Security awareness training has been part of some organizations for decades and for others only in the last few years. However, the big challenge still remains in how to ensure it’s being done effectively and not just a box to tick off for the compliance team.
In another Back to Basics webinar partnership with the folks at Side Channel and Wizer-Training, Brian Haugli moderated a fantastic panel discussion from leading cybersecurity experts Nadja el Fertasi, Dutch Schwartz, Ryan Cloutier and Wizer’s own founder Gabriel Friedlander.
When discussing the effectiveness of traditional security awareness training (SAT), all panelists agreed it’s not successful. Common stumbling blocks include:
However, the good news is that it is possible to achieve an effective SAT program, but it's not a one-size-fits-all approach - is any security application, really?
In short, effective training must above all be about the people in your organization.
To that end, as varied as the people in your company are, your training program should take that into account. While making highly individualized trainings for each person is not scalable, addressing the training materials to meet various learning styles can be.
This is where cybersecurity leaders would do well to take a chapter out of their marketing team’s playbook and perform a little KYC research (know your customer) and audience segmentation. This will help create a better understanding of both personal and professional pain points to help security teams curate training material that addresses those issues relevant to the people in their specific business.
Nadja el Fertasi, Human Resilience expert and former NATO executive responsible for digital transformation, noted that “emotions drive behaviour” and when we engage the element of our human emotion and connect it to a tangible event in our personal lives, this makes learning and application much stronger. However, “people are under a lot of pressure and the challenge is how to get them to build digital resilience and better cyber hygiene.”
In correlation with this idea, Ryan Cloutier, President of Security Studio, commented that “Risk is a human function. We’re all natural risk managers in the analog world [however] when we get into the digital world, we don’t have the same cues that we do in the physical because there’s no other corresponding cues to help us properly evaluate in context.
And that is where I see the humans failing every day. It isn’t that they don’t know about multifactor; it isn’t that they don’t know about phishing or not to click the links - it’s that they cannot contextualize it to something that makes sense when they’re sitting at the dinner table.”
“First of all, it has to be signalled from both formal management and informal group leaders…and you do that through culture…It can’t be abstract, it can’t be separate from what we do daily, weekly, monthly…Think about your culture and how you want to make that interesting and important to your employees.” - Dutch Schwartz, Cloud Security Strategist
The same way that a CISO sits down with peers in the boardroom to run a tabletop exercise and holds a dialogue with all the stakeholders, so, too, should the security awareness discussion be held as a conversation with all the stakeholders.
To state it another way, approach the security training as a transformation change program using stakeholder engagement (both internal and external) along with a communication plan that includes:
Training should move away from being compliance-focused and instead be more engaging.
As stated earlier, the specific types of training would do well to include a variety of learning styles in order to connect with a broader audience:
Also, gone are the days of negative reinforcement - it is well established that it is not effective, especially when fear of retribution taints employee sentiment and builds walls instead of bridges.
Instead, create positive rewards programs and friendly competition to reinforce positive security behaviours and reporting.
Another critical element of the training program is creating a two-way communication path to allow feedback from the learners to the security team to enable better insights on how to engage and improve. This open channel supports a culture of security within an organization.
Finally, tie the training back into an existing structure or program the company already has implemented.
Don’t make security an ‘add-on’ or an ‘extra’ but rather add security training as a bullet point to an existing policy already in play. This helps make security awareness/training more of a ‘baked-in’ component instead of a ‘bolted-on’ feature within the company and helps to embed it more into the company culture, as well.
Borrowing a title from Ryan, one of the biggest challenges security practitioners face is they are trying to initiate change in human behaviour - no small feat to be sure. So how do we take them from merely being aware of online risky behaviour to actually caring enough to change their habits?
First, the awareness has to be given context that is meaningful to the employee. Leave the technical terms out of it and use language that communicates clearly to the individual. For many, it's about first demonstrating the relevance of online safety habits in home life.
Another method is story-telling. Stories are sticky and create an emotional connection. The Wizer Stories series is an example of this: it dramatizes real-life security incidents in short, simple narrative retellings. As Gabriel shared, "When you tell stories to people, it connects all the dots. It puts things in context and it makes it much easier to remember."
In addition to using language that is simple and easy to understand, it's important to ensure employees have clear guidelines that map out what actions to take in a given scenario. Most training makes individuals aware without communicating the reason they should care and the actions they should take.
And then, just like building any type of muscle memory, it’s repetition. This doesn’t mean forcing employees to watch the same mind-numbing videos every 3 months, but rather have a strategy to engage them in a variety of ways that reinforces what they’re learning with new habits.
While much of a company's training and policy is assigned to the human resources department, security training is assumed to be 'techy' and out of reach for mere mortals, and thus gets put on the desk of the CISO. However, is that the best scenario?
If security awareness really is properly integrated into a business culture, then the leadership understands its importance and value and, well, helps lead the effort and sets the example within the company.
As Ryan sees it, ultimately the CEO is responsible for the overall success of the security training in the organization: "CEO, CEO, and the CEO and the board are who are ultimately accountable for the cybersecurity/information security of any business. The CISO's job is not to make risk decisions for the business. The CISO's job is to make recommendations, to highlight the risk and context and then implement those decisions to the best of their ability."
In short, security awareness training ultimately is a business issue, not a technical one.
The implementation of the learning, however, is best housed wherever it already exists within your organization / culture.
Nadja outlined a use case as an example of what that might look like. “I’m actually working with a client one-on-one in the human resources department. But the information security [professional] is my SME point-of-contact. So the design and the implementation is done through human resources, but the design of the scenarios and the case studies is done with the information security officer to understand the pain points.
So I think it comes back to shifting paradigms and also shifting our perception. It's not so much the formal reporting line, but [rather] how can we make this happen as a team?
Formally, you need to have reporting structures, et cetera, but across teams, you have project management basics - you have accountability, and those who are holding the risk, et cetera…Healthy security cultures have healthy collaboration, communication and coordination.”
Dutch and Ryan also brought an interesting perspective with the idea of incorporating security assessments for new hires alongside all the other assessments HR is already running. The purpose is not necessarily to rule out an individual for a position, but rather to determine a baseline competency so that training matched to that person's level can be given, making it more relevant and effective.
Just as cybersecurity initially started in the IT department and then evolved into its own entity, so too, Gabriel Friedlander predicts that Security Awareness Training will evolve into its own role within the cybersecurity landscape.
As has already been discussed, a successful SAT program has so many moving parts, involving not only an understanding of security but also communication, marketing, teaching, speaking with senior management, working with HR and keeping a finger on the pulse of the organization as a whole, that as a cross-departmental role it really is a full-time job.
In conclusion, security awareness training spans the entire organization. An effective program accounts for the nuances of the people that make up that business and works in sync with other departments to support the business as a whole. It's not an easy task to be sure but is well worth the effort.
Nadja el Fertasi - Panelist, Human Resilience Expert and Consultant; Former NATO Digital Transformation and Cybersecurity; Founder of Thrive with EQ; Podcast Host
Dutch Schwartz - Panelist, Cloud Security Strategist; Principal Security Specialist Amazon Web Services; Advisor and Speaker
Gabriel Friedlander - Panelist, Founder of Wizer Training; advocate for security awareness for everyone; former founder of ObserveIT (acquired by Proofpoint)