SecureIT Observations: SANS Report on Managing Human Cyber Risk

For the past few years, SANS has been producing an annual report on security awareness that helps shed light on what’s happening in the industry through data-driven analysis. There are a few interesting findings in this year’s report that deserve additional attention and inquiry.

First and foremost is a finding very much consistent with one of my biggest concerns about security awareness and training programs today – they are being run and managed by technical security team members who tend to have a very myopic, product-centric view of the world. Most have no background, training, or understanding of behavioral science, organizational psychology, running marketing campaigns, doing instructional design work, etc. Through no fault of their own, they are asked to perform a role for which they aren’t really qualified, so they end up relying heavily on what ‘others’ are doing and invariably implement security awareness programs that are based on third-party modules (that aren’t contextually relevant to the organization and are only required once per year), a monthly email (which runs into a whole host of problems and is not a good vehicle for communicating important cybersecurity messages), and phishing campaigns (which tend to produce mixed results and turn the user’s idea of cybersecurity into a misguided notion that it’s all about email). All of which falls very, very short of the desired cultural shift that’s truly necessary to address human security factors.

Now let’s combine this with the other significant finding that comes out of this year’s report.  When they looked at security awareness through the lens of a maturity model, what they found was a direct correlation between awareness program maturity and the average number of employees dedicated to awareness initiatives.  Did you know that the average percentage of time spent on awareness activities is dismally low for those tasked with awareness responsibilities?  60% of those tasked with security awareness spend less than 20% of their time on awareness!  Let’s take a moment to think about this in the context of the above statement about qualifications.  The vast majority of organizations are using technically-oriented people, who don’t really know anything about human dynamics, spending less than 20% of their time on awareness activities.  This is very much consistent with what I’ve seen over the course of my 30-year career.  Nearly every company I’ve ever worked with has one person who does awareness work, as a small part of a much larger job, making security awareness just one of several hats that they are wearing.  Worse yet, most of their other responsibilities are operationally oriented, so awareness gets relegated to “when I have time in-between emergencies and user requests”. 

So, with just these two findings on the table, what needs to change? Obviously, we need to start emphasizing the right skillsets for the job and hire cybersecurity professionals who have a broader range of experience that extends beyond technology – either that, or we need to bring in people who have more relevant skillsets and then teach/partner with them to make sure that the benefits of behavioral transformation can be felt across the organization. What we need is skill diversity. Over the years, I went from being a technically-oriented security engineer to being a cybersecurity manager and executive, to becoming more and more interested in understanding how people work – how people influence and are influenced by socio-cultural dynamics. This led to studying psychology, behaviorism, motivation, marketing, instructional design, and more. Right now, I’m finishing my master’s degree in Clinical Mental Health Counseling and next year I’ll be starting a Ph.D. in Integral and Transpersonal Psychology – the psychology of human transformation. I’m also trained as a behavioral technician in a mental health setting – all of which translates into a very specialized skillset that is highly transferable to security awareness and creating behavioral change at the level of organizational culture. This is just one example of how a more diverse skillset can benefit companies that are trying to realize the ROI and results of their security awareness investments.

The other thing we need to do is make sure that we are dedicating resources to security awareness initiatives. If nothing else, the person running your awareness program should be completely and totally dedicated to awareness! If they have other duties, especially operational duties, they are not going to have the time to do the work – and your awareness efforts will be reduced to the minimum (which won’t affect cultural change or the adoption of sound security practices). But this really isn’t going to be enough – especially for larger or more complex organizational entities. In fact, the SANS report suggests that to meet higher levels of program maturity for security awareness, a minimum of 2.5 dedicated resources are required – and to get to the point where you have a fully mature and measured program that includes strong metrics, 3.5 dedicated FTEs is where you need to be. Okay, I can feel the cringe on the other end of these words – we all know how hard it is to get security resources as it is… we really need 3.5 FTEs just for awareness? Well, let’s look at how we’re doing with what we’re doing. Let’s refer to this line from the 2021 Verizon Data Breach Report:

“the simulations and training offered by most security education teams do not mimic real life situations, do not parallel the behaviors that lead to breaches, and are not measured against real attacks the organization receives. This is why it is important to progress from the traditional security awareness model to that of using behavioral science to change the habits that lead to attack path breaking actions”. 

The way that we do this work – by having an unqualified part-time resource contracting out third-party modules, requiring annual training completion, sending out a monthly email, and running phishing campaigns – is completely missing the mark, and this is what most organizations are doing. Take a moment to breathe all of this in, because when we consider that people are the linchpin to absolutely every aspect of cybersecurity – from application development, to systems implementation, to data interaction and everything in-between (and beyond), it becomes very clear that it is foolish and foolhardy to relegate security awareness to a backburner issue that “we’ll get to eventually”.

I cannot stress this enough, cybersecurity REQUIRES a cultural shift if we’re ever going to make any progress in protecting our assets (and asses).  We can’t keep doing what we’ve been doing, or we’ll keep paying the price, again and again and again.  This is why I’ve shifted the focus of my career and my company to begin bringing a different dimension of consideration to how we solve this problem.  We really need to be looking at behavioral and organizational psychology, human and organizational transformation, individual and organizational engagement if we are going to create the kind of shift necessary.  Stay tuned for what we’re doing here at SecureITExperts and let’s see how it all shakes out. 
