On August 4, SANS released the 2019 SANS Security Awareness Report, which aggregates survey data from 1,570 security awareness professionals from around the world. The main purpose of this annual report is to outline what enables organizations to build thriving awareness programs, identify potential traps, and show how to solve these issues. The data in the report also helps organizations manage their human risk, including the maturity, funding, and staffing of security awareness programs. Here are the key findings for 2019:
- The job title of the person running the security awareness program is also an influencing factor. The survey found that less than 10% of respondents' job titles contain the words “awareness” or “training.” This reflects that the role is rarely a dedicated position and that the security awareness field as a whole is still immature.
- Leadership support is a key factor in program success. The report also highlights how important it is for leadership to understand what peer organizations are investing in information security. The report investigates the various impediments to and enablers of awareness programs. The strongest supporters of these programs are IT and security, followed by legal and senior leadership. The main obstacles come from the operations and finance departments, because most awareness programs have significant budgetary and operational impacts on the organization.
- According to the report, time and staffing are the main challenges faced by security awareness professionals: more than 75% say they spend less than half of their time on security awareness. At the same time, the survey data show a strong correlation between the number of people working on an awareness program and the maturity of that program. The more staff dedicated to the program, the more mature the program tends to be.
- This year's survey shows that 80% of security awareness professionals have a technical background. This is both an advantage and a challenge, as technical staff often lack the soft skills needed to communicate risk effectively. This makes reaching a mature level of security awareness a difficult task. The data in the report also show that the best way to address human cyber risk in an organization is to invest in systematic training.
Since this report is intended to help organizations identify what successful awareness programs are doing effectively and what failing or immature awareness programs could improve upon, it is built around the Security Awareness Maturity Model. The Security Awareness Maturity Model was established in 2011 with input from over 200 awareness professionals. With this model, organizations can easily identify where their security awareness program currently stands and outline the path to where they want it to be. The model is based on five distinct stages:
- Non-Existent: At this lowest stage, employees could easily fall victim to cyber attacks because they have no idea that their actions have a direct impact on the security of the organization. In other words, employees do not know or understand the organization's policies.
- Compliance Focused: At this stage, employees are unsure about the organization's policies and their specific role in protecting information assets. The program meets specific compliance or audit requirements, with training limited to an annual or ad-hoc basis.
- Promoting Awareness & Behavior Change: At this stage, employees understand and follow the organization's policies and actively recognize, prevent, and report incidents. The program identifies the training topics that have the greatest impact on supporting the organization's mission and focuses on those key topics, and the training includes continual reinforcement throughout the year.
- Long-Term Sustainment & Culture Change: At this stage, the program and cybersecurity are an established part of the organization's culture, because the processes, resources, and leadership support are in place for the program's long-term lifecycle, including at least an annual review and update of the program.
- Robust Metrics Framework: At this stage, the program has the ability to track progress and measure impact. This stage reinforces that to truly have a mature program, an organization must not only change behavior and culture but also have the metrics to demonstrate that change.
Contact LIFARS Immediately for Your Security Awareness Training