The Shift from Technology to People
Over the past twenty-five years, the security industry has undergone significant changes. When I first started in the 1990s, cybersecurity was primarily focused on technology—using technical controls to manage risks. As we became more adept at leveraging technology, cyber attackers adapted, shifting their focus from targeting systems to targeting people. It became clear that we, as a community, needed to also address the human side of security, yet there was no clear structure or strategy for managing human risk.
The Genesis of the Security Awareness Maturity Model®
Fifteen years ago, a community of over 200 security professionals came together to develop a solution—the Security Awareness Maturity Model®. This model was designed to help organizations effectively manage human risk. We purposely kept it simple, making it easy to use and communicate, especially to leadership.
A Practical Roadmap That Evolves with Organizations
The model serves as a strategic roadmap, guiding organizations through the stages of their awareness programs. It helps you assess where your program stands today, define where you want it to go, and take actionable steps to get there. Each of the five stages is clearly defined, outlining key focus areas, measurements, and the path to advancing to the next stage.
Built on over fifteen years of experience, the model is designed to work within practical, real-world constraints. What makes it unique is its continual evolution. Every year, we update it based on insights from both the community and the SANS Security Awareness Report, which gathers data from thousands of awareness professionals around the world.
We hope this model not only helps you grow and strengthen your awareness program but also supports your professional development.
Download the SANS Security Awareness Maturity Model® eBook today and take the first step toward securing your organization’s greatest asset: its people.