author photo
By Bruce Sussman
Fri | May 10, 2019 | 8:57 AM PDT

How do you sell the importance of cybersecurity to the business? 

How do you get executive buy-in for essential programs like Security Awareness training?

How can you convince your CEO you need budget for a new cybersecurity solution or program?

It is an ongoing struggle we hear about at SecureWorld conferences across North America.

And it's also the topic of this month's Behind the Scenes interview series.

If you are looking for top ways to justify security to your Board or business units, you've come to the right place.

In one of the most valuable interviews we've done in awhile, Dale Zabriskie, Security Awareness Evangelist at Proofpoint Security, reveals a career's worth of  fresh insights.

This is how you sell a security awareness program or any security initiative, really, to the business and the Board. Listen to the complete interview, or read the excerpt from our first question (below):

 [SecureWorld] Security Awareness and the idea of being able to sell a Security Awareness program by speaking the right language. You talked about using your company's annual report as a way to find information to align your security program to.

Will you explain a little bit about how you should do this if you’re in security and trying to push the needle on security or a Security Awareness program?

[Dale Zabriskie] If you're working with a public company, by law those companies have to provide to the Security and Exchange Commission an annual report, also called a 10K, and that can be found on your company's website. It's a public document usually under either investors or under the ‘About.’

They're just down where you'll find it, you'll find an investor section and there will be filings or SEC filings, an annual report link and you'll find in there, that document. In that document is an area or a section called risk factors. And this is again every—all the and reports are the same because this is the structure that's required by the SEC.

And in that risk factor section is where organizations, public companies make statements that say essentially these are risks that we identify in our space, and if any of these happen you cannot sue us because we've already identified them, right? We've said that they are issues were aware of them. And in that risk factor section, you'll find all sorts of things that are germane to the company, its industry, where it does business.

It'll be everything that you can imagine about risk. There's all sorts of operational risk, the customer risk, and credit risk. But fairly near the top in that section, you'll find a statement that talks about cybersecurity being a risk. And in there is verbiage that will state something to the effect of, our systems are subject to misappropriation, to hackers, to viruses, you know could be any number of ways that they say it. But the bottom line is what they're saying is we are subject to risks in the cybersecurity space that could materially harm our business.

And these are things that, at the top of the company, they say are issues. And so what you do then is you are aware of that and you go to, within your own world now, it shows that you're aware of the company and what we're trying to, as a whole, trying to achieve and the things that were trying to avoid. And you can align what you're trying to do with the statements now.

I do this a lot for customers that I speak with, and I actually did this yesterday with a very large global company, and it had some interesting statements in there about human error and people, and so Security Awareness training is all about people.

And so what it does, it just shows your organization and the people that you work with that you're a company person, right, that you're aware of what's going on in the organization. And that what you're trying to do helps to mitigate these risks that have been stated by the company itself.

That's the first step, right, in just aligning your world with the statements that the company is stating are important to it.

[SW] I love that way of showing that you understand the business. And you're just trying to help the business achieve its objectives, right? That's kind of how you're selling it. What if you work for a private company? Where would you find similar types of information?

[Zabriskie] So there's lots of companies that don't have to file that document every year, right? And so what you have to do is take a little more research. And this kind of research, in my opinion, is kind of foundational research.

Whether you're with a private or a public company because it's not just about ’all these bad things are out there’ and 'we need to be aware of them, we need to scrunch them down, we need money to do that.'

The thing to do is to understand what your company's goals are, your business goals. What are they trying to achieve? What business, what financial goals exist within your organization? We want to raise this much money. We want to hit this amount of revenue by this time. We want to change in this way. We want to move into these markets. This kind of information should be available in a number of areas.

Number one, your upper management, your senior management. They're out there talking. These things—do the Google search, do the research, go into LinkedIn, into Facebook. LinkedIn is going to be a little more efficient, but do the research on the people in your organization.

What are they doing? What are they talking about? Where are they at? Who are they associated with? What do you know about them?

This whole approach that I'm talking about is knowing your customer. Your customer is your upper management and senior management in this example. Learn everything you can about them, and on your own company's website you're going to find things like vision statement or a mission statement.

There's going to be verbiage that talks about ’this is what we do.’ This is what we believe in, this is how we approach things. And you need to speak that language. You need to show that what we're trying to do in Security Awareness training is going to help us reach these goals that have been stated.

This moves you away from just being a bit of an island of trying to, you know, ’well people keep clicking.’ ’We need to train them and we need to, you know, stop Susie's clicking so much or whatever it is. Or Bob's over here, he's our poster child.’ It moves it to say, look, we need to work together to help our companies succeed. And one way that I can help us reach the goals that have been stated is to do better things within Security Awareness training.

You see the difference there? It's not just sitting in an alone space just kind of barking out, ‘help, help, we need to do these things’ and blah, blah, blah. It's showing how what you're doing is relative to the organization. So there's lots of information about the company.

Let me give you one experience I had with a private company where they were building a new campus. They were moving a lot of their offices to a new campus of like 600,000 square feet. It was a significant thing. The conversation that we were going to have didn't have anything to do, specifically, with facilities and new construction. But I just brought it up. I said, hey, I see that, I saw in the paper that you guys are building a new facility. How is that going? What kind of stress is that putting on the IT organization? Or InfoSec?

And it opened up a whole new conversation about things of the deployment and with that 600,000 square feet came new people. And and so, I'm just talking about things right? I'm just interested in what's going on in their world.

So take the time to look at what's happening in your company. Read the news about it, read everything you can throughout the website, and individuals that you're working with. Just get to know them, and you'll find little nuggets that you can utilize.

Present your information in a very relative manner, and when you do that, things stick. It just connects when you have a metric or you have something you want to get buy-in. When you make it relative to the individual or to the organization, it will stick.