Security Awareness Maturity Model - Part 1

Travis Good
December 29, 2020

We often get asked how to start a security awareness program or how to improve an existing one. At Haekka, we think about security awareness in stages. We start with basic awareness, move up to engagement, and then on to effectiveness. Each of these stages corresponds to a job to be done (JTBD). We’ll cover these stages in a later article. This post is focused on a similar model from SANS, the security awareness maturity model, depicted below.

The SANS security awareness maturity model is broken down into five stages:

  1. Non-Existent. This requires very little explanation. At this stage, you don’t have a security awareness program.
  2. Compliance Focused. This is where most companies start, and it is usually triggered by an audit. In this stage, you deliver security awareness training solely to meet the requirements of compliance regimes such as HIPAA, PCI, SOC 2, or GDPR. Training is typically delivered annually.
  3. Promoting Awareness & Change. This is where you start to see tangible impact from security awareness. In this stage, training is relevant to your company and employees. It is also delivered more frequently than annually.
  4. Long Term Sustainment. Expanding on the previous stages, in this stage you regularly review your security awareness program and update its content.
  5. Metrics. This last stage measures the impact of security awareness training and uses that information to continually improve the program.

Audits are most frequently the trigger for companies, especially small companies, to start a security awareness training program. This Compliance Focused training is usually delivered annually as that timeline typically addresses the requirements for regulatory and reporting regimes. If the goal of security awareness training is purely to meet compliance requirements, achieving this first level of maturity is not technically difficult; we even see companies develop their own training at this level using non-dedicated resources. Nudging, nagging, and collecting evidence of completion from employees can be a pain for those tasked with managing this.

Unfortunately, this infrequent Compliance Focused cadence for training does not move the needle much on employee decision making.

Regardless of compliance requirements, all companies should implement some form of security awareness training. The goal of that training should be to influence better decision making. This is because globally, roughly 9 out of 10 security incidents result from decisions that employees make directly. This means moving past Compliance Focused security awareness matters a great deal for your company.

Moving past the Compliance Focused stage is harder than moving from Non-Existent to Compliance Focused. Companies require dedicated resources to continually monitor their training and create and deliver relevant security awareness training on a continual basis. We've talked to companies with up to 5,000 employees, with dedicated training staff, who still struggle to create timely training that applies to the way work is done today.

Doing security awareness right is hard. The SANS Security Awareness Maturity Model is helpful in considering what you do today and how you can improve your security awareness program to meet your company’s needs.

----

Creating and maintaining a basic security awareness program is not hard, but it has limited value if the goal is simply to address training requirements for audits. Creating an engaging, effective security awareness program is a challenge that requires dedicated resources.

Haekka can help. Technology companies use us to create, monitor, and maintain a mature security awareness program. Go from 0 to 60 on security awareness with Haekka.