Compliance as a strategy has been one of my bugbears in information security for as long as I can remember. Even when I was a junior professional in the field, I understood the limitations of what we juniors lovingly called the “tick-and-bash” approach — the practice of ticking boxes to confirm that the organization followed a process, thereby making the following of the process the end goal in itself. As a security leader, I’ve experienced firsthand, and now through my clients, the dangers of allocating precious resources to ticking a box. It limits your view of what’s possible, it consumes resources that can and should be used elsewhere, and it loses sight of why we do it in the first place, which is ultimately to reduce risk to the organization and increase trust.
In spite of all of this, never has my frustration been as deep as when I began covering the security awareness and training (SA&T) market. I learned through customer reference interviews for our inaugural Forrester Wave™: Security Awareness And Training Solutions, Q1 2020, that many organizations had two solutions for SA&T: 1) a modern, innovative solution focused on changing behavior and instilling a security culture; and 2) another product designed to train people for one hour once a year to meet those elusive “compliance requirements” and satisfy auditors. What?! That means organizations were paying for two separate licenses and diminishing security’s reputation with a compliance-driven product, often provided by legacy vendors whose offerings are out of date and out of touch with users.
Worse yet, we have reason to believe that some organizations aren’t doing enough for SA&T compliance in the first place. From our data, a surprising number of organizations did not have an SA&T program at all. If effective security is a priority, where’s the enabling security training? Not only is it good practice, but our initial research into the breadth of SA&T compliance regulations suggests that there’s most likely a regulation (or several) for everyone. Like an Oprah Winfrey giveaway: “You get a regulation, and you get a regulation!” There are specific SA&T regulations by industry, by location, and so on. With that in mind, it’s alarming that so many organizations may not be meeting compliance standards.
I have deep concerns about this, especially at a time when I’ve seen the conversation elevate significantly over the past year and a half. After receiving hundreds of briefings, holding strategy days and multiple discussions with my CISO clients, and sifting through thousands of lines of vendor responses to my questions, I see a much-needed disruption — and I love disruption! We need SA&T to do more than train people for the sake of training them; behavior and culture change have moved beyond being performative to fostering real action. Disruptive and emerging SA&T solutions have multiple purposes beyond training, including to:
- Use data to drive change. Select the right provider, or a mix of providers, to open your security program to opportunities such as using behavioral risk data to focus security program improvement. We can do so much better now than by relying on perfunctory metrics such as training completion rates and Net Promoter Score℠ (NPS). Some solutions, for example, now compute a human risk score from actual behavior extracted from security tools (such as password manager adoption or VPN use), not just from whether the user passed or failed a test. Others can help you measure how your SA&T solution is contributing to your overall security program (by reducing phishing-related incidents, for example).
- Develop right-sized responses and interventions. Bombarding all users with the same amount of training on the same topics at the same frequency wastes employee time and productivity. Choose vendors that let you create individualized learning paths, or that curate training or interventions based on the user’s behavior. There are also now vendors that help you map your security culture so that you can drive the required change only where it’s required and nowhere else.
How can you leapfrog to this exciting and disruptive future of SA&T for human risk management and right-sized responses? And how can you simultaneously meet all these compliance requirements, especially when many specify your audiences (e.g., all personnel), the amount of time you’re required to train, and specific (and at times irrelevant) topics? Some even seem to go as far as dictating how you train (e.g., commercial training). The team at Forrester and I are currently digging into this question. We would love to speak to anyone who has managed to move beyond compliance to achieve the goals of changing behavior and instilling a security-positive culture, while at the same time meeting their compliance obligations. We want to know:
- What compliance requirements for SA&T do you have to follow?
- What have been the benefits as well as the downsides of these requirements?
- Do you have separate solutions for training and for effecting behavior and culture change? Why did you make that decision?
- How do you effect behavior and culture change?
- What behavior or culture change have you seen from your SA&T efforts?
- For those who are focusing on behavior and culture change versus pure training, how have you convinced your auditors that you are meeting your compliance obligations?