Security Awareness Programs Need Full-Time Staff
Security awareness programs are more likely to be successful when they have full-time employees who communicate effectively with workers and company leaders.
Characteristics of Security Awareness Maturity Model, Part I
Non-existent: There's no program, and employees have no idea that they are targets and that their actions have a direct impact on security. Compliance-Focused: Program is designed to meet specific compliance or audit requirements, and training is limited to an annual or ad hoc basis. Promoting Awareness and Behavior Change: Program identifies training topics with great impact; content is communicated in an engaging, positive way; and employees understand and follow policies, and recognize, prevent and report incidents.
Characteristics of Security Awareness Maturity Model, Part II
Long-Term Sustainment and Culture Change: Processes, resources and leadership support are in place, and cyber-security is an established part of the culture. Metrics Framework: Program uses this framework to track progress and measure impact, so the program continuously improves and demonstrates ROI.
Maturity of Average Security Awareness Program
Nonexistent: 8%. Compliance-focused: 27%. Promoting awareness and behavior change: 55%. Long-term sustainment and culture change: 10%. Metrics framework: less than 1%.
Biggest Challenges to Security Awareness Programs
Communication: 16%. Employee engagement: 14%. Time: 13%. Culture: 12%. Resources: 12%. Upper management support: 11%. Other: 9%. Money: 6%. Enforceability of program: 4%. Staff: 2%.
Lacking Resources and Time
58% of respondents said a lack of resources and time hinders security awareness programs. The more time and people available, the more successful an awareness program will be.
Having Part-Time Workers Hinders Success
Only 8% of awareness professionals are dedicated full-time to security awareness initiatives, and 75% spend a quarter or less of their time on awareness.
Full-Time Employees Help Ensure Success
The more full-time employees that are dedicated to a security awareness program, the more successful it will be, even if those hours are divided among different people.
Money Is Not the Problem
The report's data shows that while the budget does affect the maturity of a program, the correlation of money and maturity is not as compelling as the correlation between time and maturity.
Communication Is Essential
Communication is critical to a successful security awareness program. That requires talking to and engaging with employees, connecting with leaders, and demonstrating the organizational value of security awareness.
The number of full-time employees devoted to security awareness programs and their ability to effectively communicate to and engage with employees are two main reasons why security awareness programs either thrive or fail, says a new report. Furthermore, women are twice as likely as men to be dedicated full-time to security awareness. The findings were made by the SANS Institute in its survey, "2017 Security Awareness Report."

"Ultimately, we, the security community need to stop blaming employees as the security problem and start blaming ourselves," the report says. "It's up to us to understand what the root causes are in failing to change human behavior and address those issues." The report attempts to do just that and outlines steps and recommendations to improve the time devoted to, and the communications about, security awareness programs.

Findings are based on responses of 1,084 professionals in 58 countries who helped build, manage or contribute to their organization's security awareness program. Security awareness success is based on the SANS Institute's Security Awareness Maturity Model described on the first two slides.