Every year SANS Institute surveys thousands of security awareness practitioners around the world to benchmark and better understand how organizations manage their human risk. The survey data is used to create a free report providing findings and data-driven action items you can use to mature your security program and increase your cybersecurity team’s skills and confidence. For 2023, we are excited to publish the 8th edition of the report. It contains data from almost 2,000 security awareness practitioners from over 80 countries, one of the largest data sets we have ever had. Below are some key findings and takeaways from the 2023 report, [get your free report now].
Measuring Program Maturity
As a best practice, once a year, every organization should conduct an exercise using the Security Awareness Maturity Model to measure the maturity of its security awareness/culture program. The outputs of this exercise are used to identify the drivers that will have the greatest impact on your program’s maturity and success. The number one driver of program maturity is the number of Full-Time Employees (FTEs) on your security awareness team. In this exercise, FTEs means the number of people contributing to your program, counted by the time they devote to it: if you have two people working half time on your security awareness/culture program, that adds up to one FTE. Managing human risk is ultimately a people problem, and people are the solution. You cannot simply throw more technology into your environment and expect to manage human risk. The more people on your security awareness team, the more effectively you can engage your workforce, change people’s behavior, and ultimately create and measure a strong security culture.
To grow your security awareness team, you need to communicate to leadership the value (and cost savings) your team brings, day in and day out, to the organization. The most common mistake awareness teams make is communicating in terms of all the security awareness training activities they are managing. Instead, security awareness teams must communicate in terms of how they are managing human risk and how the program aligns and supports leadership’s strategic priorities. The report goes into much more detail, providing action items you can take to grow your team.
Top Human Risks
This year we wanted to better understand organizations’ top human risk concerns and which priorities their security awareness teams are focusing on. The number one risk identified is social engineering attacks, or what we call the *ishings – Phishing (email-based attacks), Vishing (phone-based attacks), and Smishing (messaging-based attacks).
What surprised us is not that social engineering topped the list, but that it was perceived as a far greater risk than all other human risks combined, including passwords. Regardless of a cyber attacker’s identity, skill level, resources, or motivation, social engineering is the simplest and most effective way for most cyber attackers to gain a foothold in any organization.
A common question we are asked is: what is the average compensation in this growing field? To answer this question, our 2023 report takes a much deeper dive into compensation by breaking down salaries not only by region and industry, but also by job title. One of the most interesting findings was that, for the first time, this year’s survey found that security awareness practitioners specializing in human risk (as defined by their job title) are paid more than those with titles not focused on human risk. Globally, the salaries of awareness professionals whose title reflects a human-risk focus average $104,157, compared to $97,350 for professionals in all other roles. In North America, the average salary of awareness professionals whose title reflects a human-risk focus is $122,486, versus $115,366 for professionals with unrelated job titles. You can find far greater detail and more breakdowns in the report, including multiple action items you can employ to increase your cybersecurity team’s skills and confidence as well as your own compensation and career growth.
To learn more about maturing your security awareness program and growing your career, download a FREE copy of the SANS 2023 Security Awareness Report: Managing Human Risk.
To learn more about human risk management, consider sending your security awareness team to the SANS Institute’s In-Person or Online MGT433: Managing Human Risk course.