Lack of Time Biggest Barrier for Security Awareness Programs
When it comes to building a mature security awareness program, money isn't the biggest challenge.
Time; there's never enough of it. This has been the case for many of us over the last year but especially defenders in trenches trying to drive security awareness programs at businesses around the world.
For many of them, fostering security awareness is one of their occupation's tent poles, but fewer and fewer workers are actually able to spend the time needed to get these programs off the ground and running effectively.
That’s at least according to the latest numbers via SANS Institute's Security Awareness Report, an annual summary of the behavior of over 1,500 security awareness professionals from 91 different countries.
According to the 2021 version of the report, released on Tuesday, over 75% of those who responded said they spend less than half of their time on security awareness, a number that demonstrates that there simply aren't enough hours in the day or that workers are increasingly finding themselves busy with other tasks. Most of those who responded said lack of time was the number one problem facing their security awareness program.
This, as one can imagine, impedes a number of businesses from maintaining a mature awareness program. A lack of certified personnel to work on and implement the program – a problem that’s indicative of the much-publicized cybersecurity skills gap – is also a problem according to SANS. Lack of budget, thought of as a big roadblock in some circles, was third on SANS' list for workers.
While security awareness programs have gained popularity of late, SANS report makes it clear that many companies still have some hurdles to overcome .
In order to bridge the gap, the report suggests having on average 2.5 but at least 3 full-time-equivalent (FTE) employees specialized in security awareness can translate to success.
“To effectively manage human risk, leaders must make long-term, strategic investments in people, just as they would for other security efforts like Vulnerability Management, Incident Response or Security Operations Centers. People, not budget, are key to managing human risk."
According to the report, another reason why workers may not be spending time on security awareness could be because program leads and awareness responsibilities are getting delegated to workers who lack the appropriate communication skills. Specifically, workers in these roles come from more technical backgrounds, meaning they may not be proficient in the so-called "soft skills" needed to convey what's needed by programs in simple to understand terms.
While most of the respondents to SANS report said they reported to their local IT director, the structure of security awareness and managing trust should be shifted to the role of Chief Information Security Officer soon, if it isn't already the case at organizations.
This isn't to downplay the effectiveness of IT directors, SANS says. But CISOs often have the ear of the executive level if not a role in corporate leadership. They also should have access to the security team and the ability to work with that team on policies, processes, procedures, and security announcements.
"We recommend that an awareness program be managed by a full-time dedicated individual who is part of the security team and reports directly to the CISO,” SANS says in the report, “Security awareness should be a part of and an extension of the security team, not disconnected from other security efforts.”