SANS Institute has released its 2017 Security Awareness Report, a community-driven study with more than 1,000 security awareness professionals across 58 contributing countries.
Security awareness itself has become an increasingly relevant topic for both emerging and mature organizations, given that having a truly skilled professional in the role has become a "must have" versus optional.
SANS' study was designed from a vendor-neutral perspective, to help organizations identify how successful awareness programs are operating, and the challenge of fledgling awareness programs.
ZDNet has covered the trend of security awareness in the past, with a significant focus on the right type of talent (more technical versus nontechnical) to make security awareness programs work -- and the SANS study shows this to be true, according to those surveyed.
"An overwhelming majority of awareness professionals come from technical background. 80 percent in fact. Less than 8 percent have a soft skills background such communications, marketing, training or human resources," said the report. "Those with a technical background have an advantage because they possess a strong understanding of the technical and human risks."
The report goes onto say that security awareness professionals with more technical backgrounds are more keen to recognizing behaviors that might bring risk, however, at times communications training is critical given that human interaction soft skills make changing risky employee behavior. They know what behaviors are the most effective in managing those risks. Often however, the challenge is that these same individuals often lack the skills or training to effectively communicate those risks and engage employees in a manner that effectively changes behavior.
The two primary findings of the report are focused on just these things: proper staffing and communication. The latter is the number one challenge called out by the survey participants, and the second is resources, in the sense that there is not enough time to do what their teams need to take on to better secure the organization. This is sometimes driven by budget, sometimes by finding the right talent.
SANS describes the communications challenge as the ability to effectively communicate and engage employees and, almost more important, the ability to effectively communicate to and demonstrate value to leadership. If you run tight security programs but cannot effectively, and with respected authority, communicate them to impact the right actions, then your program is more security than awareness, and that can put an organization at risk.
The study recommends the following for addressing communications:
Communicate to leadership monthly about your security awareness program -- in a way that business leaders will value.
Find a strong champion within leadership, and ask them to help relay the program value to other leaders, or assist with message crafting.
Partner with those in the org that you've found to appreciate and adhere to security awareness inputs, especially those who can help partner on better communications.
Take communications training; they can be easily developed with the right focus.
Align with human resources to ensure an awareness program is tied into company culture.
Keep an eye on your audience, as it grows and shift, and recognize that the same message that works for developers may not be effective for marketing, and vice versa. A one-size-fits-all communications approach can be limiting.
Regarding the resource challenge, SANS defines this as a combined effort people who contribute to an awareness program, measured as total number of full-time employees, stated the report.
"Far too many organizations view awareness as a part-time job, crippling their awareness team's ability to effectively get things done," the report said.
SANS findings show the minimum number of full-time employees required to change behavior at an organizational level was 1.4 for midsize organizations (1.28 for organizations under 500 people), with the most successful programs having 2.6 full-time awareness professionals.
The study also offered recommendations for addressing time and resources:
Ensure you have at least 1.4 full-time employees focused on changing security behavior at an organizational level.
Similar to communications, partner with those in the organization who are ultimately equipped and interested in helping you change security behaviors.
If you do have budget, us it for people to hit the full-time employee requirement and run a robust program.
Mature programs should consider a security ambassador program; a network of volunteers in the organization that will help engage fellow employees.
According to SANS, if there isn't enough time and people resource to do the job, no amount of monetary investment will help ensure a successful awareness program.
The study concludes by astutely saying that "security awareness is hard" but urges readers, especially those in a management or influence position for these programs, to follow the guidance gleaned from the 1,000 global professionals.
"Without [time and communication], it'll be difficult to get legs to your program and successfully protect your organization and the people within it."
The study also reported what it called a "surprise finding," stating that women are twice as likely as men to be dedicated full-time to security awareness given their ability to more naturally consider emotional intelligence and root behaviors that dictate employee behaviors -- including security.