Circle 01
Circle 02
Circle 03

Join our mailing list

Subscribe to the TSC newsletter to receive exclusive news and advice
  • 22 June 2023
  • 8 min read

CISO Guide: 8 step corporate framework to lobby budgets and transform cyber security culture

Explore the current challenges faced by CISOs, ways to change the conversation in the boardroom, and an effective corporate communications guide for better security outcomes.
CIS Os corporate comms header

With every passing day, week and month, organisations face an ever-growing range of cyber threats that can compromise sensitive client/customer data, disrupt daily operations, and damage reputations.

Chief Information Security Officers play a critical role in defending against these threats – not just as the head of your organisation’s training and awareness initiatives, but also as the prime influencer of security culture and employee behaviours. However, we know from many years of experience that CISOs often encounter challenges in securing the necessary resources and board support to effectively protect their organisations – even as cyber attack rates rise and new emerging technology such as AI language models and metaverse worlds widen attack surfaces.

Today, we will explore the current challenges faced by CISOs, outlines ways to change the conversation in the boardroom, and emphasises the importance of tying business objectives to cyber security goals for better security outcomes.

What is holding CISOs back?

1. An ever-evolving threat landscape: CISOs must navigate an ever-changing landscape of cyber threats, including sophisticated malware, AI-backed ransomware campaigns, targeted and dedicated phishing attacks, and insider threats. Staying ahead of these threats requires continuous monitoring of the threat landscape, proactive security measures, and robust incident response plans. Depending on the size and focus of your organisation at the moment, CISOs may not have the greatest resources available to them to assess the threat landscape and make complimentary changes and additions to their awareness and training program to compensate. Working with a tried and tested cyber security awareness and training partner, when internal resources are stretched thin, is a sure fire way to stay clued into the threat landscape in order to sidestep emerging cyber threats.

2. Resource constraints: Many CISOs struggle to secure adequate resources to implement comprehensive cyber security programs. Budgetary limitations, competing priorities at board level, and a lack of awareness about the potential impact of cyber threats often lead to inadequate investments in security infrastructure, personnel, and training. It is the CISOs responsibility to present cyber security risks and threats to board members in a way they can empathise with. Limited technical expertise among board members and the perception of cyber security as a technical issue rather than a business concern can hinder support for necessary security initiatives. This is why, producing and providing quality analytical data via a comprehensive security awareness and behaviour research tool is one way CISOs can realise cyber security threats in a relatable way for C-suite executives.

3. Organisational security culture: Establishing a strong security culture throughout the organisation is crucial for effective cyber security. However, resistance to change, complacency, and a lack of employee awareness and accountability can undermine security efforts. Culture change within an organisation is a deeply personal and targeted campaign that requires a macro top-down analysis of your security culture but also individual and targeted solutions to plug gaps across your entire workforce.

Change the conversation in the boardroom and win greater support

1. Speak their language: To gain board support, CISOs must effectively communicate the impact of cyber threats in business terms and ways c-suite executives can empathise with. Presenting cyber security risks in the context of potential financial losses, regulatory compliance, brand reputation, and customer trust is how you will resonate with board members and help justify budget allocations. One must also be ready to use breach case studies to contextualise the ramifications of a cyber attack or breach for board members, with bonus engagement reserved for breach case studies within the same industry. A massive bonus of speaking on a C-suite level is making board members a part of the conversation from the get-go, with increased board buy-in directly translatable to increased cyber security awareness levels.

2. Tie cyber security goals to business objectives: For many board members, every monetary decision is informed by how it will, first and foremost, benefit the organisation. CISOs should demonstrate how cyber security initiatives directly contribute to achieving the organisation's strategic objectives rather than focusing on cyber security health levels. By tying security goals to core business functions such as revenue generation, customer satisfaction, and operational efficiency, CISOs can emphasise the importance of cyber security as a business enabler rather than a pesky compliance cost.

3. Provide actionable metrics and risk assessments: Board members often rely on data and metrics to make informed decisions on a whole host of decisions – cyber security awareness and training is no different. CISOs should develop comprehensive risk assessments – internally or externally via a security awareness partner – that quantifies potential threats and company-specific vulnerabilities, estimate the financial impact of security incidents, and highlight the cost-effectiveness of potential security measures. Presenting metrics that show the return on investment (ROI) for cyber security initiatives is very powerful and influential in helping to secure board buy-in.

4. Educate and raise awareness: CISOs must actively educate board members about the evolving cyber threat landscape, emerging trends, and the potential impact on the organisation. However, we recommend installing a separate and unique cyber security and awareness initiative for board members in comparison to your wider workforce. Use regular manager masterclasses, board member workshops, and high-level training sessions to help board members better understand the risks, the value of investments in cyber security, and the need for ongoing support.

