This month I caught up with Lance Spitzner, Director of SANS Securing The Human. Lance has over 20 years of security experience in cyber threat research, awareness and training. He invented the concept of honeynets, founded the Honeynet Project and has published three security books. Lance has worked and consulted in over 25 countries and helped more than 350 organizations plan, maintain and measure their security awareness programs. In addition, Lance is a member of the Board of Directors for the National Cyber Security Alliance, frequent presenter, serial tweeter (@lspitzner) and works on numerous community security projects. Before working in information security, Mr. Spitzner served as an armor officer in the Army’s Rapid Deployment Force and earned his MBA from the University of Illinois.
You were an early enthusiast for security awareness. How do you see the changes from where you started to now?
The part that excites me the most is just how fast this field is maturing. When I started ten years ago the human element saw very little, if any, security training. What little organizations were doing was strictly compliance focused; think death by PowerPoint. As a result, awareness rightly got a bad reputation. Fast forward to today and things are vastly different. Not only are organizations realizing they have to go beyond technology and address the human issue, they are putting resources into their program AND getting the right people involved. This means not just people with expertise in technical security, but also in communications, culture and collaboration.
Did you ever think that security awareness would be as big as it is now?
Yes and no. I remember this field in 1999/2000; getting anyone to take cyber security seriously back then was an impossible task. Today cyber security is one of the top topics on most Boards of Directors' agendas. You knew it would happen sooner or later, as the problem was too great to ignore. Human security is the same. Organizations and our field have matured when it comes to technical security; we have hit the point of diminishing returns. We now must address the human element or continue to lose ground against the bad guys. I'm seeing this industry open up to that fact. The one thing that frustrates me, though, is that often the biggest blocker to human security is other security professionals: for many in our community, if it's not bits and bytes, it can't be security.
You’ve recently completed a 2016 Security Awareness Report based on surveying awareness practitioners. Were there any big surprises?
Yes, some BIG surprises. One of the key findings from the 2016 Security Awareness Report is the background of security awareness professionals: the vast majority have highly technical backgrounds. At first this makes sense, as organizations build awareness officers from the security team. But if you think about it, this is why so many awareness programs struggle. Awareness is all about securing the human. This means awareness officers have to be good with people; they need soft skills like communication and collaboration, and they need to understand concepts such as behavior modelling, culture management and cognitive overload. Many awareness professionals today lack those critical skills. Until we realize security is more than just bits and bytes and that it also involves people, the bad guys will continue to win.
What initiatives are you working on and how can security awareness practitioners get involved?
One of the exciting things about this field is that it's still in its infancy; anyone can have an impact on its future. The key problem is that so many awareness officers are understaffed and under-resourced, so anything that can make their job easier is a huge help. As such, community resources can have a huge impact. What I love about working at SANS Institute is that they give me the freedom to work on projects like this. If anyone is interested in getting involved, reach out to me at [email protected].
The SANS Securing The Human program has some fantastic awareness resources that you should check out regardless of whether you are highly experienced or new to the industry. To learn about evolving best practice and to network with peers, see the monthly OUCH! Newsletter, the NCSAM Planning Kit and the Security Awareness Summits.