If your job includes cybersecurity, chances are you’ve heard the word “adaptive” within the last year.
The recently released NIST Cybersecurity Framework offers a broad and comprehensive model for managing and reducing cybersecurity risk. The Framework also presents “adaptive” as the top tier of its cybersecurity management tiers. Industry leaders treat the Framework as a guide to smart, responsible cybersecurity practice, though the document is not a mandatory set of rules.
PricewaterhouseCoopers, in its white paper “Why You Should Adopt the NIST Cybersecurity Framework,” wrote: “organizations that adopt the Framework at the highest possible risk-tolerance level may be better positioned to comply with future cybersecurity and privacy regulations.”
Federal agencies and state governments are currently in the lead for framework implementation, with private industry being encouraged to follow suit.
“As more U.S. federal agencies and state governments adopt the Framework, and strongly encourage private sector organizations to implement its approach, there can be little doubt that the Framework has or will soon evolve into the de facto standard for cybersecurity—still voluntary, but nonetheless, the standard,” said international law firm McDermott Will & Emery in their article “Where Are We Now? The NIST Cybersecurity Framework One Year Later.”
Adaptive Meets Awareness
Trying to apply the top-tier adaptive concept to a security awareness program, though, will likely cause some headaches, and for good reason. Anyone who has tried to implement an adaptive, ongoing cybersecurity education program knows how difficult building such a program really is. We’re talking about a highly flexible, highly visible program woven into the organizational culture.
Though striving for adaptability in this arena is challenging, the value it brings to the organization as a whole is well worth it. Here are five benefits of an adaptive security awareness program:
- You can respond quickly to new threats
This one is pretty obvious and is perhaps the top reason for seeking a truly adaptive program. Cybersecurity threats are ever-evolving, as anyone who works in the industry will tell you. With an adaptive awareness program, additional educational content can be rolled out quickly in response to new threats. “Adapt to survive” is more than a catchy phrase; it’s vital.
- Your program will be risk-aligned
From the start, an adaptive program is based on sound research into what your organization’s risks actually are. This means frequent, context-specific use of analytical tools to understand risk, and communicating changes in risk to stakeholders and end users. Once your risks are known, designing an awareness program to address them is that much easier.
- You get what’s needed to the right people
Different types of employees, each with different specialties, benefit most from awareness programs tailored to them. An adaptive program includes multiple training elements, including role- and risk-based elements, customized to meet individual employee needs and your unique corporate culture. The more relevant an awareness program is to a specific employee, the more likely they are to retain what they have learned.
- You know how to reinforce your training
The best awareness program in the world will fall short without measures in place to keep its principles at the top of your employees’ minds. Your employees may have completed interactive training on phishing or malware, but what happens six months from now? This is where effective training reinforcement comes in. An adaptive program includes regular deployment of a wide range of communications, such as videos, posters, and games, aligned with the known and emerging risks revealed through regular program analysis.
- You can answer the ROI question
Any good adaptive program involves a process of continual analysis and improvement. That sounds like the perfect opportunity to prove to the people signing the checks that your program is working, doesn’t it? With a truly adaptive program, you’ll have a built-in set of analysis tools, whether regular employee knowledge assessments or phishing simulations, to demonstrate the program’s benefits. These data will come in handy the next time your CEO asks why you’re paying so much for training.
Developing a security awareness culture involves many factors, but the foundation of all of them should be adaptability. With adaptability as your goal, you’ll be well on your way to a program that anticipates risks, can be continuously improved, and becomes part of the organizational culture through constant reinforcement.
Can you call your program adaptive? Take our program maturity assessment survey to find out.