Security Awareness Maturity Model

A common challenge many security awareness programs face is getting the support they need from leadership. The data from the 2017 Security Awareness Report shows that this support is not only hard to get, but critical to success. So how do you get the support you need? Simple: talk to leaders in their terms. The top-rated talk at this year's US Security Awareness Summit was Kevin Magee's talk on how to communicate with a Board of Directors about cybersecurity. What made his talk so impactful was that he started with who a Board member is, how they think, and how they approach cybersecurity. Long story short, many senior leaders do not understand cybersecurity; not only are they unaccustomed to that position, they don't like it. They are, however, results oriented, data focused, P&L obsessed and business inclined. The key is talking in the high-level business terms they care about. Coach them on the basics: what human risk is, and how managing that risk supports your organization's mission. You do know your organization's mission, right? Another of my favorite tips from Kevin was to tell your Board what questions they should be asking management about human cybersecurity risk, such as:

  • What are our top human risks?
  • What are the key behaviors we need to change to manage those risks?
  • How many people are on our security team? How many of those are dedicated to managing human risk?
  • Do we have anyone in security with soft skills?

One of the key tools that Kevin and many others emphasize is to leverage the Security Awareness Maturity Model to communicate to leaders how mature (or immature) your program is, how your maturity compares to that of other organizations, and the path you will take to develop your program. Leaders know and understand maturity models, so you are speaking their language. My favorite example of this is Janet Roberts when she was the Awareness Officer for American Express. She tells the story of how she had the Security Awareness Roadmap poster hanging in her cubicle. When some executives were visiting her, they asked her about the poster. She explained the maturity model, where their program stood in relation to it, and where she wanted to take it. As a result of walking leadership through the model, she was able to get far more support than she had before.

Finally, a great resource is the free Cyber Balance Sheet report, a data-driven look at how Board members want their security teams to communicate with them. Ultimately, the success of your awareness program depends on the support of your leaders, and far too often awareness officers neglect that. We recommend you spend four hours a month putting together metrics and success stories and communicating them to your leaders. Remind leadership of the value of your work. The time you invest in communicating with leadership, including leveraging the Security Awareness Maturity Model, will do more for your program's success than any other four hours a month.

Want to learn more about the Maturity Model, gaining leadership support and the other steps to building a high-impact awareness program? Consider the two-day MGT433 course or join us at the European Security Awareness Summit this December in London.