Often the biggest hurdle a security team has to jump is getting a budget big enough to meet their needs. They’re given a mile-long to-do list and exactly enough funding to go a quarter of the way. Then the boss comes shouting down the hallway, “Who’s responsible for this data breach? How come our employees are making poor security decisions? You need to train our users!” The security team throws their hands in the air and tries explaining that the budget just didn’t stretch far enough to cover all of the necessary training. But the boss won’t hear it. He wants them to do more, more, more with less.
So how can you convince your boss to give you the money that will let you do your job?
The answer comes down to motivation.
What motivates anybody to do anything?
Humans are motivated primarily in two ways, both of which can help you convince your boss to increase spending, give you more team members, buy new equipment, etc. Only you can determine which one will work better in your organization. It depends on company culture, the reasons behind needing security awareness training in the first place, and sometimes just the personality of the person making financial decisions.
So what are the two motivators?
Fear and Desire.
These are the reasons you do anything; they are the motivating factors behind every decision you make.
Worried you’ll be late to work, you leave the house a little early. Worry is a form of fear.
Wanting to impress the boss with your hard work ethic, you show up to the office before the others. Want is just another word for desire.
You need to figure out how to use fear and desire to your advantage.
Let’s start with the easier one: fear.
Most organizations are scared to death of data breaches. What would happen if your organization got breached? There’s the possibility of losing a ton of money, losing customer or employee PII, losing the faith of your clients and damaging your reputation. There is not an organization that is not worried, on some level, about a breach. (If you know of one, please tell us what their secret is!) And this fear of financial loss, data loss or reputation damage is what leads most organizations to need security awareness training. The trouble is that if the fear isn’t strong enough, the security awareness program won’t receive the level of priority it truly deserves.
Thus, it becomes your job to scare the living daylights out of the right people.
First, figure out what your organization is most scared of – losing money, data, clients or reputation?
Second, learn which language to use when talking to decision makers. Do they speak Dollars, Identity Theft, Followers…?
Third, do some research. This part requires some legwork and a few hours on Google, but since you know what language you need to speak, your search terms have been narrowed for you. Find stats to scare your bosses. Find other organizations that have been made examples and laughingstocks. Find the companies that you don’t want to emulate and use them to your advantage.
It will probably take more than one conversation. Much like awareness training itself, this is not a one-and-done situation. It might take several meetings, it might take cozying up to some other departments to back you up, and it might take putting the research on display more than just once. Think about the scary research out there about tobacco; we know it’s bad for us, we know it causes cancer, we know smoking has cost people their voice boxes, their lungs, their lives. But often, people are not truly motivated by the fear until they see it firsthand, or until they’ve seen the consequences over and over and over and over. Get ready to act like a broken record and get to scarin’ up some money so you can train your users and secure your organization!
Now let’s talk about desire. This approach is tougher but can be successful in the right organization, and can ultimately be very rewarding.
People might be more motivated by desire than by fear. We want to have fun, so we drink that wine and eat that cake and drive on congested roads despite any worry, or fear, that the alcohol could poison our livers, that the cake will pile on the pounds or that the roads could lead to an accident. Many people exercise not because they’re scared of heart disease or osteoporosis, but because they want to look good and have others desire them. Many people work hard and long hours not because they are worried they will be passed over for promotion but because they desire to earn more money.
How does desire work on an organizational – and security awareness oriented – level?
While some organizations fear data breaches and public humiliation, other companies want to be a step ahead of the curve. Their executives want to be on the forefront of progress, with super secure employees who make smart decisions not out of fear of losing their jobs but because they are cyber savvy users. Some organizations are not concerned (aka worried aka fearful) about meeting compliance mandates but actually want an educated army of security aware individuals working the front lines of defense. It looks good. It sounds good. It could end up costing way less in the end if you proactively train users instead of reactively foisting training upon them as punishment for a breach.
Maybe your bosses want to encourage a healthy, happy and secure work environment in which they promote all sorts of professional educational development, not just boring policy-related security training. Maybe your management wants to impress your clientele with its users’ security awareness. Maybe your bosses just want a safer internet for everyone and know that educating users is the place to start.
We all know that effective security awareness training can secure an organization from the inside out, but sometimes it will take a little extra coercion to get the C-levels to sign off on the money required to do so.
It’s up to you to figure out what motivates your upper levels and then use research to help you exploit that motivation to everyone’s advantage.