Looking at some of the CIS controls, one of which states:
'Perform a skills gap analysis to understand the skills and behaviours workforce members are not adhering to, using this information to build a baseline education road map'.
What kind of evidence and techniques would you use in the skills gap in order to start to build up your education road map? There must be some methodical way of identifying the skills gap?
And secondly, what exactly does your security awareness program entail for new employees and existing? E.g. what are they subject to, what do they have to complete, how often, who records and monitors results, etc.
https://www.cisecurity.org/controls/implement-a-security-awareness-and-training-program/