We recently picked the brains of three security awareness practitioners to cover this topic and more on a Spiceworks video meetup featuring Lisa Plaggemier, Chief Evangelist at Infosec, Kristin Abraham, former Global Cybersecurity Awareness Manager at General Motors, and Joe Pokropski, former Director of Security Education & Awareness at JPMorgan. Here’s what they said.
What principles can security and IT professionals borrow from marketing and sales to improve their security awareness programs?
Joe: From a sales and marketing perspective, it is useful to think in a campaign mindset. We need to bring that into the realm of education and security awareness as well. Like an effective marketing campaign, we need to deliver training the way people prefer to learn. It’s not one-size-fits-all. Some people learn best through visual means, for example, while others prefer audio or written content.

Lisa: Sometimes we assume our employees feel as passionate about security as we do and that’s not always the case. We often miss the opportunity to get people’s attention from the outset. The reality is that there’s so much media and so many things vying for our attention. If we don’t get their attention, then they’re never going to engage with the rest of the message and we’ll lose our opportunity to teach them anything.
We hear time and time again that one-size-fits-all training doesn’t work. You need to make training more relevant and more personal. How can you do this?
Joe: For last year’s annual compliance training, we personalized the training. When employees logged in and registered to take the course, they could pick a persona and avatar that aligned with their job. The concepts that we taught were basically the same, but we could rephrase the scenarios and the questions based on their persona. We got some of the best feedback scores we ever had on any of the training by allowing them to “choose their own adventure”. In fact, it was so well received that we’ve now implemented it for new hire training.

Kristin: For our annual corporate training, we added a section where employees indicate their job function. Based on their response, training would be customized so that no one sat through a lot of materials that weren’t relevant to their job. It didn’t require dozens of entirely different courses, but a custom delivery of relevant sections that were built as part of the annual program.

Lisa: It’s important to have content that’s available for people’s different learning styles. Some people like a traditional computer-based training module while other people would rather watch an animation or something gamified or funny. It helps to have a variety of styles.
How do you make training specific for users without it being too time-consuming to produce and deliver?
Lisa: There are so many tools out there that make it quick and easy to create your own modules. Don’t forget that training modules are just one piece. If you’re trying to get across some details that are specific to your organization, you can publish an article in a newsletter or hang posters. You don’t have to say everything in every tactic.

Kristin: I think it’s equally important to keep in mind that you don’t want to make training too time-consuming for employees either. If you can leverage quick training and awareness activities, and not ask employees to sit down and take an hour-long course, it helps you both.

Joe: It saves a lot of time and effort to recognize that some of your users may already know this stuff. You can offer them ways to opt out or to prove their competency, so they don’t have to take certain training. And your program will be much better received if you’re not constantly hitting the same people with the same messaging year after year.
What, in your experience, have been some of the most common or the most egregious mistakes you see organizations making?
Lisa: I think too many people fall into the trap of making the entire program mandatory. If you’re really trying to change the culture and get engagement, then that’s generally separate from mandatory compliance training. It would be great if compliance training also changed the culture, but that’s usually not the case. And if you’re offering really engaging or entertaining training, making it mandatory can suddenly make it less engaging. The word engagement gets thrown around a lot these days, but it has to actually mean that you’re making people want something — that you’re drawing them in and they’re buying what you’re selling. What I frequently see amongst our clients, and what I’ve done as a practitioner, is to run two parallel programs. You have one program that’s purely for compliance and you have your metrics ready for the auditors, all tied up with a bow, nice and simple. Then you run another program focused on awareness and engagement. You can’t force culture change. You have to cultivate it.

Joe: Sometimes, because of time constraints and workload, you get your requirements and jump right into building your training solution. Perhaps the boss tells you what they want you to do, or the IT department shares where they need to go, or cyber tells you what the biggest threats are that quarter. In most cases you or your SMEs already know the answers. So you build the content, push it out and wait, fingers crossed that people will consume the training. But to make training truly engaging, we can’t leave the users out of the mix. It’s really useful to have a user feedback loop because your employees are going to tell you whether your training resonates — if it hits the mark or not.

