πŸ‘¨β€πŸ’» SANS Security Awareness Professional (SSAP)

🧠 1. Certification Name and Issuing Body

  • Name: SANS Security Awareness Professional (SSAP)

  • Issuing body: SANS Institute (SANS Security Awareness)

🧩 2. Certification Level and Type

  • Level: Advanced

  • Type: Managerial / Governance (Non-Technical)


📜 3. Purpose and Goals

  • What skills does it certify?
    The ability to lead and manage effective security awareness programs that drive measurable behavior change and reduce human cyber risk across organizations.

  • Target roles or professional profiles:

    • Security Awareness Officers

    • GRC Managers

    • CISOs and Deputy CISOs

    • Organizational Behavior Experts

    • Training & Human Risk Program Managers

  • Practical application in cybersecurity fields:
    Planning, executing, and improving human-centric security programs, reducing phishing and social engineering risks, building a culture of security, and aligning awareness with enterprise risk management.


🎓 4. Prerequisites

  • Recommended prior certifications:
    None required, but experience in training, communication, or risk management is recommended.

  • Suggested professional experience:
    1–3 years working in security awareness, cybersecurity culture, internal communication, or training/HR functions within cybersecurity.

  • Required technical knowledge:
    Minimal – focuses on communication, behavioral science, program development, and metrics, not on tools or systems.


📚 5. Content and Curriculum

  • Key domains or modules:

    1. Planning a Human Risk Program

    2. Engagement and Communication Strategies

    3. Program Implementation and Lifecycle

    4. Behavior Change and Culture Engineering

    5. Metrics and Measurement

    6. Executive Buy-In and Budgeting

    7. Global Deployment and Customization

  • Included technologies and tools:
    Communications tools, LMS platforms, phishing simulators, and behavioral analytics platforms (e.g., KnowBe4, Proofpoint, Wombat); technical security tools are not covered.

  • Mapping to frameworks:

    • NIST Cybersecurity Framework

    • NIST SP 800-50 and SP 800-16 (Awareness Training Guidelines)

    • NICE Framework (Awareness Work Role)

    • ISO 27001 Annex A.7


🧪 6. Learning Approach

  • Theoretical, practical, or mixed:
    Mixed, with strong focus on real-world applications and human psychology

  • Virtual labs or simulation environments included:
    Included as interactive case studies, assessments, and behavioral planning exercises

  • Official learning materials:

    • SANS-provided eBooks, worksheets, templates

    • OnDemand video instruction

    • Case-based learning modules

  • Recommended platforms for preparation:

    • SANS OnDemand

    • Live Online or In-Person SANS classes

    • Webinars from the SANS Security Awareness team


πŸ“ 7. Exam Format and Details

  • Mode: Online (proctored via SANS GIAC platform)

  • Exam duration: 1.5–2 hours

  • Number and type of questions: ~60–75 scenario-based multiple-choice questions

  • Available languages: English

  • Retake policy and certification validity: Retake available after 30 days (fee applies); certification valid for 4 years


💰 8. Estimated Cost

  • Exam fee:
    ~$949 USD (via GIAC)

  • Official course/training cost:
    ~$3,000–$4,000 (SANS training required for exam eligibility)

  • Renewal and maintenance costs:

    • GIAC renewal: $429 every 4 years

    • CPEs required: 36 credits (minimum)


🌍 9. Industry Recognition

  • Popularity and demand:
    Growing popularity among enterprise awareness teams, especially in regulated industries (finance, healthcare, energy)

  • Companies that require or value it:

    • Fortune 500 companies

    • Government agencies

    • Healthcare and financial services firms

    • Critical infrastructure and utilities

  • Comparison with similar certifications:

    • More advanced and specialized than KnowBe4 certifications

    • More strategic than general GRC or compliance certs

    • Often compared to CIPM (privacy management) for program leadership


💼 10. Career Opportunities

  • Job roles associated:

    • Security Awareness Lead

    • Human Risk Program Manager

    • CISO Advisor

    • Cybersecurity Culture Consultant

    • GRC Training Manager

  • Suggested certification paths or advanced follow-ups:

    • SSAP → CISM (for broader security leadership)

    • SSAP → ISO 27001 Lead Implementer

    • SSAP → Organizational Change certifications (e.g., Prosci)


💵 11. Average Salary

  • Salary ranges (approx.):

    • USA: $90,000–$125,000

    • Europe: €65,000–€90,000

    • LATAM: $30,000–$55,000

  • Estimated salary increase:
    ~10–20%, especially if transitioning into leadership or program ownership roles


📅 12. Renewal and Maintenance

  • Validity period: 4 years

  • Renewal requirements:

    • 36 CPE credits

    • Payment of renewal fee ($429 USD)

    • Maintenance of professional practice and ethical standing


🧭 13. Final Recommendations

  • Who is this certification ideal for?
    Professionals leading or developing security awareness programs, and those seeking to reduce human cyber risk through education and behavior change.

  • When should it be pursued in a professional roadmap?
    After gaining experience in awareness, GRC, or internal communications. Ideal for professionals pivoting into human-centric cybersecurity leadership.

  • Personal preparation tips and advice:

    • Learn about behavior change psychology

    • Practice building campaign messaging and metrics frameworks

    • Engage with the SANS Security Awareness Community

    • Customize learning with practical application inside your organization