More soft skills are needed for leading today’s security awareness programmes, according to the SANS Institute.
Ahead of SANS Secure Europe 2015, an annual InfoSec training event, the director of the SANS Institute, Lance Spitzner, says that security awareness programmes are still in their infancy and many focus too heavily on the technical aspects, lacking the soft skills needed to ensure successful implementation.
“In many cases, the wrong people are leading security awareness programmes or lack the training they need to be successful,” says Spitzner. “The majority are from highly technical backgrounds and lack skills such as communication and an understanding of human behaviour.”
According to the SANS survey, more than 75% of the awareness programmes surveyed are run by people with highly technical backgrounds, such as IT administration or security analysis, who have little experience in softer skills such as communications, change management, learning theory or human behaviour.
“There is a role for IT and for other stakeholders such as auditors but they should contribute to the definition of sensible policies,” said Spitzner. “Organisations need to invest in and train their security awareness officers on the softer skills required for any security awareness program, or provide them access to the people who can deliver those diverse skills.”
The survey conducted by the SANS Institute found that half of all respondents had either no awareness programme at all or a programme that was immature.
“We found that half of the organisations surveyed currently do not have an awareness program or have an immature program that is solely focused on compliance,” explained Spitzner. “Only 5% of respondents felt that they had a highly mature awareness program that not only was actively changing behaviour and culture, but also had the metrics to prove it.”
The report found the top two challenges facing security awareness officers are employee engagement and lack of support from senior management.
“They need to understand that their organisation cannot effectively mitigate risk if security is treated only as a technical issue; the human issue must be addressed also,” says Spitzner.
The report makes several recommendations, including that any organisation with over 10,000 employees should have at least one person dedicated to running the security awareness programme.
“Giving the person in charge of security awareness multiple responsibilities destroys his or her ability to focus and the consequences speak for themselves,” says Spitzner, pointing to “human error” as one of the root causes of breaches identified by the Data Breach Investigations Report (DBIR).