It has been 20 years since the National Institute of Standards and Technology (NIST) released SP 800-50, its guidance on building enterprise security awareness and training programs. A lot has changed since then.
With new attack types, the rise of cloud applications, the work-from-anywhere era, and generative AI, NIST has concluded that the training model in its original guidance no longer fits how organizations actually work.
Meanwhile, breach research year after year cites human error as a leading cause of data breaches. Despite sustained investment in cybersecurity training, organizations have had little return to show for it.
To help companies rebuild their programs, NIST has released a draft of its updated guidance, SP 800-50 Rev. 1: Building a Cybersecurity and Privacy Learning Program.
Although it is still a draft, NIST expects to publish the final version in 2024, and the core recommendations are unlikely to change much.
If you want to get ahead of the curve to ensure your cybersecurity and privacy training regime is as successful as it can be, follow NIST’s latest training guidance.
What’s new in NIST’s training guidance?
NIST has released its draft training guidance with a few primary goals in mind. Namely, it wants to:
- Combine privacy with cybersecurity in learning programs, rather than treating them as separate entities.
- Introduce a life cycle model that encourages ongoing, continuous training (which behavior-change research favors over one-off sessions), rather than treating training as an annual or quarterly box-ticking exercise.
- Focus on building a culture of security and privacy in organizations.
- Help organizations better address the challenge of measuring the impact of their learning programs.
In essence, NIST wants companies to embed privacy and security training into their day-to-day activities, so that employees become the first line of defense against cybersecurity risks, rather than the weakest link in the chain.
What does this look like in practice? And, how can cybersecurity leaders actually measure the return on investment for training and awareness?
Put NIST’s guidance into practice
A while back, the Polymer team realized that cybersecurity training needed a revamp.
Inspired by Richard Thaler’s psychological nudge theory, we saw an opportunity to embed cybersecurity and privacy training into modern workflows. When an employee violates a data policy in a tool like Slack, Google Drive, Zendesk, or ChatGPT, Polymer warns them at that moment and explains what was flagged and why. Employees can also receive additional training and take action on their violations via email nudges.
Rather than pulling employees away from their work, these automated point-of-violation notifications deliver bite-sized training about data policies in real time, at the moment the policy is most relevant.
Beyond education, the Polymer platform also enforces policy through AI-enhanced data protection. Based on predefined policies, Polymer DLP can take various remediation actions within your cloud apps, so data security and compliance do not depend on someone noticing a violation after the fact.
Better still, we designed Polymer DLP with ROI in mind. Polymer’s platform risk score quantifies the presence of sensitive data in each of your cloud apps and AI tools.
As you use the platform over time, a falling risk score gives you a concrete way to demonstrate that the program is changing behavior, which is exactly the measurement problem NIST’s draft calls out.
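To make the point-of-violation pattern concrete, here is a small added example written for this page; it is not Polymer’s code and does not describe how Polymer DLP works internally. It scans constructed chat-style events for payment card numbers and US SSNs, validates each match (Luhn check, SSN structure) so that look-alike ticket numbers do not trigger a nudge, builds a nudge that tells the sender what was matched with the value masked, and rolls the findings into a crude per-app exposure score. All event data, policy names, weights, and guidance strings are made up for the example.

```python
"""Toy point-of-violation nudge (illustrative, not Polymer's implementation).

Scan chat-style events for sensitive data, nudge the sender with context at the
moment of the violation, and summarise exposure per app as a simple score."""
import re
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample events in the shape a collaboration-app webhook might deliver.
SAMPLE_EVENTS = [
    {"app": "slack", "user": "alice", "text": "Customer card is 4111 1111 1111 1111, expiry 12/26"},
    {"app": "slack", "user": "bob", "text": "Ticket ref 1234 5678 9012 3456 is closed"},  # fails Luhn
    {"app": "gdrive", "user": "carol", "text": "SSN on file: 123-45-6789"},
    {"app": "chatgpt", "user": "dave", "text": "Summarise this: no secrets here"},
]


@dataclass(frozen=True)
class Finding:
    policy: str
    match: str
    guidance: str


def luhn_ok(number: str) -> bool:
    """Luhn checksum: separates real card numbers from 16-digit look-alikes."""
    digits = [int(d) for d in re.sub(r"\D", "", number)]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(ssn: str) -> bool:
    """Reject area/group/serial values the SSA never issues (000, 666, 9xx, 00, 0000)."""
    area, group, serial = ssn.split("-")
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


# (policy name, pattern, validator, guidance shown to the employee) -- hypothetical rules
POLICIES: list[tuple[str, re.Pattern, Callable[[str], bool], str]] = [
    ("PCI card number", re.compile(r"\b(?:\d[ -]?){13,16}\b"), luhn_ok,
     "Payment card numbers must not be shared in chat; use the payments portal."),
    ("US SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), ssn_plausible,
     "SSNs belong only in the HR system, never in messages or shared docs."),
]

WEIGHTS = {"PCI card number": 5, "US SSN": 5}  # hypothetical severity weights


def scan(text: str) -> list[Finding]:
    """Return validated findings; the validator step is what keeps false positives down."""
    findings = []
    for name, pattern, validate, guidance in POLICIES:
        for m in pattern.finditer(text):
            if validate(m.group(0)):
                findings.append(Finding(name, m.group(0), guidance))
    return findings


def redact(value: str) -> str:
    """Mask all but the last four digits so the nudge itself does not re-expose the data."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def nudge(event: dict) -> Optional[str]:
    """Build the in-context message sent back to the user, or None if nothing matched."""
    findings = scan(event["text"])
    if not findings:
        return None
    lines = [f"@{event['user']}: your {event['app']} message matched {len(findings)} data policy rule(s):"]
    for f in findings:
        lines.append(f"  - {f.policy} ({redact(f.match)}): {f.guidance}")
    lines.append("  Remove the data or move it to the approved system. Reply 'why' for the policy text.")
    return "\n".join(lines)


def exposure_score(events: list[dict]) -> dict[str, int]:
    """Sum policy weights per app: a crude stand-in for a risk score that should
    fall over time if the nudges are changing behaviour."""
    score: dict[str, int] = {}
    for e in events:
        for f in scan(e["text"]):
            score[e["app"]] = score.get(e["app"], 0) + WEIGHTS[f.policy]
    return score


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(nudge(ev) or f"@{ev['user']}: {ev['app']} message clean")
    print("Exposure score by app:", exposure_score(SAMPLE_EVENTS))
```

The validation step is the part worth copying: a bare regex for 13 to 16 digits will nudge people about ticket numbers and order IDs, and a few false alarms are enough for employees to start ignoring every notification, which defeats the point of training at the moment of violation.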
Take your training up a notch
It will only be a few months before NIST’s latest guidance becomes official, but why wait until then to improve your privacy and security awareness efforts?
Our low-code platform takes minutes to deploy and starts improving your organization’s security posture right away. Combining behavior-based training theory and AI-driven detection, Polymer DLP helps you reduce the privacy and cybersecurity risks of human error while building a culture of security.
Ready to get started? Request a demo today.