Security awareness programs held back by lack of time
SANS Institute research shows programs gaining in popularity, but awareness is usually a part-time job
Cyber security awareness programs are gaining popularity among businesses, but a lack of time, budget and resources is holding them back.
According to research by SANS Institute, lack of staff time is the number one challenge faced by security awareness organisations. Over 80% of respondents reported spending less than half of their time on awareness programs, and most organisations categorise security awareness as a part-time job.
The '2018 Security Awareness Report: Building Successful Security Awareness Programs' also shows a clear correlation between the level of support given to security awareness by the organisation's leadership and the maturity of that programme within the organisation.
SANS Institute ranked security awareness programs by maturity, ranging from non-existent (stage 1) or focused purely on compliance (stage 2), through programs that focus on promoting awareness and behaviour change (stage 3), to long-term sustained programs and culture change (stage 4) and programs with metrics (stage 5). Fifty-three percent of organisations fall into the third category, while 29% lag in the first or second stage.
The role of 'Awareness Professional', responsible for delivering security awareness programs, still generally falls to IT or IS professionals rather than to other departments. The majority of awareness professionals come from a technical background, with less than 20% coming from non-technical fields such as communications, marketing, legal or HR.
Awareness roles are also usually held in addition to other duties. Eighty-five percent of those responsible for delivering awareness programs believe they have a positive impact on their organisation, while 67% believe they have adequate support from management.
"In light of recent large breaches such as those suffered by Equifax, Yahoo!, and the WannaCry ransomware attack on the NHS, and with new regulations like the EU General Data Protection Regulation throwing data protection into sharp focus, there's a new sense of urgency around cyber security that's stimulating both support and change," said Lance Spitzner, Director, SANS Security Awareness. "Security awareness can be challenging, but it's necessary, and it's worth the effort."
The survey was carried out in cooperation with researchers from the Kogod Cybersecurity Governance Center (KCGC), an initiative of the Kogod Business School, American University, Washington DC.
In terms of maturity, the defence industry has the most developed approach to security awareness, while the manufacturing sector ranked last.
The survey also found that Finance and Operations departments are the largest blockers to building or maturing a security awareness programme.
"The report reveals that a clear majority (80%) of security awareness professionals see their awareness programme activity as being only a portion of their overall job responsibilities," said Dan DeBeaubien, Product Director for SANS Security Awareness. "Many claim to have no budget for an awareness programme or to not know what their budget is, and most lack the skills or background required to effectively communicate the programme to and engage with the workforce."
The SANS Security Awareness Report was developed to enable security awareness professionals to make data-driven decisions on how to improve their security awareness programmes and to benchmark those programmes against others. In short, its aim is to answer more definitively the question of what makes great security awareness programmes a success. This year, data analysed from over 1,718 respondents provides even greater insight into how to benchmark and mature a security awareness programme.