The 2021 SANS Security Awareness Report, which this year focuses on managing human risk, details various challenges and action items to consider when implementing a security-awareness program and measuring its success.
“Security-awareness programs are one of the most effective ways organizations can manage their human risk,” notes Lance Spitzner in a SANS blog post. “But for too long security awareness has been perceived and treated as a compliance initiative, with success defined by how many people took security training,” he says.
Now, “security-awareness programs have evolved from having a limited compliance focus to becoming a key part of an organization’s ability to manage its human cyber risk,” says the SANS report, which shares data and results gathered from 1,500 security-awareness professionals from around the world.
One of the biggest challenges security professionals face is making security simple for their organization’s workforce, the report states. “Having a strong technical or security background can be beneficial because it provides familiarity with the common technologies and behaviors” related to potential risks. However, the report states, “being ‘too technical’ can mean that individuals lack the skills to effectively communicate those risks or meaningfully engage employees.” To address this potential communication gap, the report recommends working with others to craft messaging that is easily understood.
Other key challenges in implementing a successful security-awareness program include:
- Lack of time
- Lack of personnel
- Lack of budget
- Bureaucratic/conservative culture
- Lack of skills/experience
- Lack of leadership