Many IT and IS departments are aware of the struggle of balancing budgets and getting support for implementing best security practices from their organization’s workforce.

Security can be a daunting task especially when convenience is in opposition to sufficient security. The question is, how can IT and IS departments move towards a security minded workforce with all of the barriers that get in the way?

A good first step is getting Executives in your organization onboard with the importance of IT security. If those at the top are willing to support security best practices, then you will have the resources to enforce those practices for the rest of the workforce.


Here are some ways that could help get security buy-in from the leaders of your organization:


Due to the sheer number of ransomware attacks that have been in the news, it won’t be difficult to find examples of organizations similar to your own that have dealt with an attack. The cost of a ransomware attack can be astronomical. The ransom itself and the settlement fees are costly but the hit to reputation can be even more detrimental. When trying increase buy-in for a new initiative, try presenting leaders with the cost of the average attack and remind them of the  settlement and investigation that will take place after. This should help them understand the risk they are taking by not implementing things like best password practices or monitoring solutions.


Many people do not understand how easy it can be for a threat actor to gain access to an organization’s environment. Present why your organization is at risk for an attack. This could be due to poor password practices with no MFA, a lack of patch management resources and auditing solutions, or a relaxed BYOD policy– just to name a few! Demonstrating how these practices can leave your organization open to potential vulnerabilities may increase buy-in for additional funds and training you’ve been pushing for.


When you receive alerts from security organizations regarding attacks ensure that they are being dispersed appropriately – including organizational leadership!

Those in leadership roles are not typically subscribed to the same organizations that send security alerts and they may be unaware of constant security risks. Keeping them educated on the current threats can help leadership understand why it is important to implement best practices and proper solutions.


If you are already working with BlueOrange then you know we provide a detailed report, along with a PowerPoint presentation, that outlines risks, priorities, and recommendations for your organization. The report is then followed up with a remediation plan. Make a point to book time with leadership to review the results of the SRA and discuss the remediation plan. If requested, a BOC representative familiar with your project will present those findings to your leadership team! Having an outside opinion from security experts will show an unbiased take on your organization’s security posture.

Some findings may require expensive solutions to mitigate your risk; however, if leadership is aware of the risk, a plan can be implemented to include those solutions in the budget. Until then, you can implement workforce education, and implement processes to begin to mitigate risk.


Creating an educated workforce – with security always leading in the decision-making process – will take time, and requires a shift in company culture in some cases. Work with your IT team to establish relevant topics to present to leadership keeping in mind the level of technical expertise of your audience.