Why aiming beyond compliance with your awareness program reduces risk
I was speaking with an associate today about how the current security awareness market is filled with training solutions that help organizations achieve compliance but fall short on demonstrating that risk has actually been reduced. For many business managers, compliance is considered to be "enough". I think this is a short-sighted, and potentially expensive, mindset for CISOs to have.
I pointed out to my colleague that just because an organization can show compliance, or is certified to a standard, it doesn't mean it is not at risk. Whether the training is done to pass a SOC 2 audit or to achieve ISO 27001 certification, the ability to tick off a checklist of training objectives for various security control areas often has little correlation to the real risk the organization faces from non-compliant employee behavior after the audit is over.
In any situation where compliance can be shown, there is always the question of whether the processes in place are mature enough to sustain it. It's much better to have a level of assurance behind the compliance checklist: some reason to believe that the compliance exercise itself wasn't the only reason the organization passed the audit.
If you're going to spend the money on compliance, why not get as much value out of the process as you can?
For example, if you educate staff using gamified learning, you not only create a more engaged workforce that retains the guidance covered in the program; the activities in the various threat scenarios should also yield data that maps directly to the learning objectives for the controls in the standard.
So, if your compliance program doesn't engage employees (and we've spoken to many individuals who clearly have a negative view of compliance training programs), there is a risk that employees will make mistakes because they did not absorb the content, and the money spent on that training may well have been wasted. You likely won't be able to prove that it did any good at all.
On the other hand, if you've used a gamified learning program, the higher level of maturity achieved should yield data showing better employee participation than with traditional learning programs. That data is evidence that employees are paying attention to the content and therefore reducing the risk of a breach or a future non-compliance penalty.
So, when security awareness compliance training is on the agenda for boards of directors or C-suite managers, the first question should be: "Is this just a cost center that we need to minimize, or is it a valuable assurance activity that helps us manage risk while also allowing us to achieve compliance?"