It’s that time of the year again: time to look back in order to move forward. So, Cornelia, Fabio and I sat down and tackled these questions: How has the IT security domain been dealing with human risk? How is security awareness evolving as a discipline? What have we, as a team, accomplished so far? And most importantly, where do we want to go?
At first, the outcome was sobering:
- Everybody is talking about the human factor being the primary attack vector or the biggest risk, but investing accordingly in educating users? We don’t see that happening very often.
- User shaming, boring content, frustrated CISOs and end users are still widespread phenomena.
- Broadly speaking, it’s usually (Chief) Information Security Officers, technical Info-Sec experts with no time and little communications expertise, who are expected to engage and educate users. Not ideal, as educating and moving people to change their behaviour is a full-time job, which needs an arsenal of all sorts of communications skills.
In a nutshell: There is a lack of resources and expertise among the people who have to deal with the human factor in IT security.
But taking a closer look at our communities, there has been some very encouraging development over the past few years:
- More and more organisations hire full-time Security Awareness Officers with a skill set fit for educating users. Great!
- The 5th SWITCH Security Awareness Day was packed – more than 100 participants (69 on site, 44 online) joined us for a full day on the topic. A record!
- Our SWITCH Security Awareness Adventures were in huge demand this year. Awesome!
- We were invited to talk at various conferences: dealing with the human factor is no longer a niche topic. Finally!
We are on the right track. But looking forward: how can we support our communities even better? How can we provide you with more resources and the necessary expertise?
Here is our new year’s resolution:
- We will offer a hands-on Security Awareness Training on how to address the human factor more effectively.
- We will provide a starter list or guideline for everyone who needs to start addressing the human factor but doesn’t know where to begin.
- We will support organisations by developing an action plan (roadmap, measures, budget).
- We will offer our expertise on demand.
But of course, we cannot lift that burden entirely from you. So, here’s our recommendation for your new year’s resolution:
- Hire or find a person in your organisation with time and an adequate skill set to deal with the human factor.
- Connect with your communications and/or eLearning team to benefit from their expertise and tools.
You need help fulfilling those resolutions? Let us know, we’re here for you.
To sum it up: dealing with the human factor isn’t a 10 % side-gig and requires more than just technical skills.
Having said that, we are looking forward to boosting Security Awareness in 2023 with you!
The SANS Security Awareness Report shows that they dedicate less than 30% to the topic and are usually only equipped with a technical IT background.
Over the past years, the results of the SANS Security Awareness Report show that the number of full-time Security Awareness Officers is constantly rising.