Evolving With Security Awareness in 2024


As we look towards the new year and all the sweeping technological change that comes with it, we spoke with security awareness community member Dennis Legori to get his take on successes he's seen to carry with us into 2024. Dennis is the Associate Director for Security Awareness & Digital Communications at Carrier.

His team's innovative approach to building a positive security culture has led to massive growth in Enterprise Defenders and increased reporting of phishing and ransomware attacks. With a background in cybersecurity since 2013, Dennis brings a unique blend of business and security expertise to Carrier, along with his own entrepreneur-like problem solving and fresh concepts.

Looking for the TLDR version? Check out Dennis' Community Spotlight page here

Believe it or not, much of Dennis' community-building success was born out of running a phishing simulation competition. Now, phishing simulations get a bad rap, mostly because they are used ineffectively, with little thought to the company culture or the brands they impersonate, and are mistakenly treated as THE KPI to watch. Not to mention they can be very limited: you can't simulate wire fraud attempts or spoofing at scale. At least, we don't recommend it, for many reasons :)

And just as important, there's generally a feeling among employees that they're the ones being attacked by their own company - a sentiment that definitely does not promote a warm fuzzy feeling for company morale.

An Accidental Community Is Born

During the height of the pandemic, overlapping with October's Security Awareness Month campaigns, Dennis and his team took a different approach to the annual phishing simulation competition. Unlike phishing competitions of yesteryear, the physical presence of teammates who could lend an extra pair of eyes to a suspicious email was missing. To address this, they created a Teams channel using a distribution list so players could collaborate for the duration of the competition.

While the dedicated channel was intended solely for the competition, it took on a life of its own. With 1600 people from over 100 countries, it turned into an online hangout where everyone was sharing their wins and losses with phishing emails. Some were like, "Yeah, gotcha!" and others admitted, "Oops, I fell for it. Sorry I let the team down." It turned into its own social media-like community.

The channel became a place to celebrate 'a good catch' or to encourage and troubleshoot when there was doubt. Even after the competition ended, employees were sharing snippets of real phishing emails to alert others. This high engagement laid the groundwork.

Immersive Learning + Real-Time Threat Intel

One particular individual shared in the channel that he had clicked on a real phishing email but had had such a helpful and positive experience with the SOC team. That's when Dennis had the idea to bring SOC members into the group, which not only gave employees friendly access to the SOC but also gave the security team live intel - definitely a positive feedback loop for all involved.

The whole evolution made the channel its own immersive learning experience while also providing real-time chatter on phishing emails and attacks. They've since branched off to create local Enterprise Defenders channels, localized for language and relevance, with over 5000 employees engaged through the year, actively being the eyes and ears for stronger security across the business.

Xtreme Phishing Simulations

Once the competition ended, the employees surprised them by pushing for the next competition to run - that's when they decided to create more opt-in events throughout the year. And not only that, there was a clamor for harder challenges - that's when the gloves came off.

For this select group of volunteer competitors, the team created a two-week challenge that blasted challengers daily with spoofed emails, HR requests, payment changes, and the like - basically all the typically taboo types of phishing you can't generally run. Having coordinated with the specific managers and leadership team members whom they would spoof, the team was able to put participants on their toes with real-life scenarios not typically experienced in regular phishing simulations.

This resulted in approximately 1600 highly engaged individuals on high alert for sophisticated phishing attacks as part of the game, but it also led to increased reporting of real phishing attacks at the same time.

Reaping The Benefits

Once the extreme phishing competition ended after the two-week period, the intense exercise had the positive after-effect of employees continuing to spot and report suspicious messages at a higher volume than before. Dennis and his team have been tracking the reporting metrics since, and they only continue to improve.

It's a favorite saying that "people are the weakest link". However, as Dennis' successful evolution of the phishing competition and security culture demonstrates, people can be your greatest asset as a 'human sensor', catching what no email gateway or endpoint protection can.

Not Your Typical Security Awareness Program

Many traditional security awareness plans include some type of ambassador program. Typically these rely on individuals who are already aware of the general risks and understand the concepts of cybersecurity awareness, and many are 'volun-told' to be the point person for their particular department.

However, the thing about the grassroots efforts Dennis' team cultivated is that their (now) team of 5500+ defenders don't claim to be experts. They just want to be part of the bigger picture.

They're willing to learn from others, and it's completely inclusive. In fact, when one employee expressed interest in joining but was concerned about the language barrier, they shifted to create localized Teams channels for their regional teams across the globe, for more personal and relevant conversations that keep people comfortable in their own language.

