The 2021 annual SANS Security Awareness Report enables organizations to understand their program maturity, improve their security awareness programs and benchmark those programs against others. The SANS Institute conducted a global survey of over 1,500 qualified security awareness professionals from 91 countries.
The findings reported that over 80% of security professionals spend half or less of their time on their cyber security awareness program, indicating that security awareness is a part-time effort. The two top challenges for building a mature awareness program were lack of time to manage the program and lack of personnel to work on and implement the program.
The survey data revealed a strong correlation between the number of people dedicated to running an awareness program and the maturity of that program, indicating a nearly linear relationship between the two.
A key component of a mature awareness program’s success is a strong partnership and working relationship with key departments within the organization. Awareness programs typically receive strong support from departments such as Security, Information Technology, Human Resources, and Audit, and from senior leadership. These supporters often provide assistance, approval, or resources to enable the program’s execution.
The research provides a better understanding of just how many people it takes to build and maintain a mature awareness program, using full-time equivalents (FTEs) as a measure. For example, if you have three people each dedicating half (50%) of their time to your awareness program, that totals 1.5 FTEs dedicated to your awareness program.
The data indicates that larger organizations have more FTEs not just because of the larger workforce, but because they are often doing more within their program, such as more diverse engagement efforts, advanced metrics reporting, hosting multiple security awareness events, and ambassador programs.
Key actions required
Increase Staffing: Consistent with initiatives like Incident Response, Vulnerability Management or Security Operations Center activities, managing human risk requires strategic, long-term investments in people.
Buy Time: Use your budget to buy yourself time. Don’t build the solution yourself; rather, see if there is a solution you can buy or license. The more you are able to delegate, the more time you have to create partnerships within your organization, engage with others and ultimately drive change with your program.
Build Partnerships: Reach out to other teams/departments such as Marketing, Graphic Design, Communications or Security Operations. Partnering with other teams will amplify your reach and allow you to drive adoption of the behaviors you wish to promote.
Define Resources: Identify the roles or specialties you need to execute your program plan. Once you have defined those roles and estimated the time involved, conduct a cost-benefit analysis demonstrating why leadership should invest in these people and how doing so will ultimately enable you to better manage your organization’s human risk.
Train: Train the people you do have to be more effective. Refer to Appendix B: Career Development Path for Security Awareness, Engagement, and Culture Professionals.
To achieve a truly mature program, including a strong metrics framework, organizations will need at least 3.5 FTEs. FTE numbers may vary depending on organizational size, structure, and requirements.
Summary of key actions:
Provide the Right Title: Demonstrate organizational commitment to the program, not only by having someone dedicated full-time but also by ensuring they have a title that aligns with the program’s goals. In other words, have a title that is focused on managing human risk.
Ensure Leadership Support: Pressure is one of the most effective means to obtain leadership support. Demonstrate to your leadership how other organizations in your industry have mature awareness programs and continue to invest in them.
Encourage Partnerships: Build partnerships and collaborate with others in your organization. This is especially important for any key departments that are blockers, such as Finance or Operations. Get key stakeholders involved in the planning process from the beginning.
Buy Time: If you have the budget, use it to buy yourself time. For example, buy or license materials rather than create your own.
Know Your Bias: Your expertise is a plus as long as you pay careful attention to how it contributes to your program.
Improve Communication and Engagement Skills: Be sure you have someone on your awareness team who has the skills required for effective communication and engagement.
Seek out a Champion: Find a strong champion within leadership. Have that leader help you better understand certain blockers, communicate the value of your program to other leaders, or help you craft your message in the language that business leaders understand and act on.
Improve Perception: Focus and speak in terms of managing human risk. Human risk is far more aligned with most organizations’ strategic security priorities, and it is far more likely to gain leadership buy-in and resonate with a security team.
Demonstrate to leadership how your program can better support the security team with its security policies, processes, and priorities. Measure key strategic security metrics that leadership cares about. Identify top human risks and the key behaviors that manage those risks.