It’s this time of the year again, time to look back to move forward. So, Cornelia, Fabio and I sat down and tackled these questions: How has the IT security domain been dealing with human risk? How is security awareness evolving as a discipline? What have we, as a team, accomplished so far? And most importantly, where do we want to go?

At first, the outcome was sobering:
- Everybody is talking about the human factor being the primary attack vector or the biggest risk, but investing accordingly in educating users? We don’t see that happening very often.
- User shaming, boring content, frustrated CISOs and end users are still widespread phenomena.
- Broadly speaking, it’s usually (Chief) Information Security Officers, technical Info-Sec experts with no time and little communications expertise[1], who should engage and educate users. Not ideal, as educating and moving people to change their behaviour is a full-time job, which needs an arsenal of all sorts of communications skills.
In a nutshell: There is a lack of resources and expertise among the people who have to deal with the human factor in IT security.
But taking a closer look at our communities, there has been some very encouraging development over the past few years:
- More and more organisations hire full-time Security Awareness Officers[2] with a skill set fit for educating users. Great!
- The 5th SWITCH Security Awareness Day was packed – more than 100 participants (69 on site, 44 online) joined us for a full day on the topic. A record!
- Our SWITCH Security Awareness Adventures were in huge demand this year. Awesome!
- We were invited to talk at various conferences: dealing with the human factor is no longer a niche topic. Finally!
We are on the right track. But looking forward: how can we support our communities even better? How can we provide you with more resources and the necessary expertise?
Here is our new year’s resolution:
- We will offer a hands-on Security Awareness Training on how to address the human factor more effectively.
- We will provide a starter list or guideline for everyone who needs to start addressing the human factor but doesn’t know where to begin.
- We will support organisations by developing an action plan (roadmap, measures, budget).
- We will offer our expertise on demand.
But of course, we cannot lift that burden entirely from you. So, here’s our recommendation for your new year’s resolution:
- Hire or find a person in your organisation with time and an adequate skill set to deal with the human factor.
- Connect with your communications and/or eLearning team to benefit from their expertise and tools.
You need help fulfilling those resolutions? Let us know, we’re here for you.
To sum it up: dealing with the human factor isn’t a 10 % side-gig and requires more than just technical skills.
Having said that, we are looking forward to boosting Security Awareness in 2023 with you!
[1] The SANS Security Awareness Report shows that they dedicate less than 30% to the topic and are usually only equipped with a technical IT background.
[2] Over the past years, the results of the SANS Security Awareness Report show that the number of full-time Security Awareness Officers is constantly rising.