/* ---- Google Analytics Code Below */

Tuesday, November 08, 2022

Being Future Ready

Thoughts from Forrester, thoughts on future readiness,

Being Future Ready: From Security Awareness & Training To Adaptive Human Protection

Jinan Budge, VP, Principal Analyst   in Forrester,   NOV 8 2022

In October 2022, Forrester’s Guide To Global SA&T Regulations And Standards revealed an impetus for a better future, and I shared with you all a sneak peak into the future of security awareness and training.

And today, I am THRILLED to finally announce to you the Future of Security Awareness and Training (Forrester clients can access here). The research examines the major expected changes in security awareness and training in the short, medium, and long term. Without further ado, here’s the situation:

In the long term, Adaptive Human Protection will create freedom for employees. A widely accepted cybersecurity mantra is that “Security is everyone’s responsibility” — but the goal of adaptive human protection is to move past that. This starts by instilling a security culture, eliminating needless compliance activity, and adding capabilities so humans will be hard-pressed to make wrong decisions. This allows you to imagine a future where you can safely jettison practices that were once required but are now superfluous. Once cybersecurity is no longer everyone’s responsibility, employees can get on with their daily activities and meet their digital aspirations while remaining protected from cyberthreats — even if they make a mistake.

The thing is, this future is realistically years in the future for most, so in the meanwhile, cue human risk management..

The medium-term focus on human risk management will overcome SA&T’s shortcomings. Make it the goal of the SA&T program to positively influence employee security behavior, instill a security culture, and manage human risk by taking six crucial steps: 1) expand your behavioral baseline beyond phishing and incidents; 2) measure effectiveness not completion; 3) quantify the human risk based on behavior (not scores!); 4) initiate real-time risk-based interventions; 5) if you must use content, be intentional and transformative; and 6) codify security culture.

In the meanwhile, though…. '

Posted by at
Labels: ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)