2021 Security Awareness Report: Managing Human Cyber Risk

EXECUTIVE SUMMARY

Security awareness programs have evolved from having a limited compliance focus to becoming a key part of an organization’s ability to manage its human cyber risk. The SANS 2021 Security Awareness ReportTM analyzes the data of over 1,500 security awareness professionals from around the world to identify and benchmark how organizations are managing its human risk. The goal of this report is to offer analysis and insights as to what makes great programs successful, as well as to provide actionable data to improve your own program. Key findings from this year’s report are listed below.

1. Time, not budget, continues to be the top challenge awareness programs face.

According to the data, over 75% of security awareness professionals spend less than half their time on security awareness, implying awareness is too often less than a full-fledged effort.

Organizations reporting program success by changing user behavior had on average 2.5 full-time-equivalent (FTE) employees dedicated to awareness.

Organizations reporting success going beyond behavior change and impacting culture report that they have at least 3 FTEs dedicated to security awareness. To effectively manage human risk, leaders must make long-term, strategic investments in people, just as they would for other security efforts like Vulnerability Management, Incident Response or Security Operations Centers. People, not budget, are key to managing human risk.

2. Majority of program leads are technical in nature, lacking soft skills, such as communications and marketing, continues to limit organizations’ ability to effectively engage their workforce.

The data show that security awareness responsibilities are very commonly assigned to staff with highly technical backgrounds who may lack the skills needed to effectively engage their workforce in simple-to-understand terms.

3. Strategic alignment is important.

Awareness programs manage human risk; as such, security awareness should be an extension of the security team, as opposed to being a part of and reporting to legal, audit or human resources.

A new recommendation added this year is that most organizations’ security awareness teams should report to and be the responsibility of the security team, reporting directly to the CISO if possible.

To make the most use of this report, you can read it through in its entirety or skip to the sections that are most valuable to you. We have strived to provide not only the data and what the data mean, but also actionable steps you can take to better manage your human risk. In addition, we have added a new section on how security awareness professionals can grow and develop their career, including detailed salary information (a first for our field) and a career development path.