Building Competence for Evolving Information Security Expectations

Organizations responsible for managing information security often reach a similar point in their journey. After strengthening technical controls and improving internal processes, new questions begin to emerge.

How should privacy be managed across systems and partners?
How should emerging technologies such as artificial intelligence be governed responsibly?
How can teams maintain consistency as expectations from customers, regulators, and leadership continue to expand?

These questions illustrate an important shift. Information security is no longer only about protecting systems. It increasingly connects with areas such as privacy information management and the governance of emerging technologies such as AI, for example through AI management systems.

In this environment, organizations cannot predict every new requirement that may emerge. What they can do is strengthen internal competence so teams are able to adapt as expectations evolve.

Why competence matters

Many organizations invest heavily in security technologies. Firewalls, monitoring systems, and identity management controls are essential components of a modern security program. However, technology alone does not determine how effectively risks are managed.

Information security is implemented and maintained by people. Decisions about data handling, access rights, vendor interactions, and incident response depend on the knowledge and judgment of employees across the organization.

Insights from DNV’s ViewPoint research on information security management indicate that many organizations increasingly recognize the importance of training, governance, and internal competence as key elements in strengthening their security posture.

When employees lack clarity about responsibilities or procedures, even well-designed technical controls may be applied inconsistently. For this reason, strengthening competence across the organization has become an essential component of effective information security management.

Developing capability across the organization

Competence in information security does not apply only to technical specialists. Many roles interact with information systems, customer data, or digital processes in ways that influence security outcomes.

A structured capability approach often includes:

  • Ongoing training and awareness for employees
  • Role-specific education for teams responsible for data governance and IT operations
  • Internal subject matter experts who can guide colleagues and answer questions
  • Leadership engagement that reinforces consistent security practices

Training may take different forms depending on the organization. Some companies use short awareness modules or e-learning programs, while others implement structured training aligned with recognized frameworks such as ISO/IEC 27001 information security management systems.

Organizations often combine training initiatives with broader programs such as DNV’s information security and IT service management services to strengthen internal capability and support long-term governance.

The role of management systems

Maintaining competence across an organization requires structure. Without defined processes, training and awareness efforts may become inconsistent as organizations grow or adopt new technologies.

International standards such as ISO/IEC 27001 provide a framework for building structured information security management systems.

These systems integrate:

  • risk identification and assessment
  • governance processes and responsibilities
  • implementation of security controls
  • monitoring and continual improvement

Within this framework, organizations must ensure that personnel performing roles affecting information security are appropriately trained and aware of their responsibilities.

This structured approach helps maintain consistency even as organizations expand operations, adopt cloud technologies, or integrate new digital services.

Preparing for evolving expectations

Expectations related to information security continue to expand. Customers increasingly request evidence of security practices during supplier approval processes or contract negotiations.

Widely recognized frameworks such as the NIST Cybersecurity Framework emphasize structured risk management, governance, and continuous improvement as essential elements of modern cybersecurity programs.

Organizations are also paying increasing attention to privacy governance and the responsible use of emerging technologies. As digital ecosystems expand, organizations must be prepared to respond to new requirements and expectations from customers, partners, and regulators.

Instead of attempting to anticipate every future requirement, many organizations focus on strengthening internal capability so they can respond effectively as expectations evolve.

Competence development plays an important role in that effort. When teams understand the principles behind risk management, governance, and security controls, they are better prepared to adapt to new frameworks, technologies, or regulatory developments.

A practical path forward

Building competence does not require a large transformation program. Many organizations begin with practical steps such as training initiatives, awareness programs, or internal capability development aligned with recognized frameworks.

Tools such as DNV’s online information security self-assessment can help organizations evaluate their current level of readiness and identify areas for improvement.

Over time, these efforts support the implementation of structured management systems that bring together governance, risk management, and continuous improvement.

In an environment where expectations around digital trust continue to evolve, organizations that invest in competence are often better prepared to respond with clarity and confidence.

3/3/2026 10:36:00 PM