Security Awareness Programs Need Full-Time Staff
Security awareness programs are more likely to be successful when they have full-time employees who communicate effectively with workers and company leaders.
Characteristics of the Security Awareness Maturity Model
Non-existent: There’s no program, and employees have no idea that they are targets and that their actions have a direct impact on security.
Compliance-Focused: Program is designed to meet specific compliance or audit requirements, and training is limited to an annual or ad hoc basis.
Promoting Awareness and Behavior Change: Program identifies training topics with great impact; content is communicated in an engaging, positive way; and employees understand and follow policies, and recognize, prevent and report incidents.
Long-Term Sustainment and Culture Change: Processes, resources and leadership support are in place, and cyber-security is an established part of the culture.
Metrics Framework: Program uses this framework to track progress and measure impact, so the program continuously improves and demonstrates ROI.
Share of respondents’ programs at each maturity level:
Nonexistent: 8%.
Compliance-focused: 27%.
Promoting awareness and behavior change: 55%.
Long-term sustainment and culture change: 10%.
Metrics framework: less than 1%.
Challenges respondents cited as hindering their security awareness programs:
Communication: 16%.
Employee engagement: 14%.
Time: 13%.
Culture: 12%.
Resources: 12%.
Upper management support: 11%.
Other: 9%.
Money: 6%.
Enforceability of program: 4%.
Staff: 2%.
58% of respondents said a lack of resources and time hinders security awareness programs. The more time and people available, the more successful an awareness program will be.
Only 8% of awareness professionals are dedicated full-time to security awareness initiatives, and 75% spend a quarter or less of their time on awareness.
The more full-time employees that are dedicated to a security awareness program, the more successful it will be—even if those hours are divided among different people.
The report’s data shows that while the budget does affect the maturity of a program, the correlation of money and maturity is not as compelling as the correlation between time and maturity.
Communication is critical to a successful security awareness program. That requires talking to and engaging with employees, connecting with leaders, and demonstrating the organizational value of security awareness.