During my years at Mandiant, I responded to a lot of breaches for a wide variety of organizations. Every breach case had one thing in common – the customer was compliant.
While compliance is a requirement for many organizations, compliance does not equal security. I was recently talking to a CISO who has divided his department into two teams – one focused on security and the other focused on compliance. The security team deals with emerging threats to the network, while the compliance team deals with regulations. It’s an interesting strategy, and one that reflects how separate compliance and security concerns have become.
Security awareness has traditionally been associated with the compliance side of security, but to be truly effective, it needs to focus on current threats and evolve with the threat landscape.
Compliance is useful in that it forces organizations to focus on security, but security departments should no longer view compliance as anything more than what it is – the floor, not the ceiling. Depending on your requirements, you may have to require awareness training to be compliant. Organizations often achieve compliance through annual training or assessments that have little positive impact on the organization and can sometimes create a negative perception of security awareness. Compliance-driven training only requires that you prove people have completed the training; it does not require any proof that employees can apply the information provided during training. Checking off the security awareness box on your compliance checklist is necessary and it may feel comforting, but it’s a false sense of security.
I understand that compliance is not going away, and that for many CISOs addressing it consumes a large part of their budget and time, so how do you break out of the compliance mindset? For security awareness, start by presenting training material that addresses relevant and emerging threats. As we mentioned in a previous post, training employees on topics like password complexity overloads them with information that does little to improve security. Training on topics like this may be an easy way to fulfill compliance, but training that empowers your employees by giving them knowledge they can apply will truly improve your security posture. Regulations fail to address security concerns because they are rigid and don’t adapt to new tactics; however, users can be trained to be dynamic threat detectors.
Just as organizations have unique needs, humans have different needs as well. Applying a one-size-fits-all approach to training will meet compliance needs, but it won’t be as effective as continuous training that uses multiple education modes and thus appeals to a variety of learning styles. Your security awareness program needs to evolve beyond annual training into a living, continuous program. Make security awareness part of your organization’s culture by conducting training periodically and varying the presentation of that training content to ensure you resonate with everyone in the organization.
While compliance struggles to keep pace with emerging threats, security awareness that succeeds in improving employee behavior could keep you ahead of the curve. The adversaries are dynamic, creative humans; making security-aware employees with the skills to identify anomalous activity a strategic objective will go much farther than checking the box.