CEOs are often the busiest people in any organization. As security professionals, we should respect that: but what can we do when our CEO won’t take security awareness training? This is not uncommon but it can be a hard nut for security professionals to crack. We probably don’t top many lists of best for human empathy, and that combined with the full schedules of a typical CEO means things can become (mutually) frustrating. However, there are some great arguments for getting everyone in an organization – be they high or low – to take security awareness training. Before looking at these, let’s consider some common reasons (all of which I have encountered) a CEO or other senior professional does not take their training.
They argue that they already know the basics They say that they just don’t see the point They are always too busy They just avoid taking it.
Each can be countered with some compelling responses. Parts of the following can of course be combined. When their excuse is: they already know. Your response might be: Cyber is always changing. None of us will always be prepared for the sudden shifts that take place in cyber world based on what we already know. For example, a particular piece of software or hardware that is used by the organization may have a vulnerability that is exploited without warning by hackers. This might be countered through changing a particular processes or by workarounds, so that associates can achieve objectives in different ways. Any such change needs to be explained through security awareness training. Laws affecting cyber issues and the interpretations of them change too, perhaps making a process that had involved the handling of personal data no longer acceptable. Any such changes need to be mapped into awareness training, including (if necessary) through special presentations. This might need to be done quite quickly if a legal infraction could lead to financial or reputational loss. When their excuse is: there seems no point. Your response might be: Certain laws and regulations require training. There is actually no alternative since failure to do it can ultimately lead to legal sanctions being taken against companies and to individuals who fail to comply. For example, if your organization is a corporation covered by the provisions of GLBA, it is required to implement training under that Act’s Safeguards Rule. If it is a healthcare organization covered by HIPAA, its associates will require training under that Act’s Administrative Requirements. If it is an organization handling electronic funds then it will require security training under the PCI DSS provisions (which some states have subsumed into their own laws). Even if an organization’s security training requirements are not directly identified within a law or regulations, its contract clauses with other entities may require it to comply with these (or other) laws and regulations. For instance, an organization that becomes part of a supply chain for government/military could be bound contractually to certain DoD standards of security. That may mean that its formerly easygoing approach to security might have to be substantially upgraded to comply with a full range of new confidential handling arrangements. Clearly, staff would need training to meet these changes since any failure to do so could result in the contract being lost or terminated, with the added possibility of defense secrets being compromised. Outside the strictures of defense security standards, organizations may have contract partnerships (for example within a supply chain) that include special security requirements (e.g. in the handling of personal data). These too might require higher levels of security oversight than the organization is used to, as well as requiring such standard business obligations as due care and due diligence to be demonstrated. Certain standards require senior management commitment. For example, any organization seeking to comply with the ISO/IEC 27001 standard for information security management must demonstrate leadership commitment to all of the standard’s requirements, including training. An organization with a CEO who cannot see the value of security training is going to face complications when trying to convince an assessor or auditor that their organization is compliant. When the excuse is: they are too busy. It can be difficult to tell whether your CEO really is too busy or is actually adhering to the objections highlighted above. This is where the effective application of soft skills is called for, your goal being to win over your CEO by applying some of the arguments given above in a short meeting. Patience and persistence may be needed to achieve this. However, prior to taking this path, an honest review of your training and awareness methods and materials will help your arguments. Are they up-to-date, to the point and relevant? An effective review of your approach and materials will help to persuade a skeptical CEO that you do understand the value of their time, but need to ensure that security has a compelling claim upon it. It can be a very heavy task to change a well-worn set of cyber awareness materials that are familiar and trusted. But in the same way that cyber threats change, security professionals must be open minded about how good their materials are at getting security points over. So be ahead of the game by carefully considering the following:- Is your training and awareness up- to-date? Accepting that time is a valuable commodity, we need to consider ever more inventive ways of presenting security training so it is integrated into business messages (while not forgetting to make sure the effectiveness of the training can be measured). Every effort should be made to ensure that security training is kept up to date, is relevant and timely and adds value to the organization’s work (if you have trouble with that last one, consider how it helps the organization to manage its legal, regulatory and contractual risks). Is the content too long or too rich? Perhaps the training materials were provided (possibly at some cost) by a third party, and require disproportionate time and cost to change? There might be a case here for simplifying the content and taking it under a corporate wing, where security managers have more direct accountability for its messages. Is it all still relevant? In particular, does it cover all of the services that every member of the organization uses? Writers of security materials need to stay constantly in touch with the latest trends in cyber security, not least because some staff (even CEOs) might be ahead in their personal understanding of the subject. However, they also need to be ahead of the curve in understanding the organization’s business processes, so their security knowledge demonstrably matches it. If I had made every effort to address all of these points, I believe I would be comfortable facing down the most obdurate CEO over their taking up security training. However, if after all this a CEO is still unwilling or reluctant to undergo it, then I would have to ask myself: could I work in an organization where its leader refuses to support a security essential?