To kick off the new year, I wanted to take a step back and look at our top seven blog posts from 2019. Join me as I revisit our industry’s chief concerns, review what we learned and think about how we can help make 2020 an even more secure year.

#7: SSAP Credential

sans security badge

Starting off at number seven was our official announcement of the SANS Security Awareness Professional (SSAP) certification.  This was the number one request we were hearing from the community, including people attending the Security Awareness Summits, and we were super-excited to deliver the first industry-wide credential recognizing security awareness, engagement and culture experts in our field. The SSAP credential signifies, documents and certifies that the holder has met the requirements to elevate and measure the overall security behavior of the workforce as an expert in this growing field. Today, the SSAP is the most effective, comprehensive way to advance a career managing human risk as part of a security awareness program.

#6 NIST Has Spoken – Death to Password Complexity

list security icon

Next on our list is a years-old favorite. Originally published in 2017, and still one of our most popular posts, this blog takes on the passionate topic of passwords.  Not only do passwords represent a high risk, but they can often be a complex, high-cost behavior.  In the past several years there has been a fundamental push to make passwords simpler for people.  This post explores why complexity is now dead, and how pass-phrases are the new standard.

#5: Congressional Report on Equifax Hack

us government capital icon

In 2017 Equifax was hacked, compromising over 140 million records that contained all types of sensitive information, such as Social Security numbers, financial details and home addresses. A watershed breach, in 2019 the U.S. Congress released its own detailed analysis, one of the best and most extensive reports to date. In our blog, we examine why the breach really happened and key takeaways to mitigate a similar occurrence.

#4: Time for Password Expiration to Die


After three years, this also continues to be one of our most popular blog posts.  As mentioned previously, passwords are a hot topic, and regular password change is one of the most heated.  Twenty years ago password expiration had its time and place. Now it just inflicts tremendous pain and a high cost to a workforce with very little, if any, value.  This is the perfect example of what happens when organizations do not leverage human risk assessments when developing their security awareness training — you should always have a good reason for every behavior you teach.

#3: Applying Security Awareness to the Cyber Kill Chain


Our industry has created a variety of models to define and address cybersecurity from a technical perspective. Yet far too often organizations and security professionals perceive cybersecurity purely as a challenge that can only be addressed with technical solutions.  However, we can use these very same models to demonstrate how we can also apply the human perspective to cybersecurity training programs.  In this post, we explain how you can apply security awareness training to each step of the Cyber Kill Chain.

#2: Getting Started in Cybersecurity with a non-Technical Background.

cyber security hero

As a history major who road “Main Battle Tanks” for fun, I’m thrilled that this is one of our top blog posts.  Yes, our field needs technical experts with degrees in computer science, computer engineering, mathematics and other highly technical fields.  But we are also realizing our field desperately needs other skills, like marketing, communications, organizational change and behavioral economics. Just as was Auguste Gusteau’s motto in the animated film Ratatouille, Anyone can cook” — in cybersecurity, “Anyone can geek.” This post explores how those of us who do not have a technical background can get started in cybersecurity and the unique advantages we bring to a security awareness program.

#1: Career Roadmap in Security Awareness and Culture

career roadmap

Though the last blog post of 2019, this one is quickly becoming one of the most popular.  The field of security awareness training is beginning to truly mature, to include official job titles and career paths.  This Career Roadmap details the different SANS courses an individual can take to start, grow and develop their career in human security, starting from Security Awareness Manager and advancing all the way to Chief Information Security Officer (CISO).