Obtaining and Maintaining Executive Support for Your Security Awareness Training Program

Issue link: https://insights.oneneck.com/i/1476866

4 WAYS TO ENGAGE YOUR EXECUTIVE TEAM

Here are some of the things you should focus on to get your executive team's attention:

• Tie your program to compliance requirements – Security awareness training is a requirement for most regulatory best practices. Don't be afraid to use this, and break down ways you want to do it to support your industry regulations.

• Spotlight current events and stories about organizations that are similar to yours – While you don't want to be seen to be fearmongering, relating your stories back to something or some organization that your executives can connect to will help to make the messaging more real. The closer to home and more real the threat becomes, the more your executives will feel they have a duty of care to respond.

• Map your program to established best practices – Tying into things like the NIST Cybersecurity Framework, the National Association of Corporate Directors guidance on cybersecurity, or any industry-specific guidance that relates to your organization will show due diligence and the due care required to run this type of program.

USE A SMART GOAL-SETTING FRAMEWORK

Your executives need to know you have a plan to make your security awareness training initiative work. They will want to see you have intention behind what you're proposing. With intentional thought comes greater possibilities for success. The more methodical you are about how you approach pitching to your executive team, the greater the chances of success you'll have when seeking the buy-in you need.

But as the buy-in begins, there will be questions around how to measure the success of a security awareness training program. So, having some preliminary goals in mind will help provide executives with something tangible they can hold you accountable to. There are several goal-setting systems out there, but if you don't have a favorite system already, then try looking at your goals in a SMART way.
Your goals should be:

• Specific
• Measurable
• Actionable
• Relevant
• Time-keyed

What do we mean by this? Here are a couple of examples to get you thinking. Saying "we want to reduce our Phish-prone™ Percentage" or "we want engaged employees so they are more aware of risk around phishing" may be true, but these statements are very non-specific. However, saying "we want to reduce our Phish-prone Percentage from 30% to 15% within the next 3-4 months" is what you're after because it ticks all the SMART goal boxes.

The goal is specific in that you can measure your progress, it's actionable by tying to steps in your overall proposal, it's relevant by relating to the goals of your executives, and by setting yourself a timeline it's time-keyed. Once you hit that SMART goal you will show a real impact for the organization. Presenting your program in this way will give you a far greater chance of getting your executives on board.
