One of the key topics I have been discussing recently is how to optimize your security awareness program, specifically identifying the topics that have the greatest impact and benefit for your organization. The ultimate goal is to reduce the time of your awareness training while increasing its effectiveness. One reason for this is that you will have limited time to communicate your program. Often management or human resources will give you only so much time for training. In addition, end users can only remember so much. However, there is another key matter we have not discussed, and that is cost. By investing time and resources in developing an effective awareness program, you can SAVE your organization money. Here is a simple example.
Let's say a company of 1,000 employees requires security awareness training for compliance purposes. Assume the security team has been given no resources or budget to develop a solution. Instead, they are told to just develop a one-hour presentation to meet compliance requirements. The total cost to train those 1,000 users for just compliance purposes is (1,000 hours) x ($40 per man-hour, an assumed average), which equals $40,000. Now, let's give that same security team a budget, say $10,000. Let's say they use this money to research their requirements and develop a superior solution (or purchase one from a vendor). As a result of this investment, they reduce the training to thirty minutes while increasing the value and impact to the organization. The total cost to train 1,000 users is now (500 hours) x ($40 average per man-hour) + $10,000 = $30,000. The unfunded solution ends up costing $10,000 more than the professionally developed solution.
We all need time, resources and budget to develop a security awareness solution that makes a difference. This is one way you may be able to get that funding.