If your organization is like a whole lot of others out there, you’re struggling to find scalable, practical and cost-effective solutions to the employee awareness problem in security. Should you stay in-house, which requires hiring between 1-3 full-time employees? Or should you outsource your security awareness training efforts, which typically requires a whole lot of time, effort and money to be invested into external resources?
This is a question that only you and your team can answer. You know how much money and person-power you want to invest into helping raise awareness and create a lasting and deep change in employee behavior.
But just how much does it actually cost to effect those deep changes?
SANS recently released a study (2017 Security Awareness Report) in which they polled 1084 security professionals. They found that in the average organization of up to 5000 employees, at least 1.4 full-time employees were needed to begin to effect changes in behavior. To reach a mature and ready-for-anything level of security awareness, organizations needed 2.6 full-time employees. Organizations that are particularly risk-averse, that are highly regulated, or have over 5000 employees needed more than the stated figures.
Based on the SANS calculations, we formulated our own calculations to see how much the average organization spends on in-house security awareness professionals per year. Here is what we found:
The average annual security salary is $74,000 or €64,580 euro. (all salary stats from payscale.com and rates fluctuate regularly. The information presented here was culled on 11.17.2017 and may be different, according to the day.)
To reach that first level of security awareness, according to SANS, you’ll need 1.4 full-time employees.
$74,000 X 1.4 employees = $103,600
€64,580 X 1.4 employees = € 90,412 per year.
To reach that highly mature level of employee behavioral change and awareness that incorporates advanced learning metrics, you’ll need 2.6 full-time employees.
$74,000 X 2.6 employees = $ 192,400
€64,580 X 2.6 employees = €167,908 per year.
The above is just the cost of the employees alone, not taking any additional tools or training materials into account. Once you add those on as well, your costs go up again.
Now add to this calculation any employee time spent away from actual job functions at training sessions. With an hourly average of $20 or €25 per employee, an organization of 5,000 employees will add minimum $100,000 or € 125,000 to security awareness costs. This still hasn’t yet taken into account the content development of simulations and the data analysis needed to understand if your efforts are working, which again, causes your costs to rise.
And now, your yearly grand total spent on security awareness training?
~$300,000 or € 255,000 per year.
The CybeReady Solution
As noted by SANS, the most effective awareness training is one that truly changes the security culture of an organization. Your goal should be to reach their upper level, which they classify as long-term sustainment and cultural change, paired with a robust metrics framework. “This stage simply reinforces that to truly have a mature program, you must not only be changing behavior and culture, but have the metrics framework in place to demonstrate that change.”
With CybeReady, you can achieve that uppermost level of security awareness without all the heavy costs associated with hiring full-time employees. The unique approach to helping organizations attain a true “security readiness” not only changes employee behavior but transforms the overall security culture. Using our robust metrics framework, organizations can continually monitor their own progress and behavior, while dramatically lowering their phishing risk. And best of all, the framework allows you to achieve significant results in less than 20 minutes of employee training per year.
A cost, time and resource-effective way to truly transform risky employee behaviors into a corporate security culture. Many organizations world-wide have slashed their awareness costs by >50-70% with CybeReady’s fully automated phishing solution. To experience CybeReady Readiness Solution, Click Here.