SANS 2018 Security Awareness Report reveals maturity of corporate security awareness programmes and offers actionable insights
June 2018 by SANS INSTITUTE
SANS Security Awareness released its 2018 Security Awareness Report “Building Successful Security Awareness Programs”. The report found that cyber security awareness programmes are beginning to gain ground among businesses, but that many of the professionals responsible for their implementation are challenged by a lack of time, budget and resources. It also highlights a clear correlation between the level of support given to security awareness by the organisation’s leadership and the maturity of that programme within the organisation.
“In light of recent large breaches such as those suffered by Equifax, Yahoo!, and the WannaCry ransomware attack on the NHS, and with new regulations like the EU General Data Protection Regulation throwing data protection into sharp focus, there’s a new sense of urgency around cyber security that’s stimulating both support and change.” says Lance Spitzner, Director, SANS Security Awareness. “Security awareness can be challenging, but it’s necessary, and it’s worth the effort,” he continues.
Working with researchers from The Kogod Cybersecurity Governance Center (KCGC) of Initiative at American University’s Kogod School of Business (KSB), the survey found:
• The defence industry is the most mature, reporting over 10% at the highest stage in the Security Awareness Maturity Module, with the manufacturing industry the least mature, reporting only 2%
• Finance and Operations departments are the largest blockers to building or maturing a security awareness programme
• The majority of awareness professionals come from a technical background, with less than 20% coming from non-technical fields such as communications, marketing, legal or HR
“The report reveals that a clear majority (80%) of security awareness professionals see their awareness programme activity as being only a portion of their overall job responsibilities,” says Dan DeBeaubien, Product Director for SANS Security Awareness. “Many claim to have no budget for an awareness programme or to not know what their budget is, and most lack the skills or background required to effectively communicate the programme to and engage with the workforce.” The SANS Security Awareness Report was developed to enable security awareness professionals to make data-driven decisions on how to improve their security awareness programmes and to allow them to benchmark these programmes against others. In short, its aim is to more definitively answer the question of what makes great security awareness programmes a success. This year, data analysed from over 1,718 respondents provides even greater insight in how to benchmark and mature a security awareness programme.
The report utilises the Security Awareness Maturity Model© as a guide to identify an organisation’s level of a programme’s impact and how to measure human risk and change end-user behaviour.
For more detailed analysis and recommended action on improving security awareness, you can download the SANS 2018 Security Awareness Report here.