Ask us anything: Security awareness, behavior and culture (part 2)

[00:00:00] CS: Welcome to today's episode of the Cyber Work with Infosec podcast. For 12 days in November, Cyber Work has premiered a new episode every single day. In these dozen episodes we've discussed cybersecurity hiring best practices, security culture, team development and the importance of storytelling in cyber security. Our final episode in our daily podcast series is entitled Security Awareness and Business Culture: Ask us Anything and features four guests from the past two days of podcasts. David Hansen, a senior analyst corporate IT security and compliance for Brookfield Renewable; Dan Teitsma, information security specialist program manager for Amway; Donna Gomez, security risk and compliance analyst for Johnson County government in the State of Kansas; and Tomm Larson, cyber security awareness lead at Idaho National Laboratory. Our four guests took questions that were sent live during our virtual Infosec Inspire Conference in September about their expertise in creating effective and globe spanning security awareness programs. Our guests along with moderator Tyler Schultz took questions about the changes in awareness strategies in the face of mass work from home scenarios due to COVID, key traits they look for when hiring cyber security awareness storytellers and lots more. You can also hear more from these guests by checking out the past two days episodes. If you want to learn cyber security or move up the ladder in your career, we're giving all Cyber Work listeners a free month of access to hundreds of courses and hands-on cyber ranges with Infosec Skills. Infosec Skills is aligned to the work roles knowledge and skill statements in the NICE workforce framework and can help you at any stage of your career. Be sure to use the code cyberwork when signing up. More details can be found in the episode description. Can new episodes of Cyber Work every Monday 1PM Central Time on our YouTube channel for video or on audio wherever you like to get your podcasts. And now let's ask us anything. [00:01:54] TS: How have you guys pivoted or adjusted your programs to move more online while also kind of having to address maybe a hybrid approach for anyone who is actually going into the offices? Dan, do you have any thoughts there? Any advice? [00:02:09] DT: Well, I would say for us really the program hasn't changed significantly because of doing computer-based training along with facilitator-led training. I think probably the one obvious difference is facilitator-led training is being done virtually or remotely as well with smaller groups of people, but rather than having people in a conference room right in the office. So I think really that's the main difference. But one of the great things about using a tool like an Infosec IQ learning platform is you can very easily push out training to many people in a computer-based training format. That actually has been a good thing that we've transitioned more to that over the last year or two. So when things started transitioning to people being totally working remote, that just set us up for success even better, right? Being in that type of situation. So really, it’s been business as usual with our phishing program, our awareness training. Really the only difference is facilitator-led training is moved to being virtual as well was really the main impact. [00:03:18] TS: Yeah. So in your program where your facilitator-led training had someone from the local or regional area, really helping lead some of those, like you mentioned, on-site or in-person training. How has their role kind of shifted? Are they still kind of the head of communication as far as delivering training, or how does their role shifted? [00:03:38] DT: I think their role has really been again shifted toward reaching out to people more in a virtual or remote way, whether that's individual people or smaller groups of people where they probably would have been reaching out, interacting with those people in-person in the offices a lot more. They've had to make a real conscious effort, I think, to still be visible, but in a virtual or remote way, if that makes sense. So I think that's kind of really how their role has shifted. but I think all of them have still been able to stay quite active and still doing facilitator-led sessions with smaller groups of people, but just doing it virtually remotely versus in the office. We have people who have started going back into the office now in many of our locations globally. So I think they're starting to now have more of that in-person contact again as well. [00:04:27] TS: Yeah. That makes sense. Tomm, thanks for joining. We're definitely happy to have you as well. Have you noticed any major shifts or have you had to shift strategy significantly due to kind of a shift to working from home environment? [00:04:39] TL: Yeah, and there's good and bad to everything, right? You can see – Well, I always forget. You can see in my background, that's one of the shifts that we've made previous to COVID. The cyber security awareness team would actually go to different locations and do booths, and it was just an opportunity for people to come ask us questions, us to share questions, give them some candy as a bribe to come visit us. And so we've shifted gears and now we do a virtual booth where we set a time and set up a meeting and anybody can join and we make it clear that we're not asking you to come and spend a whole hour or an hour and a half with us. Just pop in sometime during that hour and a half, ask a question, earn a phish. We'll spin the prize wheel for you. So that's one of the things that we've done. But as we're talking about this, I'm realizing there are some new opportunities here that we may not be aware of. My wife is actually teaching a second grade class online and she has been introduced to a whole world of technologies that are designed for online interaction and not just Zoom, or Teams or go to webinar, but things where it allows children – You can show a presentation and allow a child that's across the world to take control and do something with the presentation. So there's lots of technology