ECRM Education and Training Plans, Policies, and Procedures

Apr 10, 2023

Blog #11 of ~15 in ECRM Framework & Strategy Series


If you are starting this ECRM Framework & Strategy Series here, with Blog #11, you may wish to review some previous posts:

(For the complete list of all posts in this ECRM Framework & Strategy Series, please see Introduction – Overseeing the Development of Your ECRM Framework and Strategy.)

In each post in the series, I cover one or more aspects of developing your Enterprise Cyber Risk Management (ECRM) Framework and Strategy and associated sections of the Table of Contents of an ECRM Framework and Strategy document.

This series aims to explain what content is needed in each area and provide a good head start on developing and documenting your ECRM Framework and Strategy. 

Introduction

The topic of the ECRM Framework and Strategy and related documentation covered in this post is:

  1. ECRM Education and Training Plan, Policies, and Procedures

(For the complete Table of Contents, please see Introduction – Overseeing the Development of Your ECRM Framework and Strategy.)

Completing the work outlined throughout this ECRM Framework & Strategy Series positions your organization to establish, implement, and mature your ECRM program. For many organizations, doing so represents a transformational program. Any significant business transformation is about behavior change, which usually begins with C-suite leaders and the board.

In Selecting and Adopting an ECRM Framework, Process, and Maturity Model, I discussed five critical core capabilities—governance, people, processes, technology, and engagement—that your organization must develop to ensure your ECRM transformation is successful. Education and training are relevant to establishing all five of these capabilities.

The plans, policies, and procedures developed in your ECRM Framework and Strategy require an appropriate amount of education and training at every level of the organization and across every function. Education and training are essential to any change management program, and implementing a new ECRM program is exactly that.

This post focuses on the plans, policies, and procedures that provide the education and training needed to make your ECRM program succeed. First, we define our terms, because education and training are different things.

To educate means “to develop the faculties and powers of (a person) by teaching, instruction, or schooling.”[1]

To train means “to give the discipline and instruction, drill, practice, etc., designed to impart proficiency or efficiency.”[2]

Education is more about knowledge; training is more about task skills and abilities.

Most likely, your C-suite and board will be educated on ECRM. Your frontline workforce members and managers will be trained on ECRM.  Groups in between will likely receive a mix of education and training. In all cases, education and training ensure everyone understands and buys into what is expected of them.

Your ECRM Education and Training Plans, Policies, and Procedures should spell out how you will conduct ECRM education and training, when it will be delivered, by whom it will be delivered, and what materials and methods will be used.

Finally, your ECRM Education and Training Plans, Policies, and Procedures focus on enterprise cyber risk management and what is needed to implement and sustain your program.  It is not the same as, nor a replacement for, security awareness training.

ECRM Education and Training Policy

Your ECRM Education and Training policy should indicate what you plan to do, why you plan to do so, the values of your organization, and what is expected of members of your workforce.  Think of policies as higher-level aspirational statements emphasizing “what” and “why.”  That is, what your course of action will be and why you’ve chosen this course of action. Your policy statement establishes your good faith intent.

Following is an example of an ECRM Education and Training policy statement:

[YOUR COMPANY NAME HERE] is committed to establishing, implementing, and maturing an enterprise cyber risk management (ECRM) program that safeguards the confidentiality, integrity, and availability of all sensitive stakeholder data, systems, and devices. International, Federal, state, and local laws and regulations have established standards by which acceptable ECRM, privacy, security, and compliance will be achieved. To support our commitment to ECRM, all workforce members, including executive management and the board of directors of [YOUR COMPANY NAME HERE], will receive appropriate ECRM education and training, as detailed in our ECRM Education and Training plans and procedures.

All workforce members must attend ECRM education and training appropriate to their role and pass knowledge and competency checks upon completion. In some instances, training will include active on-the-job training.

ECRM Education and Training Procedures

Procedures provide the required actions to deliver on your policy. If policies are higher-level statements addressing “what” and “why,” procedures provide the much-needed detail as to “how,” “by whom,” “when,” “where,” “using what,” etc., the policy will be implemented. You should expand and elaborate on these elements and steps such that those responsible for receiving education and training and those responsible for delivering it will successfully complete that education and training if they follow all the process steps in your documented procedures.

In terms of content, all the topics in your ECRM Framework and Strategy documentation are candidates for various education and training plans. For example, education sessions on the following topics would be relevant for all members of the workforce, giving them awareness of what the program entails:

  • ECRM Guiding Principles
  • Scope of The ECRM Strategy
  • Business Strategic Objectives
  • ECRM Strategic Objectives
  • Responsibility for and Governance of the ECRM Strategy
  • Basic Cyber Risk Management Terminology
  • ECRM Framework, Process, and Maturity Model
  • Risk Rating and Risk Appetite

While awareness of the respective standards, policies, and procedures for the topics below is essential for all workforce members, skills training would be more appropriate for those responsible for completing the following ECRM process steps:

  • Risk Framing
  • Risk Assessment
  • Risk Response
  • Risk Monitoring

ECRM Education and Training Plans

ECRM education and training are critical, regardless of the organization’s size. The amount and type of education and training will depend on the robustness of your ECRM program and possibly on regulatory requirements.

Education and training are not one-time activities but ongoing, evolving processes that change as your organization’s needs, policies, and procedures change. Education and training should be tailored to job responsibilities, and training must be focused on the successful establishment, implementation, and maturation of your ECRM program.

