At ADAPT’s Security Edge, Warner recommends tailoring training according to interdepartmental roles and leveraging people managers to spread the message.
So, on top of your mind about security awareness and training, what do you think is happening and what needs to change?
Well, a lot, in a word. We tend to treat employees as risks and as the weakest link, and we use all this terminology that suggests that they don’t actually have the power to be a strong security agent. The language we use needs to change.
We really need to think about our employees as security agents, arm them with tools, make it really personal for them. So rather than talking about what’s in it for us – the company – how can the tools and techniques and the tips we give them help them at home as well.
These are human beings. They want to be able to be secure in their home life just as much as they do when they come into the office. So change our rhetoric, really make it personal, and to think like a marketer would be the third aspect.”
So audience-based awareness rather than just one size fits all. If I’m an application developer, I’m going to have a very different set of security questions than somebody that works in a branch centre of a bank, for example.
So we have to tailor our training based on the recipients, rather than just everybody taking an e-learning or everybody reading this policy document.
Wow, that’s insightful because I’ve never heard that before. Think like a marketer.
How about the actual delivery of those modules because we are used to reading really long documents and then just sign or answer a few questions, and then you’re done?
But that does not help us retain a lot of things in our head.
It really doesn’t. And everyone knows the adage about if you read something, versus if you see it, versus if you do.
So we are trying to get more and more immersive in the way we run our training sessions. So worst-case scenario, you would give somebody, as you said, a policy document, read this, tick the box.
Well, it keeps the regulators happy, but are you actually changing their understanding? Probably not, right? They want to go back to their day job. I have never met anyone that wants to do more e-learning.
However, if you can shift that balance to doing, not just the chances of retention but also their ability to understand the inherent risk can only increase.
So one of the tools that we’re using, for example, is discussions around cyber case studies. So industry news that might have happened – whether it’s BA, or Marriott, or Uber. Discuss what happened.
‘What would you have done?’ Especially if it was the human angle that led to the breach. What could you have done differently, and what are the types of information you need from us to help you do that?
So get them involved, get them doing, get them discussing, rather than being passive agents of data overload. Because no one responds well to that.”
Who are your stakeholders in general in the organisation – CISOs or risk management people? Who are you talking to? Are you getting demands or increased pressure on quickly getting the employees aware and trained?
Well, there are quite a few parts to that question.
So who are our stakeholders? Everybody.
Getting back to the marketing-driven approach of security awareness that I think organisations should be looking at, is if we’re talking to an executive or a board member, their access to privileged information is much greater than somebody who doesn’t have external email access, maybe somebody that doesn’t actually have access to any privileged information.
The types of discussions we need to have with those individuals are very different. And the types of risk-based discussions we need to have with them are very different.
The risk of a confidential document or a restricted board paper getting into the wrong hands is much greater than somebody leaving a public document lying on their desk. So it’s got to be a nuanced discussion. Stakeholders are right across the company.
People managers are a particular tranche of users that have an incredible ability to cascade messages to their teams.”
One of the tools that we give our people managers is little slide decks – 2 or 3 slides – that they can use every quarter. What’s happening in the security world at the moment? What are the types of incidents that are happening? And how can we help raise awareness around that? Such straightforward tools.
We run little clinics for people managers. It means for a people manager that if somebody on your team clicks on a link, how can you enable that employee to feel not afraid to come forward and have that discussion with you? I clicked on the link.
Rather than creating this culture of fear where employees don’t want to go to their line manager and say, I clicked on the link, they come forward and ask, how can you help me?”
So how do we arm our employees? The second part of your question was around, are we there yet? I don’t think we’ll ever be there. I don’t think any company will ever be there.
I think what you can do is, through a risk-based approach, make sure that you’re really dealing with the risky areas first and foremost.
People with access to privileged ID, coding, application developers, maybe people who keep clicking on links repeatedly, people who have access to privileged information – really focusing on those employees and executives and middle management to make sure they understand the risk of what they’re doing.
Closed-loop planning we use and feeding good practices back to them: where did you do well, and rewarding people who did well. Running videos, recognising that people did well, giving little prizes.
People love to feel valued, right? If somebody reported a phishing email, they might have clicked on it. Then they took a little video about why they clicked on it. That’s great, we want not to encourage them to click on links, but we want people to feel that they are working in a culture of enablement rather than a culture of fear.
I wouldn’t say that we’ve ever finished our training programmes anywhere in any organisation, but it’s an iterative process for sure.
If you had to speak with a security leader and if you had to give them your top advice on how to communicate better with their employees so that they understand security better, what would that advice be?
Make it personal, make it relatable, and make it fun.”
Because as soon as you make it scary, as soon as you create a culture of fear, as soon as you make it dry through a policy-driven, everything’s policy-based, but it doesn’t mean you want to do policy-driven comms.
You lose your audience, and when you lose your audience, one of two things happen: They either completely ignore you and find a workaround, or they genuinely don’t understand the risk you’re trying to highlight, and they go and perform insecure behaviour. So either way, it just doesn’t work. You’ve just got to be human.
And the fun part interests me. Have you seen any really good modules or training or awareness programmes that are fun? Like one of your favourites?
There are plenty of industry best practices out there and we’re constantly looking at how we can evolve our programme as well within the organisation. Gamification is often a cited one because that’s what we do at home. People work on their phones and their devices and people like to get points for doing things, and they like to get leaderboards to see how they stack up against their peers and their competitors. So how do we build that into our initiatives as well? And also just recognition as well. But the gamified approach I think is probably the one area where cyber awareness is going to increase genuine understanding of the risk and just getting people to be really involved in managing the risk. So one of the initiatives we ran was getting people to decide the end of the video. We gave them two options, you either pick this option, which is protecting the bank from the cyber villains, or you go with this option, in which case the bank ends up getting hacked in these simulation exercises. And it was fantastic, we had so much traction because the employees felt like they actually had the power to protect the organisation from, even though it was just a fun video, and then we ran that over a few weeks and we gave away prizes during the process. And it’s by far the most successful campaign that we’ve run.
That sounds interesting.
Keep people engaged, yeah? And get people understanding the risk rather than just telling them what to do and what not to do.
People don’t like being told what to do. They want to get involved and decide for themselves.”
True, true, that’s great. It reminds me of my days when you had to do those compliance based training modules and I wish I had this as an option.
We still all have to do compliance training, especially in organisations, the banking and financial institutions, everything is regulatory-driven. No harm in that, of course. You just want to make sure that your e-learning is designed in a way that people don’t dread doing it and they retain the information at the end of it. Not just, I just want to get to the end so I can tick the box. It’s, hey I really learned something. That’s pretty awesome. And you want to then be able to go home and hover over the URL, is it genuine or phishing? All these kind of tricks that they can then take back, it doesn’t all have to be dry.
So it implies that there has to be some difference between the compliance training and actual education for long term retention of what IT threat is?
So there’s mandatory training, has to be done. So the argument is, well how engaging must we do it, but yes you do because you want to mitigate the risk. And if made memorable and understandable, people will understand it and they will not contribute to insecure behaviour. All the other stuff is optional. So you know what, we got to make it engaging, we gotta make it attractive, and we’ve gotta make it meaningful to that particular audience, and make it something they can apply at home. And if we don’t do that, they’re just not going to want to engage. They’ve got busy day jobs. We just got to cut through all the noise and just go, hey you want to look out for the next cyber video that’s coming out. Or, did you hear about the competition last year, I want to do the same again. So we want to kind of have that marketing-driven approach to running our campaigns.