Selling security awareness training to your board
Security is everyone’s problem these days. With cybercrime damages expected to come in at around $6 trillion by 2021, it is hardly surprising that cybersecurity has become a board-level topic. But boards do not typically include security-knowledgeable individuals. So, how do we engage the board in what may seem to be an uninspiring and dry topic like cybersecurity – particularly around security awareness training?
In this article, we will look at why board members need to see cybersecurity as a strategic part of business operations. We will also look at how security awareness training can offer a great way to combat cyber threats.
Why is cybersecurity important to the board?
Cybersecurity is no longer something that only impacts your IT team or Head of Information Security. When a security incident hits an organisation, it can sting to the tune of £2.48 million – this being the average cost of a cyber-attack in 2017.
These costs can be felt right across the organisation, from marketing to finance to IT to the individual worker. Costs incurred from a cyber-attack depend on the goal of the cybercriminal, but typically include:
- Exposed data records of employees and customers
- Stolen intellectual property and leakage of company sensitive information
- Downtime due to IT systems being affected
- Repair costs
- Ransomware payments
- Loss of brand loyalty
- Fines and class actions (including against directors and board members)
- Share price impact
Many of the costs incurred by a security incident are hard to pin down. Loss of brand loyalty, for example, is difficult to quantify in the long term and costly to rebuild once lost.
The board directors, both executive and non-executive, have a duty to ensure the ongoing success of the company. If that success is jeopardised by cybersecurity threats, those threats become an intrinsic part of the board’s governance decisions.
How can you sell security awareness to your board members?
A 2016 Ponemon Institute study of risk management found that 63% of executives felt they did not have accountability or responsibility for cybersecurity. The study also found that 50% of respondents felt that risk management was not aligned with business goals and that board directors were not engaged in the process. Perception needs to shift before strategy can shift and cyber-risk can be mitigated.
Cybersecurity threats touch the board along with everyone else in an organisation. They are a general threat to effective and successful business operations. Because modern cybercriminals use multiple methods to circumvent security, countermeasures have to be multi-layered too – this means combining technological approaches with human factors like training and awareness.
The starting point of mitigating cybersecurity threats is with knowledge. Ignorance is the oil that lubricates the wheels of the cybercriminal. Security awareness is about creating a deeply woven culture of security in an organisation – a culture that incorporates everyone, from board directors to shop floor workers. In fact, the tone for cybersecurity awareness must begin at the top.
This view of tone at the top is backed up by the analyst firm Gartner, which reiterates the importance of engaging board members with your enterprise security strategy. In a recent look at boards and cybersecurity risk, Gartner pointed out the importance of aligning the message you give the board about security with the business goals. Security awareness training for all, including board members, can help to bring this message together and include the voices of the board in your overall security strategy – enforcing and crystallising it. In effect, board members become evangelists for security awareness across the organisation.
Ways in which security awareness training helps your board
Once security awareness training has been customised for the needs of your organisation and aligned with your goals, you will see major benefits from it. Security awareness training empowers everyone across your company. Done well, it can enhance your operations by mitigating risk and so enabling the safe adoption of new technologies.
Ways in which security awareness training helps the board include:
A secure worker is a happy worker: A cybersecurity incident impacts workers and affects morale. People get worried about their jobs and the blame game begins. Sometimes the incident directly affects the workers themselves. This was the case with Sports Direct in 2016, where 30,000 employees’ personal data was compromised in a cyber-attack. The company came under heavy criticism when it neglected to inform its employees about the exposed data. Building security awareness training programs that fit your business goals will create a safer working environment, protecting not only corporate data but employee data too.
Getting your money back: Security awareness training programs are built to optimise return on investment. As the costs of a cyber-attack soar, creating company-wide awareness that can prevent a cyber-attack is money well spent. Security awareness is an investment against the extreme cost of a data breach.
Saving the board’s bacon: Board members have a duty to shareholders, and one thing that is often affected adversely by a cyber-attack is share price. When British Airways was hit by a data breach affecting 380,000 customers, its share price instantly dropped by 4%. Research has found that share prices drop by 1.8% on average, and by up to 15%, after a data breach – and that the drop is permanent.
Cutting through compliance: Data protection and data privacy have become the expected norm across companies of all sizes and types. Board members now have a direct duty of care with respect to compliance issues like the General Data Protection Regulation (GDPR). Article 70 of the GDPR states that “The Board shall ensure the consistent application of this Regulation”. With fines as high as 4% of global revenue or 20 million euros, whichever is higher, the incentive for board members to use methods such as security awareness training to manage cybersecurity risk is stronger than ever.
Things you can do to make that security awareness sale
You’ve gathered all of the facts and are ready to pitch the idea of a company-wide security awareness program to the board, but what sort of areas should you focus on?
- Create an ‘at-a-glance’ view of the cybersecurity landscape with costs and numbers. Use a graphic designer to create an infographic if possible. Use these numbers to show three key areas – Risk, Cost, Impact.
- Pre-existing metrics around cyber threats are always useful. You may already have some data on a previous cyber-attack to show the board, and you may be able to extrapolate from it to show how a future attack might impact the business. However, without the systematic set of metrics that a full security awareness training program provides, such data will be limited.
- Instead, you may find that presenting a ‘dummy run’ of the effect of a cyber-attack on your organisation can help the board picture the problem. You can do this as a storyboard showing which parts of the company would be affected and to what extent.
- Be positive and plan. A board needs to have a plan of action to tackle issues. Show the board how using security awareness programs across the organisation can work – how each department will have the program aligned to their operational needs and the types of options available to your company.
- Talk about risk management and how education and knowledge can be used to de-risk everyday operations by changing poor behaviour that cybercriminals rely on.
Security awareness training top down
The fix for modern cybersecurity issues is about people as much as it is about technology. Your board must become a catalyst for change by setting the tone for security at the top. As regulations tighten board members’ duty of care, now is the perfect time to sell security awareness training to your board.