UPDATED 01:06 EDT / MAY 31 2017

Organizations need dedicated personnel to create security awareness, study finds

Most organizations today have some kind of security awareness training program in place for their staff, but the success of those efforts is a mixed bag at best.

Indeed, only around 10 percent of organizations can boast that they have achieved the highest two tiers of security awareness maturity when measured on a five-tier model, according to a new study from the SANS Institute published today.

SANS’s 2017 Security Awareness Report, a community-driven study with more than 1,000 security awareness professionals across 58 contributing countries, shows that success more often than not boils down to a single factor: having dedicated staff in place to direct those training efforts.

That might seem obvious, but a large number of organizations still have to contend with subpar security awareness training because they rely on existing security staff to organize and implement such programs, instead of employing dedicated personnel, the study found.

Even so, companies need to be careful about the kind of person they find to fulfill the security awareness training role, SANS said. The study found that 80 percent of security awareness professionals come from a technical background, adding that these “have an advantage because they possess a strong understanding of the technical and human risks.”

The report continues that those with technical backgrounds are better able to recognize behaviors that might bring risk. Still, it said that communications training is nonetheless critical in order to help convince employees to change their risky behavior. The problem is that most security awareness professionals with a technical background lack the communication skills necessary to engage employees in a way that can effectively change their behavior, SANS said.

As such, SANS said organizations need to focus on proper staffing and communication in order to raise security awareness among their employees. However, communication (defined as the ability to effectively communicate to and demonstrate value to leadership) was cited by respondents as the number one challenge, followed by a lack of time needed to train staff to change their behaviors. The report warns that many organizations run tight security programs but are unable to properly communicate their importance to staffers, meaning they struggle to eliminate risk.

SANS offered the following recommendations to address the communication challenge:

  • Communicate to leadership monthly about your security awareness program — in a way that business leaders will value.
  • Find a strong champion within leadership, and ask them to help relay the program value to other leaders, or assist with message crafting.
  • Partner with those in the org that you’ve found to appreciate and adhere to security awareness inputs, especially those who can help partner on better communications.
  • Take communications training; these skills can be easily developed with the right focus.
  • Align with human resources to ensure an awareness program is tied into company culture.
  • Keep an eye on your audience as it grows and shifts, and recognize that the same message that works for developers may not be effective for marketing, and vice versa. A one-size-fits-all communications approach can be limiting.

SANS also revealed what it believes is the minimum number of full-time security awareness personnel needed to change employee behavior at an organizational level. It recommends 1.4 full-time equivalent personnel for midsize organizations, or 1.28 for organizations with fewer than 500 employees. However, it said the most successful security awareness programs have an average of 2.6 full-time professionals on hand. SANS also warned that if companies don’t dedicate enough time and people to do the job correctly, no amount of financial investment can guarantee that their security awareness programs will be successful.

SANS concludes that “security awareness is hard,” but insists that companies can pull it off by following its guidance. “Without [time and communication], it’ll be difficult to get legs to your program and successfully protect your organization and the people within it,” the report noted.

The study also noted a “surprise finding,” saying that women are twice as likely as men to be dedicated full-time to security awareness. This is because women are more naturally oriented to consider emotional intelligence and root behaviors that dictate employee behavior, the study found.

SANS said its study was designed from a vendor-neutral perspective, in order to help companies identify how successful awareness programs operate.

Image: JanBaby/pixabay