out there to help make things more interactive. And for me that's one of the things that I miss about the in-person. I spent a lot of my career getting up in front of people and talking, and I love doing that. But I love being able to interact with the audience, feeling the audience's energy, getting them to participate. And so we have to recognize that there's a lot of technology already out there that allows us to do those types of things beyond just we’ll type something in a chat window. And so that's one of the shifts that we've tried to make, try to take advantage. And the other thing that popped into my head was one of the things that I've learned that I kind of like about this where everybody's working from home is I'm starting to learn a little bit more about my co-workers. Just by what they have in their background or my boss every morning at our stand-up meeting – Stand-up meeting. His daughter comes in and gives him a hug before she leaves for school. Now I can put a face in the name to the daughter and I have a little more insight into my boss's personal life that obviously he's willing to share. That's another thing you got to think about. What are you willing to share and what are you not willing to share? I’m going to comb my hair and brush my teeth and groom my beard before I get on camera, but I'm not worried if my daughter walks in and asks for a candy bar. I'm not worried if my dog wants me to pet him. And so those are things you have to think about, but also that's an opportunity to get to know your audience. And one of the best ways to reach people is to know how to reach them. I take awareness as a marketing challenge. So I want to know my audience. And the more I know my audience, the more effective I can be at reaching them and engaging them and helping them improve their lives in a secure way. [00:08:04] TS: Yeah, that's great. And I think it's very important and definitely admirable that you're taking on that challenge of how are things going to be different, because we don't really know if things are going to shift back to the old way where you can do your booth in-person, and if we can, when that'll be. So I think that's definitely a smart strategy. Donna, or David, are you starting to adopt any new strategies or any changes based on the new workplace environment? [00:08:29] DH: Now being quick, similar to what Dan was saying, there's been no marked change to our new user training or our quarterly phish campaigns that we run. But what we have adapted or started the process of adapting into is for those individuals who have demonstrated susceptibility to a phish campaign, we are now conducting an instructor-led through online training session. And I used to do it in-person, no longer an option. But again, it's driving home the message to the members, to the folks in the different regions. This is not punitive. This is educational. Let us know what you are nervous about and get into that open interactive setting. And so it's not just dry information, but something that they can start to piece it together and hopefully go back into the work environment, they're better equipped to identify and respond appropriately to a suspected phish. [00:09:36] DG: Yeah. For us one of the biggest things in the plan that had to shift was for our 50+ community. Nursing homes have been impacted greatly by COVID. And going in-person, you're there detached from the world. So the only thing they have are the nursing home staffs. So just detached from their community, I mean from their family members even in some cases. But those are people who are the targets for a lot of the scams that are out there. So they need the information. So we have worked with Outreach to develop a program for them. So working with our parks and rec department and giving them the information so they know the people and then providing the program and presenting that content and creating that channel and then also helping them. So you're a victim? Here's what you need to do. So giving them the steps. Giving them the tools so that way they're self-sufficient. That way they're not abandoned. They're not left to their own devices and everything else. And it gives them a connection point and gives them a face. So they see people, and because that's what's so hard, is that people need people. And you don't see faces, you're left about. You're left alone. So it's all about engagement and that's what awareness is. So just launching the program isn't enough. You have to connect the content to the people. And so that's one of the things that we've done for that community, is include – Find a way to bring the content, deliver the content in a way that's meaningful to them. [00:11:27] TS: That's great. Another question that came in that kind of tie into that topic as well from Gilberto, how often do you send communications to employees? I don't know if that's something that has necessarily shifted for you guys now, but I would definitely like each of your opinions and kind of thoughts behind that communication element. How often should you be potentially sending out whether it's training, whether it's kind of more generic security communication? How often would you recommend doing that? David, do you want to take that one? [00:11:57] DH: We average about once every six weeks. There'll be a group communication that goes out and it will speak to the threats that are being detected and letting people forearm them with a bit of knowledge. Just in case something new or some variant gets past our filters, but about every six weeks. We don't want to hit them every three weeks, because then you get a little bit blind to it. [00:12:32] TS: Awesome. Another question from Gilberto. This is interesting to hear your perspectives on this one as well. What strategy do you follow or perhaps did you follow in order to get the budget that you needed to run the type of program that you're running? [00:12:47] DH: That's a biggie. [00:12:51] TL: So my favorite strategy is to compare my costs to the cost of a new firewall. And in my experience, the technology that we use to protect our users via firewalls or email filters or proxy servers, all of that is orders of