After a rash of massive data breaches in the last few years, organizations of all shapes and sizes are investing in awareness training for employees. The general consensus is that humans need to be reinforced with education in order prevent more security incidents.

The consensus is correct. But what it often ignores is that executives and C-level personnel fall under that umbrella as well. Awareness training goes well beyond checking the compliance box and filing the appropriate papers to avoid legal issues. Information security is a people issue. And that includes all people.

Here are four reasons why executives of all levels should participate in their company’s security awareness programs.


To lead by example.

Do as I say, not as I do is a horrible way to run an awareness program. We get that you, the executive, have a lot of responsibility and therefore not a lot of time. So, squeezing in training that is required of your employees and not of you is far down on the list (or not on the list at all).

But the irony in that is cybercriminals are counting on you being busy and not having a lot of time. Busy people tend to react quickly. Those compulsions play right into the hands of social engineers.

Besides, collaboration within security awareness programs is one the best ways to ensure its success. Working together, learning together, creates a culture of resilient human firewalls who grow together. When execs participate in that culture, it sends a message to the rest of the team that this is important for everyone. And no one is above it.

Execs are a top target.

The economy of cybercrime is built on access. Whether that be access to financial accounts or trade secrets or personally identifiable information, those with the keys hold the most power and therefore are the most valuable targets.

This is where the term whale phishing comes from. Whale phishers specifically target high-profile individuals at large corporations. These individuals have influence over several employees, often have access to entire databases of information, and have the power to approve transfers of money or data.

It makes sense that cybercriminals would go after those with the highest access. It also makes sense that those at the top seem insulated, but nothing could be farther from the truth. Whale phishing campaigns are a lot more sophisticated than standard, run-of-the-mill phishing attacks. They are designed with executives in mind! Everyone is a target and everyone benefits from awareness participation.

Because the learning process never stops.

There is no such thing as one-and-done education. Even doctors still study long after they open their own practices. Why? Because information changes. Processes change. And humans forget.

A continuous learning cycle is the best way to build up your organization’s defenses against cybercrime. The learning must never stop. In addition to yearly compliance training, it’s important to reestablish policies and modify current procedures to fit the ever-changing landscape of cyber-attacks. And who better to lead that charge than executives?

Furthermore, regular participation is the only way to curb old habits, which have a tendency to stick around. And tying back into the lead by example idea, executives that routinely participate in awareness programs send a message that says, “if it’s good enough for me, it’s good enough for you.” Thereby eliminating the resistance many programs face when it comes to required training.

The stakes are higher for execs than anyone else.

“It takes 20 years to build a reputation and five minutes to ruin it. If you think about it like that, you’ll do things differently.” – Warren Buffet

Nothing gets a boardroom talking like a CEO losing his or her job because of a massive data breach. The most immediate reaction is throw the task of setting up and running a SAP on the plate of someone that has no time and few resources. It’s a start, but nothing shields you from the consequences for when a security incident occurs.

Note the unmistakable presence of the word “when” in that statement. The responsibility to be cyber-smart workers falls on every individual, to be sure. But when the “when” happens, the blame will fall at the feet of those in charge. Consequences range from embarrassment to firings to lawyers—none of it ideal. So, like everyone else, executives need to consider what’s at stake for them, their companies, and their employees.

Take the Buffet quote above and replace “five minutes” with “one click”. If we all think about it like that, well, you already know. That sentiment only comes from collaborative awareness programs, which means company-wide participation, from the top to the bottom.

Justin Bonnema

Lead Writer at SAC
Justin left the music business to focus on his true passion: writing. A talented writer and detailed researcher, he’s involved in every department here at SAC to make sure all content is fresh and up-to-date. In his spare time, Justin writes about fantasy football for and practices mixology (he makes a mean margarita).