Four Reasons Executives Should Participate in Security Awareness and Training
"Executives are too busy to be involved in our security awareness and training program." We hear this statement a lot from our customers. CISOs are often unwilling or unable to get C-level executives and senior managers to participate in security awareness and training programs. And with only a small percentage of CISOs directly reporting to the board, the challenge is that much greater to get permission to educate the highest levels of staff.
We've compiled four reasons you can use to justify security awareness and training for your organization's executives.
Their Reputation Is at Risk
In recent security breaches, we've seen high-level executives make mistakes that led to breaches. In these cases, an executive's reputation and career are put at risk. It can also become a more newsworthy item, which isn't great for the executive or the organization. Just like security education can help reduce the likelihood of a company breach, it can protect individuals as well.
Additionally, executives need to be careful about whatever items they choose to put into an electronic format. We've all seen the news when some notable person overshares or a company undergoes an event such as a security breach where it is under investigation and communications are released. It usually doesn't end well, and executives should know the risk the next time they're sending a potentially embarrassing email or doing anything that could be exposed at a future date.
Effective Training Takes Very Little Time
With our interactive training modules, each topic takes about 10-15 minutes to complete. It isn't possible to "click through" or memorize the modules, and they automatically require a certain grade to complete. Additionally, you can provide large windows of time for users to complete training, so there is no excuse for your executives to not spend 30 minutes or less every quarter to better secure your company and protect themselves. In the long run their small investment of time can make a tremendous difference.
They're Setting a Good Example for Staff
When executives take training, they're ensuring their department takes training more seriously. For the laggards in their department not completing training, having the head of the department ahead of them is a convincing argument for them to complete their assignments. Even better, it's a great step in creating a culture of more secure behavior.
Executives Are a Group That Is Most at Risk
According to Symantec's 2014 Internet Security Threat Report:
“Personal assistants, people working in the media, and senior managers are currently most at risk of being targeted by a spear-phishing campaign, based on observations in 2013.”
We've seen countless phishing attacks that prey on the highest levels of management, and ignoring these staff in training could be a costly oversight and loophole in your end-user security plan.
Additionally, executives have more access to sensitive data and systems, making it paramount that they are educated about the risks of handling this information. There have been many examples of this level of access getting executives in hot water, including the recent outcry about Uber privacy violations.
**Updated with additional information**
In Experian's 2015 Data Breach Industry Forecast, they noted:
"Decision-makers at the C-suite level should have an active role in preparing for a data breach and how to respond. They also should increase allocated resources to data security, or else face the consequences of appearing irresponsible to constituents and stakeholders."
Our approach to security awareness training helps improve knowledge retention and drive lasting behavior change. Explore our portfolio of interactive training options, including our new Security Essentials for Executives module. We help you deliver actionable cybersecurity education to employees at all organizational levels.