It’s that most wonderful time of the year again! With record growth projected for today’s security services, join us as we look towards the year ahead, and highlight 5 growing security awareness trends to watch out for in 2022.
1. A new category of Managed Services will emerge: the Managed Security Awareness Provider
Managed services are estimated to grow 8% annually between 2021 and 2026 – but managed security services are looking at almost double that growth rate, as much as 15% every year over the forecast period. That reflects the skills shortage in the security sphere in general.
In security awareness training specifically, we’re seeing a huge jump in customers looking for managed services, driven by a unique kind of talent gap. There is a wider problem, in the era of the Great Resignation, with finding the right skills in more traditional areas of security such as network segmentation, cloud, or endpoint security, but experts in those areas can still be found.
In contrast, security awareness training has never really been a career path until now, and the number of people who understand both security and the psychology to create behavioral change is very low. This leads to a natural drive to find this expertise from external managed services. As the skill set required for security awareness training is unique and different from regular security practice, we expect a new category of managed services to become distinct – the managed security awareness provider.
2. Decision-makers are expected to demand better metrics to measure security awareness
As security awareness training becomes more ubiquitous, managers and executives will be looking to move away from performance-based metrics and gain greater insight into behavior. The truth is, security awareness is an area where there aren’t always a lot of good metrics to track, and some are even counter-intuitive.
For example, click rate is a common metric to track when you’re training employees against phishing scams. However, what’s the best-case scenario here, that you reduce your click rate to 0%? All that tells you is that no one is engaging with your training material, or perhaps that your employees happened to be on vacation when the training email arrived in their inbox. It also sends the message that the problem of phishing has been solved, creating a false sense of security.
Instead, we’re going to see customers move away from performance and turn to KPIs that measure progress. These could be the number of high-risk employees over time, mean time between failures, or security readiness across the company or within specific teams. These will show a real learning curve – much easier to take into your next meeting with the board.
3. Security awareness training will shift from “one and done” to continuous training
Industry leaders such as Gartner are championing training as an essential part of your security arsenal. For new and emerging threat areas such as operational technology security, security training comes second on the list of recommended controls, ahead of incident response, patching, segmentation, and detection tools.
Just as pen testing used to be a periodic assessment but is now increasingly being replaced by continuous tooling, watch out for an increase in the frequency of security awareness training. Organizations traditionally held annual or biannual training sessions, but we predict an increase to 4-6 sessions per year, or even 12 a year for more mature organizations.
This has many benefits. Ultimately, how much you can meaningfully learn about employees is directly correlated with the number of data points you have as a business. When you train employees once or twice a year, there’s no way of deriving any meaning from the results. Maybe employees were having an off day, or maybe it was random luck that they didn’t click on the malicious link. With continuous training, however, you can separate high-risk employees from low-risk staff, and then train them in cohorts to avoid the under-training that causes risk or the over-training that causes frustration.
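The progress metrics named in the metrics section above (per-employee failure rate over time, mean time between failures, high- and low-risk cohorts) and the point made here that they only become meaningful with repeated data points, as an added Python example that is not part of the original post or any vendor's product. The phishing-simulation results are constructed, and the six-month window and 25% risk threshold are illustrative choices, not recommendations from the page.

```python
"""Progress-oriented phishing-simulation metrics over constructed campaign data."""
from datetime import date
from typing import Dict, Iterator, List, Optional, Tuple

# Constructed sample data (not real telemetry): twelve monthly simulations in
# 2022. One character per campaign and employee:
#   '1' = clicked the simulated lure, '0' = did not click,
#   '-' = email never delivered (e.g. on leave), which must NOT count as a pass.
CAMPAIGN_DATES: List[date] = [date(2022, month, 1) for month in range(1, 13)]
CLICK_HISTORY: Dict[str, str] = {
    "alice": "000000000000",  # never clicks
    "bob":   "111100000000",  # clicked early, then stopped: a real learning curve
    "carol": "101010101010",  # still clicks every other month: persistent risk
    "dave":  "0000----0000",  # absent for four campaigns: fewer data points
    "erin":  "1-----------",  # one data point only: nothing can be concluded
}


def delivered(history: str) -> Iterator[Tuple[int, bool]]:
    """Yield (campaign index, clicked?) only for campaigns that were delivered."""
    for idx, mark in enumerate(history):
        if mark != "-":
            yield idx, mark == "1"


def click_rate(campaign_idx: int, history: Dict[str, str] = CLICK_HISTORY) -> Optional[float]:
    """Share of delivered emails clicked in ONE campaign.

    This is the performance metric the post warns about: a 0% reading for the
    December campaign hides that carol clicks every other month."""
    outcomes = [h[campaign_idx] == "1" for h in history.values() if h[campaign_idx] != "-"]
    return sum(outcomes) / len(outcomes) if outcomes else None


def failure_rate(employee: str, last_n: Optional[int] = None,
                 history: Dict[str, str] = CLICK_HISTORY) -> Optional[float]:
    """Per-employee click rate over delivered campaigns, optionally only the last N.

    Returns None when no email reached the employee in the window."""
    hist = history[employee]
    start = 0 if last_n is None else max(0, len(hist) - last_n)
    outcomes = [clicked for idx, clicked in delivered(hist) if idx >= start]
    return sum(outcomes) / len(outcomes) if outcomes else None


def mean_time_between_failures(employee: str, history: Dict[str, str] = CLICK_HISTORY,
                               dates: List[date] = CAMPAIGN_DATES) -> Optional[float]:
    """Average days between consecutive clicks; None with fewer than two clicks.

    A growing value means the employee fails less often over time."""
    click_days = [dates[idx] for idx, clicked in delivered(history[employee]) if clicked]
    if len(click_days) < 2:
        return None
    gaps = [(later - earlier).days for earlier, later in zip(click_days, click_days[1:])]
    return sum(gaps) / len(gaps)


def risk_trend(employee: str, history: Dict[str, str] = CLICK_HISTORY) -> Optional[float]:
    """First-half failure rate minus second-half failure rate.

    Positive means improving, zero means no change; None if a half has no data."""
    hist = history[employee]
    half = len(hist) // 2
    first = [clicked for idx, clicked in delivered(hist) if idx < half]
    second = [clicked for idx, clicked in delivered(hist) if idx >= half]
    if not first or not second:
        return None
    return sum(first) / len(first) - sum(second) / len(second)


def cohorts(threshold: float = 0.25, last_n: int = 6,
            history: Dict[str, str] = CLICK_HISTORY) -> Dict[str, List[str]]:
    """Split staff by trailing failure rate so training intensity can follow risk.

    Employees with no delivered simulations in the window are reported
    separately rather than silently treated as low risk."""
    groups: Dict[str, List[str]] = {"high": [], "low": [], "insufficient_data": []}
    for employee in history:
        rate = failure_rate(employee, last_n, history)
        if rate is None:
            groups["insufficient_data"].append(employee)
        elif rate >= threshold:
            groups["high"].append(employee)
        else:
            groups["low"].append(employee)
    return groups


if __name__ == "__main__":
    print("January click rate:", click_rate(0), "December click rate:", click_rate(11))
    for name in CLICK_HISTORY:
        print(name, "trailing-6 failure rate:", failure_rate(name, 6),
              "MTBF days:", mean_time_between_failures(name), "trend:", risk_trend(name))
    print("cohorts:", cohorts())
```

Run it and the single-campaign click rate drops from 60% in January to 0% in December, which looks like success, while the per-employee view shows bob genuinely improving (trend +0.67, trailing failure rate 0), carol unchanged (trend 0, mean time between failures about 61 days) and erin with too little data to place in any cohort.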
4. Security readiness will become essential for working with third-party businesses
According to Gartner, “by 2025, 60% of organizations will use cybersecurity risk as a primary determinant in conducting third-party transactions and business engagements.” Simply put, businesses will need to feel confident that vendors, partners, or anyone who will become part of their wider supply chain has strong resilience against cyberattacks, knowing that in a connected environment – third-party risk becomes their own.
It’s widely recognized that the greatest risk to today’s connected IT environments is phishing scams, and that security awareness training is the only real defense against the residual risk of phishing. With that understood, robust security awareness training will become a prerequisite for B2B relationships and subscription-based commerce.
5. Organizations will move from a culture of training to a culture of learning
Watch out in 2022 for organizations that look to foster a more resilient security culture rather than simply deliver training. Most security offerings are purely logistical – we’ll implement this firewall here, or set up that sandbox there. Even with security awareness training, it’s normal to see practical steps like setting up alerts or running educational workshops.
This fails to take into account the psychology behind how people change their behavior. While training is a process that happens when the instructor has time to teach, learning happens when the student has a moment of need. It’s a cognitive process that happens in an employee’s mind when they need knowledge to close a gap. This doesn’t happen on a trainer’s schedule – it happens when the employee needs to learn, for example when they’ve just clicked on a phishing scam unawares and realized their mistake.
By 2025, Gartner predicts that 70% of CEOs will be mandating a culture of organizational resilience. Security awareness training that offers learning platforms rather than one-size-fits-all training solutions will be best placed to create behavioral change that leads to true security readiness.
Ready to step up your game, and implement a fully-managed security training platform for 2022? Schedule a demo of our cybersecurity training platform now!