Compliance focus and too much expertise hurts security awareness programmes

30 January 2017

Security awareness teams are not getting the support they need to be successful, according to the SANS Institute. But some unexpected factors can cause programmes to fail as well, including a focus on compliance — and too much security expertise on the team.

“Most organisations actually have a security awareness programme,” said Lance Spitzner, director of the Securing the Human Program at the SANS Institute, looking back at what the industry learned in 2016. “Yet we continue to have problems.”

Take compliance, for example, he said.

Immature programmes
A common problem of immature security awareness programmes is that they come out of a compliance requirement.

“It was developed by auditors wanting to check a box,” he said. “The programme doesn’t change behaviour because it wasn’t designed to change behaviour.”

That doesn’t mean that compliance isn’t important, he added.

“Don’t get me wrong, it is important,” he said. “But ultimately we want to change behaviour and to change the culture.”

This requires that the security awareness programme be designed to help people change bad security habits, and to measure whether those habits actually change.

Designed to work
It is no surprise that many security professionals do not believe that security awareness programmes work — they are not designed to.

This year, companies looking to move their security awareness programmes from the compliance stage to where they actually improve security should start by identifying the human risks that have the biggest impact on the company, then the behaviours that drive those risks, and then measuring those behaviours.

“For example, phishing represents a high human risk,” he said. “And it’s a good metric, because most organisations care about it, and it’s a great example of how effective awareness training can be.”

When a company runs its first phishing awareness test, typically 30 to 60% of employees fall victim, he said. After a year of training, that number can be brought below 3 or 4%.

Human firewalls

“And the ones who do click, will realise that they shouldn’t have clicked on it, and they’ll report it,” he said. “So you’re not only developing a human firewall, but also a human sensor.”

Some security people say that someone will always click, so there’s no point in these kinds of programmes.

“This is designed to reduce risk, not eliminate it,” he admitted. “But all technologies reduce risk — they don’t eliminate it. And it’s a very effective control, and you see a very dramatic drop in incidents.”

In fact, phishing assessments were the most common metric used by companies, according to a survey the institute conducted last year, followed by the number of security violations, and the number of infected devices.
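The two behaviours the article singles out, people not clicking (the "human firewall") and people reporting what they see (the "human sensor"), are easy to measure from the results of a simulated phishing campaign. The example below is added here and is not the article's or the SANS Institute's own code; the campaign data is constructed, and the 4% target and the 40-recipient campaigns are assumptions chosen to match the figures quoted above. It computes click rate, report rate and the number of people who clicked and then reported, and the relative drop in click rate between two campaigns.

```python
"""Phishing-assessment metrics for a security awareness programme.

Added example, not from the article or from SANS. Operates on a
constructed event log: one record per recipient of a simulated phish,
recording whether they clicked and whether they reported the message.
"""
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Recipient:
    user: str
    clicked: bool
    reported: bool


@dataclass(frozen=True)
class CampaignMetrics:
    sent: int
    click_rate: float            # "human firewall": fraction who clicked
    report_rate: float           # "human sensor": fraction who reported
    clicked_then_reported: int   # clicked, realised it, and still reported


def campaign_metrics(recipients: Iterable[Recipient]) -> CampaignMetrics:
    """Summarise one campaign. Raises on an empty campaign rather than
    reporting a misleading 0% click rate."""
    records = list(recipients)
    if not records:
        raise ValueError("campaign has no recipients")
    sent = len(records)
    clicked = sum(1 for r in records if r.clicked)
    reported = sum(1 for r in records if r.reported)
    both = sum(1 for r in records if r.clicked and r.reported)
    return CampaignMetrics(sent, clicked / sent, reported / sent, both)


def relative_reduction(before: CampaignMetrics, after: CampaignMetrics) -> float:
    """Fraction by which the click rate fell between two campaigns."""
    if before.click_rate == 0:
        raise ValueError("baseline click rate is zero; no reduction to measure")
    return (before.click_rate - after.click_rate) / before.click_rate


def meets_target(metrics: CampaignMetrics, max_click_rate: float = 0.04) -> bool:
    """Assumed programme target: click rate at or below 4%."""
    return metrics.click_rate <= max_click_rate


# Constructed sample data (not real campaign results).
# First campaign: 40 recipients, 18 click (45%), 4 report, 1 of whom clicked first.
FIRST_CAMPAIGN = (
    [Recipient(f"user{i:02d}", clicked=True, reported=False) for i in range(17)]
    + [Recipient("user17", clicked=True, reported=True)]
    + [Recipient(f"user{i:02d}", clicked=False, reported=True) for i in range(18, 21)]
    + [Recipient(f"user{i:02d}", clicked=False, reported=False) for i in range(21, 40)]
)

# After a year: 40 recipients, 1 clicks (2.5%) and reports it, 13 more report.
AFTER_A_YEAR = (
    [Recipient("user00", clicked=True, reported=True)]
    + [Recipient(f"user{i:02d}", clicked=False, reported=True) for i in range(1, 14)]
    + [Recipient(f"user{i:02d}", clicked=False, reported=False) for i in range(14, 40)]
)


if __name__ == "__main__":
    before = campaign_metrics(FIRST_CAMPAIGN)
    after = campaign_metrics(AFTER_A_YEAR)
    for label, m in (("first campaign", before), ("after a year", after)):
        print(f"{label}: sent={m.sent} click={m.click_rate:.1%} "
              f"report={m.report_rate:.1%} clicked_then_reported={m.clicked_then_reported} "
              f"target_met={meets_target(m)}")
    print(f"click rate reduced by {relative_reduction(before, after):.1%}")
```

Report rate is worth tracking alongside click rate: a campaign where nobody clicks but nobody reports either says nothing about whether the organisation would notice a real phish.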

A lot of knowledge
The other big stumbling block is that the people running security awareness programmes know too much about security.

“It’s not that people are stupid,” said Spitzner. “The reason people are not being secure is because we, as a security community, are to blame. We don’t reach out enough to them, or when we do reach out to them it’s geeky, technical and overwhelming.”

According to the survey, 79% of people leading security awareness programmes have highly technical backgrounds.

“The more of an expert you are at something, the worse you are at communicating it,” he said. “‘Come on, do complex calculus! You guys are so stupid. It couldn’t be easier. How could you not understand this?'”

To make things even worse, all this technical knowledge is often combined with a lack of communication skills.

“Yet when you think about it, security awareness is nothing more than effective communication,” he said.

Different methods
Organisations with successful security awareness programmes typically solve this problem in a couple of different ways.

One is that they get someone from a communications department or marketing or public relations and embed them into the security team.

“This tends to be for the larger organisations,” he said. “And the beauty of it is that the communications department has all the connections to push a message out.”

The other approach is to take a security professional and train them in communications. It is important to pick someone who has good social skills, he added.

“That’s one of the first things I tell my students,” he said. “If you don’t like people, you’re in the wrong class.”


IDG News Service
