Providing users with Security Awareness Training is a critical part of a security strategy. According to the latest data from SANS, more organizations are using awareness training in 2019.
Every year SANS puts out their annual Security Awareness report. This year’s report, entitled the 2019 Security Awareness Report: The Rising Era of Awareness Training, highlights both SANS’ Security Awareness Maturity Model, as well as where organizations fit within the model.
The maturity model is broken out into 5 stages:
- Non-Existent: No awareness program of any capacity exists.
- Compliance Focused: A program exists primarily to meet specific compliance or audit requirements with infrequent annual or ad-hoc training.
- Promoting Awareness & Behavior Change: The program uses continual training throughout the year, with content encouraging behavior change at work and at home.
- Long-Term Sustainment & Culture Change: The program has the processes, resources, and leadership support in place for a long-term lifecycle and establishing awareness as part of the organization’s culture.
- Robust Metrics Framework: The program has an ability to track progress and measure impact using specific metrics for continual improvement.
According to the report, the majority of organizations sit in the Promoting Awareness & Behavior Change stage, where a culture of security has not yet been established, but users are being continually educated on both the need for security-mindedness and specific attack methods and tactics used – all in an effort to elevate the user’s ability to play a part in stopping a cyberattack.
A slow-but-steady shift towards more mature stages of the maturity model is evident when comparing the last 3 years of data. According to the report, the bottom two stages have reduced by 2-6% over the last three years, with the top two stages increasing by about 5% each. This demonstrates a growth in interest by organizations towards adopting and supporting continual security awareness training, and more mature implementations of security awareness programs.