Lars S.

Andrew R. The maturity of our ISMS actually lets me point the auditor towards certain controls I want to see listed in the audit report. In fact, I got the budget for SoSafe because of an audit report (and partly because of NIS2). We have a really strict auditor, and every finding will end up in the report — but if I want the auditor to put their finger on a specific problem, it's always been possible to "boost" the focus on that control to get that management attention. Edit: Maybe during my first audit i felt some kind of "fear" but with experience it shifts towards "yet another challenge".

In my experience, it's important to "make security easy," be present, create opportunities for dialogue, and keep colleagues involved in security measures. At the same time, we need to utilize technology to "make insecure behavior hard." "Trust but verify" never worked for me because if you know your organization and culture, you don't need to verify. You already know the security gaps, and the struggle is more about how to close them. Edit: Some thoughts: Trust ist important, but it has a time limit and requires to be regular renewed. Trust is subjective and cant really be measured and therefore cant be a base for decision makings.

Melissa G. In my opinion, it is all about linking the security processes. If incident management, risk management and implementing measures are not linked, the reaction becomes slow and then the result will be the mentioned 19days. If the root cause is a human risk, then awareness measures should follow immediately if the risk evaluation is high or very high for the organisation. The key point is how urgent and concrete the risk is. For an high and immediate risk, 19 days is far too long. For a more abstract or long‑term risk, 19 days sounds "fair". For me the reaction time needs to defined and evaluted by the inherent risk (incl. the orginal threat)

Dr. G. -- mainly policies and training. We are currently rolling out purview to restrict the use of certain labeled documents by AI Services/DLP. In regards to OpenClaw it wont help a lot. 🤔

Melissa G. Dr. G. -- to be honest, currently I am focused not on attackers using AI, its more about colleagues early adopting AI without clear guidelines. In particular colleagues experimenting and maybe even granting Openclaw access and rights to systems and services keeps me up at night. OpenClaw led to a high dynamic with missing awareness to the security implications.

Hi Robert, how long was the awareness campaign active before you questioned the employees? I will definitely look into adopting it once some time has passed.

Lets give it a try 🙂 Something that looks phishy would definitely be an email telling Santa that Christmas Day has been postponed or that there’s a “new global delivery address” for all gifts. To keep his workforce cyber aware during the off-season, I would recommend introducing security challenges adapted to the season. for example in summer: "Spot the most phishing mails an win a security beach towl" - just to keep everybody engaged and informed.

Melissa G. - tbh I'm not entirely sure how to integrate these insights into my security measures. Adapting simulation activities to specific timeframes doesn’t seem right to me. At the moment, my thoughts are leaning toward incorporating them into my security communication strategy. I currently publish an internal security newsletter (Security Schnipsel) every month. I’m considering switching to something like a “Monday Morning Security Briefing.” However that would require a lot of effort. 🤔

Hey Robert K. - Thanks a lot for the insights and the idea. Currently i am preparing an executive presentation at my company regarding our progress with sosafe. Analyzing the raw data helps a lot to gain further insights. 🙂 Sharing is caring (and as data owner i classified them as "non sensitiv" 😉 ) + "early hours" are critical + Monday is critical because of the weekends

Melissa G. It will be displayed on a digital screen in our cafeteria or entrance area. The official announcement and recognication will take place in person during an (quaterly) infomation event. 🙂