One of the fundamental issues in cybersecurity is the still widespread lack of understanding of its importance. Everyone knows that a warded lock can easily be opened, even with a simple “tool” such as a hairpin. Considering that too many people still use passwords such as “12345678” or “password”, that knowledge does not seem to extend to cybersecurity. This is why increasing security awareness plays an important role in securing businesses. A new report now shows that while progress is being made, security awareness programs are still far from being effective.
The report, published by Security Awareness company SANS, analyzes the data of over 1,500 security awareness professionals from around the world to benchmark how organizations are managing human risk and provides data-driven action items to mature awareness programs.
“Cybersecurity is no longer just about technology but about people: managing human risk. Awareness programs enable security teams to do just that by not only guiding how people think about security but how they act, from the Board of Directors on down,” said Lance Spitzner, SANS Security Awareness Director and co-author of the report. “This report enables security professionals to make data-driven decisions on how they can most effectively engage the workforce and manage human risk.”
Hope is not a strategy
Higher engagement from the workforce is definitely needed; that much becomes clear when reading the report. But management also needs to consider security awareness an asset rather than a liability. That most businesses don’t assign security awareness the priority it needs becomes obvious when taking a look at some of the key findings of the report:
- Workforce: Most professionals engaged in security awareness spend less than half their time on the topic, which means it is usually not their main job. Another finding from the report backs this conclusion: security awareness responsibilities are very commonly assigned to staff with highly technical backgrounds who may lack the skills needed to engage their workforce effectively in simple-to-understand terms.
- Challenges: Because security awareness is often only a part-time job, most professionals engaged in training activities lack the time to manage the awareness program. In addition, a lack of personnel makes it difficult to develop and implement those trainings.
- Personnel: The report also shows that those programs which were effective and actually changed the behaviour of engaged users had at least 2.5 FTEs (Full-Time Equivalents) dedicated to helping manage their awareness program. Those impacting culture and having the metrics framework to prove it had 3.5 FTEs on average.
- Compensation: Even though a technical background might not be ideal for engaging the workforce, professionals with a technical background who work on security awareness still make up to $10,000 more on average than those with a non-technical background. On average, the salary for a full-time security training professional was found to be $103,000.
“Security awareness programs have evolved from a limited compliance focus to becoming a key part of an organization’s ability to manage human cyber risk,” said Dan deBeaubien, SANS Security Awareness Director and co-author of the report. “While security awareness programs are gaining executive support, there is still a long way to go before enough personnel, resources and tools are allocated to this effort.”
The report comes at a time when the coronavirus crisis has unsparingly exposed the shortcomings of security measures at a lot of companies, specifically small and medium-sized businesses, which too often engaged in security negligence rather than establishing a sound plan to protect their business. Of those measures, security awareness might be the one thing companies should focus on most. During last year’s cybersecurity awareness month, we interviewed Jelle Wieringa, Security Advocate at KnowBe4, who attested to this. We also talked to Lance Spitzner, Director at SANS Institute and co-author of this year’s report, who showed the numbers to back this claim. Simply stated, it has never been more important to effectively create and maintain a cyber-secure workforce and a vibrant security culture.