Security awareness is a somewhat contentious term among security professionals. There are many that are strong advocates for training and prevention and others that look at it as a lost cause. However, as threats against companies and their employees continue to grow year over year, so do the needs for awareness, communications and education as a deterrent and extra level of security.
Having a security awareness program in place can have an innumerable ROI. Instead of looking at it as an immediate and measurable return, it needs to be thought of as what cost the program is helping to prevent. A breach on a company can cost millions of dollars, not to mention being detrimental to a company's reputation. Some companies struggle to recover from these events, if they ever fully recover at all. And many large companies with breaches between 2013-2015 are now realizing that investing in their people, the weakest link but the first line a defense, can be a better preventative measure than some of the most innovative technology that is available.
Having worked in a security awareness role for over four years now at a Fortune 1000 company, I have seen the need and demand for similar positions at companies, both large and small, continually increase. When I first took my position I googled the job “security awareness analyst” and found very little information. Now, as more companies are being breached and the media is bringing it out to public attention, more businesses are looking for security awareness positions to help implement a preventative training and communications program.
As advancements in technology and threat vectors occur there will be a progression of opportunities to educate employees about these risks. The real question then is as a company do you wait until it is too late and you are required to have training in place? Or do you take a preemptive approach and put in place additional layers of security by training your employees to have an active role in securing your company and its assets? I know from experience that the latter has immeasurable positive and constructive results on both a company and its people. A well designed security awareness program will help to lessen risks and in return will have boundless rewards.