How to Get Buy-in for a Security Training Budget
We know that for many sectors, like government, healthcare and financial, security awareness training is mandatory. Showing the same video and quiz content year after year for a low price just to check the box is just not sufficient anymore. Our employees are our greatest asset, but can pose serious threats to any organization.
A recent survey published by Proofpoint showed that 67% of CISO respondents considered their employees to be the major causes of data loss. If you already have a budget for training to help reduce these risks, be proactive by switching vendors, refreshing your content, and possibly making a case for an increased budget to deliver a valuable training experience for your team.
3 Tips for CISO Investment in Security Awareness Training
The three tips below will help you gain buy-in from your CISO to invest in useful and a more focused cybersecurity training plan.
Show the Numbers
If the CISO is unpleasantly surprised at the price you propose for security training, you may want to mention that the cost is significantly higher without it. According to the Ponemon Institute’s Cost of a Data Breach Report 2019, the global average total cost of a data breach is $3.92 million dollars. For companies in the United States, that number is even worse: the average American data breach costs $8.19 million.
Investing in training will save you money in the long run. Researchers at ThriveDX newly released the 2022 Global Cybersecurity Awareness Training Study where they stated that almost all organizations surveyed, a total of 97%, reported implementing some type of cybersecurity awareness training measures this past year—mostly using a combination of both phishing simulations and security awareness training.
If you’re asking for a higher budget than previous years or adding new phishing campaigns, show the value of the security training measures you select. Most IT professionals agree that their cybersecurity awareness training programs need expansion. Remember that your CISO is on your team to support your training initiative, so providing solid and supporting evidence on effectiveness makes the approval process quicker and easier.
Capture Recent Trends
Cyber threats are always changing. Stay updated and informed on all tactics being used to steal data and create significant financial losses. When presenting a case to the CISO, make sure to include new topics of instruction that highlight real-world case studies, supporting contributions from the experts and best practices from the valuable security awareness training you select.
According to a recent Forbes report, phishing remains the top threat in almost all cyber-threat statistics out there—driven more recently by the targeting of mobile devices. Phishing began taking an all-time high in 2021—with an average of 300,000 attacks a month. Use recent publications and statistics to express your reasoning for wanting to purchase customized phishing emails several times a year. You can also use phishing as an assessment tool to then prescribe social engineering lessons for those who need it.
You team should experience an annual training update with new and refreshed media, examples of real incidents and interactive learning tools. To keep them engaged and up to date, select modules and lessons that capture recent topics that are relevant to their areas of work. By focusing on recent threats and the tools necessary to identify them, the learning process becomes more targeted and effective—even if it costs more.
Close the Gap
A necessary component in selecting best-fit options for your team is to conduct a gap analysis in cybersecurity preparedness. Collect information on reported incidents from the last twelve months, review new threats and identify any gaps when it comes to safeguarding your institution. A thorough investigation of these important details is needed to present the reasons behind purchasing new and updated training.
Once you identify the areas of needed instruction, you can then make a strong case for the new security training package by explaining how the organization will benefit from your proposed plan. Explain how each team member’s progress will be tracked, the areas that will be covered and how much you expect this to positively impact the entire company. With sound evidence in forms of reporting and tracking, you may be able to illustrate success in numbers.
Mitigating security risks has a huge pay-off. Take the time to schedule brainstorming sessions with your IT team to collect their feedback on cybersecurity deficiencies and main topics of concern. They can point out several risk factors and offer solutions you had never considered. Together you can explore frameworks to build protection, detection and as a result—design effective recovery and security training plans.
Annual Security Awareness Training with ERMProtect
At ERMProtect, our team performs deep-dive assessments of the cybersecurity posture of organizations, their vendors and / or merger targets. We identify gaps, prioritize improvements, and help implement solutions. Call us today at
(800) 259-9660 or click here to speak with a Security Awareness Training Expert.
Get a curated briefing of the week's biggest cyber news every Friday.
Turn your employees into a human firewall with our innovative Security Awareness Training.
Our e-learning modules take the boring out of security training.
Intelligence and Insights
Leaning on PCI Compliance Companies to Navigate the Maze of PCI Compliance
Selecting the Right PCI QSA Company