Working with hundreds of security awareness programs has taught me one thing, people are key. One of the quickest ways I can determine if an awareness program is going to be successful is by asking how many people are dedicated to the awareness program. Budget is not the indicator, fancy metrics are not the indicator, people are the indicator. If you have just 30% of one person's time dedicated to your awareness program, you will fail. Could you image the results if one-third of one person is all you dedicated to your EndPoint security or Incident Response efforts? If you want to change organizational behavior (Stage 3 of the Security Awareness Maturity Model) you need at least 1.4 FTEs (Full Time Employees) dedicated to your awareness program. If you want to go beyond behavior and change culture and measure that change, you need at least 2.6 FTEs. And that is for organizations with 5,000 employees. How do we know this? Simple, we have hard data from over 1,000 security awareness professionals in the 2017 Security Awareness Report.
It is frustrating when an organization proudly states they have 50 people on their security team, only then to say out of those 50 people only one part-time person runs the entire awareness program. How can you effectively secure the HumanOS when it represents less than 2% of an organization's security effort? If you want to make a difference with your awareness program, invest in people. Can't get the support you need for being full time or hiring more staff? Start by sharing the 2017 Security Awareness Report with your leaders. They will not only see how your program compares to other organizations, but they will see those findings are backed by hard data.
Want to learn more about getting leadership support for your awareness program? Check out these upcoming training events.
