CIBG x Awareways
Building sustainable knowledge for information security


About the organization
The CIBG is an executive agency of the Ministry of Health, Welfare, and Sport. Working for the organization means handling a large volume of confidential data daily, covering various sectors, with a strong focus on healthcare and a keen emphasis on privacy.
To ensure security and privacy, the CIBG collaborates with multiple service providers, with Awareways being a key partner for its awareness program – comprising training sessions, the annual assessment, and the phishing strategy, among other components.

The need
“Your program was the clear frontrunner during the tender process five years ago,” says Bastiaan. “Since then, we have renewed it each year with great enthusiasm.
This reflects not only the quality and impact of the program but also the collaboration. There is close and frequent communication about new components, regular meetings to ensure continuity, and always enough flexibility to tailor the program to the specific needs of the CIBG.”

The solution
“Awareways provides a comprehensive solution that demonstrates it’s about more than just compliance,” says Karen Sipsma, Senior Communications Advisor at CIBG. The government organization had a baseline measurement (the Culture Scan) conducted in 2022 and has since carried out a follow-up measurement annually.
“We use this to evaluate the program and assign new roles to the focus areas in the next phase,” adds Bastiaan Mol, a colleague and Information Security Officer at CIBG.

Information security as starting point
“We process a vast amount of data every day,” says Karen. “The government rightfully places a strong focus on this, with frameworks like the BIO (Baseline Information Security Government, the fundamental security standard for all levels of government). But within the CIBG, information security has also been a key priority for many years.”
“It is essential to ensure that information is processed securely and that our employees have the right knowledge to do so correctly.”
“In security and privacy, employees are the biggest risk factor,” Bastiaan adds. “I don’t mean that in a negative way—it’s simply a reality that human actions play a crucial role. That makes awareness and training a clear target point.”
“We emphasise repetition because a single training session doesn’t lead to lasting behavioral change—at best, only in the short term. That’s why we work with structured campaigns aimed at both knowledge transfer and behavioural change.”

Behavioural change as a result
“After an internal assessment during the procurement process, Awareways clearly came out on top,” Bastiaan recalls. “The decisive factor was a presentation showcasing a model that integrates knowledge, attitude, and behaviour – clearly rooted in social psychology. It wasn’t just information transfer but training that sticks and genuinely facilitates change.”
“The first-year program confirmed that we made the right choice. The Engine (the predecessor of Wave) allowed us to tailor important topics to the right target groups through different levels: Bronze, Silver, and Gold. Bronze and Silver were mandatory for the entire organisation, while we prioritised Gold for topics like personal data, specifically targeting our HR team.”
Karen adds, “This approach has now evolved in Wave into levels like Basic and Advanced, with shorter modules that make participation even more accessible.”
“That’s a great improvement. What makes Awareways stand out is your flexibility and comprehensive approach – it’s about more than just compliance. The focus is on sustainably building knowledge with the ultimate goal of changing our colleagues’ behaviour.”
“We experience a relatively high turnover of employees,” says Bastiaan, “and we work with many external staff. That’s why repetition is crucial. The Basic and Advanced modules are not only mandatory organisation-wide but have also been integrated into the onboarding process for new colleagues. This ensures that security awareness remains top of mind from day one.”


The power of repetition
“Take, for example, the phishing strategy we implemented. The results from the first round were fairly good – not quite where they needed to be, but very insightful. The second round saw a slight dip, while the third and final round landed somewhere in between. This clearly shows that ongoing attention is essential, just like with all other aspects of security. It’s not about a one-time intervention but a continuous effort – because cybercriminals are constantly evolving their tactics as well.”
That’s why, beyond the Awareways program, the CIBG closely monitors ongoing developments and takes action whenever necessary.

Thinking ahead
“What do we need from a security awareness organisation going forward? Speaking from the CIBG’s perspective, our security department is evolving rapidly. A few years ago, it consisted of just three people, mainly working in a second-line role. Now, we have a team of seven – including our own security and privacy architect – and we’re taking a first-line approach to policy and developments, looking outward before bringing insights inward. With our team at full capacity, we can now clearly define and distribute roles more effectively.”

Stronger together
“A strong awareness program also encourages organisations to take their own initiatives and respond to current developments,” says Karen. “We do this through internal communication and our intranet. This could be a post on World Password Day, but also guidance on AI and chatbots, explaining why we approach them with caution. Or even developing an escape room at our location, in collaboration with another party, to engage with important topics in a hands-on way.”
“We had our general director introduce the initiative via video to demonstrate management’s involvement – setting that example is crucial.”
“There’s also significant attention to security awareness within the broader government sector. As a public organisation, we adhere to strict requirements. This program supports us by providing key components that we can tailor to our organisation, allowing us to implement them in a creative and effective way.”

A good awareness program
“What I find especially strong about our collaboration,” Bastiaan concludes, “are the ‘town hall meetings’ organised around Awareways’ periodic assessments. First, an on-site presentation is given to the management team and department heads, providing clear insights into progress, results, and key focus areas. This presentation is then repeated online – sometimes with an engaging guest speaker covering a trending topic – so the entire organization can join in.”
“That’s incredibly valuable because it sparks active discussions. It doesn’t just resonate with security staff but also with business teams, support departments, architects, and developers.”
“Questions like ‘What’s the cause of result X?’ or ‘Why do we approach this issue in a certain way?’ come up naturally. It turns security awareness into a real ‘water cooler topic’ – something people talk about informally at the coffee machine. And that’s the most important thing because that’s when it truly becomes embedded in your organizational culture.”