Welcome to the 2018 Security Awareness Report. We could not be more excited to share this wealth of information with you. The goal of this report is to enable you to make data-driven decisions on not only how to mature your security awareness program but also to benchmark your program against others. This year's report is our 4th annual report and is based on data from over 1,700 security awareness professionals from around the world.*
Over the coming weeks we will be sharing detailed findings and lessons learned from the report; however, here are some quick highlights you can grab now.
- People, not Budget, are Key: The data repeatedly show that you need at least 1.9 Full Time Employees (FTEs) managing your awareness program to effectively change behavior at an organizational level. You need 3.9 FTEs to change culture and have the metrics framework to measure that change. Far too many awareness programs fail because organizations approach security awareness as a part-time effort.
- Maintaining Leadership Support: The most mature awareness programs consistently have the greatest level of leadership support. The key to that support is demonstrating value to leadership. We recommend that you dedicate at least 4 hours a month to collecting metrics on your program and communicating those metrics (and success stories) to your leadership. Not sure how to communicate those findings? Find a champion in your organization to help craft your message to leadership. Struggling with leadership to get that new hire? Share this report with them and show them pages 21-22.
- Soft Skills: Once again we found that a lack of soft skills contributed to the failure of many awareness programs. Far too often these programs are led by people with highly technical skills. While these individuals understand technology and the behaviors people need to securely use technology, they have no skills or experience in how to communicate those behaviors and engage their workforce. Stop hiring computer science majors to lead your awareness program and start hiring marketing or communications majors with a passion to learn and help others.
The field of security awareness is still very immature. Over 70% of awareness professionals do not know what their budget is for next year; the vast majority of job titles for security awareness have nothing to do with awareness, culture or behavior; and far too many people are part time in this field. Fortunately, we are seeing more organizations understanding that cybersecurity is not just a technical challenge but is also a human one, and they are beginning to invest more in awareness programs. We are also seeing that the biggest supporters of security awareness are key departments such as information security and communications.
*This report was produced based on survey data from 1,718 respondents globally. The data were then analyzed by the Kogod Cybersecurity Governance Center (KCGC) and the report written by us at SANS Security Awareness. For more information, or if you have feedback about the report, you can contact us at SecurityAwareness@sans.org.