A very good choice.
This is how Terence van Gestel (CISO) and Janey van Vessem (information security manager) of the Municipality of Tilburg look back on the decision to have their organization participate in the Cyber Barometer. As many as 1214 Tilburg officials filled out the carefully curated online questionnaire that provides insight into employee behavior regarding information security and privacy. The results are now the capstone for their new awareness strategy. Terence and Janey are happy to share their experiences.
At first, Terence was not at all keen on conducting a questionnaire among his colleagues. Fortunately, Janey was just immediately very supportive of the Cyber Barometer and its deployment, “I was very excited. After all, we were at the start of a new program in which we focus on behavioral change to make our organization more digitally secure. A good baseline measurement is very important at such a time. In addition, we knew which information security and privacy issues were at play within municipalities, but we wanted more specific information about the behavior of our employees so that we could really get to work.
When Terence learned more about the Cyber Barometer, he, too, was soon converted: “If you’re asking for people’s time, I think it should really add value. To me, that means that you can actually take action based on the results. To do that, it is important, for example, to exclude socially desirable answers within the questionnaire. Because the Cyber Barometer asks questions in different ways, we were able to achieve that. I am very happy about that. The instrument is simply very well constructed.
Capstone for targeted action
The Cyber Barometer results lead to new insights in several ways. Terence: ‘We have gained insight into themes that require attention organization-wide, but now we also know which themes are relevant for each team. That team X can make a step forward in the area of secure video conferencing, for example. And that team Y is leading the way when it comes to safely sending e-mail messages.’ Janey: “We were also able to measure the effect of a past action or training. For example, we thought that everyone knows what to do in case of a data breach because we gave a training course about it. Yet the Cyber Barometer showed that we still need to put energy into this. Conversely, we saw very positive results on other themes that we recently highlighted.
The many insights from the Cyber Barometer contribute to a targeted action plan. Terence: “The results we now have in our hands are the capstone for our program for the coming period. We use them to determine which topics we will cover in which way and which teams will participate in them. It really makes it much easier to prioritize.’ Janey: ‘Because we now know very well what is needed within the different teams, we are much better able to weave that into our program. That way we can ensure that people only put energy into things that are relevant to them.’
Support and budget
Finally, Terence has another tip for municipalities: “I often hear from medium-sized or smaller municipalities that it is difficult to create support and organize sufficient budget for privacy and information security. The Cyber Barometer can contribute enormously to this. And although we in Tilburg have a reasonable budget, the pot of money won’t stay filled forever. We have to keep investing to maintain sufficient support. We will certainly use the results of the Cyber Barometer for that.’
CYBER BAROMETER OF BROOKLYN PARTNERS
The Cyber Barometer measures via online surveys how employees handle sensitive information in their jobs. Central within the measurements are the three responsibilities employees have in achieving a cyber-secure organization:
- Preventing unsafe situations
- Recognizing unsafe situations
- Acting in the event of unsafe situations
Employees who carry out these three responsibilities diligently have a high level of maturity in security and privacy. The higher the maturity level of employees, the more secure the organization.