Innovations in Security Awareness & Training
Security awareness and training programs aim to address the human element in cybersecurity, making them a must-have for any organization as the threat of social engineering attacks persists. How are leaders innovating to improve training so that more employees think and act securely?
One minute insights:
- Just over one-quarter say their organization has a security awareness officer primarily responsible for the training program
- The majority of respondents say employees are required to complete security training on at least a quarterly basis, but ongoing training is relatively uncommon
- Most respondents deliver security awareness and training via a purchased solution
- About one-third say their security awareness and training content is held back by accessibility restrictions, a lack of relevance or excessive technical complexity
- Over three-quarters of surveyed leaders expect to see their security awareness and training budget increase in the next year
Responsibility for awareness and training programs typically rests with security, but in some organizations it is owned by the security awareness officer
More than half (59%) of respondents say their organization’s security awareness and training is owned by the security function, with 26% indicating their organization has a security awareness officer for this purpose.
While most leaders report that staff from security (62%) and IT (59%) teams are involved in building and operating their security awareness and training program, the inclusion of training managers (31%), a cross-functional team (25%) or HR staff (23%) in these efforts is not uncommon.
Question: Do you have any final thoughts to share on security awareness and training?
There is a fine line to walk with security training metrics and individual integrity. We spent a lot of time discussing with HR and DPOs before settling on a model.
My company has been working on getting more support from externals to increase security awareness.
We are far from innovating in terms of security awareness and training.
Most leaders say employees must complete awareness and training modules at least quarterly, which are delivered via a purchased solution
72% of leaders say their employees are required to complete security awareness and training modules at least quarterly if not more often. Only 5% of leaders say their employees receive this training just once during onboarding.
Nearly three-quarters (72%) report using a purchased solution in some capacity to deliver security awareness and training; 39% combine this solution with a commissioned provider.
47% say they use a proprietary program and just 8% rely on this exclusively to deliver training.
Question: Do you have any final thoughts to share on security awareness and training?
We looked at a very capable security awareness and phishing testing platform last year, but getting the capex approved is difficult as our industry is under financial pressure.
Ongoing training is critical, but getting employee participation is a challenge.
Strategic misalignment and content-related challenges are common, and many say engagement levels show room for improvement
Many (47%) cite strategic misalignment between security and the business as one of the biggest operational challenges facing their security awareness and training program.
Respondents also listed insufficient opportunities for in-person training (46%), as well as gaps in security headcount (44%) and metrics or reporting (39%) as major hurdles.
Almost two-thirds (64%) indicate moderate engagement levels with their security awareness and training, while 27% say employee engagement is high.
But in terms of their security awareness and training program’s design, more than two-thirds (68%) of leaders say low engagement is one of the biggest challenges.
About one-third pointed to content-related issues, including the use of material that is overly technical (34%) or lacks relevance (33%), as well as restrictions on when or how employees access content (30%).
Question: Do you have any final thoughts to share on security awareness and training?
Without real executive buy-in and not just lip service, security will never be a high enough priority for most employees.
It is an ongoing challenge as risks continue to develop. The more inundated with info the staff become, the more blind they become and the more fatigued they are. The balance is tough.
Less than half say their security awareness and training program uses marketing or sales techniques, but most expect funding increases
The majority of respondents have programs that incorporate a security awareness computer-based training (SACBT) platform (68%) or an employee cybersecurity handbook (57%), and many say their program design employs marketing/sales techniques (41%).
77% anticipate their security awareness and training budget will increase by some degree in the next year; only 2% expect to see any decrease in funding.
Question: Do you have any final thoughts to share on security awareness and training?
It’s difficult to make it fun and interesting, but it is crucial.
We have had separate versions of security training for technical and non-technical people that are applied based on their role.
It should be a continuous and relational program. Individual and independent activities do not last.
Want more insights like this from leaders like yourself?
Explore the revamped, retooled and reimagined Gartner Peer Community. You'll get access to synthesized insights and engaging discussions from a community of your peers.