
May 26, 2021

5 Tips for Proving the ROI of Your Security Awareness Training

“What’s the ROI?” they demand, every time you ask for more support for your cybersecurity awareness training program.

Let’s be honest… that’s frustrating. Constantly pleading for the help and funding you need is enough to irritate any Security Awareness Program Owner. 

The top execs and your CISO want to see what they’ll get for throwing more funds into security education—but proving return on investment in cybersecurity training is no simple feat, as you’re all too aware.

Here are five tips for showing the ROI of your security awareness training initiative:

1. Consider the cost of NOT requiring training.

Take a step back and consider what could happen if you didn’t have the support you needed… Let’s say your budget proposal totally flops and you only get a fraction of what you asked for. Where are the gaps? What are the risks?

Consider the cost of being taken to court for a breach. Assign a number to your data and private information and what a leak might cost you in terms of reputational and financial loss. 

But before you take big, scary statistics to your CISO and the C-suite, remember that creating fear within your organization around security is often NOT the best approach for long-term perception change around cybersecurity. By leaning too heavily into scare tactics, you’re creating a negative mindset around security. In reality, showing all the ways your campaign could create a positive impact is the smarter strategy for shifting the culture around security. 

Do this by pushing the real return of long-term behavioral change and how slow nurturing today can lead to incredible organizational unity around security in your company’s future. Learn more about this modern approach to security awareness training here. 

Let’s be clear: we’re not saying to blindly ignore the negative impact of poor security education. Instead, we’re suggesting you root your pitch in the positive by focusing on forecasted growth vs. loss. 

2. Clearly define your metrics for success/KPIs.

It’s not that you’re not making an impact. You know you are! But the big dogs want numbers. They want projections. They want tangible proof you’re moving the needle.

It’s time to give them more than just the standard phishing campaign click-through rate. 

Before you can prove the broader ROI, it’s crucial you and the execs are on the same page about both what success looks like and what you’re responsible for tracking. 

In our blog, 6 Metrics To Track In Your Cybersecurity Awareness Training Campaign, we outline a few core metrics, including:

  • Security Training Module Completion
  • Awareness Training Quiz/Test Results
  • The Performance Of High-Risk Individuals
  • Engagement Activities Outside Of Training
  • Phishing Campaign/Clicks
  • Overall Security Score or Risk Rating

3. Align your OKRs with the security team at large.

While it’s great to come to the table with your own plan, you have to remember that you’re not in this alone. IT has its hands in your security too, so it should be working in cooperation with your awareness-focused team.

At the end of the year, set up a meeting with IT to chat about your individual OKRs. How can you align your goals with theirs and vice versa? The more overlap and teamwork, the less begging and borrowing you’ll need for your awareness training budget. 

There are a few core security concerns, phishing among them, that both teams should care about. How can you each support each other to improve your overall security posture? Schedule monthly meetings to stay on the same page all year long and build a case for next year’s budget.

4. Don’t underestimate improvements in perceived safety.

Be careful not to get so caught up in proving your awareness program’s ROI with measurable metrics that you forget to step back and look at the big picture. Sure, employees may be completing the training modules and attending lunch and learns, but how do they really feel about your company’s security?

Perception is everything—and if employees are just going through the motions of watching training videos, without seeing the true value, they won’t carry what they’ve learned into the workplace.

Get a pulse on how your teams are receiving your training by sending out anonymous surveys or polls before and after every monthly campaign. Maybe certain subjects like privacy appeal to employees more than others. Find out why. Perhaps privacy hits home and employees like applying what they learned to their personal lives, increasing the digital privacy of their children’s social media accounts. Discovering this motivation is huge; it gives you the insight you need to mold campaigns around their personal interests so that on-the-job security training becomes valuable on and off the clock. 

In your polls after training, ask them if they feel better prepared to recognize the threats they just learned about. Also, ask about areas where they think they need more support. 

Consider adding questions about how likely they are to report a suspicious email on a scale of 1-5, or an open-ended inquiry about how they feel about this month’s training, overall. The feedback you receive may surprise you and give you an incredible direction for improving your approach moving forward.

5. Develop your own internal “Overall Security Score.” 

Lastly: the solution you’ve been waiting for. Someone’s finally developed software for calculating your ROI for you—almost like a credit score for cybersecurity awareness.

Here at Living Security, we call it a “Risk Rating,” and in our blog, 6 Metrics To Track In Your Cybersecurity Awareness Training Campaign, we drill into what it means. Give it a read and discover the power of categorizing departments/individuals with High, Medium or Low risk scores—broken down by their understanding of various cybersecurity topics.

Now that’s the way you speak the C-suite’s language.


Don’t Shoulder it Alone

With the right tools to calculate your impact and proper support, you can rest easy knowing you’re leaving an impression on your company’s culture around cybersecurity. 

Here at Living Security, we’re the whole package. We have modern Netflix-style security training videos to keep your team engaged, software that automatically generates reports for proving the ROI, and resources specially written for Security Awareness Program Owners like you.

With our Campaign in a Box package, you’ll receive a bundle of instant messages, emails, and other pieces of content to get your team excited about your upcoming training—so you can stop stressing about writing and focus your energy on other critical parts of your campaign.

Request our security initiative resources today.
