How should I report Progress of my Security Awareness Training to the C-suite? (VIDEO)

By Omer Taran
image March 17, 2021 image 3 MIN READ

We’ve talked before about measuring progress rather than sheer participation to prove the worth of your security awareness training. Here’s how to prepare yourself for a meeting with the C-suite, including the metrics that really matter.

Sidestepping the Focus on the Click Rate

When you speak to the board, it can feel natural to reach for a click rate metric to show how serious the problem of phishing is inside the company or in certain teams. After all, management teams do love their numbers! The problem is, click rate doesn’t tell you anything about how your security awareness program is working, and it doesn’t help the board recognize progress is, or how you’re measuring it.

Balancing the Data with the Story

The important question to remember is, “What story am I telling over time?” At the start of any security awareness program, you will likely have one or more goals in mind. This could be anything from improving the security culture of your organization to minimizing the number of high-risk employees or raising awareness about the growing or unique dangers of phishing scams overall.

Whichever your narrative is, look for the metrics that will help you to tell this story, showing exactly where your organization needs help, and how you’re going to prove progress over time. If your data is standalone, without a compelling narrative – it will not show worth. Start with the story, and then use the data over time to explain how you’re making your goals happen.

Robust Metrics that Prove the Worth of Your Training

Here are three examples of data that will do more than just show participation, and will allow you to tell the story of success to the c-suite.

Employees trained over time: Your story here involves the maturity and efficacy of your training program. The more employees that click on simulations, the more are being trained. The value of this metric is greater than simply saying “we have a constant 10% click rate” as that metric wouldn’t consider if it’s the same 10% or a different 10% each time. Instead, ‘employees trained over time’ proves that you’re slowly training a critical mass of the organization.

Mean time between failures: Just like in its industrial setting, MTBF shows the resilience of an organization. In machinery, it’s used to measure the amount of time since the machine failed last, and the same practice can support your narrative with the board. Over time, if you see that employees are falling for the simulations less and less and that these mistakes are getting fewer and further between, you’re proving that employees are getting knowledge from the program, and best of all – retaining it.

The ratio of high-risk employees: Lastly, let’s think about the proportion of high-risk employees over time. Our formula at CybeReady offers resistance to standard fluctuations, such as new employees who may enter the business and skew the data. In this case, even if they have a 30% click rate, this doesn’t make them high risk, just new. When calculated with these factors built into the algorithm, showing a reduction in high-risk employees can prove to the board that your organization is more secure overall.

Still wondering how is best to report your SAT results to the management? Read the full video transcript here:

Management is interested in ROI

Management is interested in seeing ROI. They want to see their investment at work. What is your goal when reporting a security awareness program? You have two goals. The first is that your managers would acknowledge the good work that you’ve done, and second, that you’ll be able to harness them into fulfilling things that are challenging for you.

First show what is working

How do we do that? You first need to show what is working in your program. You need to show what is progress and how you plan to measure it. With the data, you’ll be able to show both sides of the story, what has been working, but also where you need assistance.

The data has to be served underneath the canopy of a story

That data has to be served underneath the canopy of a story. Show that you have reduced the high-risk employee group, show that you’ve enrolled new employees continuously, show that employees are engaged, show that there’s a security awareness culture in the organization. Show all of this, first of all, tell all of this, and then and only then, provide the data points that support it.

Robust security awareness programs sidestep the ‘easy’ metrics such as click-rate and look to gather data that can show a true reflection of organizational progress and employee learning. Want to discuss which metrics would fit your ideal narrative? Schedule a call.