- Security TWENTY
- Women in Security
Cyber security awareness training is beginning to gain ground among businesses, but many of those responsible for making it happen face a lack of time, budget and resources. That’s according to SANS Security Awareness, a division of SANS Institute, in its 2018 Security Awareness Report “Building Successful Security Awareness Programs”. It also shows a clear correlation between the support given to security awareness by an organisation’s leadership and the maturity of that training in the organisation.
Lance Spitzner, Director, SANS Security Awareness, says: “In light of recent large breaches such as those suffered by Equifax, Yahoo!, and the WannaCry ransomware attack on the NHS, and with new regulations like the EU General Data Protection Regulation throwing data protection into sharp focus, there’s a new sense of urgency around cyber security that’s stimulating both support and change. Security awareness can be challenging, but it’s necessary, and it’s worth the effort.”
Working with researchers from The Kogod Cybersecurity Governance Center (KCGC) of Initiative at American University’s Kogod School of Business (KSB), the survey found that the defence industry is the most mature, reporting over 10pc at the highest stage in the Security Awareness Maturity Module, with the manufacturing industry the least mature, reporting only 2pc. Finance and Operations departments are the largest blockers to building or maturing a security awareness programme. A majority of awareness professionals come from a technical background, with less than 20pc coming from non-technical fields such as communications, marketing, legal or HR.
Dan DeBeaubien, Product Director for SANS Security Awareness says: “The report reveals that a clear majority (80pc) of security awareness professionals see their awareness programme activity as being only a portion of their overall job responsibilities. Many claim to have no budget for an awareness programme or to not know what their budget is, and most lack the skills or background required to effectively communicate the programme to and engage with the workforce.”
The report this year analysed over 1,700 responses to look at how to benchmark and mature a security awareness programme. The report uses SANS’ Security Awareness Maturity Model as a guide to identify an organisation’s level of a programme’s impact and how to measure human risk and change end-user behaviour.
For more detail, download the SANS 2018 Security Awareness Report at the SANS website.