The SAT elephant in the room

A strategic cybersecurity goal for many organizations around the world is to build a strong and resilient culture of security, where employees are well trained, able to recognize and avoid security threats, and willing to report any security incident they may have caused. To get there, the CISO will often purchase training content and phishing assessment tools. For many this appears to be the only choice: assessing and educating employees is better than doing nothing. Yet recent research has shown that more often than not, CISOs struggle to demonstrate a return on that investment (Hielscher et al., 2023).

Security awareness training (SAT) has become a necessity for organizations as the cybersecurity industry seeks to secure the human element. Training and education are key components of a culture of security: employees cannot defend effectively without knowledge and understanding of the threats they face. That said, deploying SAT is not as simple as choosing a vendor and rolling out content. For SAT to be a successful, efficient addition to your security program, you need to engage with your employees on their turf (and sometimes on their terms).

Many CISOs are struggling with SAT. One challenge from the CISO perspective is that SAT vendors are more focused on their own business than on their customers' state of security, or as one of the CISOs interviewed in the recently submitted research paper put it (Hielscher et al., 2023):

“But many [security awareness vendors] just want to make money with it.” 

It should not be surprising that vendors focus on making money. They are businesses, after all. What may be more surprising is that some security professionals, even CISOs, do not recognize that it is their responsibility to identify, source and implement the right security controls for their specific organization. It is not the responsibility of their chosen (or available) vendor(s). Put differently: there is no silver bullet that covers all the security training needs of your employees. It is down to you to understand the needs of your organization and follow up with relevant interventions. That can be difficult, at best.

What we find is that many organizations lack relevant metrics to document their current state of security and their progress towards their stated security goals, and to tailor that documentation to the various needs of their stakeholders. What we do not see is a lack of data: organizations today collect more data than ever before. The challenge is knowing which part of that data is relevant, and how to turn it into information, results and documentation.

At Praxis Security Labs, our team of analysts are experts at finding the relevant signal in that data and presenting it in meaningful ways. Together with our analytics team and our subject matter experts, you can turn your data on employee behaviors into actionable, measurable KPIs and reports that not only help you document the ROI of your security programme, but also help you determine which parts of the programme are performing well and which may need adjustment. Contact us today to speak with one of our experts.