
Making your company leadership or employees fall in love with cybersecurity is a stretch goal. However, I could probably think of a few CISOs in my network that would love to aim with Cupid’s arrow (Legal disclaimer: bows and arrows are not workplace appropriate or endorsed in any way for cyber risk management).

Love is a strong word, and I think that many cybersecurity professionals would settle for being understood, empowered, and supported with appropriate sponsorship and funding.

While there is no magical method for attaining respect, empowerment, and support within your company, there are some things that leaders and teams can do to improve their position of influence and trust in how cybersecurity is received, perceived, and actioned.

Boosting Engagement of Senior Leadership

Senior leaders have a lot on their plates and their minds. Cybersecurity is almost unanimously ranked as a top enterprise risk, yet accountability for it is often still relegated layers below the CEO and her/his leadership team. Few leaders would say cybersecurity is “not important”, but many senior leaders don’t understand the role(s) they should be playing to help.


The “Cupid Arrow” with senior leadership is to help them understand risks and necessary actions more in terms of people and process. Most sensitive data in an organization sprawls well beyond formally managed IT systems (think unstructured electronic office documents being stored and exchanged ad hoc, internally and externally, without anyone from IT or security involved).

Business executives need to play an important role in sponsoring the business process and cultural change within their organization focused on securing data. They also need to help identify which information and processes are most important or critical, so a security team can sharpen its focus on what matters most. In most cases, the tool/technology/budget conversations dominate the talk track, and organizations lose sight of what executives can do themselves and within their own organizations.

Read more detailed thoughts and approaches on this in: Building Senior Leader Engagement in Cyber Security

Enabling and Activating the Employees and Extended Workforce

Ethical phishing programs and online training are necessary and often helpful for workforce awareness, but they should not dominate what the workforce experiences from the cyber security team. Why? These efforts teach employees what NOT to do, but they don’t empower them to understand how to handle and protect their data within their day-to-day jobs, how to collaborate with the internally approved tools a company has, etc.

Information Security workforce awareness programs need to be organizational culture change initiatives that are run more like an ongoing marketing campaign than an IT tool and training platform roll-out. Efforts need to be tied to the company culture, tailored for high-risk persona groups within the company, and innovative/provocative enough to capture the attention of the busy members of the workforce.

Read more in: Does Your Cybersecurity Workforce Awareness Program Matter


At Reveal Risk, we evaluate, design, and deliver strong processes and results in cyber, privacy, and risk that work efficiently, are fit-for-purpose, and are sustained. If you want assistance building your company’s cyber security strategy, governance, and plan towards desired state maturity, please don’t hesitate to contact us at  


About the Author

Aaron is a former senior IT/Security/Audit/Privacy/Risk leader at Eli Lilly with over 20 years of experience in the pharmaceutical and life sciences sector. He founded the risk management working group for the H-ISAC (Healthcare Information Security and Analysis Center), which enabled information sharing and benchmarking across pharma, payers, and health care providers. Aaron is a certified Six Sigma black belt with a career emphasis on building and improving internal processes and controls.
