One of the biggest take-aways (and surprises) for me from the 2015 Security Awareness Report is the lack of soft skills in our field. Over 75% of those leading or supporting a security awareness program had very technical backgrounds, including IT admins, security analysts and even webmasters (page 8). In addition, we found most security awareness programs falling under the IT chain of command. Once you read the report, it really makes sense.
If an organization is concerned about the security of its employees, where does it go? The security team. And who makes up most security teams? Highly skilled and highly technical wizards who live and breathe bits and bytes. However, awareness is ultimately about changing human behavior, and to do that effectively it comes down to communication. If people do not know what they are supposed to do or why, they will neither be motivated nor have the ability to do what you want (see BJ Fogg's Behavior Model). Now, how much training have most security teams had in communications? Probably very little. In fact, security professionals are taught how NOT to communicate: the less you share, the more secure you are. So, in most cases security professionals are the last people you want leading, or at least communicating, your awareness program. I'm just now beginning to see organizations recognize and address this. I know of two Fortune 500 companies that put out job advertisements for Security Awareness Communicators. In addition, I know of one extremely large bio-tech company that has someone from its communications department embedded full-time in the security team.
Long story short, for us to really start securing the human element, I feel we have to develop our softer skills, starting with communication. For security geeks looking to develop their communications kung-fu, a great place to start is the book Made to Stick, by Chip and Dan Heath.