Is there a framework for board and employee engagement?

Yael Nagler, Yass Partners, has detailed a simple yet effective structure that CISOs can use to frame corporate cyber security communications for maximum effectiveness. Let’s quickly run through a slightly adjusted 8 step process with supplementary advice from TSC.

  • Step 1: Build trust

Trust with board members develops when there is evidence that you are performing quality work reliably and board members can therefore value your input at their decision-making level. This is the first step in this 10 step framework as it is a long-term trait CISOs have to build by doing their job well over a period of time. In order to influence monetary decisions, you need to be a valued member of your organisation.

  • Step 2: Clear communication

As a CISO, you have to ask yourself a few questions: What is the message that you want to communicate? How will your audience digest your message? And how will you adjust your delivery channels to target different demographics? Once you know the answers to these questions, you can form a long term awareness and training program that is malleable to adjustments as a result of emerging threats.

  • Step 3: Collaborate

A key part of cyber security awareness is being a collaborator. CISOs need to learn how their employees and differing demographics within the workforce learn. Collaborating not just with employees but also with the HR department will ensure that your training and awareness program is as effective as it can be. Furthermore, appearing as a collaborator and approachable security advocate will result in employees feeling like they can rely on you. People want to work with colleagues that they feel are on their side and invested in their success. Regardless of the tone that they bring to you, assuming positive intent will disarm and reduce friction quickly to accelerate outcomes.

  • Step 4: Feedback and improve

Taking feedback is beneficial on two fronts. The first is obvious; you give yourself the chance to improve your training and awareness program with tangible feedback from the very people you are trying to influence. The second benefit is culture related; when you accept corporate feedback you indicate to employees and board members that you’re interested in tailoring your campaigns to them and their needs environment. In other words, you are showing that you care. Feedback directly leads to more impactful training and awareness initiatives that slowly but surely plugs security gaps.

  • Step 5. Highlight your value

Many CISOs and security decision makers are fantastic and effective at formulating and implementing a cyber security training and awareness programme, but many overlook a key step in impactful corporate communications: highlighting your value. Make sure employees and board members are kept abreast and well-informed of what you are doing, when you are doing them and the results therein. By keeping your actions in the collective consciousness, you give your awareness communications a stronger foundation of trust and support to launch from

  • Step 6: Recognise security champions

Recognising positive outcomes and security champions will not only create a competitive environment in the long-term, it will also accelerate trust. It is also a good way for CISOs to build rapport with departments that they may be physically disconnected from or not connected with on a day-to-day basis.

  • Step 7: Connect the dots

One hopes, by this stage and after following the previous steps, you will have built a level of trust and influence across your organisation. The next step is connecting disconnected departments in order to form this string cyber security culture that we have been aiming for. Up until now, you will have focused on targeting demographics with specific communications but now you have to tie it all together. How do you do this? By contextualising how cyber security is an organisation-wide responsibility where every gear must interlock and complement each other. It’s no use having the most cyber secure reception team if your sales department is displaying lax behaviours.

  • Level 8: Keep focus on the long-term initiatives

You must ensure that you are in it for the long term. Demonstrate, through action, that you’re committed to the culture and the employees in your organisation. By positioning yourself as the cyber security steward of the company, you demonstrate that you are here to stay and so are the cyber security protocols and behaviours you are implementing. This step is an evolution of earlier in the process when we looked to build trust and authority within your organisation. Confirming that your vision is aligned with the vision of your organisation is a sure-fire way to ensure respect at board level.


CISOs face numerous challenges in defending organisations from cyber threats, but by changing the conversation in the boardroom and engaging with business leaders, they can secure the necessary resources and transform their organisation's security culture.

By aligning cyber security goals with business objectives, leveraging actionable behavioural metrics, educating board members, and following a corporate communications framework, CISOs can gain the support needed to establish robust cyber security programs that protect the organisation's critical assets and enable business growth in an increasingly digital world.

If you would like informationabout how The Security Company can help you to deliver analytical behaviour research and how we help support CISOs as an extension of their cyber security team  ... please contact our Head of Business Development and Sales,  Jenny Mandley.

The Security Company's vast library of customised and non-customised products and services are tailored for small, medium and large organisations and are available in a variety of languages. We also offer bespoke solutions for organisations that desire training and awareness materials built from the ground up.

Written by
Nas Ali
Cyber security and awareness content creator focused on emerging threats and the next wave of cyber security risks like AI, deepfakes and tech 4.0 initiatives in order to build towards a more secure organisational culture.
View Profile

See how we can help you protect your organisation today?

Circle 01
Circle 02
Circle 03

Join our mailing list

Subscribe to the TSC newsletter to receive exclusive news and advice