Human error is the leading cause of data breaches. According to the 2022 Verizon Data Breach Incident Report, 82% of breaches in 2022 involved the human element. People have become the primary attack vector.
But, according to the SANS 2022 Security Awareness Report, the status quo in most security teams is a 10 to 1 ratio of technical security professionals to human-focused security professionals. This means that for every 10 technical security professionals who focus on things like network security and vulnerability management, there is only 1 human-focused security professional who focuses on things like security awareness and training, incident response, and stakeholder communication.
One sentence in the report struck my mind especially, due to my own background in online marketing:
[…] the large majority (72%) of security awareness professionals have a technical background. […] This can help explain why so many awareness programs struggle to engage their workforce. Having a strong technical or security background is valuable, as it enables people to understand the common technologies and behaviors that pose a risk to the organization and the tactics, techniques and procedures of cyber attackers. However, having “too technical” a background can also sometimes mean the person lacks the skills to effectively communicate those risks or meaningfully engage employees.
Also, a diverse team with a range of skills may be more effective at managing security risks. Security teams that include professionals with communication skills can bring a different perspective and approach to problem-solving, which can lead to more comprehensive and effective risk management strategies.
In this discussion, we will explore the importance of communication professionals in security teams and the challenges of addressing the human risk in cybersecurity. We will consider the case for why communication professionals should be the counterpart within the security team for the communications department. Finally, you will get 10 ideas how communication professionals can improve engagement for your awareness program.
Tech heavy teams can be problematic
Another quote from the SANS 2022 Security Awareness Report:
Managing human risk is not a technology challenge, it is a human challenge, and as such it requires people to solve the problem.
human error is considered the leading cause of data breaches
There are several reasons why the imbalance of technical security professionals to human-focused security professionals is problematic. First and foremost, human error is considered the leading cause of data breaches. This includes things like weak passwords, falling for phishing scams, and inadvertently sharing sensitive information. In order to effectively address these types of risks, organizations need a sufficient number of human-focused security professionals who can design and deliver effective security awareness training and messaging, as well as coordinate incident response and manage stakeholder communication in the event of a security incident. Communication professionals are well-suited to this role because they have the skills and expertise to create engaging, effective materials that can educate and motivate employees to adopt better security practices.
the reality of the modern threat landscape
Another issue with the current 10 to 1 ratio is that it does not reflect the reality of the modern threat landscape. Cybersecurity threats are no longer just technical in nature, and they often involve social engineering and other tactics that target human vulnerabilities. To effectively defend against these types of threats, organizations need a diverse team of security professionals who can bring a range of skills and perspectives to the table. This includes not only technical skills, but also communication skills, business acumen, and an understanding of human behavior and decision-making.
growing importance of stakeholder trust
Furthermore, the current 10 to 1 ratio does not take into account the growing importance of stakeholder trust and confidence in the digital age. In the event of a data breach or other security incident, it is crucial for organizations to be able to effectively communicate with stakeholders such as customers, partners, and investors. Professionals with strong communication skills as well as a profund technical understanding of security aspects are essential in building trust and confidence by managing the flow of information and addressing concerns.
a more balanced ratio of technical and human-focused security professionals is needed
In summary, the current 10 to 1 ratio of technical to human-focused security professionals is problematic because it does not adequately address the leading cause of data breaches (human error), does not reflect the reality of the modern threat landscape, and does not take into account the importance of stakeholder trust and confidence. In order to effectively manage cybersecurity risks, organizations need a more balanced ratio of technical and human-focused security professionals.
With such a large imbalance, it is not surprising that many security teams tend to focus more on the technical aspects of cybersecurity.
The challenges of addressing the human element in cybersecurity
Tech is easier to handle
There are several reasons why many security teams tend to focus more on technology than on the human risk. One reason is that technology is often seen as the more "tangible" aspect of cybersecurity. It is easier to measure and quantify, and there are more tools and technologies available to help manage it. In contrast, the human risk is more intangible and harder to measure. It is also more difficult to address because it involves changing human behavior, which can be challenging.
the importance of the human risk
Another reason is that there is often a lack of understanding or appreciation for the importance of the human risk. Many organizations and security professionals may not fully understand the extent to which human error and behavior can impact cybersecurity. They may also not fully appreciate the importance of effective security awareness training and other human-focused efforts in mitigating these risks.
a lack of resources
Finally, there may be a lack of resources or prioritization of the human risk. Organizations may not allocate sufficient resources or prioritize the development of human-focused security programs. This can be due to a variety of factors, including budget constraints, lack of understanding of the importance of these programs, or other competing priorities.
