A common challenge I'm seeing organizations have, both small and large, is how to engage people in their security awareness program. Some common limitations I'm seeing include:
- Security awareness training is not required. To be honest, I was surprised by this. Even large organizations that have a low risk tolerance often did not have required training. Or, if the training is required, it is only the bare minimum.
- Corporate limits how often you can communicate with employees. For example, corporate may not allow your security awareness team to email employees, as they are attempting to reduce the amount of internal email people have to read.
- Limited budget.