Lack of time and staff rather than budget are the most common factors holding back security awareness programmes in companies, a recent SANS report highlighted.
The SANS Security Awareness Report also noted that nearly 60 percent of the professionals surveyed say they are not even aware of the budget allocated to security awareness in their companies.
These are some of the key findings of the 2019 Security Awareness Report, the fifth edition of a report produced annually by SANS Security Awareness, a division of SANS Institute and a world leader in security training.
The study presented today compares current data with that of previous years and analyses the main problems faced by security awareness professionals in companies: lack of resources and managerial support, and ambiguity in their positions and responsibilities.
“I’m absolutely thrilled about the release of the 2019 Security Awareness report,” says SANS Security Awareness Director, Lance Spitzner. “Every year we are able to gain a better understanding of the most common challenges awareness professionals face and how to best address them and after five years, we are beginning to identify key trends.”
The SANS survey was conducted in collaboration with researchers from The Kogod Cybersecurity Governance Center (KCGC), an initiative of American University’s Kogod School of Business (KSB).
The study revealed that lack of time and staffing were among the top reported roadblocks facing awareness professionals.
More than 75 percent of surveyed professionals work part-time, which means that less than half of their time is spent on security awareness, it said.
SANS also found that industry peer pressure has a distinctive role in determining whether leadership treats security awareness training as a top priority. The report showed that 69 percent of organisations whose managers believe that the market is investing significantly in this area consider security awareness training to be a top priority.
In addition, the study revealed the growing need to create more concrete job roles and expectations within the security awareness training realm – less than 10 percent of the respondents reported that their job titles even included the words ‘awareness’ or ‘training’, and about 60 percent were not even aware of the budget allocated to security awareness programmes in their companies.
The SANS report used the SANS Security Awareness Maturity Model as a guide to identify the level of impact of an organisation’s programme and how to measure human risk and change end-user behaviour. The model, which has been revamped in this year’s report, lets organisations easily identify where their security awareness programme currently stands and where a qualified leader can take it, and it outlines the path to get them to where they want to be.