SANS Security Awareness has released its 2018 Security Awareness Report. This report, entitled “Building Successful Security Awareness Programs”, focuses on the primary issues security awareness professionals face: lack of time, budget and resources.
“Security awareness can be challenging, but it’s necessary and it’s worth the effort,” says Lance Spitzner, Director, SANS Security Awareness. “With support, and by investing the necessary time, budget and resource in communicating the purpose and the value of security awareness to a business, it’s possible to overcome any obstacles, and achieve a mature program that has a measurable impact on comprehension and competence across the entire organization.”
The SANS Security Awareness Report was developed to enable security awareness professionals to make data-driven decisions on how to improve their security awareness programs. It also allows them to benchmark these programs against others. In short, its aim is to more definitively answer the question of what makes great security awareness programs a success. This year, data was analysed from over 1,718 respondents, providing even greater insight into how to benchmark and mature a security awareness program.
Working with researchers from The Kogod Cybersecurity Governance Center (KCGC), an initiative of American University’s Kogod School of Business (KSB), the survey data was examined in detail to provide information on:
- Security awareness program maturity by industry – Defense being the most mature, and manufacturing being the least.
- Key blockers within an organization – Finance and operations departments contributing to the biggest challenges awareness professionals face.
- Actionable insights and program initiatives awareness professionals should consider when growing their program.
“The report reveals that a clear majority (80%) of security awareness professionals see their awareness program activity as being only a portion of their overall job responsibilities,” says Dan DeBeaubien, Product Director at SANS Security Awareness. “Many claim to have no budget for an awareness program, or to not know what their budget is; and most lack the skills or background required to effectively communicate the program to and engage with the workforce.”
This report highlights those challenges, utilizing the Security Awareness Maturity Model© as a guide to identify the level of impact of an organization’s program and how to measure human risk and change end-user behaviour.