SANS Security Awareness, a specialist in providing security awareness training, has released the 2021 Security Awareness Report: Managing Your Human Cyber Risk.
This annual report analyses the data of more than 1,500 security awareness professionals from around the world to benchmark how organisations are managing human risk and provide data-driven action items to mature awareness programmes.
2021 marks the sixth release of the SANS Security Awareness Report, and through 2020-2021 the industry witnessed deep and rapid changes in how and where employees work. These changes have caused unprecedented evolution not only in the technology we use but in how we use it, especially with so many people working from home. Simply stated, it has never been more important to effectively create and maintain a cyber-secure workforce and a vibrant security culture.
“Cybersecurity is no longer just about technology but people; managing human risk. Awareness programmes enable security teams to do just that by not only guiding how people think about security but how they act, from the Board of Directors on down,” said Lance Spitzner, SANS security awareness director and co-author of the report. “This report enables security professionals to make data-driven decisions on how they can most effectively engage the workforce and manage human risk.”
Key findings:
Workforce: More than 75% of security awareness professionals are spending less than half their time on security awareness, implying awareness is too often a part-time effort. The data shows that security awareness responsibilities are very commonly assigned to staff with highly technical backgrounds who may lack the skills needed to effectively engage their workforce in simple-to-understand terms.
Compensation: The average reported salary for full-time security awareness professionals was US$103,000. Salaries were higher for those with a technical background; those with non-technical backgrounds earned on average up to US$10,000 less.
Top Reported Challenges: The two top reported challenges for building a mature awareness programme are a lack of time to manage the programme and a lack of personnel to work on and implement it.
Dedicated Personnel: Awareness programmes that were effectively changing behaviour had at least 2.5 FTEs (Full-Time Equivalents) dedicated to helping manage the programme. Those that were also changing culture, and had the metrics framework to prove it, had on average 3.5 FTEs.
“Security awareness programmes have evolved from a limited compliance focus to becoming a key part of an organisation’s ability to manage human cyber risk,” said Dan deBeaubien, SANS security awareness director and co-author of the report. “While security awareness programmes are gaining executive support, there is still a long way to go before enough personnel, resources and tools are allocated to this effort.”