SANS 2015 Security Awareness Report

We are very excited to announce the release of the 2015 Security Awareness Report. This report details the findings from the Security Awareness Survey taken in October 2014 by 220 security awareness officers. This report will help you gain the management support and resources you need to be successful, and enable you to benchmark your awareness program against other organizations in your industry. This report would not be possible without the help of the community. We would especially like to thank Bob Rudis of the Verizon DBIR team and Lance Hayden of Cisco for all their amazing support. Below is the summary of the report. You can download the full report from our resources website.

  1. SUPPORT IS ESSENTIAL: We found a direct correlation: the more time and resources security awareness officers have, the more mature their program is. Unfortunately, only 5% of the respondents work on their security awareness program full time. In addition, the vast majority of security awareness budgets are under $10,000. It is clear that security awareness programs will continue to fail until they get the same emphasis and support as technical controls. To address this, we have to better educate senior leadership that cyber security is far more than just bits and bytes; it also includes the human element.
  2. SOFT SKILLS ARE LACKING: More than 75% of the awareness programs surveyed are run by people with highly technical backgrounds, such as IT admins or security analysts, but with little experience in softer skills, such as communications, change management, learning theory or human behavior. In addition, people limited to just technical backgrounds may be prone to view security strictly through a technical lens, while failing to account for the human factor. Organizations need to invest in and train their security awareness officers on the softer skills required for any security awareness program, or provide them access to the people who can deliver those diverse skills. In addition, we found that most security awareness programs sit somewhere within an information technology-centric reporting chain. The question becomes: is this where security awareness programs should be?
  3. SECURITY AWARENESS IS STILL IN ITS INFANCY: Using the Security Awareness Maturity Model, we found that half of the organizations surveyed currently do not have an awareness program or have an immature program that is solely focused on compliance. Only 5% of respondents felt that they had a highly mature awareness program that not only was actively changing behavior and culture, but also had the metrics to prove it. In addition, we found that one of the top challenges organizations face in 2015 is making people aware they are targets. This implies that we are still in the beginning stages of creating secure cultures. If we are going to effectively change behavior, employees must feel a sense of urgency and understand not only that they are targets, but that their actions play a key role in securing the organization.