From awareness to capability: why cybersecurity starts with people

Cyberattacks are becoming more advanced, but the most vulnerable link often stays the same: people. That is why Kiwa provides training that makes organizations aware of digital and physical risks and shows employees the role they themselves play in cybersecurity. According to Kiwa’s Fabian Dijkman, the key to cybersecurity lies not only in technology but also in behavior and culture. ‘Cybersecurity does not start with technology but with people’s safety awareness.’

Fabian Dijkman, account manager at Kiwa, sees in practice that many organizations only really gain control of cybersecurity when their employees understand that they have an active role. Awareness helps, but according to him it is only the beginning: ‘It makes employees aware of digital and physical risks and activates their role in protecting the organization. But awareness alone is not enough.’

Standards as signposts

In Kiwa’s cybersecurity training, a lot of attention is therefore given to standards like ISO 27001, NEN 7510 and IEC 62443. ‘Not simply to comply with the standard, but because these frameworks help create consistency in behavior and attitude. At Kiwa we believe awareness only has real impact when it is part of a broader learning strategy. A strategy in which standards like ISO 27001, NEN 7510 and IEC 62443 are not seen as the end goal but as signposts. Standards are a shared language for quality and responsibility. Once that language becomes part of daily processes, an organization emerges where quality is continuously monitored, improved and supported by people themselves.’

NIS2 demands demonstrable leadership

Where standards help create a shared language and structure, legislation like NIS2 touches the same core but at the management level. NIS2 requires a demonstrable and robust implementation of cybersecurity measures. Dijkman: ‘Companies that are active in critical chains or provide services to NIS2-obligated organizations are expected to take a proactive strategic approach at the level of executives, directors and top management. Through NIS2 compliance training, executives learn what responsibilities they carry and which steps are needed to control cyber threats and safeguard business continuity.’

From awareness to capability

‘Awareness training is often the first moment when employees really pause to consider their role in digital security. It is a powerful starting point but not the end.’ The real work begins after that, according to Dijkman. ‘Organizations must continue to develop their people. Digital literacy, critical thinking and risk-aware behavior are becoming increasingly important. That goes beyond recognizing phishing emails or choosing strong passwords. Strategically developing human capital ensures that organizations remain agile and reinforce their right to exist.’

Shared responsibility

An organization can only truly become cyber secure when employees feel ownership. ‘People often know what they need to do but do not always feel responsible. Ownership does not arise automatically. It requires involvement, autonomy and seeing that as an employee you really have an impact on the bigger picture.’ Strategic learning helps with that, according to Dijkman. ‘By linking individual learning to organizational goals, a culture emerges in which everyone understands how their actions contribute to security. This turns cybersecurity into a shared responsibility instead of an IT issue.’