TechGuard Blog

Building Your Primary Defense Strategy Through a Security Awareness Program

How should I start?

The question on most business leaders' and policymakers' minds is often, “Where do I start?” The best approach is usually to create a solid plan that can grow with your organization. The first step is to start with a standard. Before choosing one, understand which compliance mandates apply to you: a company that handles healthcare information must follow HIPAA, but may not need to comply with payment card standards such as PCI DSS. For most organizations, NIST is the best framework to start with.

What is NIST?

NIST stands for the National Institute of Standards and Technology, a non-regulatory agency of the U.S. Department of Commerce that promotes innovation and industrial competitiveness across many industries. It maintains measurement standards and publishes research and frameworks that help organizations structure their operations and security awareness programs. NIST guidance generally follows a best-practice approach and maps to many other frameworks used across the compliance industry.

Aligning your defenses to the NIST standard.

Security and IT personnel know that training the workforce is a critical layer of defense in an organization's cybersecurity program; knowing is half the battle. Business leaders, however, often wonder how to implement and run a training program. The best approach is usually to pick the topics that matter most in the current threat landscape and cross-reference them to a widely used training framework, and that is where NIST comes in. This article walks through NIST guidance and shows how to use it to design a program that reduces your attack surface by giving employees the knowledge to defend themselves and the company. Drawing on the awareness topics in NIST Special Publication 800-50, a program can be organized around nine core topics:

  • Phishing
  • Password security
  • Safe web browsing
  • Social engineering
  • Malware
  • Mobile security
  • Physical security
  • Removable media
  • Working remotely

Each topic has detailed sub-sections with recommendations for baseline training across your organization.

This excerpt from NIST Special Publication 800-50 offers valuable insight on monitoring and reporting compliance:

“Once the program has been implemented, processes must be put in place to monitor compliance and effectiveness. An automated tracking system should be designed to capture key information regarding program activity (e.g., courses, dates, audience, costs, sources).”

Tracking and reporting tools help program managers find and remediate knowledge gaps by providing continuous feedback as they refine the training curriculum.

NIST Special Publication 800-50 provides useful material for designing a security awareness and training program. The problem for most organizations is the lack of time and personnel to build an entire program mapped to NIST best practices from the ground up. That is why our security awareness and training platform aligns directly with NIST standards and recommendations. Our content is derived mainly from NIST guidance, which is generally regarded as the best all-round approach to security awareness, and our curriculum is delivered through a proprietary IQ platform that makes compliance tracking easy to follow and mature.

Individualized weapons against cyber-attacks.

Our training also provides educational modules for every industry and employee role. You can build a custom curriculum from 2,000+ training resources aligned to the nine core security behaviors, or use a baseline program built from NIST recommendations. Either way, you have the flexibility to cover each core security topic while focusing on the security information most relevant to each employee.

Tracking the effectiveness of your front-line.

Our reporting lets you track progress on an individual and an organizational basis, measuring each employee's comprehension of each core security behavior. This makes it straightforward to quantify your training compliance against NIST guidelines. Employees who require training can be monitored through dashboards to make sure they stay in compliance, and the results can be exported when audit time rolls around or when key stakeholders check on the program.
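As an added example (not part of the original post or of any vendor platform), the following Python sketch shows the kind of tracking the SP 800-50 excerpt above calls for and the reporting this section describes: it records course completions per employee and topic, distinguishes training that was never taken from training that has lapsed, and produces per-employee remediation lists, per-topic coverage for an organization-level dashboard, and flat rows for an audit export. The 365-day validity window, the three-person roster and the completion records are constructed assumptions.

```python
"""Awareness-training compliance tracker (added example, not vendor code).

Topic names follow the nine core topics listed in the article. The
365-day validity window, the roster and the completion records below
are constructed assumptions for illustration.
"""
from datetime import date, timedelta

CORE_TOPICS = (
    "phishing", "password security", "safe web browsing", "social engineering",
    "malware", "mobile security", "physical security", "removable media",
    "working remotely",
)

# Assumption: a completion keeps an employee compliant on a topic for one year.
VALIDITY = timedelta(days=365)

# Constructed sample data: current roster and (employee, topic, date, source) records.
ROSTER = ("alice", "bob", "carol")
COMPLETIONS = [("alice", t, date(2024, 1, 15), "annual baseline") for t in CORE_TOPICS] + [
    ("bob", "phishing", date(2023, 3, 1), "phishing module v1"),        # superseded below
    ("bob", "phishing", date(2024, 4, 10), "phishing module v2"),
    ("bob", "password security", date(2023, 4, 20), "password module"),  # stale
    ("bob", "malware", date(2024, 2, 2), "malware module"),
    ("carol", "phishing", date(2024, 5, 20), "phishing module v2"),
    ("carol", "cryptography basics", date(2024, 5, 20), "elective"),    # not a core topic
    ("dave", "phishing", date(2024, 5, 20), "phishing module v2"),      # no longer on roster
]


def latest_completions(completions, roster, topics=CORE_TOPICS):
    """Most recent completion date per (employee, topic); records for people
    not on the roster or for untracked topics are ignored."""
    latest = {}
    for emp, topic, done, _source in completions:
        if emp not in roster or topic not in topics:
            continue
        key = (emp, topic)
        if key not in latest or done > latest[key]:
            latest[key] = done
    return latest


def compliance_status(completions, roster, today, topics=CORE_TOPICS, validity=VALIDITY):
    """Map each employee to {topic: 'current' | 'expired' | 'missing'}.

    'expired' is kept distinct from 'missing' because the remediation differs:
    expired training is re-assigned, missing training is assigned for the first time.
    """
    latest = latest_completions(completions, roster, topics)
    status = {}
    for emp in roster:
        status[emp] = {}
        for topic in topics:
            done = latest.get((emp, topic))
            if done is None:
                state = "missing"
            elif today - done > validity:
                state = "expired"
            else:
                state = "current"
            status[emp][topic] = state
    return status


def remediation_list(status):
    """Per-employee list of topics that are not current, in topic order."""
    return {emp: [t for t, s in per_topic.items() if s != "current"]
            for emp, per_topic in status.items()}


def topic_coverage(status):
    """Share of the roster that is current on each topic (organization-level view)."""
    counts = {}
    for per_topic in status.values():
        for topic, state in per_topic.items():
            counts[topic] = counts.get(topic, 0) + (state == "current")
    return {topic: n / len(status) for topic, n in counts.items()}


def audit_rows(status, completions, roster, topics=CORE_TOPICS):
    """Flat (employee, topic, state, last_completed) rows, ready for a CSV export."""
    latest = latest_completions(completions, roster, topics)
    return [(emp, topic, state, latest.get((emp, topic)))
            for emp, per_topic in status.items() for topic, state in per_topic.items()]


if __name__ == "__main__":
    today = date(2024, 6, 1)  # fixed so the report is reproducible
    status = compliance_status(COMPLETIONS, ROSTER, today)
    for emp, gaps in remediation_list(status).items():
        print(f"{emp}: {len(gaps)} topic(s) to remediate {gaps}")
    for topic, share in topic_coverage(status).items():
        print(f"{topic:20s} {share:6.1%} of roster current")
```

Two details matter in practice: the tracker keeps only the most recent completion per employee and topic, so a repeat of the phishing module correctly clears an earlier, lapsed one, and it filters out records for people no longer on the roster so that departed staff do not drag down coverage figures.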

Giving your workforce a shield to protect themselves.

Making sure your employees' training regimen aligns with your organizational goals and compliance needs is critical when planning your program. Our security awareness and training platform gives you the resources to design a path to NIST compliance. Following NIST recommendations becomes easy, letting you focus on maturing your program and empowering your employees to defend your business and reduce security incidents.

Written by Grant Codak

Grant has over a decade of IT experience spanning a variety of domains with a focus on defensive security. Grant is currently a Cybersecurity Expert at TechGuard Security, where he performs a wide variety of proactive security services, including penetration testing. He holds the following certifications: CISSP, CEH, Security+, Network+, A+, and Metasploit Pro Certified Specialist. Recent roles include Senior Web Security Engineer at a Fortune 50 organization and a variety of application administration roles in security operations. His past project work includes web tool development as well as firewall and web proxy migrations. Currently at TechGuard Security, Grant conducts audit control assessments, penetration tests, vulnerability assessments and social engineering exercises. Grant ties this knowledge together with his deep understanding of network operations and security architecture to deliver approachable report analysis to clients. Grant is also a nature enthusiast and enjoys mountain biking, hiking and kayaking.