Exploring the maturity of corporate security awareness programs
Cyber security awareness programs are beginning to gain ground among businesses, but many of the professionals responsible for their implementation are challenged by a lack of time, budget and resources, according to a new SANS Security Awareness report.
The report also highlights a clear correlation between the level of support given to security awareness by the organisation’s leadership and the maturity of that program within the organisation.
“In light of recent large breaches such as those suffered by Equifax, Yahoo!, and the WannaCry ransomware attack on the NHS, and with new regulations like the GDPR throwing data protection into sharp focus, there’s a new sense of urgency around cyber security that’s stimulating both support and change,” says Lance Spitzner, Director, SANS Security Awareness. “Security awareness can be challenging, but it’s necessary, and it’s worth the effort,” he continues.
Working with researchers from the Kogod Cybersecurity Governance Center (KCGC) at American University’s Kogod School of Business (KSB), the survey found:
- The defence industry is the most mature, reporting over 10% at the highest stage of the Security Awareness Maturity Model, while the manufacturing industry is the least mature, reporting only 2%.
- Finance and Operations departments are the largest blockers to building or maturing a security awareness program.
- The majority of awareness professionals come from a technical background, with less than 20% coming from non-technical fields such as communications, marketing, legal or HR.
“The report reveals that a clear majority (80%) of security awareness professionals see their awareness program activity as being only a portion of their overall job responsibilities,” says Dan DeBeaubien, Product Director for SANS Security Awareness. “Many claim to have no budget for an awareness program or to not know what their budget is, and most lack the skills or background required to effectively communicate the program to and engage with the workforce.”
The makings of a successful security awareness program
A mature awareness program is one that actively engages its workforce and focuses on the key behaviors that manage the most human risk. Lance Spitzner outlined the following indicators of a strong program for Help Net Security readers:
- At least two full-time employees dedicated to running the program; four is much more effective.
- A positive program that not only your workforce enjoys, but one where they take materials and lessons learned home and share with family and friends.
- A program that has done a risk analysis to understand and prioritize their top human risks.
- A program that has clearly defined goals and the ability to measure those goals.