Enterprise cybersecurity awareness challenges

At present, the two biggest challenges enterprises face in improving their security awareness maturity are the lack of time invested in managing security awareness programs and the lack of manpower to plan, implement and manage those programs.
Other challenges include lack of budget, failure to engage employees, a conservative or bureaucratic corporate culture, lack of metrics, lack of expertise and skills, lack of leadership support, and so on. Security personnel who hold security awareness education responsibilities spend half or less of their working hours on security awareness education; the work is often a “sideline” and a small part of their overall security responsibilities. As a result, the depth and breadth of security awareness education are far from sufficient.
It is also worth noting that most corporate security awareness leaders come from technical backgrounds and often lack soft skills such as communication and marketing, which limits their ability to attract employees to participate actively. They are likely to fall into the “curse of knowledge”, lacking the skills to transfer knowledge and raise employee engagement in an accessible way. For small and medium-sized enterprises that have not yet set up a full-time security awareness position, or that have limited resources, a professional service that “buys time and manpower”, namely a managed security awareness service, is currently the better choice.
Promote the professionalization and specialization of network security awareness education talents

Large corporate organizations have launched comprehensive security awareness training programs, many with a dedicated security awareness position (or equivalent). The National Cyberspace Security Education Program Cybersecurity Workforce Framework (NCWF) is divided into 7 categories and 32 areas of expertise, including the area of training, education, and awareness under the Governance category. The related job roles in that category include Cybersecurity Instructor and network security course developer, two positions directly related to security awareness work.

In the network security talent recruitment market, corporate security teams have urgent needs for positions such as security awareness education/training manager, security awareness and culture manager, security awareness communication manager, security awareness evangelist, security awareness director, and other security awareness professionals. The average annual salary is $103,000. Some companies even set up senior positions, such as human factor risk officer and security awareness officer, for the person in charge of “human factor” risk management.
Professional Security Awareness
Organizations are urgently seeking professionals who can effectively manage and measure human factor security risks, and professional security awareness certifications have emerged in recent years. The Certified Security Awareness Practitioner (CSAP), launched by the nonprofit Information Assurance Certification Review Board (IACRB) in August 2018, is the industry’s first professional-level certification for security awareness practitioners. It helps security awareness professionals create and manage corporate security awareness education programs that reduce corporate human factor security risks.
The US SANS Institute (SysAdmin, Audit, Network, Security) launched the SANS Security Awareness Professional (SSAP) certification in 2019 to assess and certify that holders have the knowledge and expertise needed to build, maintain, and measure a mature security awareness program. The certification body H Layer Credentialing will launch the vendor-neutral Security Awareness and Culture Professional (SACP) certification in 2021, certifying that security awareness and culture professionals use a “people-centered” approach to develop, evaluate, manage and maintain a security awareness program that enhances the security knowledge, beliefs, and behaviors of its audience.
Status Quo of Cybersecurity Awareness Education in U.S. Enterprises

With increasingly sophisticated cyber-attacks, businesses often focus on technical defenses and emphasize compliance, while the most important attack surface—employees—may remain unprotected. In fact, people influence security outcomes more directly than technology, systems, or processes. According to a Cybersecurity Ventures survey, most Fortune 500 and Global 2000 companies in 2021 see security awareness training as the “foundation” of their cyber defense strategy, with small and medium-sized businesses not far behind.
Security Awareness
Security awareness training has become the norm for most U.S. companies, evolving from something conducted solely to meet regulatory compliance requirements into a critical part of an organization’s “human factor” cybersecurity risk management capability. The maturity level of security awareness programs in American companies has increased year by year, and about 70 to 80% of companies are in the middle position—the stage of “promoting awareness-raising and behavior change”. That is, the security awareness programs these companies run have formed a system in which targeted and advanced training is conducted according to different job roles, requirements and risk priorities.
Training is carried out on a regular basis and continuously reinforced throughout the year. The training content forms a system with diversified formats, balancing professionalism, accessibility, and fun, satisfying the learning preferences of different groups, and employees are highly motivated to participate. The training not only disseminates security knowledge but also encourages employees to change their risk behavior in a positive way, so that all employees consciously abide by the organization’s security policies, strategies and norms, can actively identify, prevent and report security incidents, and give full play to the active role of “human firewalls” and “risk sensors”.

About 10% of enterprises are in the more advanced “metrics framework” stage, where the enterprise security awareness program forms a strong metrics framework aligned with the organization’s strategy and mission, capable of tracking the process, measuring results, continuously improving, and fully demonstrating the return on investment of the security awareness program through a system of quantifiable metrics that measures and demonstrates success across multiple dimensions.
Cultural Change
About 15% of enterprises are in the “cultural change” stage. That is, the enterprise security awareness program has formed a long-term, dynamic and competitive life cycle, with standardized processes, sufficient resources, high employee autonomy, and strong leadership support. The network security culture shaped in the organization has become an organic part of the corporate culture. Integrating security awareness into employees’ words and deeds has changed not only their risk behavior but also their security awareness, attitude, sense of responsibility, values, and more.