“Security awareness planning and education is key”

“Security awareness planning and education is key” to dealing with complex threats says Spitzner

Ahead of SANS London 2015, the largest and most important security training event across the region, SANS will be running the recently updated MGT433 Building a High-Impact Awareness Campaign class on 14th and 15th November.

The course which has grown in popularity in the last few years will be taught by course author Lance Spitzner, an internationally recognised leader in the field of cyber threat research and security training and awareness. Over a 15 year career, Spitzner has worked with the NSA, FIRST, the Pentagon, the FBI Academy, the President’s Telecommunications Advisory Committee, MS-ISAC, the Navy War College, the British CESG, the Department of Justice, and the Monetary Authority of Singapore and invented and developed the concept of honeynets as well as authoring several books and over thirty security whitepapers.

In his view, based on the available evidence, it is extremely likely that every large organisation will experience an information security breach at some point in time.

“People are often an organisation’s greatest weakness. However this is not their fault, but the failure of the organisation. Through a high-impact awareness program, organisations can radically change that,” says Spitzner.

The threat is increasing with the rise of more interconnected networks and new trends such as cloud, teleworking and mobile devices distributing sensitive digital data to more locations. According to the influential Data Breach Investigation Report (DBIR) which has examined over 100,000 security breaches over the last decade, 81 percent of the incidents can be described by just 4 root causes namely miscellaneous errors (27 percent), insider misuse (19 percent), crimeware (19 percent) and physical theft/loss (16 percent).

According to Spitzner, “The biggest factor of ‘miscellaneous errors’ are simply any mistake that compromises security. The main threat comes from human error, such as accidentally posting private data to a public site, sending information to the wrong recipients, or failing to dispose of documents or assets securely. However, lack of security awareness also has a part to play in insider misuse, physical theft and lost incidents.”
In his view, in the past organisations have had security awareness programs, but these were compliance driven programs designed by auditors to ensure their organisation could ‘check the box’. “These programs consisted of nothing more than a once year Power Point presentation or some very basic Computer Based Training (CBT). While this approach ensured compliance, they were not effective at changing behaviours.”

Yet he believes that the past several years have witnessed a fundamental shift in how organisations have begun approaching awareness and training.

“They are building mature security awareness programs that identify and change high-risk human behaviours. After working with and helping literally hundreds of organisations around the world build security awareness programs, we wanted to share with others what we have seen work and what does not work.”

This intense two-day course teaches the key concepts and skills needed to build, maintain and measure just such a program. All course content is based on lessons learned from hundreds of security awareness programs from around the world and includes extensive interaction with peers’ during the course.

Spitzner also points out that the course is structured to meet the soft skills needed for effective program development and delivery,

“Often security awareness programs are run by highly technical people such as security analysts or IT administrators. While these individuals understand security, they lack the skills or training to effectively communicate to a large group of people. They also tend to view security problems from only a technical perspective. Security awareness programs instead should be run by people with communications, marketing or learning backgrounds. We need people that can effectively reach and engage others.”

SANS London 2015 takes place at London’s Grand Connaught Rooms in the heart of the West End from the 14th of November and includes 14 courses spanning 4 core disciplines. For more information, please visit

[su_button url=”https://www.sans.org/event/london-2015/” target=”blank” style=”flat” background=”#df2027″ color=”#ffffff” size=”10″ radius=”0″ icon=”icon: arrow-circle-right”]For more information on SANS London 2015 click here[/su_button]

About Security Buyer

Security Buyer is the leading authority in global security content, delivering expert news, in-depth articles, exclusive interviews, and industry insights across print, digital, and event platforms. Published 10 times a year, the magazine is a trusted resource for professionals seeking updates and analysis on the latest developments in the security sector.

To submit an article, or for sponsorship opportunities, please contact our team below.

Rebecca Spayne picture 2025

Rebecca Spayne

Managing
EDITOR

Georgina Turner image

Georgina Turner

Sales
Manager

Afua Akoto image - Security Buyer

Afua Akoto

Marketing Manager

Read the Latest Issue

Follow us on X

Follow us on X

Click Here

Follow us on LinkedIn

Follow us on LinkedIn

Click Here

Advertise here

Reach decision makers and amplify your marketing

Advertise here

Click Here

Related News

Barracuda releases ransomware research

After identifying and analysing 106 highly publicised ransomware attacks over the past 12 months, Barracuda researchers have found that the education (15%), municipality (12%), healthcare (12%), infrastructure (8%), and financial (6%) sectors are the five most targeted by adversaries.
defenses

Enterprises should strengthen cybersecurity defenses

There are concerns about cyberattacks, particularly on critical infrastructure, and as a result, companies need to strengthen their defenses
defenses

Enterprises should strengthen cybersecurity defenses

There are concerns about cyberattacks, particularly on critical infrastructure, and as a result, companies need to strengthen their defenses
Markus Auer

ThreatQuotient-sponsored SANS study of Threat Hunting

ThreatQuotient, a pioneer in the security operations platform market, have announced the results of the SANS Threat Hunting 2019 study
Markus Auer

ThreatQuotient-sponsored SANS study of Threat Hunting

ThreatQuotient, a pioneer in the security operations platform market, have announced the results of the SANS Threat Hunting 2019 study
Ned Baltagi

SANS announces its biggest ever Gulf Region Cyber Security Training Event in Dubai

SANS Institute, the world leader in cyber security training and certification, returns to Dubai in November with its biggest yet Gulf Region event
SANS

SANS Dubai 2019 helping to develop strong talent to address region’s cyber security skills shortage

SANS Institute has announced that it is holding its next renowned immersion-style Cyber Security Training program in Dubai.
Gallagher Security

New Gallagher Security General Manager to combat cyber threat

The growing cyber threat is the target for the new man at the helm of Gallagher Security, whose vision is to equip companies and authorities to combat it.

New Gallagher Security General Manager to combat cyber threat

The growing cyber threat is the target for the new man at the helm of Gallagher Security, whose vision is to equip companies and authorities to combat it.
Scroll to Top