One More Prediction for 2010, But Are We Going to Heed It?

In our last post we gathered together the pundits' predictions for 2010, but, perhaps predictably (sorry), they focus more on surprise and novelty than on actual risk. In fact, few of these pundits even mention what is probably the greatest risk of 2010. Worse, even those who know what that risk is are not acting strongly enough to manage it. Here is what our members, the real experts, think are the top risks for 2010 (survey of our membership in September):

Threat landscape

Like every year, the #1 risk is employee carelessness. The Verizon Business data breach reports we like to reference say the same thing. This risk isn't great for flashy headlines, and it probably isn't great if you have a security solution to sell. But if you are trying to manage risk, it is important to keep this risk top-of-mind.

Are We Going to Heed This Prediction?

I ask because, even though I think we all know this is our biggest risk, we don't seem to act on that fact. Let's take a closer look at our efforts to reduce the risk of employee carelessness.

First, we only spend 2% of our budgets on awareness and training.

Now I realize that it is impossible to reduce the carelessness risk to a small value, let alone to zero. Maybe we are stuck with carelessness as our largest risk, and current spending is appropriate? Let's dive deeper to see what we are accomplishing with that 2%.

Behavior Change Efforts

Apparently we are doing pretty well at pushing out broad-based generic training, but most of us are not even trying some of the better tools in our toolkit, such as incentives. And almost no organizations actually measure user behavior and feed that measurement back into their efforts.

Arguably there is no better tool than targeted training that is relevant to a user's job. The figure above shows that fewer than 60% of organizations do this even for high-risk roles. Here is another perspective:

Targeted training

Another very effective way to change user behavior is to have proper behavior communicated and reinforced by their manager. Here is how we are doing in that area:

Manager communication of behavior

A Modest Proposal

What would happen if organizations cut their technology budgets by 10% (1.8% of overall spend) and doubled their awareness and training budgets? Many organizations could cut their technology budgets by that amount without increasing risk at all, just by avoiding purchases that end up not getting used, or that are largely redundant with technologies they already have.

I know what I would predict.

Explore posts in the same categories: Awareness, Insider Threat, Risk Management, Strategic Planning