The compliance standards for awareness are almost universally vague. They usually state something as broad as, "The organization must have a security awareness program in place." There is often nothing regarding the content or structure of such a program, and it generally falls upon the auditors to determine what is compliant. Auditors tend to know little about what constitutes a good awareness program, and almost always approve the once-a-year, 10-minute awareness video, as long as it has a quiz at the end and you can verify that all employees have passed the quiz.
At best, these programs are examples of short-term retention, and provide no reinforcement or actual proof that people exercise the appropriate behaviors as a result of watching the video. We have heard firsthand that to satisfy such standards, a group of employees will assign one person to take the training, write down the answers to the quizzes, and then provide the answers to other people within the organization, so that the other people "don't waste their time reading the slides." This situation is not unique. In short, saying your awareness program is compliant does not necessarily equate to creating the desired behaviors.
Failing to acknowledge that awareness is a unique discipline
You can usually tell whether a security awareness program is going to be a success or a failure by the person assigned to run the program. It is not the individual's fault; as the CSO, you need to know whether or not the person has the right knowledge, skills and abilities (KSAs). As awareness involves changing behaviors, you need someone with competence in what most technology professionals would consider "soft skills," such as communications and marketing.
As CSOs and CISOs are typically the ones to assign a person to run the awareness program, they usually assign people out of their standard pool of staff, who are technical. Rarely is it a person who was hired or assigned to the position because they have the right KSAs.
Since security awareness seems to involve soft skills, most security professionals believe that anyone can pick up the job. A good security awareness professional will have good communication skills, be familiar with learning concepts, understand that awareness is more than a check-the-box activity, know a variety of awareness techniques and tools, and understand that the desired behaviors need constant reinforcement, among many other KSAs.
Just as you would not want to assign a person with no experience or decent technical ability to maintain a corporate firewall infrastructure, you do not want to hire a person without any awareness experience or communication ability to run an organizational awareness program.