How IIE moved mountains to build a culture of cybersecurity

Over the past two years, the Institute of International Education (IIE) has shifted to a belief that effective information security and data protection takes a village to execute properly.

“We have a duty to protect the data provided to us by those we serve from undue security risk,” said Allan Goodman, CEO and president of IIE. Shannon McPherson, Director of Information Security and Compliance, takes this mission to heart and applies it directly to IIE’s security awareness efforts.

Knowing that a cyberattack is a matter of “when” and not “if,” McPherson set out to re-envision IIE’s cybersecurity training program — and she had her work cut out of her. Previous training efforts were infrequent and, in McPherson’s words, encompassed the dreaded “Death by PowerPoint'' approach.

IIE also struggled with an issue with which many IT teams are all too familiar: a difficult relationship between IT staff and everyone else. “The largest obstacle in the creation of IIE’s Information Security Program began not with the need to procure a versatile security awareness platform,” explained McPherson, “but with the need to overcome our cultural deficit, one of mistrust and disconnection.”

What followed was a security awareness program uniquely cultivated to engage employees, celebrate successes and transform the culture at IIE. Each year, staff go through comprehensive security awareness training and assessments. Long gone are the dreaded PowerPoints — engaging learning experiences have taken their place.

“We are big fans of the Need to Know series. Anthony and his friends do not disappoint. They also bring a mixture of engagement and comedy,” said McPherson. “The first year we did this when we were still in the office (pre-pandemic), I actually heard people around the office randomly saying, ‘Don't call me Tony,’” a phrase from the Need to Know series. “That was quite fun to hear because it means people are remembering things and associating the content with specific security topics.”

New hires also benefit from a security training course during onboarding to springboard them into their new job with the safety, security and awareness knowledge they need to succeed.

Security awareness training doesn’t end with training modules and assessments. McPherson supplements training and awareness with an array of resources, including newsletters, infographics and posters, to name just a few.

IIE also uses supplemental training campaigns such as the Wild, Wild Net toolkit to jumpstart awareness throughout the year. “We were using that on a weekly basis as it was designed, but I also customized the emails to our audience, which I feel is the most efficient way of connecting with your team members.”

IIE confronts its phishing risk head-on by delivering quarterly phishing simulations to all team members and providing supplemental information on an internal phishing awareness page.

McPherson utilizes the Catch of the Week template category and hand-selects templates most relevant to IIE. To McPherson, providing relevant education and obtaining a true measurement of employee risk is more important than driving a phishing performance rate to 0%. “We purposely do not select the easiest phishing templates for our team members. We also use customized templates from our own repository.”

McPherson strategically communicates the phishing pass rate (versus the traditional phished percentage) to align with IIE’s employees and culture. “Our people thrive on being able to celebrate their progress. Communicating a pass rate instead of a failure rate helps us do that.”

Despite the often difficult, real-world tests, IIE has watched its phishing pass rate increase from 75% to 94% with employee email reporting following the same trend.

Since taking the helm, McPherson has noticed a significant shift in employee attitudes towards cybersecurity at IIE. She was even able to quantify this shift using Infosec IQ’s Cybersecurity Culture Survey, designed to gauge employees’ attitudes and perceptions towards cybersecurity.

McPherson was pleased with staff responses and high marks in all five cultural domains. This year’s survey findings will serve as a baseline the Information Security Team can use as a measuring post for future surveys.

McPherson and the rest of the staff at IIE moved at warp speed to not only modernize their training efforts, but also transform the relationship between employees and cybersecurity. “Our Team Members recognize that their business and personal decisions in cyberspace have a direct impact on our organization and risk landscape,” said McPherson. “Our people feel empowered and are not afraid to engage with us. We’ve built this trust and continue to do our part providing support with compassion and empathy.”

Instead of being intimidated by the endeavor, they tapped into their collective drive as an educational community to master this new and critical subject. These days, IIE proudly identifies as a security-conscious organization in a habitually vulnerable industry.

IIE was the Engagement Award winner for the 2021 Infosec Inspire Security Awareness Awards. The Engagement Award is a salute to the most engaging and influential security awareness training programs. These are the programs that go “outside of the box” to harness the power of creativity, learner engagement or gamification to drive lasting behavioral change.