After teaching and working with literally hundreds of organizations on their security awareness programs, we know it's hard, very hard, to build a mature program. By mature we mean going beyond just changing behavior to creating a secure culture and having the metrics to prove it. A key challenge we see time and time again is that so many different skills and areas of expertise are required: risk analysis, communications, project management, learning theory and behavior modeling, to name a few. As a result, we found most organizations had trouble not only defining what success looked like, but also working out how to get there.
That is one of the reasons why we created the Security Awareness Maturity Model. This model was created five years ago based on the input of over 200 security awareness officers. Since then, organizations around the world have leveraged this model in different ways, including:
- Baseline: Organizations use the model to identify how mature their awareness program is. By baselining their programs, organizations can then track, measure and communicate their progress.
- Roadmap: One of the most common challenges we see security awareness teams face is that they do not know what path to take. The model enables organizations to identify their short- and long-term goals, and the steps they need to take to get there. Awareness is hard; however, the maturity model provides organizations with a tried and tested long-term roadmap.
- Benchmark: Organizations use the model not only to track their progress, but also to benchmark and compare how mature their awareness programs are against other organizations in the same industry.
- Support: Sometimes we see that executive leadership knows their organization has a human problem, yet they feel awareness is not the solution. The power of the maturity model is that it demonstrates to leadership not only where your awareness program is and where you want to take it, but also that your awareness team has a proven plan for how to get there.
Building a comprehensive, mature awareness program is hard; however, we are here to help. Over the coming weeks and months we will be posting a series of blogs on how to leverage the Security Awareness Maturity Model to establish an awareness program that is both easier to maintain and more effective at managing human risk.