The National Institute of Standards and Technology (NIST) is part of the US Department of Commerce. Its role includes researching and publishing standards and guidelines that many US departments depend on and are required to follow. Its SP 800 (Special Publication) series focuses on cybersecurity-related guidelines and requirements. In 2003 NIST published SP 800-50, titled "Building an Information Technology Security Awareness and Training Program." This document was NIST's attempt to address security awareness and training. Over time it was recognized that the document had become outdated and a new version was required. As such, NIST released last month (August 2023) a public draft of a vastly updated version, SP 800-50r1, "Building a Cybersecurity and Privacy Learning Program." In this blog post I'll share my thoughts on this updated version.
Disclaimer: I’ll be reviewing the document from the perspective of my personal focus - managing human risk.
I and others were hoping that this new version would shift its focus from compliance training to secure behaviors, security culture and, ultimately, managing human risk. Unfortunately, instead of taking a human risk focus, it expanded its emphasis on compliance by adding privacy as a key goal. Long story short, if you are interested in better managing your organization's human risk, this is not the resource for you. If you are interested in developing a training program with a focus on compliance and privacy, then this is the document for you.
Before I go any further, let me say I have the highest regard for NIST, as its technical documentation is outstanding and often the benchmark that organizations around the world follow; its Cybersecurity Framework is one example. In addition, the team at NIST faces the very tough challenge of trying to meet the requirements of a vast, complicated and ever-changing government. With that said, it appears to me now that the SP 800-50 publications were never intended to be about human risk.
We will start with some simple data points. The words "Learning" and "Privacy" are mentioned in the document a total of 880 times. In contrast, the phrases "Secure Behaviors," "Security Culture," "Manage Risk," "Managing Risk," "Risk Management," "Reduce Risk," and "Reducing Risk" are mentioned a combined total of 21 times.
Overall, this document is really about defining and meeting training requirements. This is not necessarily a bad thing. In many ways, managing human risk often begins with training your workforce. However, the original SP800-50 was already very compliance-focused; with the new addition of privacy in this revised document, I feel it's even more compliance-focused.
The document focuses on addressing your organization's "skills gap" but does not really define what that means; it could be anything from your staff understanding your Acceptable Use Policy to meeting compliance and privacy requirements. I did find references sprinkled throughout the document about how training can help reduce risk, such as training people on deploying and using multi-factor authentication (MFA). However, the vast majority of the document is about training to meet policy, compliance, and privacy requirements.
My biggest concern with the NIST approach is the role of the Learning Program Manager. Based on how this role is defined in SP 800-50r1, the Learning Program Manager will most likely report to Compliance, Audit, Legal, Human Resources, or Training. The individual will most likely be isolated from the security team, have little exposure to key security data, not understand the concepts of risk management, and not be involved with the security team or any of its risk management processes. Their goal will be compliance and privacy.
What I Was Hoping For
I was hoping for a document that focused more on enabling your workforce to exhibit secure behaviors, create a stronger security culture, and ultimately more effectively manage human risk. Here are some steps you can follow to accomplish that:
- Begin by defining what human risk is. Specifically, lay out why people have become the primary attack vector and why the human element has become such an important part of managing an organization's overall risk.
- Define a role that is overall responsible for human risk. Have that individual be part of the security team and report directly to the CISO. Give the role a title such as Security Behavior and Culture, Security Influence and Engagement, or Human Risk Officer. Even better, this would not be an individual but rather a team of people partnering with the security team to manage the organization's overall risk.
- This individual/team would lead the effort (working with the security team) in using a data-driven approach to identify the organization’s top human risks. For me this is what NIST means by “skills gap.”
- This individual/team would lead the effort (working with different departments) in identifying the knowledge, skills, and behaviors that manage those risks.
- This individual/team would then lead the effort in building, managing, and measuring a program (to include training) that would engage, motivate, and enable the workforce in exhibiting those behaviors. Metrics would then be used to measure those behaviors, and ultimately the reduction in risk.
Finally, I was hoping the document would explain that training is just the first of many steps in managing human risk, and would cover other key elements such as designing policies and processes to be easier to follow, simplifying security communications for your workforce, leveraging marketing models to engage and motivate your workforce, etc. I knew it was a long shot, but a part of me was even hoping to see certain models such as the BJ Fogg Behavior Model, the ADDIE instructional design model or the ADKAR organizational change model.
Unfortunately, that did not happen. The good news is that you still have the opportunity to provide your feedback and thoughts to NIST on the draft (we already have). For now, if you are interested in compliance or privacy training, this document is for you. If you are concerned about managing human risk, I'm afraid we have to look elsewhere.