“Awareness programs are great for a number of reasons, but they do not take priority over the daily fire drills that most security teams face,” said Brian Johnson, chief security officer at Armorblox.

Distractions and diversions are all too frequently stealing time away from security awareness professionals, forcing them to tend to non-critical tasks while setting aside their core responsibilities of developing a strong internal infosec culture.

A SANS Institute-conducted survey of more than 1,500 of these professionals around the world found that more than 75% of respondents spend less than half their time on the job developing or executing security awareness initiatives. Just under 40 percent of respondents said they spent only 10% of their time on security awareness.

And roughly half of the surveyed security awareness pros said that lack of time was the number-one cited challenge impeding their ability to create a mature security awareness program, according to the recently released 2021 Security Awareness Report from SANS Security Awareness. (Lance Spitzner, director of SANS Security Awareness, confirmed to SC Media that survey-takers qualified as security awareness pros if they confirmed that they are either dedicated full-time to security awareness or a contributor only helping with awareness.)

The report suggests that security awareness pros could better concentrate on their core competencies if they were to able to increase staffing and also delegate certain undertakings to other departments or outside contractors. For instance, SANS suggests that security awareness program leaders contract out the creation of monthly security newsletters and surveys. Also, instead of building a security solution from scratch, they could buy or license one.

The report also recommends parting with other departments such as marketing, graphic design, communications and security operations to further some of these efforts. “The more you are able to delegate, the more time you have to create partnerships within your organization, engage with others and ultimately drive change with your program,” the report states.

According to the research, the more full-time equivalent employees a company has dedicated specifically to security awareness, the more likely that business is able to achieve a higher security awareness maturity level. Organizations reporting program success by changing user behavior had on average 2.5 full-time-equivalent (FTE) employees dedicated to awareness. Organizations reporting success going beyond behavior change and impacting culture report that they have at least 3 FTEs dedicated to security awareness.

SC Media reached out to several infosec leaders and security awareness evangelists to ask what they believe are some of the biggest time-wasters and distractions that prevent security awareness managers from zeroing in on their primary job functions, and what steps these managers could take to win back their precious time.

Here’s what they had to say.

Brian Johnson, chief security officer at Armorblox, and former CISO at LendingClub

“Awareness programs are great for a number of reasons, but they do not take priority over the daily fire drills that most security teams face. Additionally, even if organizations are lucky enough to have dedicated security awareness managers as a resource, much of their time is spent reacting to the daily news feeds of c-staff and board members – even if the latest cybersecurity threat is not an immediate risk to their business. In order to protect the awareness managers’ time, communications should be planned much like software release sprints, with internal and external resources available to deliver on expected timelines.”

Joanna Huisman, senior vice president of strategic insights and research at KnowBe4, and former senior director, global security communications, training and awareness at ADP

“Having led a large, global security awareness team, I have firsthand experience in some of the biggest challenges working against program success. Working across the organization is always a challenge. As a security awareness manager, creating meaningful, reliable and useful partnerships within other departments is paramount to getting things done and getting your message heard broadly.

“Create a network of partners early on in each of the critical departments to funnel information through, partner on communications and be an overall advocate for your program. In addition to departmental partnerships, consider architecting a Security Champion Program where you enroll representatives across the organization to help steward and reinforce security messaging. This will allow you a consistent stream of security information that can be broadcasted at a local level ensuring cultural and social nuances are recognized. Safeguarding the organization from a behavioral perspective is not the sole responsibility of the security awareness manager, there needs to be shared accountability.”

Candy Alexander, NeuEon

Candy Alexander, president of the Information Systems Security Association and CISO at NeuEon

“The biggest time-stealer that I see [for] security awareness program managers is that they are busy justifying their purpose. Many businesses believe, as it is stated in the report, that [security awareness] is a compliance checklist item. Businesses do not see the full value of security awareness, which causes businesses to [devote] limited time/resources to the effort beyond what is called for in a compliance requirement.”

“The only way to solve this challenge is to provide rationale in terms of mitigating risk to the overall business strategy. For example, if the business goal is to increase sales via direct to consumer via e-commerce, it is important for the security awareness program to develop metrics as to how effective the awareness program is in reducing risks associated with the business goal – such as reduced opportunities through fraudulent phishing emails, etc. This objective is often difficult for a security awareness program manager to do, for they may not know the business goals; therefore, the security strategist needs to help make that link.”