In this episode of BIG Reports in 5 Minutes, Earl Duby summarizes the SANS 2024 Security Awareness Report. This report breaks down the Security Awareness Maturity Model and discusses effective strategies for building a resilient security culture within organizations.
Learn about the major benefits of regular security training, the common obstacles businesses face, and practical tips for overcoming these challenges.
Earl also discusses the benefits of outsourcing aspects of security training that can significantly enhance your company’s cybersecurity efforts. Tune in to transform your approach to security awareness and safeguard your organization against cyber threats.
Transcript:
(0:00) All right, welcome back. We are back for another episode of Big Reports in five minutes.(0:07) Hey Jackie, guess what? You know, one of my favorite topics is security awareness training(0:13) because I really believe that this is, you know, the easiest way for organizations to make a large (0:21) impact in their security posture and I also say it’s the biggest return on investment you can (0:26) have for security spend.
You can spend a little amount of money and make a big difference in your (0:32) security culture by doing security awareness training properly. So I found this report. (0:38) It’s called Embedding a Strong Security Culture and it’s by the Sands Institute.
You know who the (0:44) Sands Institute is? No? So the Sands Institute, it’s been around for several years. It was put (0:51) together by some guys from the military and different places like that, but basically it’s (0:57) it’s a very technical security organization and they put together some really good security awareness (1:07) materials. So this report here, it’s one of the less big big reports that we’ve done.
It’s about (1:13) 26 pages, but I’m still going to save people some time so they don’t have to read it. (1:17) Section one of this report has a really good security awareness maturity model (1:23) and one of the things I like about it is it’s not like, hey, maturity level one, maturity level two. (1:28) It’s like if you’re at the lowest level, it’s non-existent and if you’re in the middle, you’re (1:34) promoting awareness and behavior change and you can see from the graphic here that, you know, these (1:40) are done in like real people language and so I think, you know, most organizations can stay in (1:47) this promoting awareness and behavior change and make some pretty good impact on their organization.
(1:55) This report is, it’s really good in the sense that it shows these graphics and then there’s(2:00) really good explanations about it and then when you flip in here, there’s a pretty cool graphic (2:09) as you’ll see here that talks about like the top three concerns that organizations are trying to (2:16) address with their security awareness programs and I think this is pretty spot on here. So you got (2:22) social engineering, which includes phishing, vishing, which is a voice social engineering, (2:30) and then they have smishing, which is when you do social engineering through SMS messages. (2:37) But there’s a third component on here, which is detecting and reporting incidents.
(2:44) I think this is really critical because, you know, a lot of people when they put their security(2:48) awareness programs together and like the videos they put out there or whatever, they focus a lot (2:55) on phishing. So they do the phishing simulations and they do, you know, videos on how do you identify (3:01) a phish and they do a fair amount on passwords and why passwords are important. But this is now (3:09) talking about detecting and reporting incidents, which I think is really important if you’re not (3:14) already incorporating these types of videos or these types of trainings into your security awareness (3:20) training program.
You should really think about putting this in here because this is (3:25) kind of transitioning from what they call the human firewall, which is your employees (3:34) preventing things from happening. So not doing the phish, not, you know, doing the falling for (3:40) the social engineering, to creating the human sensor, which is your team becomes a part of your (3:48) endpoint detection and response system. So you’re actually creating a larger (3:55) net out there trying to find and react to bad things.
So that’s pretty cool that that’s in (4:02) there. There’s a lot of cool stuff in here. I’m running out of time here.
But, you know, (4:08) one thing to note here, when they talk about why companies aren’t doing security awareness training, (4:15) the two top reasons are lack of time and lack of staff. And this gets us to the point of what (4:22) Oxium does. So Oxium, you know, we’re an MSP, we manage lots of things for lots of people.
(4:29) But we can also manage security awareness training programs. And I think people need to start (4:35) thinking outside the box a little bit on security awareness training. And it goes beyond just, (4:40) you know, let’s, let’s do a phishing simulation once a year and put up a poster in our cafeteria, (4:46) you really need to focus on security awareness culture change.
So how do we change the culture (4:54) of your organization, or at least change the behaviors of the employees. And if you’re lacking (4:59) time and lacking staff, you should augment your staff with, you know, some service provider. And, (5:06) you know, we do it, there’s a lot of other companies that do it.
But I would really say, (5:10) you know, because of the ROI on security awareness training, you should really think about, (5:17) about that piece of it, which ties into another metric that was in here. And they were talking (5:24) about, you know, what’s the proper staffing level for a security awareness program. And (5:30) the medium level comes to about 1.8 employees.
And so, you know, if you’re lacking staff, (5:38) you probably can’t come up with 1.8 employees to help you run your security awareness program. So (5:43) that’s another reason to think about outsourcing that if you don’t have, you know, the capacity to (5:49) do it. And then one other thing I want to point out here is program blockers.
And so, you know, (5:58) it says here mid-level managers are the number one program blockers for security awareness. And, (6:04) you know, that’s a little disappointing, you know, because, you know, these are people that control (6:10) resources, they control functions, but yet they’re standing in the way of security awareness for (6:15) their team or for the organization. And I think we really have to look at that top down approach (6:22) again, saying, you know, the leader of this company has to say security awareness is important.
(6:28) We’re going to bring in the people to do it, and we got to let them do their job. So just keep(6:33) that in mind. If you’re a CEO of a company out there looking to raise the security awareness(6:39) culture in your company, you’re going to have to probably move some blockers out of the way, (6:44) bring the right resources in, and get much more robust in how you’re educating your workforce.
(6:53) Then one last thing I want to point out here is in this report, if you get the PDF version of it,(7:00) there’s an appendix A, which has a download button in it. And if you click that download(7:05) button, this really cool spreadsheet pops up, and it’s got all five maturity levels of a security(7:13) awareness program listed, but then it has all of these things that you can do to assess your(7:20) current maturity level, how do you get to the next maturity level, what metrics are important.(7:26) So it’s got a really good full course meal on how you do a security awareness program.
(7:33) So I would strongly suggest you pick this report up, take a look at it, and start thinking about (7:41) security awareness training as a high ROI tool for you from a security perspective, and how do you (7:49) bring that culture up in your organization. So pick it up, take a read. In the meantime, (7:56) you know, life is rough out there, lots of cybercrime, so stay safe out there.
Thanks.
