From Policy to Practice in Security Culture: What Security Frameworks Recommend

Anna Collard | Jul 10, 2024

Recently I had to prepare for a governance, risk and compliance conference. I promptly realized that although I used to be quite immersed in this field as an ISO 27k implementation consultant and even had a short stint as a Payment Card Industry (PCI QSA) auditor years ago, it has been a while since I looked into this.

Let’s dive right in. Most privacy and data protection laws do not specify details such as how to run a cybersecurity program; that would make them too specific. Instead, cybersecurity requirements are implied under general provisions such as ‘ensure adequate safeguards’, ‘ensuring ongoing confidentiality, integrity, availability, and resilience’ or similar statements. This is where security frameworks and best practices come in handy, providing a guideline on how to achieve that ‘adequate’ level of protection.

The ISO/IEC 27000 series is a set of international standards developed to help organizations manage and protect their information assets within the context of an Information Security Management System (ISMS). What I always liked about the ISO 27000 standards is that they are risk based. It works like this: organizations tailor their security program to their unique risk appetite, and the selection of controls is not just about ticking off a predefined list but about addressing their specific organizational risks. For example, if an organization does not face significant physical threats, it may deprioritize controls related to physical security in favor of stronger network security measures.

We can probably agree though that in most organisations the human factor is a significant risk that warrants prioritization. Not because humans are the weakest link, but because they are in the firing line, being targeted by a flurry of social engineering attacks. Sixty-eight percent of all breaches reported in Verizon’s 2024 Data Breach Investigations Report include the human element. This is why creating a security culture and awareness program is part and parcel of pretty much any best practice or security standard out there.

Comparing security frameworks

I wanted to see what the most recent versions of popular security frameworks and best practice standards are saying about managing human risk and did a brief refresher on ISO, NIST and SANS Top 20.

Here's what they have to say about mitigating human risk:

[Image: comparison table of what ISO, NIST and SANS Top 20 say about mitigating human risk]

Below are quick and easy summaries that organisations can use as guidance:

Start with a policy

It goes without saying that we need to establish security policies and communicate them effectively to all employees and relevant external parties. User-facing acceptable use policies (AUPs) should include specifics on how to use social media, as well as emerging technologies such as generative AI chatbots, in a responsible way.

Role-Based Training

Training should be tailored to the specific roles and responsibilities of different personnel within the organization. This makes sense: the more relevant the training content is to the audience, the more they will pay attention. For example, a call center environment will not only require different content or security guidance than a finance department, but might also appreciate different channels and content types. By providing content that is personally relevant, like online safety for parents, users are more likely to engage.

Regular Training and Updates

Conducting regular training sessions keeps people updated on the latest threats, policies, and procedures. Using simulations and practical exercises can help reinforce learning.

Phishing Simulation Campaigns

Phishing simulations should be strategically utilized to create teachable moments based on the principle of "practice makes perfect." By allowing employees to learn from their mistakes in a safe and controlled environment, these simulations can significantly boost self-efficacy. This approach not only helps individuals understand the consequences of phishing attempts but also encourages mindful and deliberate reactions to potential threats. In an analysis of over 32 million users, we found that frequent phishing tests are more impactful on security culture than frequent training, but the increase of frequency of both training and phishing provided the best outcomes. Refer to this KnowBe4 whitepaper for more.

Record Keeping

Maintaining comprehensive records of all security training activities is necessary to demonstrate compliance and track progress.

Continuous Improvement

Regularly reviewing and updating your security awareness training program is necessary to address emerging threats and incorporate feedback from training sessions. We recommend running a security culture survey or security awareness proficiency assessment to identify gaps or areas that need prioritization every year or at the beginning of major campaigns.

There you have it: by following the above steps in your security awareness and culture programs, you should fare well on the next compliance audit.

For additional and practical tips on how to create and effectively run an impactful security culture program, have a look at our 7 Steps For Building a Security Culture checklist.
