The role of a Security Awareness & Communications Manager and cybersecurity awareness computer-based training are two key areas for increasing the maturity and effectiveness of a program that aims to create a more digitally secure workforce.
Gartner recently stated that by 2022, 60% of large organizations will have a full-time equivalent (FTE) dedicated to security awareness, adding that “hiring for the right skills in security awareness management roles will strengthen an organization’s overall program and security posture”.
AND then 2020 and the current panicdemic/coronapocalypse threw many business plans right out the window. Information security teams everywhere have had more than a few curve balls to deal with. We wanted to look at how current events are affecting the trajectory of growth in this role. While we support and work with these types of roles at many organizations, there is much to be said for HOW RUBBER MEETS ROAD in terms of role timing, maturity, and budget.
The current employment landscape mid-COVID is the worst it’s ever been in my career, and I worked through both the dot-com era and the crisis of 2009. MOST managers we are speaking to now are being asked to do much more with less, roles are folding into each other, and they foresee many more headcount/budget restrictions shortly as the economic and pandemic recovery is taking longer than expected. Many more CISOs will be asked to decide on cost savings in Q4 and into 2021, or at the very least will have to address organizational structures, or even perhaps delegate security functions such as architecture, system engineering, and development to relevant internal IT teams.
If you need a plan to balance cost reduction with optimization efforts in the employee awareness and training space… here are a few things to consider.
While SANS and Gartner advocate adding FTE roles in order to expand and mature your program, in these times creative solutions are needed when adding headcount isn’t an option. Often a bridge is needed before you are able to bring a new hire on board.
The special situation here is threefold.
1. The critical need to expand and mature a security awareness program at most organizations to meet the need to secure the human element within all working environments.
2. The awareness and culture champion role itself is rapidly expanding, taking on new areas of responsibility as programs mature from awareness toward culture and behavior change and continual improvement.
3. The new and sudden contracting or re-optimized budgeting cycle of most organizations requires new ways to get it done.
The data in the 2019 SANS report shows a strong correlation between full-time employee (FTE) staffing, program maturity, and success.
Programs have achieved success at changing behavior when there have been at least 2 FTEs dedicated to awareness.
Organizations reporting a successful change in culture and metrics programs indicate 4 FTEs dedicated to awareness.
The role of the Security Awareness Manager or Security Awareness and Culture Champion has been expanding and maturing for years. It is great to welcome more talented people into a fast-paced and important cybersecurity area! However, each company is going to address it differently based on the current needs, culture, maturity, and state of its training program. The function of cyber awareness is evolving, with new outcomes desired around sustained culture change, regular behavior adaptation, and policy and technology adoption and adherence. The list of skills, competencies, cultural fit, attitudes, and knowledge that job descriptions require to actually deliver these programs is expanding and stretches across many quite disparate domains of expertise.
Gartner states this at the start of the article: many employees view security awareness training as boring and hard to understand, so finding the right talent with the right skills to lead your training program is critical. (We say lead, or deliver, or whatever, but we’ll get to that later…)
Full disclosure: I’ve spent years working in enterprise change and technology adoption: planning and assessing roles and IT functions, PMO, and user development. So when looking at where this is going and how we are going to grow and evolve, innovate, and help people realize a better digital future, EVEN in the face of 2020 and murder hornets and aliens… as they say, this isn’t my first rodeo.
According to research, as well as our dive into Indeed and LinkedIn to see what was up in the market at the moment in terms of roles and hiring, here are the regularly mentioned competency and skill areas needed for a Cyber Security Awareness Lead.
According to the SANS 2019 Security Awareness Report, there’s a GAP between the technical side and the creative side of this role in terms of sourcing talent.
This year’s data shows that a majority (80%) of awareness professionals come from some type of technical background. Less than 20% have a non-technical background such as communications, marketing, legal, or human resources.
“A lack of soft skills, such as communications and marketing, continue to limit an organization’s ability to engage their workforce. Awareness professionals generally bring a dynamic set of technical skills, but can lack the skills to communicate their program needs.”
