


More soft skills are needed for leading today's security awareness programs says Spitzner

Organisations need the right people and skills to enable security awareness to reduce the human error leading to today's security breaches

  • UK
  • April 8, 2015

Ahead of SANS Secure Europe 2015, the region's largest annual InfoSec training event, Lance Spitzner, Director, SANS Institute, suggests that the recent 2015 Security Awareness Report highlights that security awareness programs are still in their infancy and that many lack the soft skills needed to ensure successful implementation.

"In many cases, the wrong people are leading security awareness programmes or lack the training they need to be successful," says Spitzner, an internationally recognised leader in the field of cyber threat research and security training and awareness. "The majority are from highly technical backgrounds and lack skills such as communication and an understanding of human behaviour."

More than 75% of the awareness programs surveyed are run by people with highly technical backgrounds, such as IT admins or security analysts, but with little experience in softer skills, such as communications, change management, learning theory or human behaviour. In addition, people limited to just technical backgrounds may be prone to view security strictly from a technical perspective.

"There is a role for IT and for other stakeholders such as auditors but they should contribute to the definition of sensible policies. Organisations need to invest in and train their security awareness officers on the softer skills required for any security awareness program, or provide them access to the people who can deliver those diverse skills."

Another key finding was that awareness programmes are still immature: "We found that half of the organisations surveyed currently do not have an awareness program or have an immature program that is solely focused on compliance. Only 5% of respondents felt that they had a highly mature awareness program that not only was actively changing behaviour and culture, but also had the metrics to prove it."

The survey was conducted last October by the SANS Institute during National Cyber Security Awareness Month and included approximately 225 respondents with analysis carried out by Bob Rudis of the Verizon DBIR team and validated by community reviews including experts at Charles Schwab, Cisco Systems and Cyber Risk Aware amongst others.

The report found the top two challenges facing security awareness officers are employee engagement and lack of support from senior management. "They need to understand that their organisation cannot effectively mitigate risk if security is treated only as a technical issue; the human issue must be addressed also," says Spitzner.

The report also makes several recommendations, including the advice that any organisation with over 10,000 employees should have at least one person dedicated to running the security awareness program. "Giving the person in charge of security awareness multiple responsibilities destroys his or her ability to focus, and the consequences speak for themselves," says Spitzner, pointing to "human error" as consistently in the top 3 root causes of breaches identified by the influential Data Breach Investigations Report (DBIR), which has examined over 100,000 security incidents over the last decade.

Spitzner will be running the 2-day "MGT433: Securing The Human: How to Build, Maintain and Measure a High-Impact Awareness Program" at this year's Secure Europe, which takes place in Amsterdam during May. For more information on the report, please visit and for more details on SANS Secure Europe 2015 or to register, please visit


About SANS Institute

The SANS Institute was established in 1989 as a cooperative research and education organization. Today, SANS is the most trusted and, by far, the largest provider of cyber security training and certification to professionals in government and commercial institutions worldwide. Renowned SANS instructors teach more than 60 courses at In-Person and Live Online cyber security training events, and more than 50 courses are available anytime, anywhere with our OnDemand platform. GIAC, an affiliate of the SANS Institute, validates practitioner skills through more than 35 hands-on, technical certifications in cyber security. The SANS Technology Institute, a regionally accredited independent subsidiary, offers a master's degree, graduate certificates, and an undergraduate certificate in cyber security. SANS Security Awareness, a division of SANS, provides organizations with a complete and comprehensive security awareness solution, enabling them to easily and effectively manage their 'human' cybersecurity risk. SANS also delivers a wide variety of free resources to the InfoSec community including consensus projects, research reports, webcasts, podcasts, and newsletters; it also operates the Internet's early warning system, the Internet Storm Center. At the heart of SANS are the many security practitioners, representing varied global organizations from corporations to universities, working together to support and educate the global information security community.