A remarkable security awareness training program doesn’t happen overnight. frequently falling short in organizations’ priorities and understanding where they stand. After interacting and collecting data from thousands of organizations, we created a model to help address the elephant in the room. No one is perfect and almost everyone responsible for security awareness is doing it as a side hustle in their role. Curricula’s Simple Security Awareness Maturity Model is a tool for organizations to recognize patterns of where they stand and why they fall into that stage.
The model is made up of 3 major maturity phases: Do Nothing, Do Something and Do Something Better. I know super complicated right? While we recognize this model isn’t black and white, there’s commonalities between each stage, but it’s a good starting point to see where your organization lies are and more importantly where to go from there.
*Disclaimer: other security awareness companies have developed their own complex maturity models and we aren’t focused on discrediting them. This is just our way of keeping things simple and pointing out the obvious maturity stages we have learned from the data working with thousands of organizations just like yours.
Maturity Model Breakdown
Stage One: Do Nothing
The first stage of the maturity model is our starting point. It’s exactly as it’s described, and identifies organizations that do literally nothing when it comes to cyber security awareness training. And no sending an email saying ‘please don’t get hacked this year’ to your employees doesn’t count as doing something. It’s essentially the wild west when it comes to security awareness, so it’s no surprise that organizations in this stage are the most vulnerable to cyber threats. Cyber security usually isn’t a priority for these organizations, and they have probably never even heard of security awareness. Pretty much at this stage, no one cares about security awareness training until they’re forced to, which we all know is a recipe for disaster. But we recognize that no one is perfect and everyone has to start somewhere in their security awareness journey. This is a dangerous stage to be stuck in today’s world.
Common characteristics: Usually a small business with no designated IT decision-maker, might use a managed service provider, has no budget or plan to spend time on security, and has never run a phishing simulation.
Does this sound like your organization: “I’m too small to get hacked,” “Who would wanna hack me,” “We’ve never been hacked before, so why should we care now,” “Our employees don’t care about this,” “Why would we spend time and money on this?”
Stage Two: Do Something
The second stage, and where we see the majority of the industry stuck in right now, is an organization that has been driven to ‘do something’ quickly usually because of a trigger event. These trigger events mostly include compliance requirements, vendor contract terms, or experiencing a breach first-hand that require them to implement a security awareness program. Trigger events force organizations into their first attempt at a security awareness program, which is almost entirely based on compliance. A problem we see with these programs is they often look at the outputs (once-a-year training and compliance results) instead of outcomes (better security culture and long-term employee behavior change). This is a dangerous position to be stuck in because it creates a false sense of security by going through the motions without actually learning anything.
Management and budget are the two primary decision-making drivers behind a implementing a security awareness program at this stage. The major flaw we see with this is management exclusively selects training services without getting any buy-in from employees, due to an ineffective employee feedback loop. As for budget, the goal is to usually get the ‘most bang for their buck,’ meaning the focus will be looking for quantity over quality when it comes to a training program. For example, how can you get the most amount of content, buttons, and features possible (fun fact: most of those never get used once). To sum it up, the ‘Do Something’ stage is a lot like buying your first car. You don’t know what you like (or don’t like) and as long as gets you somewhere it’ll work. But as you continue to drive you start to recognize things you don’t like. Things become annoying and then you get annoyed and start looking for a better car. You now know what you don’t like. We see this happen with security awareness and it typically takes about a year or two of driving a “miserable car” to see the patterns emerge.
Common characteristics: Small to mid-sized organizations, usually managed by a single IT manager that wears a lot of hats, has a limited budget for security as a whole, and security awareness training isn’t almost never prioritized, is aware that security is important but doesn’t have the resources to develop an effective security awareness program, and is primarily compliance-driven to get completion results.
Does this sound like your organization: “We need everyone to do annual training for this audit,” “Quick our insurance provider said we need to complete training,” “We don’t want to pay for just training,” “It doesn’t matter, our employees just have to complete it,” “We just got hacked, watch this PowerPoint.”
Stage Three: Do Something Better
The third stage happens when an organization realizes that a compliance-driven security awareness program isn’t enough. This is the golden stage of maturity, and while it might take an organization a while to get here, we typically never see them never turning back. Security awareness becomes more about long-term behavior change rather than just compliance results. The organization is usually growing in several ways: employee growth, the value of company culture, and security are starting to become a priority instead of an afterthought.
Common characteristics: A growing organization that cares about employee safety and security, has a security budget with a designated item for security awareness training, usually building out or has a small security team, focuses on how to prevent cyber threats, has a mature phishing simulation program, and cares about the effectiveness of the training.
Does this sound like your organization: “Employee security comes first,” “We need something fun to drive engagement,” “We focus on our security culture more than compliance,” “We’re always looking to improve from employee feedback,” “Phishing simulations are treated as a safe learning experience,” We use the carrot approach to training, not the stick.”
Bonus Stage: Corporate Clown Town
We’ve added this bonus stage for large enterprises that reach that ‘corporate’ status and experience an uncontrollable shift in once successful security culture. This paradox is an unavoidable occurrence when security awareness training becomes difficult to manage due to scale, compliance becomes a priority, and employees become less engaged. This doesn’t mean your training is ineffective or you’re going to be hacked automatically, but rather a stage we see organizations reach without understanding why this change happens.
So, why does it happen? There are simply too many cooks in the kitchen and hoops that have to be jumped through for compliance. Meaning organizations unintentionally fall back to the ‘do something’ stage, with a security awareness program entirely driven by compliance. Even though budget, tools, and security teams are bigger and more expansive in nature, they have a reverse effect on efficacy. Corporate LMS environments become a roadblock for employees and phishing training becomes a punishment. Right now there’s no exact science to solve this but having a dedicated security awareness professional who is committed to working hard for a positive response from employees and successful results is a step in the right direction.
Common characteristics: A developed organization with 1,000+ employees, is entirely compliance-focused, users and managers resent security controls, a late adopter of tech and innovative software, treats security training as a chore, chooses features over effectiveness, the primary goal is compliance outputs versus security outcomes, their employee’s thoughts, and feelings aren’t prioritized in decision making.
Does this sound like your organization: “Frequently references remedial training,’” “Compliance is life,” “I don’t want to put in any effort but want maximum results,” and “My employees call IT security stupid and I call my employee stupid,” “My phishing training has my employees more scared of me than the hackers.
Regardless of where you are in the maturity model, it’s important to know where your organization lies to understand your current and future maturity goals. If you’re at Stage one, when would you like to be at Stage Two? If you’re at Stage Two, how can you get to Stage 3? As for those of you at Stage 3, consistency is key, and steer clear of driving into Corporate Clown Town.
Remember, this model is not perfect and each stage is a generalization of findings we’ve seen from interacting with thousands of organizations at all stages. If you do find yourself wanting to move up in the model you can’t just skip the stages or do it overnight. Each stage has a gray area in between and takes time, but more importantly effort.
No matter which stage you’re at in this maturity model. If you’re still confused drop us a message and we can help you figure out where you fit in and where you want to be! Whether you’re living in this model or corporate clown town, we hope you’ve got a better understanding of security awareness maturity.