As an unprecedented number of employees now work in a hybrid way or fully remotely, plus an increase in cyber threats, there has never been a more critical time to effectively create and maintain a cyber-secure workforce and an engaged security culture, says the SANS Institute.
People have become the primary attack vector for cyber-attackers, according to Lance Spitzner, SANS Security Awareness Director and co-author of the 2022 SANS Security Awareness Report. He said: “Humans rather than technology represent the greatest risk to organisations and the professionals who oversee security awareness programmes are the key to effectively managing that risk.”
After analysing the data of more than 1,000 security awareness people worldwide, SANS Security Awareness, which offers training, has released its seventh annual report. The 2022 edition has updated global benchmarks for how organisations manage their human risk and provides steps to making improvements with key metrics in the ‘Security Awareness Maturity Model Indicators Matrix’ to measure progress.
Spitzner said: “Awareness programmes enable security teams to effectively manage their human risk by changing how people think about cybersecurity and help them exhibit secure behaviours, from the Board of Directors on down. This report enables security awareness professionals to make data-driven decisions on how to best secure their workforce and speak to leadership about risk in a compelling way that demonstrates value and support for their strategic priorities.”
Among the findings:
More than 69 per cent of security awareness professionals are spending less than half their time on security awareness. The data shows that security awareness responsibilities are very commonly assigned to staff with highly technical backgrounds who may lack the skills needed to effectively engage their workforce in simple-to-understand terms.
The average salary reported was $110,309 in the United States for security training professionals, an increase from 2021. However, those dedicated full-time to awareness were paid on average only $86,626, while those who are part-time averaged $117,584 – a $30,000 difference. This difference is because people dedicated part-time to security awareness have their compensation based on their other responsibilities, which are usually more technically focused.
Security awareness professionals in Australia/New Zealand had the highest average annual compensation ($121,236), while South America had the lowest ($56,960). In North America, the higher the maturity level of an organisation’s security awareness, the higher the salary for the awareness professionals who work there.
The three top reported challenges for building a mature awareness programme were all related to a lack of time: specifically Lack of time for project management, limits on training time to engage employees, and a lack of staffing. The top two reported impacts were the challenge of a more distracted and overwhelmed workforce and a working environment where human-based cyber-attacks have become more frequent and effective.
Consistent across all global regions is that current programmes’ most common maturity levels are compliance-focused and awareness/behaviour change. As for what are the indicators of a successful programme: strong leadership support, increased team size, and a higher training frequency topped the charts. One of the top ways to increase leadership support is speaking in terms of managing risk, not compliance, and explaining WHY you are doing something, not WHAT you are doing. Additionally, creating a sense of urgency by utilising data and communicating value by demonstrating alignment with leadership’s priorities.
As for how to increase team size: documenting and contrasting how many people on the security team are focused on technology versus how many on the team are focused on human risk, creating a document to explain personnel needs fully, and developing partnerships with key departments that can help develop ways to communicate the programme’s value were recommended.
The report recommends that organisations communicate to, interact with, or train their workforce at least once a month. Keeping training simple and easy to follow was the key to increasing your opportunities to engage and train your workforce.
Spitzner added: “The most mature security awareness programmes not only change their workforce’s behaviour and culture but also measure and demonstrate their value to leadership via a metrics framework. Organisations can no longer justify an annual training to check the compliance box, and it remains critical for organisations to dedicate enough personnel, resources, and tools to manage their human risk effectively.”