Is security awareness haunting your organization?
Boo!
No, that’s not the sound of the ghost of security awareness (which is dead, by the way). It’s the sound of us booing it—or, at least, booing the organizations that still put it on a pedestal.
Security awareness has kept a tight grip on the industry for a long time. Too long. Even now, when many security professionals are waking up to the idea that awareness isn’t enough to reduce human risk, it’s still the focus of most human risk management efforts.
In case it isn’t clear by now, we have strong feelings about security awareness. Faced with its demise, we even wrote a few words about it. Okay, it’s not exactly a few words. It’s an entire eBook. And you can download it for free.
Okay, so why is security awareness still held up to a standard that it doesn’t really deserve?
4 reasons your organization is struggling to move on from security awareness
1. It ticks the right boxes
When most people think human cyber risk, they think awareness training and running phishing simulations. And that’s the beginning and end of that line of thought.
But raising awareness is the bare minimum. It’s the easiest way for an organization to say it’s done “something” about its human risk. And the quickest way for organizations to tick the “we’re addressing our risk” box.
2. It’s the industry standard
For the last couple of decades, “security awareness” has been the go-to answer to the “human risk” question. But if that were true, then every new cybersecurity threat could be avoided with a couple of posters and a training session.
Because awareness has been the answer to the human risk question for so long, many organizations have mistaken it for the only answer. But what’s the point of awareness that doesn’t influence long-term behavior change?
3. It’s easy to get on board
Security awareness vendors aren’t just selling the same old awareness training, they’re also selling the idea that awareness is enough to reduce risk. And organizations have been buying into it.
Which is totally understandable because, well, the industry has been pushing it for so long that security professionals might find it easier to get buy-on from higher ups for standard awareness training than it is for modern solutions.
But there’s a reason the traditional awareness training vendors are a dime a dozen. Awareness training is low-hanging fruit. And it doesn’t really matter if it’s ineffective because it doesn’t measure or track behavior change (read: it doesn’t prove its effectiveness in risk reduction).
4. It’s the basis of carrot-and-stick
The result of awareness training is often the basis for punishment and the punishment itself (when people are assigned more training).
At least that’s the case in organizations that believe fear of punishment is an effective motivator.
Low completion rates? Assign more awareness training!
High click rates? Assign more awareness training!
Hint: there are more effective security interventions. Ones that don’t breed resentment, or damage your relationship with your people.
Want to know more about why security awareness just doesn’t cut it (and what to do about your human risk)? Download our free eBook.
