We have a national day or month for just about everything. Some of my personal favorites include National IPA Day (first Thursday in August), National Waffle Day (August 24), National Rescue Dog Day (May 20), and National Insider Threat Awareness Month (September). Following along those lines, October (as you likely know) is Cybersecurity Awareness Month (CAM), and this year’s theme is “Secure Our World” — an ambitious vision.
When we discussed what we’d do for CAM this year, my colleague and fellow Forrester Vice President and Research Director Amy DeMartine responded, “It has to be said: Don’t we treat every month as Cybersecurity Awareness Month?” She has an excellent point. Perennial security issues such as phishing and social engineering demonstrate that we need to be security-aware all the time — not just once a year.
Making cybersecurity a year-round priority for everyone, not just security teams, requires that we rethink how we do security awareness training (SA&T). Instead of focusing on awareness, we need to change behaviors and reinforce security culture all year round. One of our top recommendations for 2023 is to move from SA&T to adaptive human protection with human risk management. Doing this requires moving beyond compliance-based security awareness and instilling a security culture.
The US Cybersecurity and Infrastructure Security Agency (CISA), as part of its CAM program, provides tools for individuals and businesses to stay safe online. Among its recommendations for businesses, CISA discusses building a strong cybersecurity culture. Its recommendations include the following:
- Use basic cybersecurity training.
- Identify available cybersecurity training resources.
- Stay current on cybersecurity events and incidents.
- Encourage employees to make good choices online.
These are all good recommendations but don’t go far enough to protect enterprises. One of the issues with cybersecurity training is that it’s too basic — and is typically only done once a year. My Forrester colleague Jinan Budge embraces the concept of adaptive human protection. Forrester defines adaptive human protection as:
People, processes, and technologies working together to detect and anticipate human security behaviors and adjust policies, training, and technologies to protect humans in a way that requires minimal or no effort on their part.
Adaptive human protection requires moving beyond compliance-based training and adding capabilities that make it difficult for users to make poor security decisions. For example, security vendors are now including training in their products so that they “nudge” users at times when they are making crucial security decisions. Human risk platforms are measuring security culture instead of only reporting about failed phishing tests and awareness training completion.
Targeting training toward individual users and addressing human risk based on what the user is doing changes behaviors, makes cybersecurity part of daily decision-making, and gives security leaders the ability to quantify and manage human-related risk as they would any other risks.
Here are some Forrester resources to aid you as you work on your own CAM initiatives:
- Win The Hearts And Minds Of Security-Fatigued Stakeholders — This blog discusses how to work across the organization to build a strong security culture.
- Applying 2022’s Security Lessons To 2023 Threats — In this podcast episode, Principal Analysts Sandy Carielli and Brian Wrozek share how last year’s security lessons learned apply to this year’s biggest threats.
- Healing The Breach Between Tech And Security Leaders — In this podcast episode, VP and Principal Analyst Jinan Budge shares insights on how to bridge the divide between tech executives and security leaders.
- Planning Guide 2024: Security And Risk — This complimentary copy of our annual planning guide for security and risk leaders can help you plan your security spending for the year ahead.
- Key Findings From Forrester’s 2022 Data Breach Benchmarks — This blog provides an overview of research that breaks down data breaches across seven industries and related key takeaways for security leaders.
- A Sneak Peek Into The Future Of Security Awareness And Training — This blog covers disrupting the status quo to deliver behavioral and cultural change.
- Influence And Engage Employees — This report focuses on influence and engagement activities for users to replace traditional security awareness training.
- Top Recommendations For Your Security Program, 2023 — This report provides recommendations for handling security challenges over the next 12 months.
- Top Cybersecurity Threats in 2023 — This report covers the top five cybersecurity threats in 2023 and what to do about them.
Forrester clients can schedule an inquiry or guidance session with our analysts to do a deeper dive on your security program, building a security culture, or transforming your SA&T initiatives.
Meet Us At Security & Risk Forum 2023
Want even more information on how to build a stronger security program in your organization? Check out the agenda for our upcoming Security & Risk Forum, taking place November 14–15 in Washington, D.C. We’ll have 25 sessions led by Forrester analysts who will be available for one-on-one meetings during the event, as well.