SANS reveal top reasons for failure of enterprise security awareness programmes

Ned Baltagi, Managing Director, Middle East and Africa at SANS

‘SANS 2017 Security Awareness’, a new report by leading cybersecurity training and certification institute, SANS, has revealed the lack of time dedicated to employee training and a lack of communication skills as the key reasons organisations’ cybersecurity awareness programmes fail to meet their objectives.

In identifying these factors, the researchers also found that women are twice as likely as men to be dedicated full-time to cybersecurity awareness. The report further went on to specify human resource allocation, partnerships, hiring of dedicated professionals and fostering of security ambassadors as the four areas organisations need to focus on to dramatically improve the effectiveness of their awareness campaigns.

“There is no doubt that awareness programmes play a vital role in strengthening IT security,” stated Ned Baltagi, Managing Director, Middle East & Africa at SANS. “While organisations in the region are doubling down on their security investments, the challenges cannot be solved by technology alone. The behaviour of end users, most commonly unintentionally malicious, is often the root cause of data breaches, which is why SANS has worked to pinpoint the shortcomings of security awareness programmes and provide enterprises with a clear outline for how they can overcome these.”

Time constraints

Surprisingly, respondents did not cite budget constraints as an inhibitor to the success of their security awareness initiatives. Instead, the biggest challenge appears to be time, with over 75% of security professionals spending just 25% of their time on awareness. The report pointed out that to bring awareness up to a basic level, organisations should on average have 1.4 full-time employees (FTEs) dedicated to these initiatives. This number increases to 2.6 FTEs in organisations that have the most successful awareness programmes.

The lack of communication

Reported by 30.23% of respondents as their biggest challenge, the lack of communication and employee engagement is the other major hurdle that security awareness professionals face. This largely results from the inability of IT staff dedicated to this function to translate the impact human risks present to cybersecurity to their non-technical counterparts. While 80% of security awareness professionals have technical backgrounds, just 8% of them have soft skills backgrounds such as communications, marketing, training or human resources.

Not surprisingly, organisations that had the most robust security programmes were also those that had complete buy-in from higher management, while 64.5% of organisations that did not receive sufficient support from company leadership categorised their awareness programmes as non-existent.

Remedying security awareness challenges

“In addition to dedicating the right resources and time to security awareness and working on the communications skills of security professionals, organisations should strategically leverage their budgets to hire resources who will get their awareness programmes up and running. They should also identify and empower awareness ambassadors – employees who are committed to security initiatives and push their colleagues to do the same – as a cost-effective means to raise the entire organisation’s security posture,” said Baltagi.

About the report

The third annual SANS Security Awareness Report is based on a survey of 1,084 qualified professionals who are responsible for building, managing or contributing to their organisations’ security awareness programmes.

The entire report along with the researchers’ recommendations and expert advice is available as a free download from here.