The SANS Institute has produced a white paper report on security awareness. This is an area of particular interest to me, as the human element in security is something I have been paying close attention to. The work we have been doing over the past years with cybersec101.ca to facilitate community-led security awareness has made clear the importance of security training. The report brings some insight into what is happening in enterprise on this front.
The report highlights the amount of time it takes to operate a mature security awareness program. The average staffing for an awareness program at an average (Awareness/Behaviour Change) maturity level was nearly two full-time employees (FTE), with the highest level of maturity at 3.67 FTE. This seems at odds with the finding that the vast majority of security awareness professionals spend more than half of their time on other duties. Most of the security awareness professionals came from an IT technical role. This was contrasted against the importance of soft skills and the particular difficulty of being knowledgeable in a complex subject while sharing that knowledge with others at a much more basic level.
Perhaps the importance of security awareness and the growing maturity of this function within organizations mean that there will soon be a clearly delineated professional role with its own set of specific skills. It is of course hard to project the future, but it raises questions about how to supply the skilled professionals this role requires.
The report provides some interesting information, and it all appears to align with what I have seen and heard from others. That said, I will admit to being a little reserved about drawing connections from all of the data as presented. It's not just the glossy presentation, replete with stock photos of funky people gesturing inoffensively at their empty desks and impressive charts, although that might be involved. By that I mean there are a few points in the report that are a little unclear, though there is a chance the woolliness is just a result of dressing the content for impact. For example, I am not sure whether the number of staff dedicated to security awareness programs has a direct relationship with the maturity level of the organisation, or whether it is more an indicator of the size or operational complexity of the organisation. Terms like “direct correlation” also raise the hackles a bit, as they suggest more than they mean. That said, there are some good points to take from this, and the report's presentation is very helpful for those making decisions about security awareness in their organisation.
It is also nice to see the collaboration between industry and academia here, with SANS working with the Business School at American University, specifically the Kogod Cybersecurity Governance Centre.
Name and email required for download 🙁