Wednesday, April 6, 2016

Source: Security Awareness Report 2016 - Awareness Is Hard: A Tale of Two Challenges - SANS Securing The Human 2016

Contents

  • Report Summary
  • About This Survey
  • Your Biggest Single Challenge
  • Resources, Support, and Time (or Lack Thereof)
  • The Geeks Have Inherited Awareness (Is That Good?)
  • Demographics and Additional Information
  • Conclusion
  • A Big Thanks
  • About SANS Securing The Human

Report Summary
Don’t have a lot of time? Then just read this page. The SANS Securing The Human 2016
Security Awareness survey uncovered two key findings:

 1. SUPPORT IS ESSENTIAL: Security awareness teams are not getting the support they
need to be successful. Over 50% of awareness personnel surveyed have a budget
of $5,000 or less or don’t know what their budget is. Less than 15% of awareness
personnel are dedicated full-time to their job. While this is an improvement
from last year’s 10%, we are concerned that this is still too low. In fact, 64% of people
reported spending less than a quarter of their time on awareness. Finally, 35%
report not having the executive support they need. Why is all of this important?
Because the data shows a strong relationship between the amount of support
you have and the maturity of your security awareness program. We need to do a
better job of educating leadership that security cannot be solved by technology
alone; it must also address the human factor. Key steps to achieving this include
demonstrating to leadership that you have a proven roadmap to creating a secure
culture and the metrics to show leadership the impact your program is having.

 2. SOFT SKILLS ARE LACKING: Last year, we reported that soft skills are lacking
in security awareness personnel. By soft skills, we mean skills such as
communications, change management, learning theory, and behavior modeling.
The data told the same story this year: over 80% of security awareness personnel
have a technical background, with skills such as debugging network traffic,
building websites, or securing a server. However, this also means that many
security awareness teams don’t understand the proven concepts and techniques
in changing behavior and culture. In addition, we identified communications
as one of the key soft skills lacking. By communications, we mean engaging
employees with a meaningful message, delivering the right content to the right
people, leveraging multiple communication methods, and building a roadmap
that pulls this all together. One successful approach is embedding someone from
your communications department into your security team. A second option is to
train your awareness team on the new skills they will need. A third option is to
contract or hire someone with strong soft skills. Long story short, you not only
need security expertise on your awareness team, but you need soft skills, starting
with communications.

Security awareness is hard. Today’s security awareness teams don’t have the support,
time, and resources they need to be successful and/or are missing the skills and
experience to effectively engage and train their organization. The rest of this report
is dedicated to better understanding these two challenges and their different solutions.



