How to Make Security Training About the User with Cybersecurity Thought Leaders

Cybersecurity thought leaders Robert Carey, Simon Waller, and Ellie Warner discuss their most effective ways of changing the security training conversation.
Too often, security awareness and training are focused on organisational needs rather than on the end user's overall cybersecurity. At ADAPT’s CISO Edge in July, we asked cybersecurity thought leaders Robert Carey, Simon Waller, and Ellie Warner about their most effective ways of changing the conversation so that it is about the employee working safely anywhere.
Robert Carey – VP & GM, Global Public Sector Solutions at RSA
So there’s a nice hierarchical chain of command to throw information down, and there are lots of ways to do that in a structured manner. But you really find the nexus in the unstructured communications: the word of mouth, the blogging, the all-hands emails, the all-hands meetings. So you communicate in a way that enables the communicators to continue the journey of aligning thought and value propositions around cyber security investments. One of the biggest things that we encountered was: I need to make sure that every user has a certain amount of skill as they engage the network to do their job. We took it for granted that you log in with your user ID and password and off you go. I was one of the people selected to roll out smart cards for the United States Navy, and so it was a giant change to how you’re going to log onto the network, a giant change, and to how you’re going to call yourself a member of the United States Navy. It was a different ID card. And the change management initiative was really persistence, thoroughness, and a deliberate demonstration of the value proposition on the other side, so that you defused all the questions, concerns, and challenges. And there was a point in time when there were several commands who said, “I’m just not doing it.” And then you can pull out the letter from the Deputy Secretary of Defense saying, “Yes, you are.”
So, but if you didn’t have to do that, all the better, and then suddenly they got over it. Sometimes you had to push them, but sometimes they were already there, and there were always a few who said, “Give me mine, I want to be the first.”
To me, it’s persistence to ensure that you’re touching all the right people, and then enabling those people to continue to communicate the message.
Simon Waller – Digital Champion, Author and Advisor
I mean, a couple of examples that people came up with when we asked were where they were saying, “We’re thinking of our friends, and training for parents about cybersecurity for kids.” And it’s just as valid to say that it’s probably the kids who don’t need so much of that training.
Suddenly we’ve taken this idea of cybersecurity and we’ve made it meaningful to people.
And I think the skills that people develop in that type of training are perfectly transferable back to their work posts. We’re not dealing with different problems. Like, here you are in business, worried about my password security, and I need to be worried about that in my personal life. And you’re worried about phishing emails and ransomware attacks, and it turns out that most of those are actually directed at people at home, so I need to be worried about that too. So all the things you’re worried about, I’m worried about. So in theory, if you were to teach me the things that I needed to know, they would also be the things that you needed me to know. It’s interesting that we haven’t seemed to come at it from that direction.
Ellie Warner – Head of Cyber Awareness at Standard Chartered Bank (Singapore)
We tend to treat employees as risks, and as the weakest link, and we use all this terminology that suggests that they don’t actually have the power to be a strong security agent. So the language we use needs to change. We need to really think about our employees as security agents. Arm them with tools, make it really personal for them. So rather than talking about what’s in it for us, the company, how can the tools, techniques, and tips we give them help them at home as well? These are human beings. They want to be able to be secure in their home life as much as they do when they come into the office. We need to change our rhetoric, really make it personal, and think like a marketer would be the third aspect.
So, audience-based awareness, rather than one size fits all.
If I’m an application developer, I’m going to have a very different set of security questions than if I’m somebody who works in a branch of a bank, for example. So we have to tailor our training based on the recipients, rather than everybody takes an e-learning course, or everybody reads this policy document.
That’s insightful, because I’ve never heard that before: think like a marketer. And then how about the actual delivery of those modules? Because we are used to reading really long documents and then either signing or answering a few questions, and then you’re done. But that does not help us retain a lot of things in our heads.
It really doesn’t, does it? And everyone knows the adage about, you know, if you read something versus if you see it versus if you do it. So we are trying to get more and more immersive in the way that we run our training sessions. So, worst-case scenario, you would give somebody, as you said, a policy document: read this, check the box. Well, it keeps the regulators happy, but are you actually changing their understanding? Probably not. They want to go back to their day job, straight away! I have never met anyone who wants to do more e-learning. However, if you can shift that balance to doing, the chances of retention, and also their ability to understand the inherent risk, can only increase.
So one of the tools that we’re using, for example, is discussions around cyber case studies. So, industry news that might have happened, whether it’s BA, or Marriott, or Uber. Discuss what happened: what would you have done?
Especially if it was the human angle that led to the breach. So, what could you have done differently?
And what are the types of information you need from us to help you do that? So get them involved, get them doing, get them discussing, rather than being passive agents of data overload, because no one responds well to that.