From Policy to Practice in Security Culture: What Security Frameworks Recommend

Policy to Practice in Security CultureRecently I had to prepare for a governance, risk and compliance conference. I promptly realized that although I used to be quite immersed in this field as an ISO 27k implementation consultant and even a short stint as a Payment Card Industry (PCI QSA) auditor years ago, it has been a while since I looked into this.

Let’s dive right in. Most privacy and data protection laws will not specify details such as how to run a cybersecurity program. This would make these too specific and cybersecurity requirements are implied under general provisions such as ‘ensure adequate safeguards’, ‘ensuring ongoing confidentiality, integrity, availability, and resilience’ or similar statements. This is where security frameworks and best practices come in handy, providing a guideline on how to achieve that ‘adequate’ level of protection. 

The ISO/IEC 27000 series is a set of international standards developed to help organizations manage and protect their information assets within the context of an Information Security Management System (ISMS). What I always liked about the ISO 27000 standards is that they are risk based. It works like this: organizations tailor their security program based on their unique risk appetite and the selection of controls are not just about ticking off a predefined list but about addressing their specific organizational risks. For example, if an organization does not face significant physical threats, it may deprioritize controls related to physical security in favor of stronger network security measures.

We can probably agree though that in most organisations the human factor is a significant risk that warrants prioritization. Not because humans are the weakest link, but because they are in the firing line, being targeted by a flurry of social engineering attacks. Sixty-eight percent of all breaches reported in Verizon’s 2024 Data Breach Investigation Report include the human element. This is why creating a security culture and awareness program is part and parcel of pretty much any best practice or security standard out there.

Comparing security frameworks

I wanted to see what the most recent versions of popular security frameworks and best practice standards are saying about managing human risk and did a brief refresher on ISO, NIST and SANS Top 20.

Here's what they have to say about mitigating human risk:

Screenshot 2024-07-10 at 8.22.22 AM

Below are quick and easy summaries that organisations can use as guidance:

Start with a policy

It goes without saying that we need to establish security policies and communicate them effectively to all employees and relevant external parties. When looking at user facing acceptable use policies (AUPs) include specifics on how to use social media as well as emerging technologies, such as generative AI chatbots in a responsible way.

Role-Based Training

Training should be tailored to the specific roles and responsibilities of different personnel within the organization. This makes sense, the more relevant training content is to the audience, the more they will pay attention. For example, a call center environment will not only require different content or security guidance to finance departments, but might also appreciate different channels and content types. By providing content that is personally relevant, like online safety for parents, users are more likely to engage.  

Regular Training and Updates

Conducting regular training sessions keeps people updated on the latest threats, policies, and procedures. Using simulations and practical exercises can help reinforce learning.

Phishing Simulation Campaigns

Phishing simulations should be strategically utilized to create teachable moments based on the principle of "practice makes perfect." By allowing employees to learn from their mistakes in a safe and controlled environment, these simulations can significantly boost self-efficacy. This approach not only helps individuals understand the consequences of phishing attempts but also encourages mindful and deliberate reactions to potential threats. In an analysis of over 32 million users, we found that frequent phishing tests are more impactful on security culture than frequent training, but the increase of frequency of both training and phishing provided the best outcomes. Refer to this KnowBe4 whitepaper for more.

 Record Keeping

Maintaining comprehensive records of all security training activities are necessary to demonstrate compliance and track progress.

Continuous Improvement

Regularly reviewing and updating your security awareness training program is necessary to address emerging threats and incorporate feedback from training sessions. We recommend running a security culture survey or security awareness proficiency assessment to identify gaps or areas that need prioritization every year or at the beginning of major campaigns.

There you have it, by following the above steps in your security awareness and culture programs you should fare well on the next compliance audit.

For additional and practical tips on how to create and effectively run an impactful security culture program, have a look at our 7 Steps For Building a Security Culture checklist.

Free Phishing Security Test

Would your users fall for convincing phishing attacks? Take the first step now and find out before bad actors do. Plus, see how you stack up against your peers with phishing Industry Benchmarks. The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.

PST ResultsHere's how it works:

  • Immediately start your test for up to 100 users (no need to talk to anyone)
  • Select from 20+ languages and customize the phishing test template based on your environment
  • Choose the landing page your users see after they click
  • Show users which red flags they missed, or a 404 page
  • Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management
  • See how your organization compares to others in your industry

Go Phishing Now!

PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:

Subscribe to Our Blog

Comprehensive Anti-Phishing Guide

Get the latest about social engineering

Subscribe to CyberheistNews