If you ask me, all successful security awareness strategies start with the gaps and the analysis of those gaps. Seek to understand before you can be understood, and all that jazz. It's not easy. Right? If you knew where the gaps were, you'd have fixed them (in an ideal world). Your identified gaps may not be the same as someone else's. When you engage professional services, they'll often start with gap analysis, and Culture Gem is no different. I always begin any engagement by looking at what you have and where the holes are. I often wonder if people think this is buzzword nonsense that they could have done by themselves, and if they should pay for it.
The answer to this is down to the person asking the question. I don't know about you, but I've solved so many problems by showing them to someone else; I don't always need their help, but talking through the thing with someone who doesn't know about it makes you think differently about the problem. It often helps to look at a problem with a fresh pair of eyes, to see the wood for the trees. If you can remove all your preconceptions from a problem, you may not need that fresh pair of eyes. None of us are all-seeing, all-knowing beings, though.
So, let's take a moment to consider what you are looking for when it comes to security awareness gap analysis:
You have a strategy, often fed down from some business values and missions, that rarely considers security. You are required to shoehorn, squish, and bend your objectives around, all while delivering the business goals of customer retention, sales, or whatever else is important to the board, without considering security as driving all of those things. So, do you have gaps in your strategy? Probably!
There is no hard and fast rule on which gaps you should fill with training or even a definitive course list that says you must train people in x, y and z. None! Nowhere! Yet, to meet most regulations, certifications or accreditations, you must regularly train people on data protection, information governance, and information security. So, do you have a gap in your training material catalogue? Probably!
You have a tool selected by someone, maybe an IT someone, maybe a security someone, maybe a Learning and Development or HR someone. This tool will have been selected by an individual or a small group to meet a compliance requirement. I will bet money that that tool wasn't selected by the many: the workforce required to use it. It'll be an off-the-shelf product produced for the mass market, created by some nerds who understand psychology or the course's subject matter. Or it'll have been made in-house, by some creative people, with the input of some compliance people who've got a really good handle on the subject matter but not on information design or learning styles. So, do you have gaps in your tool? Probably!
You have a curriculum defined by someone or a small group, maybe a vendor, maybe some compliance person. The curriculum will have been plucked from thin air based on past employment or educational experience, or on an understanding of a requirement that says you must regularly train people on data protection, information governance, and information security. So, do you have gaps in your curriculum? Probably!
You have an engagement and pass rate of 80%. 80% of people do mandatory training and score 80% or more. It may surprise you that 80% isn't a requirement that is written down anywhere. Still, somehow, we've got this stuck into our programmes that 80% means good. We're doing enough compliance training to fill the gap. Yet, the figure of "90% of data breaches are down to phishing" is bandied around. Wait, we are compliant because 80% of people scored 80% on their compliance training, which may or may not have included phishing. So, do you have a gap in your success metrics? Probably!
I could go on, but I think you get it. If you have these gaps, you have a good starting point to analyse and address the issues, but how many of you have just realised the reality of the gaps you didn't know were there? However, identifying the issues and actually solving them can be very different things. I mentioned an ideal world earlier because fixing them takes more work; there are extenuating circumstances. Budgets. Resources. Skills. Time. The list is endless. So how can you do the best with what you have?
Firstly, look at what you have! Sounds simple enough. Does your strategy look at security holistically, and at risk mitigation through awareness and culture? Maybe it says these words, but does it really do these things? Are you delivering the stuff you need to deliver to do what you wrote on the tin? Do you use risk to define training? Or is the risk stuff confidential and need-to-know, so the people defining the training don't know what they are mitigating against? Do you use root cause analysis and near misses to inform the security awareness strategy, curriculum, campaigns, activity, delivery etc.? Is this need-to-know, so the Security Awareness people cannot meet regulatory requirements or carry out training needs analysis? Does your tool do what your people need it to do? Is it pitched at the right level for them? Is the material? Or did you buy the thing that neatly fit your budget or made sense to you? Are you confident that 80% of 80% is good enough?
These are challenging questions to ask from the inside looking in. It's as easy as asking someone if your baby is ugly and expecting an honest reply. And let's be honest, this is someone's baby. They have poured their blood, sweat and tears into this and nurtured, fought for, and loved it (we hope). They may fight you to the death over questioning the beauty of their baby, and if they do, they aren't doing what is right for your company. Gap analysis allows you to look objectively at it, and sometimes you can't see the wood for the trees, but it is a hugely valuable exercise. It always hurts less when someone you have no connection with tells you your baby is ugly or could do with a haircut or a bath. Sometimes you're just too close to see it, and 80% is good enough without the gap analysis.