Communication-Centred Security Training: Integrating Policy and Awareness

Going to get a bit reflective in this one! Most organisations treat policy development and security awareness training as separate exercises, and often as separate functions entirely. Policies get drafted reactively to meet compliance requirements, and training programmes (if they exist at all) follow a task-based, one-size-fits-all approach that generally upskills people but also alienates them. This disconnect misses a significant opportunity: when properly integrated, policy and training create a security culture that is both robust and genuinely aligned with your organisation's specific needs and risk positioning.

There is a clear binary position to take when we focus on technical controls for hardware or networking: the device is either up to date or it isn't; MFA is either enabled or it isn't. These controls are easy to validate technically and easy for management to review, provided the answer comes from evidence (an inventory, a configuration export, a scan result) rather than from someone's assertion that it is so. People try to cram policy into the same box, but it doesn't fit; policy is a cultural control, just like security awareness training. The focus should be on education and effective communication, which means the measures of effectiveness are likely to be intersubjective: the answer is shared and sits between multiple minds! Policy and training are best thought of as relationships.

Policy serves as a communication tool that maps out the mission and motivations of an organisation, then connects them down to the functional objectives that inform the more binary controls. This is where tension creeps in. In smaller teams a policy posture doesn't feel relevant, because everyone feels on the same page day to day. Policy becomes an abstraction of relationships that are already well attuned, so the need for documented policy feels like an abstracting force rather than an explanatory one. In larger organisations those relationships don't scale, and policy starts to serve a clear purpose: keeping disparate minds across various work functions aligned.

Nevertheless, small teams that sit inside larger organisations have a similar feeling. Even though a policy posture is required, people who don't work at the strategic level feel they have a good, common-sense relationship with the people and the work around them day to day, so the policy posture feels irrelevant.

The friction then becomes obvious and observable: a strategic team builds out a policy function, often as a growing pain within a legal or risk function, or to meet external growth requirements, compliance certifications, or regulatory demands. This doesn't map well to the day-to-day experience of staff at the operational level. It can feel almost like a punishment for people who have hard-earned common sense and have been getting along just fine without all the policy, which is inevitably seen as fluff.

The Value of Properly Drafted Policies

Let me be clear, though: policies are very useful when they have been drafted appropriately. They give clear and accountable boundaries on acceptable behaviour, provide a mechanism for identifying areas for structured and continuous improvement, and serve as a map of the mission and purpose of an organisation, enabling growth with specialised team members or core functions that may not be conversationally aligned.

Policies can effectively connect this mission to the minutiae and the day-to-day controls needed to protect the ongoing pursuit of that mission. They also provide the legal and procedural protections we know they exist to serve, without having to take the form of the big, blocky policy packs drafted by lawyers that we have all been subjected to at one point or another.

The Two Pain Points

Any policy drive has two pain points. First, the policies need to be accurate, understandable, and easy to read. Second, the policies need to be ingested and understood by the team, so that they are live documents that shape the way the team thinks.

We have covered how to tackle the first problem before. We rely on the IASME Cyber Assurance Standard, which is essentially a digital maturity roadmap with useful templates and a clear path towards a comprehensive cyber security policy posture. Check out our blog on this here.

The second problem is vital to address: staff need to be genuinely connected to this effort. Not just because of the work you have put into building it, but because the team is the body of the organisation. They are the most important part of the system here! This is where a security awareness programme comes in.

Security Awareness Programme Options

There are numerous options when it comes to building, maintaining, or maturing a security awareness programme. Digital platforms allow for a task-based approach, normally following a standard curriculum that covers basic digital hygiene, phishing awareness, and why antivirus and backups matter. If this broad-based approach suits your need to generally upskill directors and employees, then look at the NCSC's certified training. It is a formal list of provisions that meet the NCSC's standards, so you know the training will line up with national objectives in protecting UK plc.

If you are looking to align your staff more closely with your policy, or want to build a more holistic security programme in which there is a true connection between your documentation and your training, then consider ADAS. We provide a different approach: the training programme is tailored and delivered on the basis of conversations with your directors and leadership, and all of your policy documentation is ingested to produce the training material.

This approach has the added benefit of giving you evidence that every attendee has been walked through, and can be said to understand, your information security policy. It involves your trainer reading your entire policy body, speaking with directors, and delivering a dialogue-rich training session in a casual and approachable environment. In our experience, this has been the best way to identify cultural blind spots or potential negligent insiders, and the approach is communication-centred, rather than an online multiple-choice portal or a death-by-PowerPoint experience!

It is also worth adding that we plant a tree for every attendee, which is noted on the certificate of attendance. Read more about this here.

The Bigger Picture

Security often sits as an ancillary function to risk management, so a bigger-picture offering of security awareness and culture building should lean on that understanding. Your efforts in other key areas, like policy, should be validated and understood, so that your staff are aligned to your exact risk positioning on discretionary security decisions and your policy reflects where your staff actually stand. Opting not to integrate policy efforts with a security awareness programme is a missed opportunity and can ultimately be a waste of your effort.

If you think this way of thinking could add value to your organisation, then reach out to say hello and learn more. We would love to have a conversation about how we could support your team with both its policy and its security awareness needs.
