Human Resources Key to Securing the Human

As part of European Cyber Security Awareness Month (ECSM), Lance Spitzner, Director, SANS Institute suggests that human resource departments have a critical role to play in helping their organisations improve information security procedures.  “Organisations are beginning to realise that they have to secure the human element as technology can only go so far,” says Spitzner, an internationally recognised leader in the field of cyber threat research and security training and awareness.

ECSM is a European Union advocacy campaign that takes place in October. ECSM aims to promote cyber security among citizens, to change their perception of cyber-threats and provide up to date security information, through education and sharing good practices.

“As long as people store, process or transfer information, they too must be secured. One of the most effective ways to secure employees is to change their behaviours through an active, long term security awareness program,” adds Spitzner who has spoken to and worked with numerous organisations, including the NSA, FIRST, the Pentagon, the FBI Academy, the President’s Telecommunications Advisory Committee, MS-ISAC, the Navy War College and the British CESG.
According to the SANS Director, based on the available evidence, it is extremely likely that every large organisation will experience an information security breach at some point in time.  According to the influential Data Breach Investigation Report (DBIR)  which has examined over 100,000 security breaches over the last decade, 81% of the incidents can be described by just 4 root causes namely miscellaneous errors (27%), insider misuse (19%), crimeware (19%) and physical theft/loss (16%).

The biggest factor “miscellaneous errors” is, according to the report, simply any mistake that compromises security. The main threat comes from human error, such as accidentally posting private data to a public site, sending information to the wrong recipients, or failing to dispose of documents or assets securely. However, lack of security awareness also has a part to play in insider misuse, physical theft and lost incidents.

“In the past organisations have had security awareness programs, but these were compliance driven programs designed by auditors to ensure their organisation could ‘check the box’.  These programs consisted of nothing more than a once year Power Point presentation or some very basic Computer Based Training (CBT),” says Spitzner, “In recent years, organisations have begun a fundamental shift on how they approach awareness and training.  They are building mature security awareness programs that identify and change high-risk human behaviours.”

Spitzner advocates the first task is gaining support of management and answering the key questions of Who?, What? and How? “Once you have a program rolled out you will need the ability to measure it.  Measuring provides several things.  First it helps you identify where your greatest risks are and where you need to focus your efforts.  Second, it can be used to demonstrate the value of the program to senior management, gaining you the support you need to keep the program long term,” he adds.

To further support ECSM, Spitzner is running a webinar session offering a step-by-step walk through of how to take your security awareness program to the next level. The session covers key points including how to leverage the Security Awareness Maturity Model, how to effectively engage people, and how to measure change in behaviour and communicate those results to management. Registration is available via www.sans.org/webcasts/securing-human-emea-generation-awareness-programs-98857

SANS ‘Securing The Human’ is a partner and supporter of ECSM and has also made available a set of community resources on how to build a high-impact security awareness program developed as community projects by hundreds of different security awareness officers available via www.securingthehuman.org/resources  Details regarding SANS training course, “Building High Impact Security Awareness Programs”, can found here: www.sans.org/mgt433

About Security Buyer

Security Buyer is the leading authority in global security content, delivering expert news, in-depth articles, exclusive interviews, and industry insights across print, digital, and event platforms. Published 10 times a year, the magazine is a trusted resource for professionals seeking updates and analysis on the latest developments in the security sector.

To submit an article, or for sponsorship opportunities, please contact our team below.

Rebecca Spayne picture 2025

Rebecca Spayne

Managing
EDITOR

Georgina Turner image

Georgina Turner

Sales
Manager

Afua Akoto image - Security Buyer

Afua Akoto

Marketing Manager

Read the Latest Issue

Follow us on X

Follow us on X

Click Here

Follow us on LinkedIn

Follow us on LinkedIn

Click Here

Advertise here

Reach decision makers and amplify your marketing

Advertise here

Click Here

Related News

Markus Auer

ThreatQuotient-sponsored SANS study of Threat Hunting

ThreatQuotient, a pioneer in the security operations platform market, have announced the results of the SANS Threat Hunting 2019 study
Markus Auer

ThreatQuotient-sponsored SANS study of Threat Hunting

ThreatQuotient, a pioneer in the security operations platform market, have announced the results of the SANS Threat Hunting 2019 study
Ned Baltagi

SANS announces its biggest ever Gulf Region Cyber Security Training Event in Dubai

SANS Institute, the world leader in cyber security training and certification, returns to Dubai in November with its biggest yet Gulf Region event
SANS

SANS Dubai 2019 helping to develop strong talent to address region’s cyber security skills shortage

SANS Institute has announced that it is holding its next renowned immersion-style Cyber Security Training program in Dubai.
Scroll to Top