Dubai, UAE – The most common factors holding back security awareness programmes in companies are the lack of time and staff rather than budget, although nearly 60% of the professionals surveyed say they are not even aware of the budget allocated to security awareness in their companies. These are some of the key findings of the 2019 Security Awareness Report, the fifth edition of a report produced annually by SANS Security Awareness, a division of SANS Institute and a world leader in security training.

The study presented today compares current data with that of previous years and analyses the main problems faced by security awareness professionals in companies: lack of resources and managerial support, and ambiguity in their positions and responsibilities.

The intention of the SANS Security Awareness Report is to provide security awareness professionals with a roadmap to make data-driven decisions on how to improve their security awareness programs. It also provides professionals with the ability to benchmark their programs against their industry peers. Essentially, it works to more definitively answer the question of what ingredients go into making a security awareness program successful. This year, data was analysed from nearly 1600 respondents providing even greater insight into how to benchmark and mature a security awareness programme. 

“I’m absolutely thrilled about the release of the 2019 Security Awareness report,” says SANS Security Awareness Director, Lance Spitzner. “Every year we are able to gain a better understanding of the most common challenges awareness professionals face and how to best address them and after five years, we are beginning to identify key trends.”

Working with researchers from The Kogod Cybersecurity Governance Center (KCGC), an initiative of American University's Kogod School of Business (KSB), the survey data was examined in detail to provide information on:

  • Common challenges holding back programme maturity - lack of time and staffing were among the top reported roadblocks facing awareness professionals. More than 75% of these professionals work part-time, which means that they spend less than half of their time on security awareness.
  • Getting the support of management and programme buy-in is key – industry peer pressure was found to have a distinctive role in determining whether leadership treats security awareness training as a top priority. In fact, 69% of organisations whose managers believe that the market is investing significantly in this area consider security awareness training to be a top priority.
  • The growing need to create more concrete job roles and expectations within the security awareness training realm - less than 10% of the respondents reported their job titles even included the words 'awareness' or 'training' in them, and about 60% were not even aware of the budget allocated to security awareness in their companies.

This report highlights these growing concerns and challenges for security awareness. It also uses the SANS Security Awareness Maturity Model as a guide to identify the level of impact of an organization's program and how to measure human risk and change end-user behavior. This model, which has been revamped in this year’s report, lets organizations easily identify where their security awareness program currently stands and where a qualified leader can take it, and it outlines the path to get them to where they want to be.

About SANS Security Awareness

SANS Security Awareness, a division of the SANS Institute, provides organizations with a complete and comprehensive security awareness solution, enabling them to easily and effectively manage their ‘human’ cyber security risk. SANS Security Awareness has worked with over 1,300 organizations and trained over 6.5 million people around the world. Security awareness training content is translated into over 30 languages and built by a global network of the world’s most knowledgeable cyber security experts. SANS Security Awareness content and training is world-class and available to a global audience. The SANS Security Awareness program includes everything security awareness officers need to simply and effectively build a best-in-class security awareness program. For more information about training programs, please visit: https://www.sans.org/security-awareness-training/products 

About SANS Institute

The SANS Institute was established in 1989 as a cooperative research and education organization. SANS is the most trusted and, by far, the largest provider of cyber security training and certification to professionals at governments and commercial institutions world-wide. Renowned SANS instructors teach over 60 different courses at more than 200 live cyber security training events as well as online. GIAC, an affiliate of the SANS Institute, validates a practitioner’s qualifications via over 30 hands-on, technical certifications in cyber security. The SANS Technology Institute, a regionally accredited independent subsidiary, offers master's degrees in cyber security. SANS offers a myriad of free resources to the InfoSec community including consensus projects, research reports, and newsletters; it also operates the Internet's early warning system--the Internet Storm Center. At the heart of SANS are the many security practitioners, representing varied global organizations from corporations to universities, working together to help the entire information security community. (https://www.sans.org)

For more information, please contact sleatherbarrow@sans.org 

© Press Release 2019
