employees take proper security measures rather than punishing those who make a mistake can significantly impact employee buy-in. If you run simulated security attacks, share the scenarios in which employees responded correctly rather than condemning those who did not. Creating a culture of fear and consequences will result in employees being less transparent in reporting security incidents and less motivated to adopt your organization’s security measures.
Everyone Has a Responsibility
At the end of the day, security must be supported, reinforced, and expected at all levels. But there needs to be a strategy for cultivating a security culture throughout the entire organization. Security is about making tough decisions. Without board and executive buy-in, it can be challenging to make these tough decisions, and no lasting change can happen. While establishing executive and board-level buy-in can be difficult, it goes a long way in strengthening your security posture at each level of the organization.