If you are aware of the SANS Security Awareness Maturity model you will be familiar with the need to build a mature security awareness programme. And if you read our previous post on the number 1 security awareness mistake you’ll recognise the annual only training element of a Compliance Focused level of maturity. http://advanced-engagement.com/top-security-awareness-mistake/
Maturity models are common in Information Security and it’s easy to fall into the trap of trying to achieve a defined level of maturity without really recognising why. Maturity is often mistaken, internally and externally, as reaching 4 or 5 on a scale. You should plan to be as mature as you want to be within the current planning cycle.
Lessons to be learned
For security awareness and ultimately culture change it is unlikely that you will be able to achieve more than a single step improvement in an annual cycle. Why? Because you will learn valuable things about how the people in your organisation react to what you are trying to do. These learnings can be used to make successes when you approach the next level.
Time to change behaviours
Additionally, unless you already have a mature security awareness programme your goal is to change behaviours to align with the needs of the business. Changing behaviours takes time.
Don’t believe me? Ever tried to stick to a new diet, become a regular gym goer or to change your spending habits?
If you have, I bet you were motivated. How easy was it to change your previous behaviour?
In general, the average employee is not highly motivated to change behaviours that could have a security impact. You can see where the time element comes in. Research abounds as to how long it takes to change a behaviour and make it a habit. Much of that focusses on a single habit, you are likely trying to address multiple!
In summary, when you are thinking about the level of maturity you want to reach, consider where you are currently and what you can realistically achieve within the next 12 months. Momentum breeds success and you’ll soon have a whole new improved landscape to build on in the next phase.
For an overview of the SANS Maturity Model [https://securingthehuman.sans.org/blog/2016/02/25/security-awareness-maturity-model-your-path-to-success]
If you enjoyed this post please come back regularly for further updates including upcoming information of security awareness events across Scotland and further afield. @adv_engage