
Security awareness and culture professionals are some of the most passionate people I know. We care deeply about protecting our people, promoting secure behaviors, and building resilient organizational cultures. But here’s the problem: when it comes to gaining leadership support, passion alone won’t cut it. Neither will posters, phishing click rates, or your latest training metrics.
If you want long-term, meaningful support from leadership, stop talking in terms of what you do—and start talking in terms of why you do it.
Security awareness isn’t about newsletters, computer-based training, or simulated phishing campaigns. Those are just tools. What we’re really doing is risk management. And that’s the language leadership speaks.
Executives don’t need to know every detail of your latest engagement campaign. They need to know how your work reduces the risk of a cyber incident or enables innovation. They want to see how your efforts protect the organization’s mission while supporting speed, trust, and resilience. When you frame your work through that lens, you stop sounding like you’re in the entertainment business and start sounding like a strategic partner.
Instead of listing your latest initiatives, prepare to answer these three questions:
1. How are you helping reduce risk?
Make it clear that your work directly addresses one of the fastest-growing attack vectors: people. Start by demonstrating how you collaborate with Cyber Threat Intelligence, Incident Response, and Security Operations teams to identify your organization’s top human risks. Show how you use data to drive risk management decisions.
Focus on four or five top human risks such as social engineering, account takeovers, or sensitive data handling, and identify the key behaviors that mitigate those risks. Then, map your initiatives directly to driving those behaviors. When you demonstrate how your efforts are managing your organization’s top human risks, you’re no longer just checking boxes—you’re actively improving the security posture.
2. How are you enabling the business to move faster or safer?
Organizations don’t stand still—they’re constantly adopting new technologies, launching new products, and expanding into new markets. Every change introduces new risks. A mature security culture doesn’t slow the business down—it clears the path. Help leadership understand how your work enables secure cloud adoption, responsible AI usage, or increased customer trust.
3. How does this support our mission?
Tie your work directly to the organization’s strategic goals. Learn what your leaders care about. Are you protecting intellectual property in a highly competitive market? Enabling remote work? Helping developers innovate securely and faster? Always connect your work to the outcomes that matter to leadership.
One of the biggest takeaways from the 2025 Security Awareness Report is that how we talk about our work matters. Too often, security awareness professionals describe themselves by what they’re doing:
“We just launched our monthly micro-trainings, published new posters, and ran a phishing simulation last week.”
That may all be true—and valuable—but it sounds like a list of tasks.
Now compare it to this:
“Our goal is to reduce account takeovers by promoting stronger password behaviors and improve detection by empowering employees to recognize and report suspicious activity. We’ve already seen a 40% increase in incident reporting, which is helping our security team detect and respond to threats faster.”
This version is outcome-driven. It focuses on why the work matters. And that’s the message that gets leadership to lean in.
The most mature programs in this year’s report have one thing in common: sustained leadership support. And that support didn’t come from flashy campaigns. It came from strategic alignment.
When leadership understands that a strong security culture is more than a communications function—that it’s a critical component of protecting the business—you’ll get the resources, access, and influence needed to truly make a lasting impact.
Want to see what’s working for over 2,700 security professionals worldwide?
Download the SANS 2025 Security Awareness Report for the latest data, maturity benchmarks, and actionable insights for building a strong, risk-aligned security culture.
If you're looking to level up your program and gain stronger leadership support, the right training can make a big difference. These courses are designed to help you better manage human risk, communicate more effectively with leadership, and build a stronger security culture.
If you're responsible for changing behavior and building a mature security culture, this is your course. The LDR433 course walks you through how to identify and prioritize your organization’s top human risks and then shows you how to manage them through measurable, behavior-driven change.
The LDR512 course is for anyone looking to better align security with the business. It helps you move beyond technical metrics and speak to leadership in terms of risk, trust, and mission impact. If you want to better justify investments or explain the “why” behind your work, this course is for you. Certification: GIAC Security Leadership (GSLC)
If your goal is long-term cultural change, the LDR521 course gives you the tools to get there. It focuses on how to embed security into your organization’s values, build stakeholder support, and design a culture strategy that actually sticks. Certification: GIAC Security Culture (GSCL)
Whether you're new to this space or looking to mature your program, these courses will help you move from activity to impact and give you the skills to tell that story in a way leadership will actually care about.
Lance revolutionized cyber defense by founding the Honeynet Project. Over the past 25 years, he has helped 350+ organizations worldwide build resilient security cultures, transforming human risk management into a cornerstone of modern cybersecurity.
Read more about Lance Spitzner