security awareness program

How to Develop a Mature Security Awareness Program

When was the last time you took a good look at your security awareness program? Was it last October during National Cyber Security Awareness Month (NCSAM)? As security professionals, we are regularly reminded that our end users are the weakest link. With so many priorities to juggle in your overall security program, it’s understandable that addressing the “people factor” with a fresh, creative approach is a constant challenge.

In fact, according to the recently released 2018 SANS Security Awareness report, more than 80 percent of 1,718 security professionals “reported spending less than half of their time dedicated to awareness programs and most organizations categorize security awareness a part-time job. This lags significantly behind staffing levels of more conventional security roles such as those in incident response, security operations centers and members of endpoint security teams which are typically well staffed with full-time employees.”

For those of you who fall in that 80 percent group, let’s consider some key strategies to improve the time management and resource allocation of your security awareness program going forward. You will need to line up supporting resources, document your program plan, and zero-in on the most important things to communicate to your audience.

security awareness model

Measuring Success

The Security Awareness Maturity Model© is the key measure of program impact and success as established b the level of measurable human risk that can be mitigated by changing by changing end-user behavior. Established in 2011 through a coordinated effort of over 200 awareness officers, the Maturity Model© enables organizations to identify and benchmark the current maturity level of their security awareness program and determine a path to improvement. The most successful, most mature, security awareness programs not only change behavior and culture but can also measure and demonstrate their worth via a metrics framework.

Source: SANS, 2018 SANS Security Awareness Report

Line Up Your Resources

The SANS report found that a clear majority of awareness professionals come from a technical background fewer than 20 percent of individuals coming from non-technical fields such communications, marketing, legal, or human resources.

It’s unlikely that you have all the experience and background to deliver a security awareness program that will actually change behaviors across your user community. Identify stakeholders who can help outside of your current silos. A security awareness program involves similar traits to a marketing campaign. That means appealing to people’s hearts and minds to sell them on why security is their responsibility. Consider reaching out to other departments to figure out a creative approach to deliver the message.

You’ll also need to loop in human resources and legal to help address business considerations, policy, and corrective actions that may need to be addressed. Depending on the internal resources you have available, you may need additional budget for content creation through external sources.

Document Your Program

The best way to ensure that your security awareness program is on track and has support from all the parties involved is to run it using program or project management methodology. Develop a plan that documents the objectives and aligns those objectives to actionable tasks and activities. Create a timeline of deadlines and milestones for the creation and release of content. Did I mention there should be a budget?

As your program matures, you can begin to document metrics and measure those metrics to expected outcomes. All these steps may seem daunting at first, especially if you prefer to spend your time in the technical trenches. However, if you spend the time to map all of this out annually, you’ll have a plan with complete transparency and direction. All the parties you need help from will have a better picture of the work to be completed. Hopefully you’ll get their input when creating the plan.

Consider What’s Important to People

After you establish a plan to execute your program, and you’ve gained the support of additional resources to design and deploy the program, you’ll need to determine the most relevant points to communicate to your audience and start creating awareness. Typically, security professionals think about the most common threat vectors that involve human errors, and they’ll develop educational content to generate awareness around these common mistakes. This is an important start.

More and more, mature programs seek to include actionable content to help the audience understand security breach impacts to their life at work and at home. Content should focus less on policy and more on actionable practices that emphasize the importance of each individual protecting their business and family. Changing user behavior requires making a connection. For example, think back to memorable safety campaigns such as McGruff the Crime Dog or Smokey the Bear. These types of campaigns resonated with people on an emotional level and compelled change.


There is plenty of evidence to prove that security awareness is a critical component of an organization’s overall security program. Data shows that as we put more resources (time, budget) to the program, the maturity level significantly increases, enabling organizations to apply metrics. Additionally, you may need to apply a broader variety of skills to improve the program’s creativity and connection with users. Ad hoc programs simply are not enough. It’s time to take a fresh look at your approach.

For additional help, look into our CISO advisory services for additional guidance for setting up a security awareness program.