I often see that the MarCom-departments are in charge of crisis communication in case of an incident, which seems to make sense as they are used to do stakeholder communications. But they often face the challenge to have no counterpart in the security team which can give comprehensive information about the situation, focused on the impact for the stakeholders.
MarCom needs a counterpart
Here are my top 5 reasons why crisis communication needs a counterpart in the security team:
- Lack of expertise: Someone outside the security team may not have the necessary expertise and knowledge about cybersecurity and incident response. This can lead to misunderstandings or incomplete information being communicated to stakeholders.
- Lack of context: Someone outside the security team may not have the full context and understanding of the incident, which can lead to inaccurate or incomplete communication.
- Lack of credibility: Stakeholders may be less likely to trust and believe someone who is not a member of the security team, especially if they are not seen as an expert in the field.
- Lack of coordination: Someone outside the security team may not be fully aware of the ongoing response efforts or have access to all of the relevant information. This can lead to conflicting or inconsistent communication.
- Lack of buy-in: If stakeholders do not fully understand the incident or the response efforts, they may be less likely to support and cooperate with the organization.
Therefore, it can be problematic if someone outside the security team has the sole duty to communicate to stakeholders in case of an incident because they may lack the necessary expertise, context, credibility, coordination, trust, engagement, and buy-in. This can lead to misunderstandings, incomplete information, and damage to trust and confidence.
In summary, there are several reasons why many security teams tend to focus more on technology than on the human risk. These include the perceived "tangibility" of technology, a shortage of human-focused security professionals, a lack of understanding or appreciation for the importance of the human risk, and a lack of resources or prioritization of human-focused security efforts.
10 ideas how communication professionals can improve engagement
About 70% of respondents in the SANS 2022 Security Awareness Report voted for "Inability to engage employees" as one "top challenge in managing awareness programs".
This challenge is overall on rank four, just after "Lack of time for program management", "Limits on training time per employee" and "Lack of staffing", which are all related to lack of time.
Here are 10 ideas, how communication professionals can improve the engagement for your awareness program.
- Use engaging and interactive training materials: Communication professionals can help design training materials that are more engaging and interactive, which can help keep employees more interested in the material.
- Make the training relevant to employees: Communication professionals can help tailor the training to specific employee roles and responsibilities, which can help make it more relevant and meaningful to them.
- Use storytelling and case studies: Communication professionals can use storytelling and real-life examples to make the training more relatable and engaging.
- Use a variety of training methods: Communication professionals can help design a training program that uses a variety of methods, such as videos, simulations, and interactive activities, to keep employees engaged.
- Communicate the value of the training: Communication professionals can help communicate the importance of the training and how it can benefit employees and the organization.
- Make the training accessible: Communication professionals can help ensure that the training is accessible to all employees, regardless of location or device.
- Encourage employee participation: Communication professionals can help create opportunities for employee participation and feedback, which can help make the training more interactive and engaging.
- Use reinforcement techniques: Communication professionals can help design a training program that includes reinforcement techniques, such as follow-up quizzes and reminders, to help ensure that the material is retained.
- Use rewards and incentives: Communication professionals can help design a training program that includes rewards and incentives to motivate employees to participate.
- Encourage a culture of security: Communication professionals can help promote a culture of security within the organization by communicating the importance of security practices and encouraging employees to adopt them as part of their daily routines.
The SANS report states:
The most mature awareness programs (either at the sustainment/culture change or metrics framework levels) had at least three full-time employees dedicated to or helping manage the program.
How is your team actually staffed?
In this discussion, several arguments were presented regarding the importance of communication professionals in security teams and the challenges of addressing the human risk in cybersecurity.
It was noted that human error is the leading cause of data breaches and that communication skills are essential in building effective security awareness programs and managing incident response.
It was also highlighted that a diverse team with a range of skills is more effective at managing security risks and that communication skills are important in building trust with stakeholders.
Additionally, the current status quo of a 10 to 1 ratio of technical to human-focused security professionals was discussed as being problematic because it does not adequately address the leading cause of data breaches, does not reflect the reality of the modern threat landscape, and does not take into account the importance of stakeholder trust and confidence.
Finally, it was argued that communication professionals should be part of the security team rather than only being part of the communications department because they are essential in addressing the human risk, are critical in incident response, are crucial in building stakeholder trust and confidence, and can help promote a culture of security within the organization.
(disclaimer: this article was not written entirely by, but with support of ChatGPT as an experiment)