Embedding a strong security culture
SANS 2024 security awareness report
This year’s SANS Security Awareness report has now been released and has some key findings that we thought valuable to share.
The SANS Institute helps organisations mitigate cyber risk by empowering cyber security practitioners and teams with training, certifications, and degrees needed to safeguard organisations and advance careers. This edition of the Security Awareness Report, their ninth edition, features the participation of over 1,000 security awareness practitioners from over 70 countries spanning the globe. Participants from North America, Europe, Asia, Africa, Australia, and South America shared their unique perspectives.
The theme of ‘Embedding a strong security culture’ resonates well with the work we have been doing in New Zealand.
A key finding of the survey is that organisations effectively changing their workforce's behaviour had a team of at least 1.8 full-time employees (FTEs) dedicated to awareness. Going beyond behaviour change to embed a strong security culture, supported by a strategic metrics framework, required almost double this number.
Another key learning Mindshift took from this report was the top three challenges organisations faced when building and managing an effective security awareness programme.
These were:
lack of time,
lack of dedicated staff,
and lack of budget.
Among the organisations surveyed, securing dedicated staff and resourcing them with adequate time and budget has been shown to build trust and partnerships across the organisation.
At Mindshift we are exposed to many different types of organisations, and the number one barrier of 'lack of time' is no surprise at all. Regardless of organisation size or make-up, we find a direct connection between the time dedicated to an awareness programme and the effectiveness of the programme being implemented.
One of this year's survey objectives was to better understand the top supporters and blockers of effective awareness programmes. Again, it is no surprise that the main supporters are IT and information security departments. The most common departmental blockers are finance and operations teams; however, a key finding this year is a new entry in the top three blocking roles: the mid-level manager.
Mindshift sees this as a big learning from this year's report: focus on this group of key people, and help them understand why they should care about cyber security, how it benefits their team, and how to build a culture of security within their team.