Human-risk remains the biggest threat to organisation’s cyber security

With an unprecedented number of employees now working in hybrid or fully remote environments, compounded by an increase in cyber threats and a more overwhelmed, COVID-19 information fatigued workforce, there has never been a more critical time to effectively create and maintain a cyber-secure workforce and an engaged security culture.

“People have become the primary attack vector for cyber-attackers around the world,” said Lance Spitzner, SANS Security Awareness Director and co-author of the report. “Humans rather than technology represent the greatest risk to organizations and the professionals who oversee security awareness programs are the key to effectively managing that risk.”

After analyzing the data of more than 1,000 security awareness professionals worldwide, SANS Security Awareness, the global leader in providing security awareness training, has released its seventh annual SANS Security Awareness Report. The 2022 report establishes updated global benchmarks for how organizations manage their human risk and provides actionable steps to making improvements with key metrics in the Security Awareness Maturity Model Indicators Matrix to measure progress.

“Awareness programs enable security teams to effectively manage their human risk by changing how people think about cybersecurity and help them exhibit secure behaviours, from the Board of Directors on down,” said  Spitzner. “This report enables security awareness professionals to make data-driven decisions on how to best secure their workforce and speak to leadership about risk in a compelling way that demonstrates value and support for their strategic priorities.”

Key Findings:

  • Workforce: More than 69% of security awareness professionals are spending less than half their time on security awareness. The data shows that security awareness responsibilities are very commonly assigned to staff with highly technical backgrounds who may lack the skills needed to effectively engage their workforce in simple-to-understand terms.
  • US Compensation: The average salary reported was $110,309 USD for security training professionals, an increase from 2021. However, those dedicated full-time to awareness were paid on average only $86,626, while those who are part-time averaged $117,584 – $30,000 difference. This difference is because people dedicated part-time to security awareness have their compensation based on their other responsibilities, which are usually more technically focused.
  • Global Compensation: Security awareness professionals in Australia/New Zealand had the highest average annual compensation ($121,236), while South America had the lowest ($56,960). In North America, the higher the maturity level of an organization’s security awareness program, the higher the salary for the awareness professionals who work there.
  • Top Reported Challenges: The three top reported challenges for building a mature awareness program were all related to a lack of time: specifically lack of time for project management, limits on training time to engage employees, and a lack of staffing.
  • Pandemic Impacts: The top two reported impacts were the challenge of a more distracted and overwhelmed workforce and a working environment where human-based cyber-attacks have become more frequent and effective.

To read more exclusive features and latest news please see our latest issue here.

Media contact

Rebecca Morpeth Spayne,
Editor, Security Portfolio
Tel: +44 (0) 1622 823 922
Email: editor@securitybuyer.com

Subscribe to our newsletter

Don't miss new updates on your email
Scroll to Top