How Mature is Your Security Awareness?

SANS_Maturity_Model Here at KnowBe4, we believe the greatest defense against security threats is an organization with a strong security culture – one that elevates an employee’s awareness around threats, risks, methods of attack, and appropriate responses.

But not every organization’s security awareness program is at the same level of maturity. Many struggle getting buy-in from the executive team to get a program off the ground, while others rely heavily on technology to do the work of securing the environment. And some have security awareness down to a science, being able to measure their progress and the impact of their program.

So, how do you measure the maturity of your program?

The SANS Institute recently released their annual SANS Security Awareness Report which provides insight into the current state of security awareness, as well as detailing action items to help move you program forward.

Using this report, your security awareness program falls in to one of five maturity stages:

Nonexistent – Somewhat self-explanatory, this group of organizations have no policies, procedures, or process in place resulting in employees having no concept of the threat.
Compliance-Focused – This group has policies in place that are designed to help meet compliance objectives. Employees have limited training and are unsure about standard policy.
Promoting Awareness & Behavior Change – Annual training and continual reinforcement occurs with this group. Awareness of threats exists and changes in employee behavior to actively recognize, prevent, and report incidents occur.
Long-Term Sustainment & Culture Change – This group has achieved having a continuous training program and good cybersecurity behavior embedded within the corporate culture.
Metrics Framework – Organizations at this level have metrics in place to demonstrate a programs progress, improvement, and impact.

In general, the report found that the majority of organizations (53%) consider themselves in stage 3, with only 13% in stage 4 and slightly less than 5% in stage 5.

With the goal being to reach stage 5, SANS recommends you ask yourself a number of questions:

What stage do you want to reach in the next 1-3 years?
What changes will need to be made to achieve that level?

I’d pose a few additional questions:

Do you have buy-in from leadership? Budget? Time?
Do you have a plan on how you will effectively create, grow, and sustain a culture of security awareness?

The key is found in continually engaging your employees through new-school security awareness training and testing, you can reinforce the need for a security-aware mindset while working.

I strongly suggest you get a quote for your organization and find out how affordable this is. You simply have got to start training and phishing your users ASAP. If you don't, the bad guys will, because your filters never catch all of it. Get a quote now and you will be pleasantly surprised.