Imagine a teeter totter (or seesaw, if you will). On one side sits a technical security practitioner. On the other side sits a person with advanced skills in changing behaviors and community engagement. For the teeter totter to stay level, each person needs to have equal experience, or one needs to move further toward the center to achieve the desired equilibrium. If one person's level of experience demonstrably outweighs the other's, the right balance of talent won't be achieved.
Talent for what? The oft-misunderstood role of the security awareness professional.
Security awareness at its most basic level is the act of applying technical security knowledge to programs and activities that raise the awareness -- and diminish the risky behaviors -- of employees within a given organization. This includes everything from phishing and password test programs to community engagement, where educated practitioners teach less security-savvy users how to change their behavior to better protect themselves or their companies.
It's long been stated that security is not convenient, and for many years cybersecurity teams were challenged with addressing the human element of security risk (patch your systems! change your passwords! no, that is not a real email from George Clooney!) while also trying to build a secure infrastructure that defends the organization from external attackers. While the challenge of insider threats is real and malicious employees do exist, there's an equal chance that an honest human mistake creates a significant risk -- whether it be someone losing a device, clicking on a malicious link, or emailing the wrong file to the wrong person.
Hence the importance of security awareness programs.
According to Masha Sedova, co-founder of Elevate Security and former trust engagement leader at Salesforce, a good awareness program gets feedback from the rest of the security organization on what the top people-centric risks are for the company, and then creates an effective campaign to address those risks.
"Security awareness was initially started about 10 years ago with the advent of regulation and compliance requirements," Sedova said. "Unfortunately, they were designed with the wrong question in mind. They ask 'show me how many people have taken your training.' Instead they should have asked 'show me metrics that your program yields improvement in X behavior.' The companies leading the charge in the awareness space today are creating their programs around this question."
This leads back to the discussion around the right balance of talent for creating these programs. According to the SANS 2016 report on security awareness, more than 80 percent of security awareness personnel have a technical background, but also need soft skills such as communications, change management, learning theory, and behavior modeling, in order to be most effective.
The report calls out one option to address this gap: adding a communications professional to the security awareness team. Although not wrong, this is a tricky one. While facets of marketing and communications expertise are helpful for many teams, as reflected in the soft skills listed above, the old adage applies: "you can't secure what you don't see." Without a firm understanding of security -- how humans create risk, and how that risk tracks back to security technology and implementation -- marketing and communications skills alone cannot create the robustness required of a security awareness team.
In fact, too much focus on the communications elements of the security awareness role can water down its criticality. While communications programs, educational events, community dialogue and networking are important components, security awareness programs are not built on this kind of skill. These are merely channels for influencing more people to understand their part in securing their organizations, or their communities at large.
"Most marketing people can't identify the underlying behaviors that need most focus, and unfortunately most technology-focused security people aren't great at that either," Sedova said. "Security folks will say 'employees need to be less dumb,' which is hard to measure and drive a specific campaign for. And marketing people will say 'don't click on phishing links' but can't spend the time to explain why an employee should care about not clicking on phishing links and how it connects to a bigger picture. A good security awareness practitioner can bridge both skill sets."
The other component in achieving the proper balance on the seesaw is ensuring there are resources available to fuel these security awareness programs. They are must-haves as much as basic security programs are themselves. According to the same SANS security awareness report, more than 50 percent of security awareness professionals survive on a budget of less than $5,000, or are not able to dedicate all of their time to awareness. The report also says that the amount of support is relative to the maturity of a security awareness program, so a focus on education, the human actor, and demonstrable metrics is crucial.
Corporate support for security awareness programs and professionals, whether it be freeing up budget or resources, is a must-have, as these programs need to scale as their organizations do.
"What needs to happen are programs that can create and educate local security champions throughout the organization," Sedova said. "This includes subjects such as secure coding, vulnerability identification and remediation, and threat sharing. These programs are great areas for security awareness practitioners to partner with security subject matter experts and create effective programs that scale. Over time, I hope to see this happening more in this field."