More organizations are still faring poorly in addressing the one dimension of cybersecurity over which they have the most control: people’s behavior.

That’s according to the sixth annual survey of business adoption of security awareness principles conducted by SANS Institute. The 2021 Security Awareness Report, released today, is conducted by SANS, which is the business name of the Escal Institute of Advanced Technologies Inc.

The survey found that more than 75% of security awareness professionals spend less than half their time actually raising security awareness. It also found that responsibility for this communications-intensive task is commonly assigned to highly technical people who are not well-qualified to translate concepts into understandable terms.

The top challenges to security awareness the 1,500 professionals who took the survey cited were lack of time to manage the program and personnel shortages. Opposition from financial and operations executives were also cited as frequent impediments.

Security awareness is an established discipline that covers training, communication and testing designed to prevent people from making mistakes that lead to security incidents. Numerous research reports and anecdotal evidence have established that human errors such as using weak passwords and clicking on unknown links in emails is the number one cause of cyberattacks.

“On average, an organization that has done no [security awareness] training will see a 30% click rate on phishing mails,” said Lance Spitzner, SANS Security Awareness director and co-author of the report. “A year into awareness training it drops to 2%.”

Beyond compliance

However, most organizations treat security awareness programs as checklists to meet compliance requirements and don’t see them as strategic risk-avoidance tactics. “The organization picks someone on their IT staff and says, ‘You’re now in charge of the awareness program,’” Spitzner said. “They check the box. Really mature organizations pick people who will be dedicated and focused on running the program.”

However, even committing dedicated people to the task often doesn’t go far enough. The survey found that fewer than 20% of respondents come from nontechnical backgrounds such as communications, marketing, legal or human resources, which better equip them to explain often technical topics.

“Cybersecurity is typically perceived as highly technical, so most of the people chosen are highly technical,” Spitzner said. “But those people tend to be really bad at communicating the concept.”

He called this the “curse of knowledge” syndrome: People with strong technical skills may perceive security as being simple or assume that concepts are common knowledge because they deal with them every day. Their communications to business colleagues can be confusing, intimidating or overwhelming as a result.

The situation isn’t helped by leadership attitudes that minimize the importance of awareness. The survey reported that finance and operations executives are the two greatest barriers to success. “Ultimately, they don’t see the value and they see that awareness programs cost them money,” Spitzner said.

Poor compensation for security awareness professionals doesn’t help. The survey found that security professionals who are only partially responsible for awareness earn about $10,000 more per year than those who do it full-time. That creates a disincentive for people to develop the communication and training skills that the discipline demands.

People needed

Organizations that SANS considers to be the most mature practitioners of security awareness commit resources to the effort for the long term and establish metrics that demonstrate value. Less than a quarter of respondents to the survey classify themselves as at or near the highest level of maturity. That’s up from just over 10% four years ago, but it’s still well below the share of organizations that are driven by compliance or short-term behavioral change objectives.

SANS found that most mature organizations devote an average of at least 3.5 full-time equivalent positions to the task, although the number varies somewhat with the size of the employee population. Spitzner also recommended that security leaders can help the effort along by providing tools such as a password manager and by simplifying or eliminating burdensome policies. “Do we need to have passwords expire every 90 days? In most cases, no,” he said.

They can overcome resistance in the organization by shifting the language away from compliance and toward managing risk. “We’re seeing an evolution from a compliance focus to changing human behavior,” Spitzner said. That’s the only way to fortify the organization for the long term.

Photo: Pexels