Getting Approval


5 Tips To Get Budget Approval For Security Awareness Training

As a system administrator, network administrator or IT security manager, you know that security awareness training is a crucial part of ‘defense in depth’ for keeping your organization secure. Microsoft just reported that a whopping 45% of malware infections are caused by social engineering. That awareness, however, has often not yet filtered up to top management, who simply do not know the dangers of phishing and spear phishing yet.

So getting approval, and the budget, to run a security awareness program can be a challenge. Here are five helpful hints and tips to get that OK.

1) Your Organization’s Compliance Requirements

You may be surprised to learn that there are over 8,500 different local, state and federal standards and requirements your organization might need to comply with, and many of them require security awareness training. Check out our “Security Awareness Compliance Requirements” page for a list of the most important standards and laws that require your organization to do regular security awareness training. Showing that training is required by law or by a standard you are audited against is often an effective way to get budget.

2) Employee Questionnaire

Ask your employees how much they know about security in your organization. Chances are they simply do not know your policies, who your security team is, or what the bad guys are up to. Here is a sample security awareness questionnaire at SurveyMonkey with 11 short questions you can use for your own survey. Keep it that short: a longer survey will hurt your response rate. Presenting the results to upper management can open their eyes to the often sorry state of security awareness, and is good ammunition for getting the OK.

3) Data Loss Threat

In the last few years a wave of new legislation has been rolled out that requires organizations to protect various types of data, for example personally identifiable information (PII) and the cardholder data covered by the Payment Card Industry Data Security Standard (PCI DSS). The OSF DataLossDB website maintains a continuously updated, searchable database of data breaches. Showing management examples of breaches in your own industry makes it real that this happens all the time. The last thing your CEO wants to see is tomorrow morning’s front page with news that all your customer records have been stolen and are for sale on the Internet.

4) Let Their Own ‘Thought Leaders’ Tell Them

It often helps to convince management when the data comes from an independent source they already trust. If the Wall Street Journal tells them this is a real problem that needs to be addressed, their ears perk up and suddenly they are interested. Luckily for us, the WSJ is on the ball: it has regularly published articles about the threat of social engineering, and the first one even mentions KnowBe4.

Wall Street Journal: What’s a Company’s Biggest Security Risk? You. (September 2011)
Wall Street Journal: Hackers Press the ‘Schmooze’ Button. (October 2011)
InformationWeek Report: Justifying Security Training (November 2011)

5) Show That The Payback Is Just Two Months (Or Less)

We have a special ROI page on our website that presents the return on investment of training in terms of three costs that a successful attack would incur and that training helps you avoid:

  • Development cost,
  • Direct loss of productivity and revenue, and
  • Loss of reputation

Once management concludes that the risk of not training staff is simply too high, there is always a way to find budget, especially since KnowBe4’s security awareness training program is both effective and inexpensive.