Your Security Awareness Training program is critical in securing your organization. How do you secure the budget AND the support necessary to implement a complete Security Awareness Training Program?
The case for it broadly breaks down into three categories - Cost, ROI and User Experience. As always, your Executives are cost-conscious and returns-focused. They also want to protect the employee experience at each step. To gain support from your Executives, you’ll need the right information delivered in a compelling format.
The facts on cyber breaches are well-published - the large majority of successful attacks involve Phishing or Social Engineering of a person at some stage in compromising your network. By reducing the chance of your people being Phished or “socially engineered” in some way, a complete Security Awareness Training program can reduce your risk of socially engineered cyber threats by up to 70 percent.1 Yes, we get it. That sounds high. But taking Social Engineering and Phishing away from an attacker removes their cheapest and most common way in. So, let’s explore that ROI.
1. Cost
Typically, your Security Awareness Training software license cost is relatively small compared to other Cyber Security initiatives. That’s the good news. It’s important to highlight that the license is only a piece of the total cost of a complete Security Awareness Training program. The sneakier cost is Time. The weekly/monthly hours required to manage your program must be budgeted for, whether that means adding responsibilities to an existing employee’s role or making a new hire. You’ll want to ensure your manager is on board with any new time commitments and related expenses before the program starts.
Most competing platforms will take at least 15 hours per month (based on 250 users) to manage successfully. This can easily become a point of conflict with other priorities if expectations are not set upfront. If you choose a vendor without complete automation, professional labor cost typically runs around 1-1.5x the cost of your license (again, at 250 users). Added up, this equates to approximately $7,200 per year in recurring labor expense2 to manage a successful, complete Security Awareness Training program.
All-in, these costs in dollars and labor are well worth the investment.
Labor hours can be a huge hidden cost in managing your complete Security Awareness Training program.
2. Return on Investment (ROI)
Security Awareness Training program ROIs can vary widely, depending on your vendor choice and level of management. Broadly, ROI can range from approximately 50-550%.3 That’s a HUGE spread. Much of that spread is explained by the difference between selecting a manual or an automated platform. Utilizing a fully-automated platform removes most of the labor cost; what remains is the time spent reviewing results and following up with users who reported or failed a test.
This offers strong support for a fully-managed or automated Security Awareness Platform. As the cost section showed, labor runs 1-1.5x the license on a manual platform, so removing it cuts your total cost of ownership by 50% or more.
It’s worth highlighting here that any estimate of the cost of an attack must include several important considerations beyond the immediate cleanup, including:
- Loss of Revenue from network downtime
- Reputational Loss from news headlines and breach notification
- Remediation cost
- Replacement hardware
Every one of these costs that the program helps you avoid adds to its value, on top of the license and labor math above.
ROI for Security Awareness Training is large, and it can vary widely, depending on the amount of labor required to manage your program.
3. User Experience
Executives are typically mindful of the employee experience, and this includes interactions with IT and Security products. You want to demonstrate the user experience to your management. This allows them to see how Phishing tests will land with employees and how delightful (or burdensome, in some cases) the Training courses will be.
It’s best to simply demonstrate the End User Experience with example Phishing emails and Training courses. This can be done through short video demos, PDF presentations or actual tests. Short videos are typically the easiest and most informative option. Not surprisingly, your Executives don’t like a surprise Phish test all too much! Still, they need it just as much as everyone else. It’s simply best to wait until you’ve gained Executive buy-in before launching Phishing tests; a simulation that leadership did not know about is the fastest way to lose the support you are trying to win.
Don’t surprise your Executives! Short videos often work best to demonstrate the end user experience.
1 Aberdeen Group data, cited at https://thedefenceworks.com/blog/does-security-awareness-training-work/ (accessed June 16, 2020)
2 Assumes 250 users, 15 hours per month and $40/hour labor cost for a manually managed platform: 15 hours × 12 months × $40 = $7,200 per year
3 Osterman Research white paper, “The ROI of Security Awareness Training”, August 2019