Security Awareness Maturity Model. (Image: Supplied)

The shift from technology to people

Over the past 25 years, the security industry has undergone significant changes. When I first started in the 1990s, cyber security was primarily focused on technology – using technical controls to manage risks. As we became more adept at leveraging technology, cyber attackers adapted, shifting their focus from targeting systems to targeting people. It became clear that we, as a community, needed to also address the human side of security, yet there was no clear structure or strategy for managing human risk.

The genesis of the Security Awareness Maturity Model

Fifteen years ago, a community of over 200 security professionals came together to develop a solution – the Security Awareness Maturity Model. This model was designed to help organisations effectively manage human risk. We purposely kept it simple, making it easy to use and communicate, especially to leadership.

A practical roadmap that evolves with organisations

The model serves as a strategic roadmap, guiding organisations through the stages of their awareness programmes. It helps you assess where your programme stands today, define where you want it to go and take actionable steps to get there. Each of the five stages is clearly defined, outlining key focus areas, measurements and the path to advancing to the next stage.

Built on over 15 years of experience, the model is designed to work within practical, real-world constraints. What makes it unique is its continual evolution. Every year, the SANS Institute updates it based on insights from both the community and the SANS Security Awareness Report, which gathers data from thousands of awareness professionals around the world.

I hope this model not only helps you grow and strengthen your awareness programme, but also supports your professional development.

