October is National Cybersecurity Awareness Month (or maybe Global?), which makes it a fine time for CISOs to evaluate the effectiveness of their own Security Awareness program. I took this opportunity to ask a number of security professionals – CISOs and their teams, vCISOs, and consultants – for their best practices at building a program that creates a secure environment in their enterprise.
Reduce the Waste
A common theme among CISOs is to recognize that awareness isn’t the be-all and end-all of interacting with your users, and that all too often we’re engaging in awareness activities not to change behavior, but to satisfy a compliance requirement. Jason Chan (retired from Netflix) leads off with an important distinction: “For all employees, I focused on ensuring folks knew where to go with issues/questions. For specific stuff (e.g. BEC, Appsec vulns), spend targeted time with the impacted groups with specific examples (targeting emails, bug bounty/pen test findings).” The key is understanding that you don’t need a one-size-fits-all smorgasbord with which to inundate all of your staff. Some jobs need more education than others do.
Steve Mancini (Head of Security, Guardant Health) notes that “Awareness is not Behavior is not Compliance,” a lesson that really resonates with many targets of mandatory awareness programs. Imagine an annual computer-based training program, which isn’t engaging, but requires you to play a video at a slow speed for an hour. How much time are you wasting to “check the box” that everyone received awareness training, which might not have any effect on your business? While gamification can help, it also can hurt – many users have had so many ‘badges’ thrust at them over the years that they may react adversely, especially if the awareness content isn’t relevant.
Another area to reduce is the amount of blame we push onto users. Notes David Chasteen (COO, SideChannel), “Suggesting that the reason you got popped is because they couldn’t identify a well-crafted phishing email is like getting mad because someone didn’t ‘just step over’ the missing stair on your building’s staircase.”
Reuse Programs That Work
While there is a lot of bad content out there that won’t fit your company, relevant content can be useful, and you shouldn’t feel the need to recreate fundamental content that already exists.
Kathy Wang (former CISO, Discord) tells us to not reinvent the wheel when it comes to security awareness training: “I’ve been happy to use materials from other companies (e.g., Amazon’s security awareness training).” Steve Mancini notes that engaging your user base can involve having them create the content for your own reuse, and highlights the security haikus created when he was at Cylance as a way to reduce the cost of creating content, while making it highly relevant and engaging.
Reuse can also involve copying someone else’s idea, even if you put your own spin on it. Brian Markham (CISO, EAB) shares a blog post entitled “Escaping Cybersecurity Awareness Month.” While I’d expected it to share his relief at being done with the mandatory fun we all face in October, it’s actually about a really fun event: building an escape room that walks participants through a security investigation. He took the idea from Living Security’s virtual escape rooms. Many of you might not have the time or inclination to build your own, but good ideas are good ideas.
Recycle Elements to Serve Other Needs
Mandatory “awareness” programs, like phishing tests, can often have a negative effect. Rather than promoting education and awareness, they create an adversarial relationship between security teams and your company. But by repackaging those elements in other ways, you can achieve awareness, education, and further your security program.
Yael Nagler (Managing Director, Yass Partners) has a completely opt-in phishing testing program. “We make this invitation available two times. First, at onboarding and then at the annual training. What we’ve found is that it increases the overall sentiment around phishing, generates better behavior and keeps employees feeling engaged about security.”
Both George Werbacher (VP, Security, Live Oak Bank) and Gary Hayslip (CISO, SoftBank Investment Advisors) also like to focus on the difference between the traditionally passive focus of Awareness and a more active approach like Education. Werbacher says, “This also allows us to educate our culture on how to not just protect the company, but also protect themselves and their family. Once you can make security relatable to anyone, the curiosity naturally sets in.” Hayslip makes it relatable with interactive brown bag lunch lessons: “I would much rather use examples of real phish to make a point and also show my employees real indicators of what to look for instead of having them watch a film or read a PowerPoint.”
Putting It All Together
I don’t think I can summarize better than Juliet Okafor (CEO, RevolutionCyber) does. “It’s important that one security awareness investment serves multiple functions / capabilities for the security org. Too often, awareness focuses just on employee engagement and fails to incorporate the leadership and capabilities into the broader goals for the Office of the CISO.” When you’re overly focused on security awareness activities, you might miss the opportunity to pursue other goals, especially if your focus is overly driven by compliance. Okafor notes the importance of using the elements of your awareness program to drive forward your security brand, employee training, security communications, stakeholder engagement, threat notification, updates about security initiatives, and crisis communications. “All those areas should have a unified voice, approach and vision for the way in which Security is ultimately viewed across the organization.”