Solving the cybersecurity puzzle requires more than technical solutions as attackers increasingly target the people who use systems and data legitimately. Management must understand that improving security awareness among all employees is critical to defending their cyber assets, which is why the SANS Institute’s new SANS Security Awareness Professional certification was developed.
While cybersecurity professionals are generally assumed to possess elite technical skills, such skills are less of a priority for security awareness professionals, whose job is to address human vulnerabilities. Security awareness professionals help organizations by running awareness training that educates all employees and instills a security-aware mindset.
In this Q&A, Lance Spitzner, director of SANS Security Awareness, explains why the new credential will change the way organizations defend themselves against cyberattacks.
Editor’s note: This interview has been edited for length and clarity.
Why is SANS offering this new credential for security awareness professionals?
Lance Spitzner: This is something that’s been in high demand in the security awareness and security culture community. Whenever we hold events or talk to anybody in this industry, this has been the No. 1 thing they’ve been asking for. We’re just really excited to deliver.
What is security culture, and how does it fit into enterprise cybersecurity programs?
Spitzner: Cybersecurity is no longer just about technology. You have to acknowledge and address the human element. For organizations today, cybersecurity is now both technology and people. There’s this whole new field now developing, where organizations are also addressing their human risks.
Security awareness, security culture is how you secure the human element. Security awareness is typically focused on changing human behavior or securing people’s behavior. Security culture is even more broad or strategic, when you actually change not only behavior but what people believe: their perceptions and attitudes.
Who is the intended audience for the SANS security awareness credential?
Spitzner: Most of your more mature organizations have somebody on their security team dedicated to the human side. That person’s titles tend to vary because this is still a relatively new field, but the most common title is security awareness officer. It can be security culture officer, security engagement officer or security communications officer. One of the things we’re hoping to do with this cert is not only establish this as a new field for cybersecurity, but also help develop and standardize things like titles and job descriptions.
What would their job descriptions look like?
Spitzner: Instead of focusing on technology like most of the security team, they would be focusing on the workforce, the people. They would be doing things like communication and engagement, telling people why cybersecurity is important, teaching them the most important secure behaviors like strong passwords, how to detect phishing. Ultimately, you want to make your people as secure as your technology.
What kind of background do those people have? Would they have technical backgrounds or would they be coming from other areas of the organization?
Spitzner: What we’re starting to see is more security awareness officers having soft skill backgrounds like communications, marketing, training, public relations. They don’t need very strong technical skills because they’re working with the security team, so the other security geeks can help with the technology and with the behaviors. A good security awareness officer has strong people skills. They’re good at communicating, building partnerships and engaging others, and we’re seeing more and more of that.
What’s fascinating is if you come to our annual security awareness summit conference, two-thirds of our speakers will be women. The women outnumber the men.
Is that balance a case of women being steered into security awareness because they are perceived to be less technical?
Spitzner: What the data shows us is this: More organizations are realizing that good security awareness officers are great communicators. So when they’re going out to hire awareness officers, they’re not hiring from the technical community. They’re hiring from the marketing and communications community.
When you go into that community, that community is predominantly women. It’s not that women make better security awareness officers or that women are worse at technology. It’s because when you want an awareness officer, you go to the communications or marketing community, and that industry, right now, is predominantly women. As you’re hiring your full-time awareness officers, the bias tends to be toward women because of the pool you’re going to.
How important are technical security skills to security awareness officers?
Spitzner: Security awareness officers don’t need technical skills, but they have to have the passion to do some learning. They can learn from the security team, because they need to understand the language that the security team is communicating to them.
The awareness officer also has to have an understanding of the workforce. If the security geeks are trying to explain the security technology that people have to use in the company and the security awareness officer can’t understand the security geeks, well, that’s a good litmus test. The awareness officer can go, ‘Look, I’m not technical, and I don’t understand what you’re telling me. But if I don’t understand, nobody in our company will understand you, so let’s take a step back and work together so that everybody in the company will understand it.’
Can you give more details about the SANS security awareness credential?
Spitzner: What it really comes down to is this is a new field. It’s been gelling for five years now, and we’re looking for a way to standardize and credential people that are experts in this field. Up to now, there’s been no way for a security awareness professional to demonstrate they are an expert in this field. This is the first industry-recognized standard that really enables awareness professionals to demonstrate their expertise in managing human risk.
Spitzner: To achieve this, you take a two-day class on how to manage human risk. We’ve taught well over 1,500 awareness officers, so it’s based on a lot of experience, a lot of data. The credential is a two-hour, 50-question exam based on the course. It is proctored — you don’t go online and do it, you actually have to go into a physical building, demonstrate that this is you and then take the exam.
Are the questions on security and risk, or more on developing and maintaining security awareness programs?
Spitzner: Mostly the latter. The class itself does have some concepts on risk, what is risk, how do you manage risk, but the real focus of the class and the credential is on things like how to identify your target audiences, how to identify the key behaviors that manage those risks, what are the most effective ways to engage people and change those behaviors to manage those risks.
The course is not an academic, theoretical ‘how do I build the perfect program’ course. It’s about how you can build the most mature, high-impact awareness program in the real world with limited time and resources.
Are organizations actively recruiting for these positions?
Spitzner: Absolutely. As you know, cybersecurity is a fast-growing field, and the human side of cybersecurity is one of the fastest-growing areas in cybersecurity. Organizations are just now realizing that technology alone will not solve all their security problems. They really need to address the human factor, so there are a lot of organizations out there that are scrambling to address the human side.