In recent years numerous regulations have been created to protect individuals, emphasising the importance of security and awareness, including NIS2, DORA, GDPR, and even the AI Act. Organizations can implement policies to achieve compliance with these regulations, but that doesn’t necessarily guarantee they’ll be carried out flawlessly on the work floor. There’s always a disparity between documented procedures and actual practice.
Ultimately, individuals are responsible for turning these policies into action, while organizational management must provide the necessary resources and support to make this possible. This is why regulations like NIS2, GDPR and the AI Act make organizing awareness training for your employees part of compliance. Should a cyberattack occur despite these efforts, you can demonstrate that you did your best to improve security awareness across the organization.
However, security awareness should be more than merely checking a box to fulfill compliance obligations. This security-conscious mindset needs to be embedded within the organization. Employees should develop an appreciation for these regulations, understanding that they are not designed to complicate their lives but to equip them with practical tools to protect both the organization and themselves.
Building a Security-Aware Culture: The Foundation of Regulations and Cyber Resilience
It’s important to realize that cyber threats are asymmetric: cyber criminals only need to take advantage of one individual’s mistake to be able to launch a successful attack. Your organization, on the other hand, needs to be sure that every employee takes security measures seriously to strengthen your first line of defense. According to various studies, over 80% of all organizational data breaches are the result of unsuspecting employee errors.
That’s why it’s imperative that everyone within your organization, from the receptionist to the CEO, receives at least foundational security awareness training. This introductory training doesn’t need to go into the specifics of NIS2, DORA, GDPR, or the AI Act, as they all share common fundamental principles that employees must consider to avoid errors. It’s critical that participants are allowed to ask questions and receive guidance relevant to their daily activities.
From Awareness to Action: How Targeted Compliance Training Strengthens Cyber Resilience
Naturally, each regulation has its unique requirements. Therefore, you need to supplement foundational security awareness training with tailored modules. For example, since nearly every organization processes personal data, employees should know what they can and can’t do according to GDPR. Additionally, the AI Act requires any employee interacting with AI to have AI literacy training.
Furthermore, a lot of aspects of security awareness are specific to the business context. For example, your IT department has different concerns than the HR department. Training should therefore be tailored to these distinct business requirements, providing information that is immediately applicable. The objective is for everyone to develop robust security instincts. For instance, if an HR employee has access to specific personal data not needed for their role, they should recognize the importance of reporting this to have their access rights restricted to strengthen this first line of defense. Access that is not granted can’t be compromised.
Testing Readiness Through Tabletop Exercises: Turning Policy into Practice
A third effective approach to cultivating awareness is through tabletop exercises, which simulate emergency scenarios. Compare this to a fire drill, where staff behave as if there is a real fire in order to test procedures. Similarly, you can simulate a minor incident, a data subject access request, or a major data breach, and test the efficacy of procedures and the preparedness of participants.
Tabletop exercises serve as an excellent stress test to identify inefficiencies or gaps in your organization’s incident response processes. But they are also valuable for employees in new roles, helping them learn their responsibilities and bridge the gap between policy and practical application.
Conducting multiple tabletop exercises of varying severity levels is recommended. For example, simulating a minor incident raises awareness of how even seemingly innocuous events can escalate if not addressed, while simulating a major incident focuses more on communication, requiring participants to collaborate in developing a response strategy. This collaboration exercise provides a head start when they face an actual incident later on, as it allows them to draw on their previous discussions.
Empowered People, Stronger Compliance: Embedding Security Thinking Across the Organization
Compliance extends beyond telling people what they can’t do. It’s a way for people to perform their job more effectively and confidently. The key to achieving this is helping employees understand the rationale behind procedures. Awareness is the crucial factor.