Compliance focus, too much security expertise hurts awareness programs

Security awareness teams aren't getting the support they need to be successful

student books with apple for teacher

Security awareness teams aren't getting the support they need to be successful, according to the SANS Institute. But some unexpected factors can cause programs to fail as well, including a focus on compliance -- and too much security expertise on the team.

"Most organizations actually have a security awareness program," said Lance Spitzner, director of the Securing the Human Program at the SANS Institute, looking back at what the industry learned in 2016. "Yet we continue to have problems."

Take compliance, for example, he said.

A common problem of immature security awareness programs is that they come out of a compliance requirement.

"It was developed by auditors wanting to check a box," he said. "The program doesn't change behavior because it wasn't designed to change behavior."

That doesn't mean that compliance isn't important, he added.

"Don't get me wrong, it is important," he said. "But ultimately we want to change behavior and to change the culture."

This requires that the security awareness program be designed to help people change bad security habits, and to measure those changes.

It's no surprise that many security professionals don't believe that security awareness programs work -- they're not designed to.

This year, companies looking to move their security awareness programs from the compliance stage to where they actually improve security should start by identifying the human risks that make the biggest impact on the company, which behaviors affect those risks, and then measuring those behaviors.

"For example, phishing represents a high human risk," he said. "And it's a good metric, because most organizations care about it, and it's a great example of how effective awareness training can be."

When a company runs its first phishing awareness test, typically 30 to 60 percent of employees will fall victim, he said. After a year of training, that number can be lowered to less than 3 or 4 percent, he said.

Lance Spitzner, director of the Securing the Human Program at the SANS Institute

"And the ones who do click, will realize that they shouldn't have clicked on it, and they'll report it," he said. "So you're not only developing a human firewall, but also a human sensor."

Some security people say that someone will always click, so there's no point in these kinds of programs.

"This is designed to reduce risk, not eliminate it," he admitted. "But all technologies reduce risk -- they don't eliminate it. And it's a very effective control, and you see a very dramatic drop in incidents."

In fact, phishing assessments were the most common metric used by companies, according to a survey the institute conducted last year, followed by the number of security violations, and the number of infected devices.

A lot of knowledge is an even more dangerous thing

The other big stumbling block is that the people running security awareness programs know too much about security.

"It's not that people are stupid," said Spitzner. "The reason people are not being secure is because we, as a security community, are to blame. We don't reach out enough to them, or when we do reach out to them it's geeky, technical and overwhelming."

According to the survey, 79 percent of people leading security awareness programs have highly technical backgrounds.

"The more of an expert you are at something, the worse you are at communicating it," he said. "'Come on, do complex calculus! You guys are so stupid. It couldn't be easier. How could you not understand this?'"

To make things even worse, all this technical knowledge is often combined with a lack of communication skills.

"Yet when you think about it, security awareness is nothing more than effective communication," he said.

Organizations with successful security awareness programs typically solve this problem in a couple of different ways.

One is that they get someone from a communications department or marketing or public relations and embed them into the security team.

"This tends to be for the larger organizations," he said. "And the beauty of it is that the communications department has all the connections to push a message out."

The other approach is to take a security professional and train them in communications. It's important to pick someone who's good at social skills, he added.

"That's one of the first things I tell my students," he said. "If you don't like people, you're in the wrong class."

Copyright © 2017 IDG Communications, Inc.

Make your voice heard. Share your experience in CSO's Security Priorities Study.