Cyber Security Awareness: Role, Unicorn, or Service?

Managing Human Risk Is One of the top growing concerns with cisos and business executives around the world.

The role of a Security Awareness & Communications Manager as well as cyber security awareness computer-based training is two key areas to increase maturity and effectiveness for creating a more digitally secure workforce.

Gartner stated recently that by 2022, 60% of large organizations will have a full-time equivalent (FTE) dedicated to security awareness and stated that “ hiring for the right skills in security awareness management roles will strengthen an organization’s overall program and security posture”.

AND then 2020 and the current panicdemic/coronapocolypse has thrown many business plans right out the window. Information security teams everywhere have had more than a few curve balls to deal with. We wanted to take a look at the many considerations for how current events are affecting the trajectory of growth in this role, and while we support and work with these types of roles at many organizations there is much to be said for HOW RUBBER MEETS ROAD in terms of role timing, maturity, budget.

BALANCING COST AND OPTIMIZATION IN CYBER SECURITY AWARENESS PROGRAMS

The current employment landscape Mid-COVID is the worst it’s ever been in my career, and I worked through both the dot-com era and the crisis of 2009. MOST managers we are speaking to now are being asked to do much more with less, roles are folding into each other and they foresee many more headcount/budget restrictions in the near future as the economic and pandemic recovery are taking longer than expected. Many more CISOs will be asked to decide on cost savings in Q4 and into 2021, or at the very least will have to address organizational structures or even perhaps delegate security functions such as architecture, system engineering, and development to relevant internal IT teams.

If you need a plan to balance cost reduction with optimization efforts in the employee awareness and training space… here are a few things to consider.

Cybermaniacs quote: "Problem are nothing but wake-up calls for creativity"

While SANS and Garter advocate for adding FTE roles in order to expand and mature your program, in these times, creative solutions are needed when adding headcount isn’t an option. Many times a bridge is needed before you are able to bring a new hire on board.

The special situation here is threefold.

1. The critical need to expand and mature a security awareness program at most organizations to meet the need of securing the human element within all working environments.

2. The awareness and culture champion role itself is rapidly expanding, taking on new areas of responsibility with the shifting maturity to a culture and behavior, as well as continual improvement.

3. The new and sudden contracting or re-optimized budgeting cycle of most organizations requires new ways to get it done.

STAFFING YOUR CYBER SECURITY AWARENESS FUNCTION

The data in the 2019 SANS report shows a strong correlation between full-time employee (FTE) staffing, program maturity, and success.

Programs have achieved success at changing behavior when there have been at least 2 FTEs dedicated to awareness.
Organizations reporting a successful change in culture and metrics programs indicate 4 FTEs dedicated to awareness.

Graph depicting maturity of companies tech progress

The role itself of the Security Awareness Manager or Security Awareness and Culture Champion has been expanding and maturing for years. It is great to welcome more talented people into a fast-paced and important cyber security area! But each company is going to address it differently based on the current needs, culture, maturity, and state of its training program. The function of Cyber Awareness is evolving with new outcomes desired around sustained culture change, behavior adaptation on a regular basis, policy and technology adoption, and adherence. The requisite list of skills, competencies, culture, attitudes, and knowledge that are listed on job descriptions to actually deliver these programs is expanding and stretches wide across many quite disparate domains of expertise.

Gartner states this at the start of the article: Many employees view security awareness training as boring and hard to understand, so finding the right talent with the right skills to lead your training program is critical. (We say lead or deliver or whatever but we’ll get to that later…)

Full disclosure: I’ve spent years working in enterprise change and technology adoption- of planning and assessing roles and IT functions PMO, and user development. So when looking at where this is going and how we are going to grow and evolve, innovate and help people realize a better digital future EVEN in the face of 2020 and murder hornets and aliens… as they say, this isn’t my first rodeo.

THE ROLE OF THE CYBER SECURITY AWARENESS LEAD AND CULTURE CHAMPION

According to research as well as our own dive into Indeed and Linkedin to see what was up in the market at the moment in terms of roles and hiring…Here were the regularly mentioned competency and skill areas needed for a Cyber Security Awareness Lead.

Adult Education, Professional Development, L&D
Learning Technology
Communications
Marketing
Cyber Security
Psychology and Behavior Change

Organizational and Saftey Culture
Change Management
Data Science
Statistics
Reporting and Dashboarding
Project and Program Management
Social Sciences

Oh and they have to be creative
Oh and they have to be innovative
Oh and they need relationship skills
And need to fit your culture, and be a self-starter….

According to the SANS 2019 Security Awareness Report… there’s a GAP between the technical side and creative side of this role in terms of sourcing talent.

This year’s data shows that a majority (80%) of awareness professionals come from some type of technical background. Less than 20% have a non-technical background such as communications, marketing, legal, or human resources.

Cybermaniacs quote: "creativity is the answer. I always prefer the creative solution to an expensive solution"

“A lack of soft skills, such as communications and marketing, continue to limit an organization’s ability to engage their workforce. Awareness professionals generally bring a dynamic set of technical skills, but can lack the skills to communicate their program needs.”

