Like most security professionals, there are a few industry reports that I really look forward to reading each year. Pretty high on that list is the SANS Security Awareness report. SANS' ability to produce a high-quality, vendor-neutral analysis of the current ‘state of the union’ for security awareness professionals is a great public service.
The 2021 report tabulated survey results from over 1,500 qualified security awareness professionals across 91 countries. If you’ve read any of the previous years’ reports, you’ll undoubtedly recognize some general themes. In particular, the vast majority of respondents had a technical background rather than a communications (or other non-technical) background. Specifically, SANS found that, “[f]ewer than 20% of this year’s respondents have a non-technical background such as communications, marketing, legal, or human resources.”
Additionally, it seems that many organizations still undervalue the discipline of security awareness. For instance, “[s]alaries trended higher for those who were involved in security awareness during only a portion of their work time ($106,000) versus those who were dedicated to security awareness full-time ($96,000).” And, “[o]ver 80% of security awareness professionals reported that they spend half or less of their time on awareness, indicating far too often that security awareness is a part-time effort.” This is an interesting – yet unfortunate – truth to see, especially when it is evident that there is a direct link between the maturity of an awareness program and the amount of intentional effort that organizations put into developing and adequately staffing the program. This is seen by looking at the average number of FTEs by level of maturity. Unsurprisingly, organizations that have less mature programs have fewer FTEs dedicated to awareness.
Here are a few other key takeaways:
- Understand that security awareness is not about technology… it’s about behavior, communication, and winning hearts and minds. Most techies aren’t the best communicators. So, if your firewall admin is also your security awareness leader, then you are probably doing it wrong. Focus on finding and developing the right people and skill sets. Find people who have a passion for people. Find people who can help you develop (or select/procure) messaging, learning modules, events, and other program elements that best resonate with your audience.
- Don’t allow “lack of time” (another finding from the report) to be a reason for not doing awareness well. Here’s how to think about it: if you don’t have enough time to prepare your last line of defense, then how will you ‘find the time’ to recover from a breach? The time will have to come from somewhere no matter what. And I’d rather invest the small(er) amount of time up front preparing my people. Responding to and recovering from a breach is no fun… and the impacts linger in the form of financial and reputational damage.
- The report clearly shows that leaders respond to the idea that security awareness can breed behavior change. Adopt behavior change as the main business value for the program. Focus on a program that is designed to create real behavior change; that means a combination of awareness content and frequent simulated social engineering testing.
Let’s end with some good news! SANS found that, “[o]ver the past four years respondents report that program maturity is increasing. Those stating that their security awareness program is immature – defined as a Nonexistent or Compliance-Focused programs – have decreased by approximately 4%. Concurrently, there’s been a consistent year-over-year increase in respondents identifying their program to be at a level of increasing maturity – defined as Long-Term Sustainment & Culture Change (from 9.8% to 15.71%) or Metrics Framework (.08% to 7.26%).” Our industry is seeing progress. I love seeing the increased focus on culture change and metrics. That’s fantastic news… and the focus will surely pay off for the organizations that are taking the journey.