What’s Your Tech-to-Human Security Ratio? (SANS)


Ever wonder why some security awareness programs successfully change and secure human behavior while others fail? One of the most common reasons for failure is minimal investment.

Many organizations are heavily investing in their cyber security programs. The problem is they are stuck in the 1990s focusing only on bits-n-bytes. While technology is where every organization should start, we have hit the point of diminishing returns. In today’s world organizations need to start investing in their human security also. To see where your organization stands, determine your Tech-to-Human security ratio. There are two ways to do this.

People: Count how many people are on your security team. Now out of that team how many are focused on securing technology and how many are focused on securing people? I’m not talking about governance, compliance or audit. I mean how many people on your security team are focused on communicating to your workforce and creating secure behaviors and ultimately a secure culture? For far too many organizations, that is just 15% of one person’s time. A drop in the bucket.

Budget: Determine how much you spend on securing the average laptop in your organization. Include costs such as encryption, anti-virus / end-point security, patch management, centralized logging, etc. Then include the costs of managing and updating all those technologies. You probably get something like $50 or $100 a laptop, if not much more. Then compare how much you spend on securing the average employee. Yup, hear those crickets chirping.