Kristin: I think one of the most common mistakes companies make is adding a training module to the learning library or writing a security article for the employee intranet and then considering those boxes ticked. Those things are good, but they are a small part of an annual program that keeps users engaged all year. It’s also important to focus on the push versus the pull. If everything you’re doing is push, like mandatory training, then you’re not building something that people will engage with on their own. You want people to learn where the tools are and what resources are at their disposal, and then go get them when they need them.
How do you know if your security awareness and training efforts are working?
Lisa: It’s about monitoring the behavior that you want to change. That’s why phishing tools are so popular — what you’re monitoring is very specific. Look beyond the security department for metrics from around the business that you think you can influence based on your employees’ engagement with security training, and use those to gauge program effectiveness. Don’t forget to get a baseline. You can’t go back and create a baseline. If you just jump in and start and you don’t have that starting point, then it’s really hard to say, “This is how much we improved.”

Kristin: Metrics are hard in the security awareness space. There’s not a quick and dirty list you should use. A lot of times the best evidence you have is anecdotal stories versus hard numbers, but those can work as well.
What is new in the security awareness and training space?
Joe: Leadership now has greater expectations that you can measure your results. They want to understand whether your security awareness program pays off. You need better, more robust metrics to prove the return on the investment of our people, time and money.

Lisa: I see a lot more emphasis on integrating with different tools. This includes assigning training modules based on alerts from your endpoint protection and other security tools.

Kristin: Companies want to do more advanced training now because many employees, if your program has been in place for a few years, understand the basics. This gives you the opportunity to go into some more advanced topics, especially with certain target groups.
How do you deal with employees who never learn and continue to put the company at risk?
Lisa: When you point the finger at somebody, there are three fingers pointing back at you. If they are not learning, is it them, you or a combination of both? Try different methods to get through to the learner, to speak their language. It’s also really important to have an escalation process in place. You can use a three- or four-strike rule where everybody gets one strike. Strike two might involve you meeting with the person individually. Strike three might require a meeting with the employee along with their supervisor. Strike four might require a meeting with the employee, their supervisor and a representative from HR. It’s not the security organization’s job to fire anybody; that’s the role of HR. It’s also really important to put technical protections around those risk-prone people. So maybe they don’t have admin rights to their laptop or their USB drive is disabled.

Joe: It is important to recognize that you are not the “Security Police”. This really goes back to the size of the organization you represent. In a smaller organization where the security team may have more authority and be empowered to do more, you can take different actions. You may be able to restrict entitlements or even remove someone from a role. In larger, more complex organizations you may have to escalate through human resources or a compliance framework. It’s important to understand your risk appetite. It’s a foolhardy game to think that you’re ever going to get click rates to zero or reporting rates to 100% when it comes to phishing. That’s not going to happen. So what’s our risk appetite, what can we expect and what can we tolerate?
The reality is that some people simply can’t remember all the information in your training. How do you deal with that?
Joe: You need repetition. You need spacing. You need time to digest, reflect and practice to change a behavior. All of that’s important when constructing any type of program. What’s probably more important is pointing people to the resources and having a place that somebody can go that contains compelling and engaging material. That could be a corporate intranet site, a company homepage or a website. It’s important that they know that there’s a place they can go back to in case they don’t retain all of the training.
Do you have any parting advice for other security awareness training managers?
Lisa: There is a lot of work that goes into kicking off your security awareness program, but once you’ve sent that first baseline phish, that’s when your job really starts. That’s when you need to really dig in to the whole idea of educating people and creating engagement with your security training. Seeing people learn and engage, getting more demand for your security services and having more people come to your team to ask questions — that’s what should really get you excited.

Joe: It’s important to understand the culture that your organization has and, maybe more importantly, the culture that you aspire to have. That’s what defines security behaviors. Once you understand that, you can do what you need to do to change or support those behaviors.

Kristin: People learn and retain information in different ways and have different motivations for adopting better security habits. That’s why it’s useful to help them understand why cybersecurity is important, not just at work, but at home as well. If you can make security training personal by relating it to an employee’s home PC or their kid’s phone, you can deliver a more impactful message and help them see security as part of their everyday life, not just an afterthought at work.