2018 SANS Security Awareness Report - Time

Earlier this month we announced the release of the 2018 Security Awareness Report.  You can find an overview of the report in this blog post here.  For this week we are going to do a deep dive on one of the key findings, time.  Specifically, the data shows us that time and not budget is your key resource for success.  First, too many awareness programs fail because they are treated as a part time effort.  Over 80% of people involved in security awareness spend half of their time or less managing human risk.  Only 11% would be considered full-time or almost full-time.  Can you imagine a Security Operations Center or your Incident Response team consisting of only one or two part time people?  The first step to building a mature awareness program is investing in people to build, manage and maintain it. So, how many people do you need?  Well, it depends on how mature you want to build your program.  Leveraging the Security Awareness Maturity Model, you can determine how many people you need to achieve each of the five stages.  Below are the average number of combined FTEs (Full Time Employees) needed to achieve each level. 

  1. Non-existent: 0.8
  2. Compliance:  1.6
  3. Behavior Change:  1.9
  4. Sustain and Culture Change: 2.7
  5. Metrics Framework: 3.7

These numbers are for an average organization of 5,000 people, but to be honest we found the numbers to be rather consistent for organizations, also significantly larger.  At first this does not make sense, you would think that for every X number of employees you would need Y number of awareness people.  However many awareness activities work on economies of scale.  It does not matter how many employees you have, it takes relatively the same amount of time to create a newsletter, distribute a video, select and launch a phishing simulation or collect and communicate metrics to leadership.  You will also notice that the number of FTEs increases dramatically in the last two stages.  Once again, this makes sense.  Achieving stage three (behavior change) typically leverages automated tools such as CBT (Computer Based Training) and Phishing Simulations.  However, to truly scale beyond that you need more people to support more time intensive efforts, such as Ambassador Programs, Gamification, Escape Rooms, Hacking Demos and Check-up Booths.

Managing human risk is not only a people based problem but also a people based solution.  You simply can't just buy technology and expect that to change human behavior.  To truly manage your human risk you need people communicating to and interacting with other departments, leadership and your workforce. And for that, you cannot simply treat awareness as a part time job, you need dedicated resources.  And who should those people be?  That is the subject for our next blog post :)