If you’re reading this, you’re likely on the front lines of your company’s security operations.
You’re the Director of Information Security, the SOC Manager, or the Security Awareness Lead who actually sees the daily barrage of sophisticated social engineering attacks hitting your workforce.
You know that your current security awareness training (SAT) isn’t stopping actual threats. You know that sending employees an annual compliance video and a generic email template about a password reset is completely detached from the reality of modern, AI-driven social engineering.
But there’s a problem: In your organization, the Chief Information Security Officer (CISO) holds the budget, and that budget is likely tied up in technical controls.
How do you convince a technically minded executive to invest in human-led cybersecurity?
To get a budget, you have to stop talking about training and start talking about risk management. CISOs don’t want to buy more compliance videos. They want actual, measurable risk reduction.
This guide provides the frameworks, including a copy-and-paste justification template, to help you secure buy-in for a modern human risk management (HRM) strategy.
Step 1: Change the Vocabulary
When pitching a new approach, never use old vocabulary. If you tell your CISO, “We need a new tool to improve our phishing click rates,” you’ve already lost the budget battle.
CISOs know that click rate is a vanity metric. A low click rate on an incredibly easy, predictable phishing simulation proves nothing about the organization’s actual resilience against a targeted attack.
You need to pivot the conversation. Frame modern HRM as the focal point for social engineering defense (SED).
Use this key phrase: “We need to shift our human defense from a compliance checkbox to an operational security control.”
Explain that you’re not trying to buy a better video library. You’re trying to build a human sensor network. Technical controls are designed to filter the noise, but humans are the only dynamic sensors capable of catching the highly contextual, AI-generated threats that slip through the perimeter. You’re pitching an upgrade to this ‘sensor’ network.
Step 2: Highlight the Technical Blind Spots
CISOs are bombarded with vendor pitches every day. Create urgency by providing hard evidence that the organization’s current technical controls, which include the tools the CISO already spent money on, are actively falling behind today’s attack vectors.
You need to highlight the specific blind spots that only human risk management can fix.
#1. Unmanaged Channels
Technical controls are excellent at securing the corporate perimeter. But what happens when the attacker bypasses that perimeter entirely?
Adversaries utilize a multi-channel siege. They target an employee with smishing, send a malicious document via WhatsApp, or initiate a conversation on LinkedIn under the guise of a recruiter. Your technical controls have zero visibility into these unmanaged channels.
The only thing standing between the attacker and a compromised credential in these scenarios is the employee’s intuition and behavioral training.
#2. AI’s Massive Threat
Explain that the threat model has fundamentally changed in the last 18 months. Attackers are using phishing-as-a-service (PhaaS) platforms and generative AI to launch hyper-realistic attacks at scale.
Bring up the rise of vishing, or voice phishing. Point out recent industry breaches where attackers used AI voice cloning or basic social engineering to trick IT help desks into resetting multi-factor authentication (MFA) tokens.
If your organization implements hardware security keys, but your help desk can be manipulated into bypassing them over the phone, your technical controls are void.
Step 3: Align with the CISO’s Top Priorities
CISOs are tasked with managing business risk and defending the budget to the board.
If you want them to approve a platform for human risk management, map the platform’s value directly to the CISO’s top priorities.
- Reducing SOC Alert Fatigue and Burnout: A modern HRM platform with in-the-moment micro-coaching significantly reduces the number of successful compromises. By training employees to report accurately, you provide the SOC with high-fidelity, actionable threat intelligence, saving analysts countless hours of triage.
- Navigating Cyber Liability Insurance: Insurers want proof of continuous risk assessment and active threat mitigation. An advanced HRM platform that tracks behavioral changes and simulates real-world attacks provides the CISO with insights to negotiate better premiums and ensure compliance payouts aren’t challenged.
- Proving ROI to the Board: Legacy SAT and simulations provide oversimplified board metrics. Modern HRM provides actual risk reduction analytics. You can give your CISO a dashboard that tells the entire story.
Here’s a Justification Letter Template for Human Risk Management
Ready to make the pitch? Copy and paste the template below. Just customize the bracketed information to fit your organization’s specific context.
Subject: Proposal: Modernizing Social Engineering Defense
Hi [CISO Name],
I’m writing to propose a strategic shift in how we manage human risk and defend against social engineering attacks.
Currently, our technical perimeter is robust, but our recent incident logs and broader industry trends show a clear pattern: Adversaries are bypassing these controls by targeting our employees through unmanaged channels, specifically SMS, voice (vishing), and collaboration tools.
Our contract with [Current SAT Provider] is up for renewal on [Date]. While they have served us for compliance, renewing our current "check-the-box" approach isn’t in our best interest. Legacy security awareness training (SAT) relies on static videos and predictable templates that don't prepare our workforce for the multi-channel, AI-driven attacks they face today.
To be clear, I am not suggesting we move away from training entirely. Instead, I am proposing we transition to a modern Human Risk Management (HRM) platform.
I’ve been looking for a solution that provides:
- Multi-Channel Simulations: The ability to safely test our employees against SMS, voice, and targeted executive impersonation attacks, matching the real-world tactics, techniques, and procedures we see in the wild.
- Operational Efficiency: Automated, in-the-moment micro-coaching for employees who fail simulations, correcting behavior instantly and reducing the volume of successful compromises our analysts have to remediate.
- Board-Level Risk Analytics: Moving beyond click rates to provide tangible metrics on risk reduction by department and role, which will also strengthen our posture for cyber liability insurance renewals.
We’ll significantly reduce the blast radius when our technical controls are inevitably bypassed.
I’ve identified a few leading vendors in this space and would like 15 minutes during our next 1:1 to discuss allocating budget for a proof of concept this quarter.
Thanks,
[Your Name]
Stop Blaming Employees. Start Fixing the System
Pitching human risk management is about changing your organization’s security culture. The cybersecurity industry has relied on shaming employees for too long, blaming them for falling victim to sophisticated psychological manipulation.
Your employees aren’t the weakest link. But they are your primary attack surface, so with the right investment in HRM, they can become your most resilient defense layer.
Using the framework above, you can help your CISO recognize the strategic imperative to move beyond legacy security awareness training.
Doppel is built specifically to address this business case, empowering security teams to move from passive compliance to active social-engineering defense. The platform’s AI-powered, multi-channel simulations, automated micro-coaching, and deep executive-level analytics finally prove to your CISO and the board that your investment in the human element is worth every penny.
Need help building your specific business case? Get a demo with Doppel, and we’ll show you exactly how our platform delivers measurable ROI for your security operations.
