A few months ago, CSO ran a point/counter point series about the value of security awareness training. The articles got a lot of comments online and had many of our readers discussing the issue.
In the discussion, our first contributor, Dave Aitel of Immunity Inc., argued money spent on security awareness training is money wasted. Ira Winkler then offered his counter-point perspective and said awareness was, in his opinion, the most cost-effective measure a company can invest in for their security.
Regardless of what your opinion is on the effectiveness of security awareness training, a new report out this week finds companies struggle with finding the money to fund awareness programs, and often can’t even get employees to take security seriously.
Winkler, along with Samantha Manke from Internet Security Advisors Group (ISAG), co-authored the report and released it in partnership with Wombat Security Technologies. Entitled "Habits of Highly Successful Security Awareness Programs: A Cross-Company Comparison," the report claims:
- 48% of survey respondents reported difficulty in receiving funds for their training programs
- 44% of respondents reported that they had difficulty encouraging employees to take security seriously
- 65% reported that they created most of their own training materials. (The press release adds “despite the fact that many practitioners are not familiar with education or learning science principles that can enhance the effectiveness of programs.”)
You can read the full report here with registration. The folks who sent me the information also note the report includes profiles of companies that are using new approaches to security awareness training to achieve better results. The white paper includes topics such as how to obtain C-level support and budget for training programs, and how to use metrics to demonstrate positive results.
I’m curious to hear what you’re experiencing in your organization. Do you have a security awareness education or training program in place? What kind of resources, funding or support do you receive from both employees and management to make it effective?