Managing human risk is one of the fastest-growing concerns among CISOs and business executives around the world.
The role of a Security Awareness & Communications Manager, together with computer-based cyber security awareness training, are two key areas for increasing the maturity and effectiveness of efforts to create a more digitally secure workforce.
Gartner stated recently that by 2022, 60% of large organizations will have a full-time equivalent (FTE) dedicated to security awareness and stated that “hiring for the right skills in security awareness management roles will strengthen an organization’s overall program and security posture”.
AND then 2020 and the current panicdemic/coronapocalypse threw many a business plan right out the window. Information security teams everywhere have had more than a few curve balls to deal with. We wanted to take a look at the many considerations for how current events are affecting the trajectory of growth in this role, and while we support and work with these types of roles at many organisations, there is much to be said for HOW RUBBER MEETS ROAD in terms of role timing, maturity and budget.
Balancing Cost and Optimization in Cyber Security Awareness Programs
The current employment landscape mid-COVID is the worst it’s ever been in my career, and I worked through both the dotcom era and the crisis of 2009. MOST managers we are speaking to now are being asked to do much more with less, roles are folding into each other, and they foresee many more headcount/budget restrictions in the near future as the economic and pandemic recovery takes longer than expected. Many more CISOs will be asked to decide on cost savings in Q4 and into 2021, or at the very least will have to address organisational structures, perhaps even delegating security functions such as architecture, system engineering and development to the relevant internal IT teams.
If you need a plan to balance cost reduction with optimization efforts in the employee awareness and training space… here are a few things to consider.
While SANS and Gartner advocate adding FTE roles in order to expand and mature your program, in these times creative solutions are needed when adding headcount isn’t an option. Many times a bridge is needed before you are able to bring a new hire onboard.
The special situation here is threefold.
1. The critical need to expand and mature the security awareness program at most organisations, to meet the need of securing the human element within all working environments.
2. The awareness and culture champion role itself is rapidly expanding, taking on new areas of responsibility as programs mature from awareness towards culture and behaviour change, as well as continual improvement.
3. The new and sudden contraction, or re-optimised budgeting cycle, at most organisations, requiring new ways to get it done.
Staffing your Cyber Security Awareness Function
- Programs have achieved success at changing behavior when there have been at least 2 FTEs dedicated to awareness.
- Organizations reporting successful change in culture and metrics programs indicate 4 FTEs dedicated to awareness.
Gartner states this at the start of the article: Many employees view security awareness training as boring and hard to understand, so finding the right talent with the right skills to lead your training program is critical. (We say lead or deliver or whatever but we’ll get to that later…)
Full disclosure: I’ve spent years working in enterprise change and technology adoption: planning and assessing roles and IT functions, PMO and user development. So when looking at where this is going and how we are going to grow and evolve, innovate and help people realise a better digital future EVEN in the face of 2020 and murder hornets and aliens… as they say, this isn’t my first rodeo.
The Role of the cyber security awareness lead and culture champion
- Adult Education, Professional Development, L&D
- Learning Technology
- Cyber Security
- Psychology and Behaviour Change
- Organisational and Safety Culture
- Change Management
- Data Science
- Reporting and Dashboarding
- Project and Program Management
- Social Sciences
- Oh and they have to be creative
- Oh and they have to be innovative
- Oh and they need relationship skills
- And they need to fit your culture, and be a self-starter…
This year’s data shows that a majority (80%) of awareness professionals come from some type of technical background. Less than 20% have a non-technical background such as communications, marketing, legal, or human resources.
“A lack of soft skills, such as communications and marketing, continues to limit an organization’s ability to engage their workforce. Awareness professionals generally bring a dynamic set of technical skills, but can lack the skills to communicate their program needs.”
A FEW things to keep in mind
- There are no such things as unicorns.
- The time and effort to hire into a new role or new functional area (with tough-to-find skills).
- There aren’t enough people who have years of experience in this emergent cyber security role, so the search timeframe may be longer than for other, easier-to-fill roles.
- The current COVID unemployment crisis will only make the hiring process more difficult: people will put their hand up (naturally) because they need a paying job, so there is an increased risk that they aren’t a good fit or can’t perform the role.
- Increased headcount at any company comes with management overhead, increased fringe spend, kit setup or real estate footprint, and other risks such as the complications of post-probationary periods, depending on your business’s hiring locations.
HC Group Advisors
“When looking at these new roles and where companies are in 2020, adding 28%-30% to a salary is conservative when talking about the true cost of a hire. The hiring process and the cost of increasing headcount has implications across many business functions.”
And the hard truth is that most likely the candidate will not have nearly all the skills listed in the functional matrix above because unicorns aren’t real.
You Can’t Always Get What You Want, But You Might Find You Get What You Need
And what about the ‘je ne sais quoi’ or artistry behind many aspects of the creative side, which is incredibly important? Simplifying complex topics into things normal people can understand? Understanding signs and semiotics, brand and culture, playing to demographics, the art of rhetoric? What about being able to find the right way to emotionally connect with your internal audience and capture attention? Being skilled in the visual and digital means to deliver a concise and critical message? Or deeply understanding that the mission we are on is about more than corporate compliance; it’s a mindset shift and a personal journey of change that everyone needs to go on… but I digress.
What if you could get the wide range of expertise needed through access to a team who specialises in every aspect of delivery of cyber awareness learning, with a wide back catalog of content, and the agile and digital delivery mechanisms to make it work…. at a fraction of the cost of an FTE and the flexibility you need to navigate these uncharted waters?
That’s really the reason why we put Digital Club Gold together. Our customers were asking for it (literally: “Hey guys, could you maybe give us all that cool content you provide on a regular basis, and could you come in and help us work in better and more innovative ways, and how do we measure that, oh yeah, and by the way can you customise it for our company and put our brand and colours on it?” And we said, um, yeah.)
- Take away the problem of output, ramp up periods, downtime.
- Bring a team of culture, behaviour, learning, creative, cyber experts to your table.
- Increase your agility through our fresh approach to content development, with a trusted ongoing process for creative and behaviourally focused design.
- Leverage greater efficiency through our shedload of ready-to-go and ready-to-customise content, so you can execute on more with super high quality digital content, videos and other learning items, but still get that custom/brand touch that makes it look like it’s from your team.
- Make exponential change for incremental cost increase. For many job tasks around security awareness it doesn’t matter if you have 500 people or 50,000 people, the time requirements are similar.