1. There are no such things as unicorns.
Let’s be honest. Looking at the list above, any company would be hard-pressed to find ONE person with half those skills in place. Not that people can’t be guided and trained into this, but two thoughts. One, what kind of timeframe do you have to deliver creative, personal, dynamic cyber awareness content (yesterday), and what is the learning curve to develop wicked comms and creative skills or, conversely, to navigate the very complex and technical world of cyber? Two, the wide range of competencies and expertise needed is hard to find: normal learning paths, from university to professional development, aren’t set up to go wide, they are set up to go deep and specialize. This range of skills will not be readily available on the market; the talent pool will be small.
2. What are your “need to have” vs “want to have”?
Any good hiring manager from HR should be telling you that a good job description comes down to realistic expectations… can you afford for this role to fail? This mismatch of hopes, skills, needs, and expectations happens all the time in business: companies mix roles from, let’s say, marketing and sales, thinking it’s pretty much the same function and that one person can surely do it. The risk is that the position won’t be filled, or will be filled with someone who will burn out. When you cut the job description back to 50% or 60%, honing in on only the need-to-have skills, the risk shifts to whether the role can deliver the necessary business value.
3. Hiring an FTE isn’t just the cost of a salary. Other HR considerations need to be taken into account.
Increased headcount at any company comes with management overhead, increased fringe spend, kit setup or real estate footprint, and other risks such as the complications of post-probationary periods, depending on your business’s hiring locations.
Angelo D’Agostino, HC Group Advisors:
“When looking at these new roles and where companies are in 2020, adding 28%-30% to a salary is conservative when talking about the true cost of a hire. The hiring process and the cost of increasing headcount has implications across many business functions.”
The current salary ranges we surveyed on Indeed and LinkedIn and with our HR contacts were anywhere between 70-150K USD in the US and between 50-80K GBP in the UK. Add in your 30% overhead and the average cost to an organization would be 90K USD or 70K GBP per year.
And the hard truth is that most likely the candidate will not have nearly all the skills listed in the functional matrix above because unicorns aren’t real.
When faced with internal demand due to maturity, delivery, threats, or regulatory issues (“we need to do more/better cyber awareness” and “we need people to get this done”), level-setting a talent pool internally isn’t the only way to get it done. If you have to scale back the “nice to have” vs “need to have”, which skill set could you lose? Communications? Nope. Cyber savvy? Nope. L&D knowledge? Nope. Creative and graphic design? Nope. Data and metrics, or is this where culture slides off the table?
And what about the “je ne sais quoi” or artistry behind many aspects of the creative side, which is incredibly important? Simplifying complex topics into things normal people can understand? Understanding signs and semiotics, brand and culture, playing to demographics, the art of rhetoric? What about being able to find the right way to emotionally connect with your internal audience and capture attention? Being skilled in visual and digital means of delivering a concise and critical message? Or deeply understanding that the mission we are on is about more than corporate compliance, that it’s a mindset shift and a personal journey of change that everyone needs to go on… but I digress.
What if you could get the wide range of expertise needed through access to a team that specializes in every aspect of delivering cyber awareness learning, with a wide back catalog of content and the agile, digital delivery mechanisms to make it work… at a fraction of the cost of an FTE and with the flexibility you need to navigate these uncharted waters?
Would it increase your ability to secure your company and re-allocate resources to other critical threat areas if you could remove the issues around needing/finding a unicorn, the cost of hiring, the risk of not finding the right person or set of skills?
That’s the reason we put Digital Club Gold together. Our customers were asking for it (literally: “Hey guys, could you maybe give us all that cool content you provide regularly, and could you come in and help us work in better and more innovative ways, and how do we measure that, oh yeah, and by the way can you customize it for our company and put our brand and colors on it?” and we said, um, yeah.)
We give you the full unicorn at a price in line with 2020 budgets and the flexibility to turn things on and off as needed. Google just extended working from home to 2021 (we don’t even want to think about the real estate footprint they have with the Chelsea building at 1.8 billion and the London offices alone!). What is the value of having top-rated content, a team of experts, and the flexibility you need for the foreseeable future vs hiring a full-time role? If getting to the next level of maturity is critical, if you need to deliver something new to a remote workforce, or if you want new metrics on the human aspects and soft risk indicators… Call us.
A well-placed Security Awareness as a Service with a consultative wrapper for your business could provide:
Social posts, memes, newsletter text, infographics, interactives & more.
Sketches, songs, newsdesks, human & fuzzy fun.
Posters, coasters, toasters, signs, mailers, postcards & more.
Weekly support, a team of experts, customise everything, culture/people first.