2019 SANS Security Awareness Report: The Rising Era of Awareness Training
Table of Contents

- Executive Summary (p. 4)
- About This Report (p. 6)
  - Overview (p. 6)
  - How to Measure Success (p. 6)
  - Benchmarking Your Program's Maturity Level (p. 8)
- Blockers and Supports (p. 9)
  - Action Items (p. 10)
- Predicting Success (p. 11)
  - Leadership Support = Program Maturity (p. 11)
  - Action Items (p. 12)
  - Budget and Program Success (p. 12)
  - Additional Steps (p. 13)
- The Most Valuable Resources for Security Awareness (p. 14)
  - Action Items: Get the Most out of Your Time (p. 17)
- Analysis by Industry: Who is the Most Aware? (p. 18)
- Demographics: Who Runs Security Awareness Programs? (p. 20)
  - Background (p. 20)
  - Action Item for Communicating to Learners and Leadership (p. 21)
  - The Organizational Structure of a Security Awareness Department (p. 22)
  - Job Titles for Security Awareness Professionals (p. 23)
  - Action Item (p. 23)
- Summary of Key Action Items (p. 24)
- Appendix A: Hiring Requirements for a Security Awareness Officer (p. 26)
- Appendix B: NIST NICE Framework Mapping (p. 27)
- A Big Thanks (p. 28)
  - Contributors (p. 28)
  - Authors (p. 29)
- About SANS Security Awareness (p. 31)

2019 Security Awareness Report | www.sans.org/security-awareness-training
Executive Summary
The 2019 SANS Security Awareness Report represents data aggregated from security awareness professionals from around the world. The analysis of this data identifies and benchmarks how organizations manage their human risk, including security awareness program maturity, funding, and staffing. The predominant intent of this annual report is to outline what enables organizations to create thriving programs, share lessons learned that uncover potential pitfalls, and explain how to address them.

A brief summary of key findings for 2019 includes:
1. For a mature awareness program, we recommend that the person in charge of awareness have a job title that reflects their dedicated awareness role. To encourage a deeper understanding and appreciation of this, we've added a new recommendation to the report this year, which can be found in the section Job Title.
2. The survey results show that an effective way to garner leadership support is to leverage peer comparisons via benchmarking. Among those organizations whose leadership believe that their peer organizations are investing significantly, 69% are treating security awareness training as a top priority. This is nearly a 10x increase over those organizations whose leaders do not perceive their peers as investing in awareness.

SANS Security Awareness: Included in your report download is the Value of Managing Human Risk for Leadership presentation, which outlines tactics for gaining leadership support for your awareness program.
3. Time, not budget, continues to be an awareness professional's greatest challenge. Over 75% of security awareness professionals are part-time, meaning they're spending less than half their time on security awareness. The implication is that awareness is simply mounted on to their other job requirements. This is the largest single factor limiting the growth and maturity of programs.
4. A lack of soft skills, such as communications and marketing, continues to limit an organization's ability to engage its workforce. Awareness professionals generally bring a dynamic set of technical skills, but can lack the skills to communicate their program needs. Appendix A of this report outlines the expectations, requirements, and skills recommended for a typical security awareness and communications manager-focused role, along with detailed information on the job description and its mapping to the NIST NICE Framework.
5. The data shows a strong correlation between full-time employee (FTE) staffing, program maturity, and success. Programs have achieved success at changing behavior when there have been at least 2 FTEs dedicated to awareness. Organizations reporting successful change in culture and metrics programs indicate 4 FTEs dedicated to awareness.
While there is a general tendency to isolate individual employees as the cause of security-related issues, the data within the report demonstrates that addressing an organization's human cyber risk is best handled by making consistent, systemic training investments. This report examines the most effective steps to address these issues, enabling you to benchmark your awareness program against your peers and other organizations.