Security Awareness Programs Need Full-Time Staff

Security awareness programs are more likely to be successful when they have full-time employees who communicate effectively with workers and company leaders.

Characteristics of Security Awareness Maturity Model, Part I

Non-existent: There’s no program, and employees have no idea that they are targets and that their actions have a direct impact on security.
Compliance-Focused: Program is designed to meet specific compliance or audit requirements, and training is limited to an annual or ad hoc basis.
Promoting Awareness and Behavior Change: Program identifies training topics with great impact; content is communicated in an engaging, positive way; and employees understand and follow policies, and recognize, prevent and report incidents.

Characteristics of Security Awareness Maturity Model, Part II

Long-Term Sustainment and Culture Change: Processes, resources and leadership support are in place, and cyber-security is an established part of the culture.
Metrics Framework: Program uses this framework to track progress and measure impact, so the program continuously improves and demonstrates ROI.

Maturity of Average Security Awareness Program

Nonexistent: 8%.
Compliance-focused: 27%.
Promoting awareness and behavior change: 55%.
Long-term sustainment and culture change: 10%.
Metrics framework: less than 1%.

Biggest Challenges to Security Awareness Programs

Communication: 16%.
Employee engagement: 14%.
Time: 13%.
Culture: 12%.
Resources: 12%.
Upper management support: 11%.
Other: 9%.
Money: 6%.
Enforceability of program: 4%.
Staff: 2%.

Lacking Resources and Time

58% of respondents said a lack of resources and time hinders security awareness programs. The more time and people available, the more successful an awareness program will be.

Having Part-Time Workers Hinders Success

Only 8% of awareness professionals are dedicated full-time to security awareness initiatives, and 75% spend a quarter or less of their time on awareness.

Full-Time Employees Help Ensure Success

The more full-time employees that are dedicated to a security awareness program, the more successful it will be—even if those hours are divided among different people.

Money Is Not the Problem

The report’s data shows that while the budget does affect the maturity of a program, the correlation of money and maturity is not as compelling as the correlation between time and maturity.

Communication Is Essential

Communication is critical to a successful security awareness program. That requires talking to and engaging with employees, connecting with leaders, and demonstrating the organizational value of security awareness.

Karen A. Frenkel
Karen A. Frenkel is a contributor to CIO Insight. She covers cybersecurity topics such as digital transformation, vulnerabilities, phishing, malware, and information governance.
