Create A Clear Education Strategy BEFORE Asking Executives for Training and Awareness Support

Information security, privacy, and compliance practitioners must obtain the support of executive management to be successful. So how do you do this?
I talk about this in the first section of the first article of my October issue of “IT Compliance in Realtime Journal.”
Here is the unformatted version of the first section of the first article; download the PDF to see a much nicer-looking version…


An information security and privacy program will have great challenges and will not be successful without the clear support of executive management. Executives must provide not only financial support to effectively develop the program but also visible support to demonstrate to the workforce the importance and necessity of information security and privacy efforts. Information security, privacy, and compliance practitioners must obtain the support of executive management to be successful. So how do you do this?
Create a Clear Education Strategy
First create a documented information security and privacy education strategy that includes your objectives for awareness and training. Be sure to include estimates for necessary personnel, materials, time schedules, and any other associated costs, such as videos, manuals, training content, training facilities, and so on. A big mistake that most information security and privacy practitioners make is that they ask for resources for their training and awareness efforts without solid numbers or documented activities to support why they need the resources. Most managers will, understandably, not give a blank check to you just because you say you need the resources. So you must plan and document–and be specific–about the activities you that you want to conduct for awareness and training as well as the necessary resources required. In addition, provide justification for why such activities will benefit your business.
Ask executive management to provide funds to support the organization’s training and awareness of compliance requirements in addition to those funds available for demonstrating a standard of due care for your organization. If personnel do not perceive that there is strong support from senior management for the training and awareness activities, it is likely you will encounter passive resistance from a significant percentage. They may not attend training for which they were scheduled, may ignore your requests to read and acknowledge policies and procedures, may ignore awareness activities, or may blatantly violate policies and procedures. It is important to prevent this resistance by having executive management clearly communicate the importance of everyone’s participation prior to your training and awareness rollout.
You will find executives who already believe that information security and privacy education is an important endeavor and will be readily willing to financially support training efforts. However, a larger proportion will probably believe that such efforts should not take much, if any, budget and that personnel should learn about security and privacy issues as an effect of performing their job responsibilities. It is crucial to the success of your education program to first and foremost convince your executive management that information security and privacy is valuable and an essential part of doing successful business.

Let me know what you think!

Tags: , , , , , , , ,

Leave a Reply