Over three-quarters of security awareness professionals are spending less than half their time on security awareness, according to a new report from SANS.

This underlines the fact that awareness training is often a part-time effort, commonly assigned to staff with highly technical backgrounds but who may lack the skills needed to effectively engage their workforce in simple-to-understand terms.

"Cybersecurity is no longer just about technology but people; managing human risk. Awareness programs enable security teams to do just that by not only guiding how people think about security but how they act, from the Board of Directors on down," says Lance Spitzner, SANS security awareness director. "This report enables security professionals to make data-driven decisions on how they can most effectively engage the workforce and manage human risk."


The two top challenges to building a mature awareness program are cited as a lack of time to manage the program and a lack of personnel to work on and implement it. Awareness programs that effectively change behavior had at least 2.5 full-time equivalent staff dedicated to helping manage the program. Those that also impact culture and have the metrics framework to prove it had on average 3.5 full-time equivalent staff.

"Security awareness programs have evolved from a limited compliance focus to becoming a key part of an organization's ability to manage human cyber risk," says Dan deBeaubien, SANS security awareness director and co-author of the report. "While security awareness programs are gaining executive support, there is still a long way to go before enough personnel, resources and tools are allocated to this effort."

The full report is available from the SANS site.

Image credit: Rawpixel.com / Shutterstock