ECRM Education and Training plans should vary by audience, be refreshed at different frequencies, and be reinforced with reminders and regular updates. For example, in Chapter 9 of Stop the Cyber Bleeding[3], I discuss ongoing board of directors’ education that occurs whenever the board discusses ECRM and comprises both an examination of relevant current events and educational activities/subjects that may include:

  • Hiring outside experts to brief the board on ECRM 101.
  • Having internal advisors, such as your chief audit executive or general counsel, provide in-depth briefings.
  • Engaging outside counsel to discuss the legal implications of a breach.
  • Engaging your organization’s executive risk insurance broker to discuss potential gaps, clashes, and redundancies in your liability policy portfolio.
  • Engaging outside and inside experts to forecast the cyber risk landscape one, three, and five years out.
  • Inviting external advisors, such as FBI representatives or relevant regulatory agency staff, to discuss the cyber risk environment.
  • Providing a briefing on the NACD Cyber-Risk Oversight Certificate (https://www.nacdonline.org) to validate the importance of ECRM and encourage board members to pursue continuing education in cyber risk.
  • Providing a briefing on the NIST Cybersecurity Framework, including information on how adopting the Framework encourages the integration of ECRM into the overall business strategy.
  • Conducting tabletop exercises on incident response and business continuity.

What materials you use to conduct your education and training will vary. There may be certain off-the-shelf content that you can use, or you may wish to develop your own. Content may be delivered live and in person, virtually, or both. I encourage engagement and discussion as much as possible.

A workforce knowledgeable in the organization’s ECRM program is an essential defense against cybersecurity threats. An education and training program that routinely keeps the workforce trained and updated based on the organization’s risk monitoring report (see Risk Monitoring Standards, Policies, and Procedures) can be your best defense. 

Guidelines for Creating ECRM Education and Training Plans, Policies, and Procedures

  • Leverage your cross-functional ECRM Working Group to serve as your development task force.
  • Use your Business Strategic Objectives and ECRM Strategic Objectives to guide your work.
  • Get educated – incorporate all applicable regulatory mandates and requirements into your plans, policies, and procedures.
  • Utilize your organization’s standard policy and procedure template.
  • Evaluate “build vs. buy” alternatives for education and training materials.
  • Create an overall program plan to develop, review, and approve each plan.
  • Incorporate change management considerations into your education and training plans.
  • Create a review-revise-approve-communication process.
  • Integrate ECRM Education and Training into colleague onboarding and ongoing training.
  • Establish maintenance processes to stay current.

Summary

It is essential to include a section in your ECRM Framework and Strategy document that covers the education and training elements above and how you will conduct your education and training. Too many organizations have perfunctory training programs that could be much more exciting and engaging. Refrain from squandering all the effort you invested in developing your ECRM Framework and Strategy—help everyone in the organization know what is expected of them.

The chief output of the work discussed in this post is your ECRM Education and Training Plans, Policies, and Procedures.

In Disclosure of a Registrant’s Risk Management, Strategy, and Governance Regarding Cybersecurity Risks, I discuss the SEC proposed rulemaking that would require registrants to provide more consistent and informative disclosure regarding their cybersecurity risk management and strategy. Your ECRM Education and Training Plans, Policies, and Procedures will help you meet this disclosure requirement.

You can visit my YouTube channel, Stop the Cyber Bleeding | Putting ECRM Into Action, which includes brief video clips covering many of the topics in this series. These approximately thirty videos may be incorporated into your training and may also help guide the development of your ECRM Framework and Strategy. The channel can be accessed and subscribed to at https://www.youtube.com/@stopthecyberbleeding/videos.

In the next post in this ECRM Framework & Strategy Series, I will discuss ECRM Automation and Technology Tools Standards, Policies, and Procedures, an essential input into making informed risk treatment decisions.

Questions Management and Board Should Ask and Discuss

  1. Has your organization agreed upon and documented an ECRM Education and Training policy?
  2. Has your organization agreed upon and documented ECRM Education and Training procedures?
  3. Has your organization agreed upon and documented ECRM Education and Training plans?
  4. Does your board’s ECRM agenda include a discussion of relevant current events?
  5. Does your board’s ECRM agenda include an educational component for the board? What topics would be best for your organization, given the current state of your ECRM program?
  6. Does your organization facilitate educational opportunities on ECRM for the board outside of board meetings?
  7. Do you have the internal resources with the appropriate skills, knowledge, and experience to facilitate the development of your ECRM Education and Training Plans, Policies, and Procedures?
  8. Would engaging an experienced, reputable ECRM partner be valuable to establishing, implementing, and maturing your organization’s ECRM Education and Training Plans, Policies, and Procedures?
  9. Do your ECRM Education and Training Plans, Policies, and Procedures meet, today, the future requirements of the SEC’s proposed rule changes on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure?

Endnotes

[1] Educate. Dictionary.com. (n.d.) Accessed February 27, 2023. Available at https://www.dictionary.com/browse/educate

[2] Train. Dictionary.com. (n.d.) Accessed February 27, 2023. Available at https://www.dictionary.com/browse/train

[3] Chaput, Bob. “Stop The Cyber Bleeding: What Healthcare Executives and Board Members Must Know About Enterprise Cyber Risk Management (ECRM).” 2021. Clearwater. Available at https://amzn.to/33qr17n
