Security Awareness Programs Need Full-Time Staff | CIO Insight


Jun 21, 2017

Security awareness programs are more likely to be successful when they have full-time employees who communicate effectively with workers and company leaders.

Characteristics of Security Awareness Maturity Model, Part I

Non-existent: There’s no program, and employees have no idea that they are targets and that their actions have a direct impact on security.
Compliance-Focused: Program is designed to meet specific compliance or audit requirements, and training is limited to an annual or ad hoc basis.
Promoting Awareness and Behavior Change: Program identifies training topics with great impact; content is communicated in an engaging, positive way; and employees understand and follow policies, and recognize, prevent and report incidents.

Characteristics of Security Awareness Maturity Model, Part II

Long-Term Sustainment and Culture Change: Processes, resources and leadership support are in place, and cyber-security is an established part of the culture.
Metrics Framework: Program uses this framework to track progress and measure impact, so the program continuously improves and demonstrates ROI.

Maturity of Average Security Awareness Program

Nonexistent: 8%.
Compliance-focused: 27%.
Promoting awareness and behavior change: 55%.
Long-term sustainment and culture change: 10%.
Metrics framework: less than 1%.

Biggest Challenges to Security Awareness Programs

Communication: 16%.
Employee engagement: 14%.
Time: 13%.
Culture: 12%.
Resources: 12%.
Upper management support: 11%.
Other: 9%.
Money: 6%.
Enforceability of program: 4%.
Staff: 2%.

Lacking Resources and Time

58% of respondents said a lack of resources and time hinders security awareness programs. The more time and people available, the more successful an awareness program will be.

Having Part-Time Workers Hinders Success

Only 8% of awareness professionals are dedicated full-time to security awareness initiatives, and 75% spend a quarter or less of their time on awareness.

Full-Time Employees Help Ensure Success

The more full-time employees that are dedicated to a security awareness program, the more successful it will be—even if those hours are divided among different people.

Money Is Not the Problem

The report’s data shows that while the budget does affect the maturity of a program, the correlation of money and maturity is not as compelling as the correlation between time and maturity.

Communication Is Essential

Communication is critical to a successful security awareness program. That requires talking to and engaging with employees, connecting with leaders, and demonstrating the organizational value of security awareness.

Karen A. Frenkel

Karen A. Frenkel is a contributor to CIO Insight. She covers cybersecurity topics such as digital transformation, vulnerabilities, phishing, malware, and information governance.