FEW THINGS TO KEEP IN MIND

1. There are no such things as unicorns.

Let’s be honest. Looking at the list above, any company would be hard-pressed to find ONE person with half those skills in place. Not that people can’t be guided and trained into this, but two thoughts. One, what kind of timeframe do you have to deliver creative, personal, dynamic cyber awareness content (yesterday), and what is the learning curve to develop wicked comms and creative skills or conversely navigate the very complex and technical world of cyber? Also, the wide range of competencies and expertise needed is hard to find- normal learning paths, from university to professional development aren’t set up to go wide, they are set up to go deep and specialize. This range of skills will not be readily available on market, the demand pool will be small.

2. What are your “need to have” vs “want to have”?/p>

Any good hiring manager from HR should be telling you that a good job description comes down to realistic expectations… can you afford for this role to fail? This mismatch of hopes, skills, needs and expectations happens all the time in business, companies mix roles from let’s say marketing and sales and thinking it’s pretty much the same function, we’re sure one person can do it. The risk is that the position won’t be filled or filled with someone who will burn out. When you start to cut back the job description to 50% or 60%, honing in on only the need to have skills, then the risk is in the role of being able to fulfill the necessary business value.

3. Hiring an FTE isn’t just the cost of a salary. Other HR considerations need to be taken into account.

- Time/Effort to hire in a new role or new functional areas (with tough to find skills)
- There aren’t enough people who have years of skill in this emergent cybersecurity role so the search timeframe may be longer than other easier-to-fill roles.
- The current COVID unemployment crisis will only make the hiring process more difficult, people will put their hand up (naturally) because they need a paying job, and there may be an increased risk if they aren’t a good fit or can’t perform the role?
- Increased headcount at any company comes with management overhead, increased fringe spend, kit setup or real estate footprint, and other risks such as the complications of post-probationary periods, etc depending on your business's hiring locations.

Angelo D'Agostino headshot

Angelo D’Agostino
HC Group Advisors

Follow

“When looking at these new roles and where companies are in 2020, adding 28%-30% to a salary is conservative when talking about the true cost of a hire. The hiring process and the cost of increasing headcount has implications across many business functions.”

The current salary ranges we surveyed on Indeed and LinkedIn and with our HR contacts were anywhere between 70-150K in the US and between 50-80k in the UK. Add in your 30% overhead and the average cost of an organization would be 90k USD or 70K GBP per year.

And the hard truth is that most likely the candidate will not have nearly all the skills listed in the functional matrix above because unicorns aren’t real.

problems are nothing but wake up calls for creativity

YOU CANT ALWAYS GET WHAT YOU WANT BUT YOU MIGHT FIND YOU GET WHAT YOU NEED

When faced with the internal demand due to maturity, delivery, threats, or regulatory issues… “we need to do more/better" cyber awareness and ‘we need people to get this done, level-setting a talent pool internally isn't the only way to get it done. If you have to scale back the ‘nice to have’ vs ‘need to have” which skill set could you lose? Communications? Nope. Cyber Savvy? Nope. L&D knowledge? Nope. Creative and graphic design? Nope. Data and metrics, or are this where culture slides off the table?

And what about the ‘je ne sais pas quoi” or artistry behind many aspects of the creative side which is incredibly important? Simplifying complex topics into things normal people can understand? Understanding signs and semiotics, brand and culture, playing to demographics, the art of rhetoric? What about being able to find the right way to emotionally connect to your internal audience and capture attention? Being skilled in the visual and digital means delivering a concise and critical message? Or about deeply understanding that the mission we are on is about more than corporate compliance, it’s a mindset shift and a personal journey of change that everyone needs to go on…. but I digress.

Consider This:

What if you could get the wide range of expertise needed through access to a team who specializes in every aspect of the delivery of cyber awareness learning, with a wide back catalog of content, and the agile and digital delivery mechanisms to make it work…. at a fraction of the cost of an FTE and the flexibility you need to navigate these uncharted waters?

Would it increase your ability to secure your company and re-allocate resources to other critical threat areas if you could remove the issues around needing/finding a unicorn, the cost of hiring, the risk of not finding the right person, or set of skills?

That’s really the reason why we put Digital Club Gold together. Our customers were asking for it (literally, Hey guys could you maybe give us all that cool content you provide on a regular basis, and could you come in and help us work in better and more innovative ways and how do we measure that oh yeah, and by the way can you customize it for our company and put out brand and colors on it and we said, um, yeah. )

Cybermaniacs quote: "I want to be an expert in different fighting styles, new training methods, new ways of thinking."

We give you the full unicorn at a price in line with 2020 budgets and the flexibility to turn things on and off as needed. Google just extended working from home to 2021, (we don’t even want to think about the real estate footprint they have with what the Chelsea building at 1.8 billion and the London offices alone!) What is the value of having top-rated content, a team of experts, and the flexibility you need for the foreseeable future vs hiring a full-time role? If getting to the next level of maturity is critical, or if you need to deliver something new to a remote workforce if you want new metrics on the human aspects and soft risk indicators… Call us.

A well placed Security Awareness as a Service with a consultative wrapper for your business could:

Take away the problem of output, ramp-up periods, and downtime.
Bring a team of culture, behavior, learning, creative, cyber experts to your table.
Increase your agility through our fresh approach to content development with a trusted ongoing process for creative and behaviourally focused design.
Leverage greater efficiency through our shedload of ready-to-go and ready-to-customize content- so you can execute on more with super high-quality digital content, videos, and other learning items but still get that custom/brand touch that makes it look like it’s from your team.
Make an exponential change for the incremental cost increase. For many job tasks around security awareness, it doesn’t matter if you have 500 people or 50,000 people, the time requirements are similar.