I’m super excited to announce the 2021 SANS Security Awareness Report™ is now available. Inspired by the Verizon DBIR, this report enables organizations to benchmark their security awareness efforts and make data-driven decisions on how to improve and mature their programs. As always, not only does the report share the data and findings, but we also provide actionable steps and lessons learned that you can apply to your own program. As this is the report’s sixth year, I wanted to share not only my thoughts about the report but also some trends.
First and foremost is the theme of this year’s report—Managing Human Risk. We chose this new title on purpose. For most organizations, people represent their greatest risk, from phishing attacks and stolen credentials to accidental loss through autocomplete in email or misconfigured cloud accounts. Security awareness programs are one of the most effective ways organizations can manage their human risk. But for too long security awareness has been perceived and treated as a compliance initiative, with success defined by how many people took security training or perhaps by how flashy the training was. As a result, awareness programs were often reporting to, or being driven by, Human Resources, Legal or Compliance. I’m excited to say we are seeing a fundamental shift as leaders approach awareness from a security perspective, as an extension of the security team, to help manage their human cyber risk. That is why I’m so excited about this report: it helps accelerate this process.
To help organizations better apply the lessons learned from the report, we have included for the first time the Security Awareness Maturity Model™ Indicators Matrix. This matrix enables organizations to identify the maturity level of their awareness program, benchmark that maturity against thousands of other organizations, determine the metrics they should be using, and plan the next steps to mature their program. In addition, leadership understands and speaks the language of maturity models, so tools like these enable security professionals to better communicate how they are managing their organization’s human risk.
One of the key findings from the report is the importance of dedicating people to manage an awareness program. As in past reports, we have found that time, not budget, is the greatest challenge facing awareness programs. Effectively changing and securing human behavior throughout the organization requires on average at least 2.5 FTEs (Full Time Equivalents) dedicated to the program. To impact culture and have a strong metrics framework requires on average 3.5 FTEs. Managing human risk is ultimately a people problem, and it requires a people solution. You cannot simply buy a box to manage your human risk. Put another way, ask yourself this question—what percentage of your security program’s success depends on your employees following policies and exhibiting secure behaviors? Now ask yourself—how much are you investing in enabling people to do just that? This is one of the reasons why I’m so excited to see more and more job positions posted for security awareness related roles. The more that managing human risk becomes a dedicated, prioritized effort, the more effective organizations will become at managing their human risk.
Even more exciting is that for the first time we learned about compensation. The average salary reported was $103,000 USD (keep in mind, this is based on global averages across all industries, so your mileage may vary). This is exciting as it gives us a starting point. However, what surprised us was that salaries were higher for those who were dedicated only part of their time to security awareness ($106,000) and lower for those who were dedicated full-time ($96,000). We found a similar relationship for those who had a technical/security background (higher salary) compared to those without such a background (lower salary).
I believe what these data sets are showing is that those who are dedicated only part of the time to security awareness are often already part of the security team and have other security responsibilities as their primary role. Their higher salary could be a reflection of their technical skills and/or of their other security responsibilities. Those who are dedicated full-time to awareness often do not have technical backgrounds and as a result are potentially being compensated less. Another reason could be that the awareness role is not prioritized to the level of other security efforts, such as vulnerability management, incident response or endpoint protection. This suggests that while the field of security awareness has matured in the past five years, we still have a long way to go. Awareness still does not hold the credibility of other strategic security priorities, which is concerning as human risk continues to be one of the top drivers of breaches today.
That is why for this year’s report we are recommending that awareness officers with little or no technical or security expertise look into cybersecurity training for career development. Not only will this enable them to better understand risk and communicate with leaders about managing those risks, but by being able to speak in technical terms they may be perceived as more valuable by technical team members. Also, I feel we need to reframe the discussion from “security awareness” to “managing human risk”. Human risk is far more aligned with most organizations’ strategic security priorities, far more likely to gain leadership buy-in, and far more likely to resonate with a security team. For years now I’ve been pushing for the technical security community to be aware of their “curse of knowledge” and to learn from and adopt many of the skills and lessons learned from the fields of communications, marketing and change management. I now also see the need for (and am promoting the idea that) those of us with human-based skills may need to start developing our cybersecurity skills.
This blog post only scratches the surface of the report; there is a huge amount of actionable information in it, and we hope you can make the most of it. Grab your free copy today.