A security awareness officer can better enable a security-driven culture in many organizations
The most recent Data Breach Investigations Report (DBIR) from Verizon finds that 94 percent of malware was delivered by email last year. The research also finds that 1 in 3 data breaches involved social engineering, the manipulation of a person into giving up confidential information.
It is clear that criminal tactics still rely largely on human error, on the hope that an end user will slip and hand an attacker an opening to reach sensitive assets.
One way to arm employees against these kinds of ploys is security awareness training. Yet figures from SANS, which conducts an annual Security Awareness Report, show that fewer than 30 percent of security awareness professionals dedicate more than half of their time to awareness activities. Fewer than 10 percent have the words “awareness,” “training” or “education” in their job titles.
“This indicates that for most organizations, awareness and behavior change is considered a part-time job, simply dumped on someone within the technical security team to handle,” said Lance Spitzner, Director of SANS Security Awareness, in a blog post on the topic.
SANS is advocating for a description of a security awareness and communications officer position to be added to the NIST NICE Framework, a formalized approach to defining the cybersecurity workforce. The purpose of the framework is to enable organizations to effectively identify, hire, track, train and develop a qualified cybersecurity workforce.
“After reviewing the NICE Framework, we could not locate what we felt was an adequate description for what we would call a security awareness and communications officer,” Spitzner noted in the post. “This is someone who is specifically responsible for selling the concept of cybersecurity to the workforce. In this role, their goal is to create secure behaviors throughout the organization, and ultimately enable a security-driven culture.”
Spitzner added that he hopes adopting this work role in the NIST NICE Framework will encourage more organizations to invest in a dedicated role responsible for organization-wide awareness and behavior change. SANS plans to roll out a professional credential called the SANS Security Awareness Professional (SSAP) this summer.
Not everyone agrees on the effectiveness of awareness training; it has been a contentious issue over the years, and some analysts have argued it is a waste of time and resources. Others point to figures showing that susceptibility to phishing and other social engineering tactics drops after awareness training.
Advocacy for awareness training, combined with education around privacy, was recently emphasized in an opinion piece in CPO Magazine. In the article, Tom Pendergast, chief learning officer at MediaPRO, an awareness training provider, notes “the conditions are ripe for a merger of the security and privacy domains, at least in the way they communicate about risk to employees.”
Pendergast argues that while the nature of security and privacy risks differs in some respects, those differences do not matter to employees, and that educating them on both as elements of an overall data protection program will lead to better defenses.
“When it comes to employee awareness, security and privacy share goals that are largely the same—both want employees aligned with the mission to create a more secure, trustworthy, and risk-aware culture. And both use similar methods to achieve those goals: You both use training and ongoing communication to reach employees.”
As awareness training and efforts continue to find their place in security strategy, it will be interesting to see if concerted efforts to formalize roles connected with awareness take hold on security teams in the future.