Cyber security awareness programs are gaining ground in many organizations. But most of the IT security professionals implementing them are hampered by a lack of resources and budget (more than 70 percent don’t know their allocated spend), and the greatest challenge of all is having too little time, according to a recent report from the Kogod Cybersecurity Governance Center (KCGC) of Initiative at American University’s Kogod School of Business (KSB).
KCGC’s report also highlights a clear correlation between the level of support an organization’s leadership gives to security awareness and the maturity of the organization’s program. And, of course, end users remain the weakest link in any program.
About the Security Awareness Report
Researchers analyzed the 2018 report data submitted by more than 1,700 security awareness professionals worldwide. The goal was to identify and benchmark how organizations manage their human cybersecurity risk.
The report enables those professionals to make data-driven decisions about how to improve their security awareness programs, and its findings let them benchmark their programs against others. The analysis examines how factors such as maturity, funding and staffing combine to make programs effective. Learning what most helps and most hinders these programs lets organizations make the most of their people, resources and budget.
In short, the report answers the question: “What makes a great security awareness program?”
Quick Hits from the Report
People, not budget, are key. The data repeatedly shows that you need at least 1.9 full-time employees (FTEs) managing your awareness program to effectively change behavior at an organizational level, and 3.9 FTEs to change culture and have a metrics framework in place to measure that change. Far too many people work part-time in this field, which causes many security awareness programs to fail.
Preserving leadership support. The most mature awareness programs consistently have the greatest level of leadership support, and the key to earning that support is demonstrating value. The report recommends dedicating at least four hours a month to collecting metrics about your program and communicating those metrics (and success stories) to your leadership. If you’re not sure how to share those results, partner with a champion at your organization to help craft your message. And if you’re struggling to get leadership to approve new hires, the researchers advise giving them the report.
Soft skills. A lack of soft skills has contributed to the failure of countless security awareness programs. Many of these programs are led by people with highly technical skills and job titles that have nothing to do with awareness, culture or behavior. While these individuals understand the technology and the behaviors people need to use it securely, they have no skills or experience in communicating those behaviors and engaging their workforce. A rule of thumb: don’t hire computer science majors to lead your awareness program; do hire marketing or communications majors with a passion to learn and help others.
According to the report, the field of security awareness is still immature. Yet there is ample evidence that security awareness is critical to your organization’s overarching security program. The data shows that as more resources (time and budget) are put into a program, its maturity level increases significantly, allowing the organization to apply metrics. Additionally, you must bring a broader variety of skills into the program to improve its creativity and its connection with users. Ad hoc programs are not enough. It’s time to take a fresh look at your approach.
For help setting up an efficient and trustworthy security awareness program for your organization, learn about Vology’s Unified Security Services.