The building blocks to a mature security awareness program

A lack of time and data works against cybersecurity defenders working in the trenches to drive internal security awareness.
5 May 2021

A lack of time and data works against cybersecurity defenders working in the trenches to drive internal security awareness programs at firms around the globe. (Photo by ROMAIN LAFABREGUE / AFP)

When it comes to building a mature security awareness program, money isn’t always the biggest challenge. All too often the real problem is time: there is never enough of it. While this has certainly been the case for many of us over the past year, it is especially true for defenders working in the trenches who are trying to drive internal security awareness programs at firms around the globe.

Fostering security awareness is supposedly a key task these individuals need to undertake as part of their role. Yet, according to recent research, fewer and fewer of these workers are actually able to dedicate the time needed to get such programs off the ground and running effectively.

Indeed, the findings of the 2021 SANS Security Awareness Report should serve as a wake-up call for any organisation that wants to up its game when it comes to managing the issue of human cyber risk.

Driving security awareness: top challenges

Providing a detailed analysis of the behaviours of over 1,500 security professionals from 91 different countries, the SANS Institute’s report reveals how over 75% of security awareness professionals say they spend less than half their time on security awareness. Busy juggling a multitude of conflicting demands, these professionals confirm that there literally aren’t enough hours in the day to undertake their security awareness responsibilities. As a result, security awareness is at best a part-time effort on their part.

That brings us to the second most reported challenge compromising the ability of businesses to maintain a mature security program: a lack of appropriately certified personnel to work on and implement the program. Finally, lack of budget was identified as the third major roadblock hindering many companies from pursuing a comprehensive security awareness strategy.

Clearly, many companies still have some significant hurdles to overcome when it comes to their security awareness efforts. Fortunately, there are some key actionable steps that organizations can take to help accelerate their programs.

Step 1: Dedicate the right personnel and resources

To bridge the gap between aspiration and reality, staffing matters: the SANS report found that having at least three full-time equivalent (FTE) employees responsible for managing the cybersecurity awareness program is proving to be the key to success. However, just as important is ensuring that these roles are undertaken by the right people, with the right skillset.

That’s because the SANS research findings reveal how all too often security responsibilities are delegated to staff from highly technical backgrounds, who may lack the skills needed to communicate with the workforce in easy-to-understand terms.

To optimize for success, organizations should instead look to appoint personnel who, as well as being knowledgeable cyber specialists, are proficient in the interpersonal and soft skills that will be needed to effectively ‘market’ or convey the organization’s strategic security priorities in practical ways.

Step 2: CISOs should take the lead

In recent years, security awareness has shifted from being something that’s driven by HR or legal and compliance teams, to becoming the primary concern of IT directors. However, the SANS report advises that top-line responsibility for threat monitoring and managing trust should increasingly fall on the shoulders of the Chief Information Security Officer (CISO).

Responsible for helping the board understand potential security problems and accountable for managing enterprise cyber risk, the CISO is ideally placed to ensure that security awareness is part and parcel of the wider security strategy, which is why SANS recommends that awareness programs should be managed by a full-time dedicated individual who is both part of the security team and reports directly to the CISO.

The key message here is that security awareness should be part of, and an extension of, the security team – and not disconnected from other security efforts.

The key success criteria

In light of recent rapid operational changes implemented in response to COVID-19, investing in security awareness is vital if organisations are to become more effective at managing their human risk. Appointing the right number of people, with the right skills to deliver the program is just the start.

To achieve meaningful improvements, board members need to champion their security awareness programs and prioritise appropriate funding in line with other security efforts. After that, it will be key to ensure that people senior enough to have real authority and awareness of the organization’s most strategic security priorities hold ultimate responsibility for shaping the program in line with the enterprise’s ever-evolving security needs.

Written by Tim Bandos, CISO at Digital Guardian

Tim Bandos, CISSP, CISA, CEH is CISO and VP Managed Security Services at Digital Guardian and an expert in incident response and threat hunting. He has over 15 years of experience in the cybersecurity world and a wealth of practical knowledge gained from tracking and hunting advanced threats aimed at stealing highly sensitive data. The majority of his career was spent at a Fortune 100 company, where he built an Incident Response organization; he now runs Digital Guardian’s global Security Operation Center for Managed Detection & Response.