SANS Managing Human Risk 2023 Report: Key Insights for Cybersecurity Training and Awareness
The 8th annual SANS Security Awareness Report has been released, offering essential insights for professionals involved in managing human cyber risk through cybersecurity training and awareness.
The report, based on a survey of nearly 2,000 security awareness professionals from over 80 countries, sheds light on the factors that most influence the maturity of awareness programs and on the top human risks organizations face.
1) Leadership support and team size remain vital
As in previous years, the report identifies two variables that correlate strongly with mature awareness programs: leadership support and the size of the security awareness team.
Organizations that demonstrated effective behaviour change typically had a team of at least three full-time equivalents (FTEs) dedicated to security awareness.
It would be worth exploring how awareness team size scales with total organization headcount, especially for the smaller organizations typical of countries like New Zealand.
2) Emerging career opportunities in security awareness
Interestingly, the report highlights security awareness as an emerging career globally. Mindshift notes that the number of security awareness roles advertised in NZ rose during 2023, indicating growing demand for skilled professionals in this field.
3) Compensation and pay rates analysis
The report includes a comprehensive analysis of compensation and pay rates by location and industry. However, the comparison of job titles against pay rates would benefit from a more nuanced examination of actual role descriptions, since the same title can cover very different responsibilities. Regional variations in cost of living and average pay also need to be considered when interpreting these findings.
4) Top Human Risks
As expected, phishing, vishing, and smishing remain at the top of the list of human risks faced by organizations. Passwords and authentication follow closely as the second most prevalent risk.
Interestingly, detection and reporting ranked third, highlighting the importance of fostering a highly trusted security culture to encourage staff to report issues and concerns promptly.
IT admin misconfiguration ranks fourth among human risks, particularly in cloud environments. The complexity of cloud platforms makes mistakes easy, and a single misconfiguration can accidentally expose highly sensitive data. As a result, there is significant demand for specialized training for IT admins and developers on secure cloud management and usage.
5) Reporting structure
A notable finding from the report is that the majority of respondents reported to the cybersecurity, IT, operations, or risk management team. This pattern likely holds true for organizations in New Zealand as well.
6) Leadership Support as a Key Driver of Maturity
Reinforcing previous years' findings, the report emphasizes that the most mature awareness programs consistently have the strongest leadership support. This highlights the pivotal role of leadership in championing and driving the success of cybersecurity training and awareness initiatives.
Conclusion
The SANS Managing Human Risk 2023 Report offers a wealth of valuable insights for cybersecurity professionals interested in training and awareness. From the significance of leadership support and team size to the identification of top human risks, this report provides essential guidance for organizations seeking to enhance their security posture. To access the complete report, visit the SANS Security Awareness site.