A security awareness program not only needs to prioritize and focus on behaviors that pose the most risk, but it also needs to be engaging, it needs to thrive, and it needs to subsequently be measurable. It’s no wonder that establishing a mature security awareness program is a challenging endeavor.
The report was created to empower security awareness professionals to make data-driven decisions that improve their security awareness programs.
In this year’s report, data was analyzed from over 1,700 respondents, providing even greater insight into how to benchmark and mature a security awareness program. Gain insight into the top five challenges in managing human risk and how the most mature awareness programs overcome those challenges:
1. Time, Not Budget, is Key
Time is the most precious resource for awareness professionals, and it was reported as one of an awareness officer’s biggest challenges. From partnering and collaborating with others, to project management and metrics, you will never have enough time. Try to leverage your budget to hire staff or contract out work to others.
2. Full-Time Employees
Many organizations still treat security awareness as a part-time job, which can result in failing to change human behavior. A mature awareness program needs at least 1.9 Full-Time Employees (FTEs) dedicated to an awareness program if you’re looking to foster lasting behavior change. Employing adequate, qualified, and dedicated cyber security awareness staff is paramount to your organization’s success.
3. Soft Skills
Security awareness professionals often lack the soft skills necessary for effective communication and cross-departmental engagement. Recruit someone from your communications department into your security team, or hire staff with strong soft skills from backgrounds such as marketing or journalism, to help support your communication efforts.
4. Leadership Support
The data* strongly indicates that long-term leadership support is key to a successful awareness program. As such, dedicate 4 hours a month to collecting metrics and use that data to communicate to leadership the impact awareness is having. Use a champion who can help you craft that monthly message.
5. Department Blockers
Survey respondents* identified Finance and Operations as the two most common department blockers for awareness programs. Work with operations to minimize the impact, for example by training on the fewest topics possible and using pull methods where the workforce comes to you for content or training. Use strategic metrics to demonstrate to the finance department how the awareness program is a low-cost way to dramatically improve overall security posture.
To discover more and share this information with your organization, we’ve created a visual representation of these findings.
*These findings are based on the SANS 2018 Security Awareness Report. This report was analyzed by The Kogod Cybersecurity Governance Center (KCGC) and written by SANS Security Awareness. The data was submitted by 1,718 security awareness professionals from around the world to identify and benchmark how organizations are managing their human cyber security risk.