19 Jul Region’s IT professionals don’t have enough time for proper cyber security awareness finds new report
Over 75% of security professionals spend just 25% of their time on cyber security awareness initiatives, according to a new report by cyber security training body and certification institute – SANS. The report pointed out that to bring awareness up to a basic level, organizations should on average have 1.4 full-time employees (FTEs) dedicated to these initiatives. This number increases to 2.6 FTEs in organisations that have the most successful awareness programs.
“There is no doubt that awareness programs play a vital role in strengthening IT security,” said Ned Baltagi, managing director, Middle East & Africa at SANS. “While Middle East organisations are doubling down on their security investments, the challenges cannot be solved by technology alone. The behaviour of end-users, most commonly unintentionally malicious, is often the root cause of data breaches, which is why SANS has worked to pinpoint the shortcomings of security awareness programs and provide enterprises with a clear outline for how they can overcome these.”
Lack of communication and employee engagement is the other major hurdle that security awareness professionals face. The report says that 30.23% of respondents cite this as their biggest challenge. This largely results from the inability of IT staff dedicated to this function to explain to their non-technical counterparts the impact that human risks have on cyber security, the report finds. While 80% of security awareness professionals have technical backgrounds, just 8% of them have soft skills backgrounds such as communications, marketing, training or human resources.
Not surprisingly, organisations that had the most robust security programs were also those that had complete buy-in from higher management, while 64.5% of organizations that did not receive sufficient support from company leadership categorized their awareness programs as non-existent.
“In addition to dedicating the right resources and time to security awareness and working on the communications skills of security professionals, organisations should strategically leverage their budgets to hire resources who will get their awareness programs off and running. They should also identify and empower awareness ambassadors - employees who are committed to security initiatives and push their colleagues to do the same - as a cost-effective means to raise the entire organisation’s security posture,” said Baltagi.
About the report
The third annual SANS Security Awareness Report is based on a survey of 1,084 qualified professionals who are responsible for building, managing or contributing to their organizations’ security awareness programs. Among the 58 countries that were represented were the UAE, Saudi Arabia, Qatar and Bahrain. The entire report along with the researchers’ recommendations and expert advice is available as a free download from https://securingthehuman.sans.org/resources/security-awareness-report-2017