Security Awareness Programs Need Full-Time Staff

 
 
By Karen A. Frenkel  |  Posted 06-21-2017
 
  • Security Awareness Programs Need Full-Time Staff

    Security awareness programs are more likely to be successful when they have full-time employees who communicate effectively with workers and company leaders.
  • Characteristics of Security Awareness Maturity Model, Part I

    Non-existent: There's no program, and employees have no idea that they are targets and that their actions have a direct impact on security. Compliance-Focused: Program is designed to meet specific compliance or audit requirements, and training is limited to an annual or ad hoc basis. Promoting Awareness and Behavior Change: Program identifies training topics with great impact; content is communicated in an engaging, positive way; and employees understand and follow policies, and recognize, prevent and report incidents.
  • Characteristics of Security Awareness Maturity Model, Part II

    Long-Term Sustainment and Culture Change: Processes, resources and leadership support are in place, and cyber-security is an established part of the culture. Metrics Framework: Program uses this framework to track progress and measure impact, so the program continuously improves and demonstrates ROI.
  • Maturity of Average Security Awareness Program

    Nonexistent: 8%. Compliance-focused: 27%. Promoting awareness and behavior change: 55%. Long-term sustainment and culture change: 10%. Metrics framework: less than 1%.
  • Biggest Challenges to Security Awareness Programs

    Communication: 16%. Employee engagement: 14%. Time: 13%. Culture: 12%. Resources: 12%. Upper management support: 11%. Other: 9%. Money: 6%. Enforceability of program: 4%. Staff: 2%.
  • Lacking Resources and Time

    58% of respondents said a lack of resources and time hinders security awareness programs. The more time and people available, the more successful an awareness program will be.
  • Having Part-Time Workers Hinders Success

    Only 8% of awareness professionals are dedicated full-time to security awareness initiatives, and 75% spend a quarter or less of their time on awareness.
  • Full-Time Employees Help Ensure Success

    The more full-time employees that are dedicated to a security awareness program, the more successful it will be—even if those hours are divided among different people.
  • Money Is Not the Problem

    The report's data shows that while the budget does affect the maturity of a program, the correlation of money and maturity is not as compelling as the correlation between time and maturity.
  • Communication Is Essential

    Communication is critical to a successful security awareness program. That requires talking to and engaging with employees, connecting with leaders, and demonstrating the organizational value of security awareness.
 

The number of full-time employees devoted to security awareness programs and their ability to effectively communicate to and engage with employees are two main reasons why security awareness programs either thrive or fail, says a new report. Furthermore, women are twice as likely as men to be dedicated full-time to security awareness. The findings come from the SANS Institute's survey, the "2017 Security Awareness Report."

"Ultimately, we, the security community, need to stop blaming employees as the security problem and start blaming ourselves," the report says. "It's up to us to understand what the root causes are in failing to change human behavior and address those issues." The report attempts to do just that and outlines steps and recommendations to improve the time devoted to, and the communications about, security awareness programs.

Findings are based on responses from 1,084 professionals in 58 countries who helped build, manage or contribute to their organization's security awareness program. Security awareness success is based on the SANS Institute's Security Awareness Maturity Model described on the first two slides.

 
 
 
 
 
Karen A. Frenkel writes about technology and innovation and lives in New York City.