Wow, I am so happy to share this news with you! In the Cyber Security Culture in Organisations report, ENISA proposes a process for building security culture that is based directly on the Security Culture Framework. The report goes to great lengths to describe each element, and even divides them into smaller parts to make them easier to implement.
Why is this such a big deal? ENISA is the EU’s security unit, focusing on policy-making and sharing best practices. When ENISA recommends a process or method, the EU listens. And when the EU listens, things start to happen. Being referred to and recommended by ENISA means that the SCF is officially being used by policymakers, and recommended as a best practice. To all of us using the SCF, all around the world, this is confirmation that we are doing the right thing. Perhaps now it will be easier to get more funding for your security culture programme?
In addition to building on the SCF, ENISA recommends measuring security culture using the CLTRe Toolkit. In these GDPR days, measuring security culture becomes more important too: in Article 32, 1d, GDPR requires organisations to measure the effectiveness of their controls, including the organisational ones. This requirement means that not only do you have to do some activities, you also need to show that the activities have an effect. This is exactly what the SCF is designed to help you with, and what the CLTRe Toolkit measures.
I want to thank you all for making this possible. It has been a long process, as you all know, and something to celebrate during the next Security Culture conference!