The most common factors holding back security awareness programmes in companies are a lack of time and staff rather than budget, according to a report from SANS Security Awareness, although nearly 60% of the professionals surveyed say they are not even aware of the budget allocated to security awareness in their companies. The study compares current data with that of previous years and analyses the main problems faced by security awareness professionals in companies: lack of resources, lack of managerial support, and ambiguity in their positions and responsibilities.
"I'm absolutely thrilled about the release of the 2019 Security Awareness report," says SANS Security Awareness Director, Lance Spitzner. "Every year we are able to gain a better understanding of the most common challenges awareness professionals face and how to best address them and after five years, we are beginning to identify key trends."
Working with researchers from The Kogod Cybersecurity Governance Center (KCGC), an initiative of American University's Kogod School of Business (KSB)
Common challenges holding back programme maturity: Lack of time and staffing were among the top reported roadblocks facing awareness professionals. More than 75% of these professionals work on awareness part-time, which means that they spend less than half of their time on security awareness.
Getting the support of management and programme buy-in: Industry peer pressure was found to play a distinctive role in determining whether leadership treats security awareness training as a top priority. In fact, 69% of organisations whose managers believe that the market is investing significantly in this area consider security awareness training to be a top priority.
The growing need to create more concrete job roles and expectations within the security awareness training realm: Less than 10% of the respondents reported their job titles even included the words 'awareness' or 'training' in them, and about 60% were not even aware of the budget allocated to security awareness in their companies.
This report highlights these growing concerns and challenges for security awareness. It also uses the SANS Security Awareness Maturity Model as a guide to identify the level of impact of an organization's program and how to measure human risk and change end-user behavior.