Importantly, there's no penalty for clicking a link or taking any cyber missteps, but rather support to quickly remediate, while celebrating the positives, from reporting to identifying attacks. Everyone's stronger for it, from the individuals being empowered to the SOC team getting added intel from the employees 'in the field'.

It's all about inclusiveness. It's all about that global culture and using that. When you have people, there's power in the people.

But Is There Swag?

While many ambassador programs are sure to set aside fun security awareness swag to sweeten the deal for volunteering (which is a fun bonus!), Dennis' program runs surprisingly lean, using what they have with little extra incentive. In fact, for their current active Enterprise Defenders the positive reinforcement offered is a simple message of thanks and congratulations along with a certificate to use as 'bragging rights'. Additionally, the employee's manager also receives a notification so the employee gets kudos from their higher-ups. But that's it.

For distributing the certificates and congratulatory messages they simply use the LMS functionality they already have, so everything can be automated.

In short, they make do with what they have. But according to Dennis, "It's tied to what the company culture is. Obviously, if you're not in defense, it depends on what industry you are in and what your company culture is and how supportive your management is.

And sometimes we security professionals just have to go with the flow. But in this case, I have the backup of management; you definitely don't want to take any kind of punitive approach. Is that the right approach? It depends on the industry. But my thought is, if people are scared, if a SOC is going to shame them, or if their manager is going to shame them, then when they click on something real, or if they open something malicious, if something is going to happen and they keep quiet, I think that's the real danger." 


Crowdsourcing Security Awareness

Dennis feels much of the program's success comes from the fact that it's basically crowdsourced cybersecurity using the power of the people. Similar to how Waze managed to transform transportation apps through crowdsourced information from real-time reporting by its users, Carrier has been able to transform its rate of reporting while reducing the human risk landscape through its highly engaged and empowered employee base. It's a great example of the transformative power of shifting away from a problem-focused mindset, and it demonstrates the success of gamifying the crowdsourcing process to encourage community participation and celebrate achievements.

Both Dennis and Gaby underscored the importance of cultivating a positive culture that celebrates success rather than solely focusing on preventing failures. This mindset shift plays a pivotal role in creating an engaging and collaborative community where people are motivated to contribute, even without monetary incentives, ultimately contributing to the success of projects like Waze.

Marketing Your Security Awareness Program

However, the continual growth of the Enterprise Defenders 'movement' didn't happen in a vacuum. Once the team saw real interest and engagement, they made concerted efforts to make the opportunity available to more of their global team. In short, they put on their marketing cap and looked at different ways to invite more people to their awareness community. After their first cohort of Defenders was a success, they began to send an invitation in response to someone successfully reporting a real phishing email, which began to provide new monthly signups.

One particular effort saw great success when Dennis challenged his teammate Jeleasa Grayned to sign up 1000 new Defenders in 10 days. This initiative earned them the opportunity to present their story at the SANS Security Awareness: Managing Human Risk Summit 2023. And this past year, the team did another push for 500 in 5 days. A good reminder that if you build it, they will come.

Aside from the larger campaigns to scale, they also keep to the rhythm and themes already present within the company. One campaign capitalized on International Women's Day, while their Phantom Phish Halloween challenge reassured employees that they didn't have to be scared of online threats but could join the Defenders team to upgrade their savvy.

One other venue where they are able to market and engage is simply through coordinating with their Communications team, which provides live trainings. In these sessions they are able to speak to 300-400 employees on a range of topics that affect them personally in the cyber world, with guest speakers and live Q&A.

They've had so much success that whereas most departments are allotted 30-minute slots, Dennis' team is given 1 hour - 30 minutes for the training and then 30 minutes for an 'after party' where employees can casually engage and interact with the cybersecurity professionals for further discussion. To date, these sessions are topping the employee ratings at 97% satisfaction! And as an added benefit to the employees, they can also receive learning credits, as the recording is also uploaded to the LMS.

In Conclusion

In short, to help your employees evolve with the security threats of 2024, more than fancy tech or huge budgets, providing a space for employees to engage and connect with security teams can be a huge step forward that opens the way for more possibilities while simply using the tools already at your disposal. While it takes work, the ROI of a stronger workforce reinforced with a positive security mindset is priceless.

Connect with Dennis on LinkedIn! Enjoyed this? Check out Dennis and Paula West's conversation on the early days of building their Defenders program along with more great insights from other community members in the Resource section below.

Want to catch our next community talk? Subscribe to our announcements here.

More Resources on Security Awareness Programs

Building A Winning Security Awareness Program

Building A Healthy Cybersecurity Culture

Security Awareness Done Right

Creating Impactful Videos for Security Awareness Training

Security Awareness Training Highlights PDF