News of Interest
News of Interest
What the Growing Need for Cybersecurity Awareness Means for Your Career
Human factors are a primary contributor to cybersecurity breaches and incidents. Social engineering and phishing are predominant threat vectors, driving the need for organizations to strengthen their human layer and build a strong security culture.
Nearly all surveyed chief security information officers (CISOs) report having cybersecurity awareness training measures in place. Almost two-thirds believe those programs need expansion. For cybersecurity awareness professionals, these trends represent new career opportunities.
Why Every Employer Needs a Cybersecurity Awareness Program
In recent years, security researchers have highlighted the growing prevalence of cyberattacks that target people rather than technology. The most recent data from Verizon’s annual Data Breach Investigations Report, for instance, shows that 74% of all confirmed breaches “include the human element.”
The explosive rise in generative artificial intelligence (genAI) also has CISOs concerned about new phishing risks. GenAI tools such as ChatGPT could give malicious actors an even higher ground and lead to an escalation in successful phishing attacks.
Phishing attacks are not only the most prevalent but also one of the costliest. Data breaches with phishing as the initial attack vector cost an average of $4.76 million globally, compared to the overall average of $4.45 million, according to IBM Security’s 2023 Cost of a Data Breach Report.
The costs go far beyond financial. Attacks that start with phishing can severely disrupt business operations, lead to exposure of sensitive or protected data, and damage brand reputation.
Organizations have responded to this growing threat by investing in security awareness, education, and training programs. Aimed at building a strong culture of security and changing human behaviors, these programs have proven effective:
- 99% of surveyed IT professionals said employee awareness efforts increased corporate security.
- After a year or more of ongoing training and phishing testing, organizations saw an 82% improvement on average, according to the 2023 Phishing by Industry Benchmarking Report from KnowBe4. Moreover, only 5% of employees failed a phishing test after a year of training, compared to 33% of untrained individuals.
- IBM’s report shows that employee training was one of three factors reducing data breach costs the most. The average cost of a data breach was 19% less for organizations with the highest level of employee training, compared to the overall average — and 34% less than those with low levels of training.
“The importance of fighting social engineering and phishing has really risen,” says Roger A. Grimes, a data-driven defense evangelist at KnowBe4 and author of 15 books on cybersecurity. “These programs are still underresourced, but the need to strengthen the human element is becoming commonly recognized.”
Professional Opportunities in Cybersecurity Awareness
In the past, the role of building a security culture and raising awareness fell on the shoulders of teams such as human resources, IT security, and compliance. But more organizations are adding dedicated roles such as security awareness officers, managers, and specialists. A recent review of job board listings showed a salary range of $70,000-$186,000 for these types of roles.
Those interested in this field don’t necessarily need a background in IT or cybersecurity. There are many paths to a security awareness and culture career, including technical, nontechnical, and multidisciplinary backgrounds.
The ongoing shortage of cybersecurity talent overall has also compelled many companies to create internal opportunities for cross-training. These avenues allow employees to move into a security awareness and training career starting with their current employer.
“By laddering up employees through opportunities like professional development or certifications, employees don’t have to go out and find talent for these roles,” says Marc Vasquez, a cyber regional training and exercise specialist with the Cybersecurity and Infrastructure Security Agency (CISA). “Employers can instead equip their talent internally, which is an advantage because those employees already understand the organization.”
The inevitability and severity of cyberattacks has brought the importance of cyber resilience to the forefront for both business and security leaders. Research indicates that a stronger security culture can improve cyber resilience by as much as 46%. As more organizations understand the impact of a strong security culture on hardening their human layer and boosting resilience, the demand for skilled security awareness professionals will only grow.
Certifications Provide Value to Professionals and Employers Alike
Certifications are a popular route for professionals looking to grow their technical or specialized skills. Nearly two-thirds of cybersecurity professionals surveyed by ISC2 identified skill growth and development as their primary motivator for pursuing certifications.
Furthermore, when asked about their qualification preferences for ideal cybersecurity candidates, survey respondents valued certifications higher than a related bachelor’s degree (66% vs. 34%) or independent experience such as hackathons (54% vs. 46%).
A certification also offers an advantage to individuals who are just entering a security awareness career. This was the case for Vasquez, who prior to CISA transitioned to security awareness from a background in communications and public relations.
To help with the change, he sought out technology-focused certifications. Eventually, Vasquez helped develop the Security Awareness and Culture Professional (SACP) certification — and was one of the first individuals to take the exam and obtain the credential.
“A certification can help you not only level up, but also make you more of an asset for your organization,” he says. “It also connects you to a community of other security professionals who have the same acumen as you and can help you with answers or problem solving.”
Grimes, who has an extensive cybersecurity background and holds numerous certifications including SACP, notes that going through the process helps identify your knowledge gaps.
“When you take a certification test, you’re being exposed to content, terminology, and methodology,” he says. “It validates your knowledge, but it also teaches you new things, shows you what you don’t know, and helps round out your experience.”
Cybersecurity leaders find technology-focused certifications equally valuable to their organizations — 95% of leaders surveyed by Fortinet saw a positive impact from certificated employees. The benefits included:
- Increased cybersecurity knowledge (72%)
- Improved job performance (62%)
- Accelerated career growth (55%)
- Higher salaries (47%)
“Getting a certification shows your manager you’re committed to professional development and are driven enough to set a goal and achieve it — and it’s easier for your boss to give you a bonus or a raise, too,” Grimes says. “It can also help your organization be more competitive and get customers by demonstrating its own commitment to security awareness.”
Three-quarters of security leaders surveyed by Fortinet believed security awareness and training for all employees would benefit their entire organization. If you’re interested in this field, you have a great opportunity to make a business case for a strong security culture to your employer.
Getting Started
Overall, 70% of cybersecurity professionals surveyed by ISC2 planned to pursue a vendor-neutral certification within the next two years. Nearly a quarter planned to do so in the next six months.
A vendor-neutral certification such as SACP is an excellent way of demonstrating your expertise in security awareness. This kind of expertise — applying human-centric strategies to security awareness, fostering a strong security culture, and educating employees about best practices — — has never been more important.
“Phishing attacks and social engineering scams are not going away. In fact, they’re becoming larger and more complex each year,” Vasquez says. “The need for security awareness is more vital now than ever.”