Ever wonder why some security awareness programs successfully change and secure human behavior while others fail? One of the most common reasons for failure is minimal investment. Many organizations are heavily investing in their cyber security programs. The problem is they are stuck in the 1990s, focusing only on bits-n-bytes. While technology is where every organization should start, we have hit the point of diminishing returns. In today's world, organizations also need to start investing in their human security. To see where your organization stands, determine your Tech-to-Human security ratio. There are two ways to do this.
People: Count how many people are on your security team. Now out of that team how many are focused on securing technology and how many are focused on securing people? I'm not talking about governance, compliance or audit. I mean how many people on your security team are focused on communicating to your workforce and creating secure behaviors and ultimately a secure culture? For far too many organizations, that is just 15% of one person's time. A drop in the bucket.
Budget: Determine how much you spend on securing the average laptop in your organization. Include costs such as encryption, anti-virus / end-point security, patch management, centralized logging, etc. Then include the costs of managing and updating all those technologies. You probably get something like $50 or $100 a laptop, if not much more. Then compare how much you spend on securing the average employee. Yup, hear those crickets chirping.
So what is your Tech-to-Human security ratio? Ten-to-one? Hundred-to-one? Nothing frustrates me more than when an organization says security awareness does not work, and yet out of their security team of 50 people, they have one person spend just 30% of their time on their awareness program. That is a ratio of 49-to-1 (I'm being generous here). You absolutely can change and secure human behavior; thousands of organizations are doing it around the world. You just have to invest in it like you would any other part of your security team. Would your incident response team function with just 30% of one person? Would your endpoint security function if you spent more on laptop covers instead? The cause for failing to change and secure human behavior is often very simple: minimal investment. As long as we relegate human security to a part-time job with minimal resources, the human will continue to be the primary target.