Time Constraints Hamper Security Awareness Programs

The increasingly complex threat landscape and the porous IT environment – driven by the shift to permanent remote/hybrid work and digital transformation – make the need for a security-aware workforce and healthy security culture more critical than ever. Enterprise defenders say that phishing and social-engineering attacks, ransomware, and business email compromise (BEC) are among their biggest day-to-day headaches.

Security awareness programs can help lessen them, but no one seems to have time to create them, according to the "SANS 2022 Security Awareness Report." The three top challenges for building a mature awareness program cited are lack of time for project management, limits on time available to train employees, and not having enough time to focus on security awareness because of staffing shortages. Lack of budget and lack of leadership support also made the list.

“People have become the primary attack vector for cyberattackers around the world,” says Lance Spitzner, SANS Security Awareness director and co-author of the SANS report. "Humans rather than technology represent the greatest risk to organizations, and the professionals who oversee security awareness programs are the key to effectively managing that risk."

Security awareness professionals lack relevant skills, the report shows. Security awareness responsibilities are very commonly assigned to staff with highly technical backgrounds who may lack the skills needed to effectively engage their workforce and communicate security risks in simple-to-understand terms, according to the report.

More than 69% of security awareness professionals are spending less than half their time on security awareness, the report also shows. That's because they have other security responsibilities. Enterprises should focus on having more professionals focused on security awareness rather than making it part of an already long to-do list. The report encourages documenting and contrasting how many people on the security team are focused on technology versus how many on the team are focused on human risk in order to create a case for a more dedicated team.

The report suggests that a successful security awareness program requires strong leadership support, a larger dedicated team, and a training schedule for employees that emphasizes frequency. Organizations should also communicate to, interact with, or train their workforces at least once a month. Keeping training simple and easy to follow is key toward an engaged workforce, the report says.

“Organizations can no longer justify an annual training to check the compliance box, and it remains critical for organizations to dedicate enough personnel, resources, and tools to manage their human risk effectively," said Spitzner.