More soft skills are needed for leading today’s security awareness programs says Spitzner
April 2015 by Spitzner
Ahead of SANS Secure Europe 2015, the region’s largest annual InfoSec training event; Lance Spitzner, Director, SANS Institute suggests that the recent 2015 Security Awareness Report highlights that security awareness programs are still in their infancy and many lack the soft skills needed to ensure successful implementation.
“In many cases, the wrong people are leading security awareness programmes or lack the training they need to be successful,” says Spitzner, an internationally recognised leader in the field of cyber threat research and security training and awareness “The majority are from highly technical backgrounds and lack skills such as communication and an understanding of human behaviour.”
More than 75% of the awareness programs surveyed are run by people with highly technical backgrounds, such as IT admins or security analysts, but with little experience in softer skills, such as communications, change management, learning theory or human behaviour. In addition, people limited to just technical backgrounds may be prone to view security strictly from a technical perspective.
“There is a role for IT and for other stakeholders such as auditors but they should contribute to the definition of sensible policies. Organisations need to invest in and train their security awareness officers on the softer skills required for any security awareness program, or provide them access to the people who can deliver those diverse skills.”
Another key finding was that awareness programmes are still immature, “We found that half of the organisations surveyed currently do not have an awareness program or have an immature program that is solely focused on compliance. Only 5% of respondents felt that they had a highly mature awareness program that not only was actively changing behaviour and culture, but also had the metrics to prove it.”
The survey was conducted last October by the SANS Institute during National Cyber Security Awareness Month and included approximately 225 respondents with analysis carried out by Bob Rudis of the Verizon DBIR team and validated by community reviews including experts at Charles Schwab, Cisco Systems and Cyber Risk Aware amongst others.
The report found the top two challenges facing security awareness officers are employee engagement and lack of support from senior management. “They need to understand that their organisation cannot effectively mitigate risk if security is treated only as a technical issue; the human issue must be addressed also,” says Spitzner.
The report also makes several recommendations including the advice that any organisation with over 10,000 employees should have at least one person dedicated to running the security awareness program. “Giving the person in charge of security awareness multiple responsibilities destroys his or her ability to focus and the consequences speak for themselves,” says Spitzner pointing to “human error” as consistently in the top 3 of root causes of breaches as identified by the influential Data Breach Investigation Report (DBIR) which has examined over 100,000 security incidents over the last decade.