The document discusses the importance of developing a security culture within organizations, emphasizing staff awareness as a critical factor in improving information security management. It outlines the necessity for compliance with various standards and regulations, including ISO 27001 and GDPR, and highlights common challenges and strategies for effective security awareness programs. Additionally, it provides insights into implementing training that engages employees and ensures the knowledge is applied in practice.

1. © IT Governance Ltd 2018
Presenter:StefanieRetfalvi,LearningDesign&SolutionsConsultant,ITGovernance
Staff Awareness:
Developing a Security Culture

2. © IT Governance Ltd 2018
Agenda
01
02
03
04
06
07
?
Q&A
05
Cyber Security
Awareness
Programme
Staff Awareness:
Creatinga
SecurityCulture

3. About IT Governance
& Introduction

4. © IT Governance Ltd 2018
About IT Governance

5. © IT Governance Ltd 2018
Introduction
• Stefanie Ildiko RETFALVI
• Learning Design & Solutions Consultant
• International cross-sectorexperience

6. © IT Governance Ltd 2018
Why Staff
Awareness matters

7. © IT Governance Ltd 2018
ISO 27001 7 Support
Persons doing work under the organization’s control shall be aware of:
a) the information security policy;
b) their contribution to the effectiveness of the information security
management system, including
the benefits of improved information security performance; and
c) the implications of not conforming with the information security
management system requirements.

8. © IT Governance Ltd 2018
GDPR Article 39
1. (b) to monitor compliance with this Regulation, with other
Union or Member State data protection provisions and with
the policies of the controller or processor in relation to the
protection of personal data, including the assignment of
responsibilities, awareness-raising and training of staff
involved in processing operations, and the related audits;

9. © IT Governance Ltd 2018
Why it matters
ICO Publication:
“Preparing for the General Data Protection
Regulation (GDPR) - 12 steps to take now.”

10. © IT Governance Ltd 2018
• Learner fatigue.
• Stronger defencee against threats / lower risk thanks to
increased awareness.
• Best ROI due to risk matrix and prioritisation;
• Credibility and trust.
• Empowering of employees to make informed decisions (size
of security function = as large as the organisation).
• The consequences of non-compliance.
More than just Compliance

11. © IT Governance Ltd 2018
Assessing your Culture

12. © IT Governance Ltd 2018
Setting off on your Journey to a Culture of Security Awareness
‘Are we there yet?’

13. © IT Governance Ltd 2018
Identifying Problems
Identifying common drivers for
resistance or gaps in understanding
is the first step to gaining
organisation-wide buy-in.

14. © IT Governance Ltd 2018
Common Challenges

15. © IT Governance Ltd 2018
Security & Mindset
• Viewed as hindering productivity
• Perceived as dry and/or
overwhelming
• Other misconceptions

16. © IT Governance Ltd 2018
Quality &
Compliance
Learning & Development
& Internal Communications

17. © IT Governance Ltd 2018
Generating a Culture Shift

18. © IT Governance Ltd 2018
Security affects Everyone
• C-suite, senior management buy-in (leading
by example)
• DPOs, CISOs, CIOs
• Business process owners
• HR, Change Management, Internal Comms
• Organisation-wide buy-in

19. © IT Governance Ltd 2018
• Understand your audience(s)
• Align your strategy and your culture
• Make use of proven engagement techniques
• Be opportunistic
Planning Change

20. © IT Governance Ltd 2018
Implementing a Security Awareness Programme
It is important to offer a
modern mix of different
security-focused learning and
communications tools to
address individuals’ diverse
needs and preferences.

21. © IT Governance Ltd 2018
To attain the highest levels of employee
engagement, it is important to generate
personal investment and motivation for
adopting best practice.
Gaining organisation-wide Buy-in

22. © IT Governance Ltd 2018
Example

23. © IT Governance Ltd 2018
Delivering Knowledge
For optimal knowledge retention,
information needs to be clear,
accessible and easy to digest.

24. © IT Governance Ltd 2018
Example

25. © IT Governance Ltd 2018
Encouraging Knowledge Transfer to the Workplace
It is not enough to know what best
practice involves. Employees need
to apply their obtained knowledge in
their everyday activities.

26. © IT Governance Ltd 2018
Sample Solution
These should:
• Be meaningful, encouraging deep reflection and the transfer
of acquired knowledge to the workplace;
• Make learners active participants, by challenging them to
recall key information in relevant contexts; and
• Prompt participants to identify risks and apply best practice
in situations that could arise in real life on the job.

27. © IT Governance Ltd 2018
Example

28. © IT Governance Ltd 2018
Monitoring Progress &
Measuring Success

29. © IT Governance Ltd 2018
Continual monitoring of progress will
ensure that everyone has achieved the
required level of knowledge,
understanding and engagement.
Evaluation

30. © IT Governance Ltd 2018
Example

31. © IT Governance Ltd 2018
Once the programme is finished, it is
important to ensure that security
remains at the forefront of
individuals’ minds.
Continuous Reinforcement

32. © IT Governance Ltd 2018
Useful References

33. © IT Governance Ltd 2018
Useful References
• IT Governance: www.itgovernance.co.uk/blog#
• CIPD website: www.cipd.co.uk/
• WFPMA website: www.wfpma.com/
• PWC: www.pwc.com/gx/en/services/audit-assurance/risk-
assurance/game-changers/culture-behaviours.html
• HP Enterprise: www.riscs.org.uk/wp-
content/uploads/2015/12/Awareness-is-Only-the-First-Step.pdf

34. © IT Governance Ltd 2018
Conclusion &
Your Turn! Q&A

35. © IT Governance Ltd 2018
Conclusion

36. © IT Governance Ltd 2018
Call us
+44 (0)333 800 7000
Email us
servicecentre@itgovernance.co.uk
Visit our website
www.itgovernance.co.uk
Like us on Facebook
/ITGovernanceLtd
Follow us on Twitter
/itgovernance
Join us on LinkedIn
/company/it-governance
Read our blog
www.itgovernance.co.uk/blog
Stay in touch!

37. © IT Governance Ltd 2018
Queries?
Understanding?
Clarification?
Your Turn!