People have become the primary attack vector for cyber attackers around the world. As the Verizon Data Breach Investigations Report 2022 indicates, it is humans rather than technology that now represent the greatest risk to organizations. According to the SANS 2022 Security Awareness Report, the top three security risks that security professionals are concerned about are phishing, business email compromise (BEC) and ransomware, all closely related to human behavior. Security awareness programs, and the professionals who manage them, are key to managing human risk.

An organization’s capacity to successfully identify, manage, and quantify its human risk can be used to gauge the maturity of these awareness initiatives. Organizations may utilize the Security Awareness Maturity Model created by SANS Institute to assess the maturity of their awareness initiatives.

The Security Awareness Maturity Model enables organizations to identify and benchmark the current maturity level of their security awareness program and determine a path to improvement.

According to the same SANS survey, the best-developed security awareness programs are those with the most personnel dedicated to administering and supporting them. These larger teams are more effective at collaborating with the security team to identify, track, and prioritize their most significant human risks, as well as at engaging, motivating, and training their staff to manage those risks. Demonstrating that awareness programs are no longer merely annual training to check the compliance box, but are crucial for firms to effectively manage human risk, is the key to garnering leadership support.

Building effective and mature security awareness programs and sharing best practices were the goals of the SANS 2022 Security Awareness Summit, which took place on August 3-4, 2022. The summit was a hybrid one and I had the honor to follow the proceedings from the comfort of my home in Greece. Here’s what I