magnitude greater than my costs. I can buy a couple thousand of those squeeze fish for pennies compared to how much it cost to put in one firewall. And so that's one of the favorite strategies I use. And you can always talk about risk and point out that studies have shown that the biggest risk to your cyber security is people. And I'm not saying our people are the problem. I'm saying that's how the hackers get in most often. That's the most common way they get in. So that's our biggest risk. So that's where we should be putting most of our resources to protect against that risk. So if it's a risk conversation, you've got the ammunition already. And if it's just spend, if it's a spend conversation, well yeah, you can spend a million dollars on a firewall or you can spend 30,000 on a subscription to some great cyber security awareness training. So those are two of the things that have worked very well for me. [00:14:15] DT: Yeah. Sorry. Really quick. Kind of building on that, I think you can qualify and quantify what the impact will be of an actual security event. So I think if you can lay out here's a real life scenario or situation that either has occurred in our company or has occurred at other companies that could occur at our company and you can help people understand what the true impact of that would be, then I think that really helps go a long way with driving the discussion and what makes sense from a budget standpoint around awareness training. [00:14:57] DG: The way I look at it is – So here's the way I proposed it. So it was going back to – So if your organization and whether you have IT governance in place, whether you're bored, what matters to them? It’s your story. You got to tell the story. And if you follow the new cyber security framework, if you're doing the CIS top 20 controls, whichever one of those is your body of knowledge, whatever one is your cost of compliance, whatever the drivers are. Cyber security awareness is part of that. I look at cyber security awareness as part of your threat and vulnerability management program. It should be also embedded in your change management practice. It should be embedded in every single practice that you have, because it is behavior change. If you want people to know how to do business, you want to connect. You have IT governance program. IT is supposed to enable the business. And how do you do that is you make the business and IT understand each other. And that's part of cyber security awareness. Security is doing good practice, and you have good cyber hygiene. These two things go hand in hand together. So when things are not going well, we already know what the cost of a cyber attack is. You can ask your cyber insurer. They're going to tell you. The cost of a cyber insurance program, we know what the cost of that is. The cost of cyber security awareness program is here's the license cost. You do that cost benefit analysis. You put that in front of your finance, your financial person. It's going to be a no-brainer. So understand what the business wants, needs are and tell them the story. But put it in the mindset of what's out there. What the standards are? So if somebody is driving, talking about NIST, get to know your auditor. Get to know your risk manager. Get to know your cyber insurer. Find out what's out there and talk to these people. And they can help you tell the story. If you want some help from me, because I've written one of these before, I have a nice little template that I’ll be more than willing to give you that you can beg, borrow and steal and use it to present and at will. Because I consider it an easy sell as long as you know who your audience is to tell the story. [00:17:34] DH: You touched on it on a good point, Donna. I also cover off on the IT compliance requirements at the corporate level, and we've been seeing a distinct change, or of course for publicly traded companies, a distinct change in the last year with what the external auditors are looking for. And they are specifically interested in cyber security. It is, I mean, more and more of an active topic. But going back to the question, we take the approach of we put forth what objectives we'd like to achieve for the upcoming year in our initial draft budget submission. The board comes back with what they like to see. And then it's just that challenge of matching the board expectations to the funding level and making sure that they're more or less on par with each other. [00:18:24] TS: Yeah. That's great advice. One thing that I was kind of curious about – So have any of you encountered kind of the mindset whether it's amongst security leadership or just anyone else on the security or it teams where the common frame of mind is your employees, they may be the greatest weakness and maybe we're going to do security awareness and training to achieve compliance, but we're better off investing in technology over training. Have any of you had to overcome that kind of objective of our efforts should be in technology rather than the time and effort for security awareness and training? [00:19:10] DH: Donna want this one. [00:19:14] DG: Since 1999, I’ve done this many, many, many, many times. And the thing is, is you still need people to enable technology. So you don’t invest – And I can’t tell you how many times I’ve worked for an organization where the first thing they've done is cut the training budget and then they wonder why. I mean you look at the curve right now. There was even a presentation, and Jack talked about it in the beginning, is looking at the cyber security skills gap. There's a training skills gap. And why is that? Because training is cut. It’s the first thing they cut. Why is that? It's not just through osmosis that things are going to work. You have to enable people. And how do you enable people? You educate people. How do you change behaviors? You help people understand their potential. Anyone who's taken a leadership course, leaders are not born. Leadership is a process. How do you learn that process? It's training. You develop yourself into becoming a better leader. Leaders still make mistakes and you learn from mistakes. So one of those is like you’re like “Aah!” Anytime I hear it. So what am I saying, get to my point, my 15 seconds to hold your attention, because I've already lost you with the fleet time here. It's just that your training. You have to do it. If anytime someone tells you, you redirect him. It's like, one, how do you maintain the skills? You have to – There's a balance, because I mean we've implemented technology and we did not take the training to train the employees on how to use the technology. That is something that's always missed. You're not just going to learn it. It's just not like it's the same product. It doesn't happen. Training, it's essential and it's part of everything that we do. I mean, woohoo! Yeah. [00:21:40] TS: Actually, so I know Tom just from talking in the past. You've actually built a team kind of around you to help with a lot of the things that I know Donna has mentioned, each of you guys have talked about. And when we're talking about things like your team or anyone else helping you run your program or David and Dan talking about having an extended global team, whether it's facilitator-led training in regional areas, what do you do to – Or are there any traits that you look for someone else to add to your team that something you're really looking forward to that you know you're going to get your message across and you know you're going to be delivering impactful training? [00:22:20] TL: Well, for me, good writing skills, because a lot of what we do depends on writing or is in writing. Good organizational skills, good project management skills, because I don't have them. So I need somebody else who can do that for me. But yeah, I mean that's the first thing. What are the things I wish I had that I don't? And one of the things that I've kind of looked into is the last few people or the few people that I've had join my team are very creative and come up with fantastic ideas. So definitely creativity and a kind of a marketing mindset and marketing capabilities and knowledge are definitely things that I look for. The technological stuff, it does help, but I can get technology help from other people. And I'm surrounded with techies. Because I need to engage people, I need marketing expertise and communications expertise. [00:23:28] DT: Yeah. I would say it's really communication, but also culture, right? So someone that's really embedded in that location area, that culture and having a good understanding of that if at all possible, because one of the real challenges you have is how do you effectively communicate to a truly global audience but have it resonate with that person where they're at in a way that's meaningful to them. And it's really interesting the discussions that we have in our team that has people represented from all over the globe, because we'll talk about this training topic or how we're presenting something and someone will say, “Well, in our culture, that would kind of mean this. It would resonate this way. In our culture, it would mean this and resonate this way.” And you just realize that you have to be – Have people that can understand those differences, right? So that's one of the things we talked about that's so important is you have a consistent message globally, but you have to adapt it for the culture at the local level. And that's absolutely key, and you need the people that have that cultural awareness to be able to do that. [00:24:35] DH: Yeah, your person in the locale. They're going to give you incredible value. As I found out through engagements last year, you're dealing with our China group. Get to the point. Do not flower. Just get to the point. That's what they understand. That's the norm for them. In Colombia, in Brazil, yeah, informal, build up the rapport with the individuals or with the group. That's great. Ireland, just bring beer, you're good. [00:25:11] DG: So Irish. [00:25:14] DH: It is adaptive, and yet you’re still trying to [inaudible 00:25:16] that common [inaudible 00:25:17]. You have to be adaptive. And I like your point about the people skills. There’re some people where they’re creative, they’re good communicators. They can think on their feet. But there’s also a place for people who are very procedural. I think in terms of when I'm developing the program, when I'm pushing it out there, that's where I need the creative people. They can think out of the box and on their feet. Once it's established, then somebody who's more procedural-based and organizational, a good PM sort of approach. They're a really good fit for that. [00:25:57] TS: That's great. So in our last few minutes, I know you guys have touched on this a little bit, but any new exciting major plans or changes to your programs coming up in the next year or so? Donna, anything in particular? [00:26:14] DG: Well, because of tom, the phishing derby has requested. Why don't we do that? Oh, okay. We'll do that. Thanks, Tom. So yeah, and that's the great thing about thing like this, is that collaboration really helps give you new ideas to try something new. And that's what I always tell everybody, is like I'm willing to try anything. Is it something? It engages people in a different way. And so that’s just it. I'm just looking. For me, I'm looking forward to just trying something different than what we've done in the past, because it's a way to engage people, reconnect them in a different way. [00:27:12] DT: Indeed. We've got to prove it. We know what works. What can we do next to enhance upon that? And that's the challenge. And I said earlier, it's trying more. It's more time demanding but more of the one on small group approach and get that question and answer and hopefully get them to the point where they're willing to start admitting what they don't know. And then you can – [00:27:37] TL: Yeah. Well, Dan, it stole my thunder. For cyber security awareness month, we're holding a fishing tournament where we're going to pit different parts of the organization against each other. We're going to send out three different phish through the month and see who has the best reporting metrics after the tournament and give away prizes to the winning teams. [00:28:02] DG: Well, you included it in your presentation. So use it. [00:28:06] TL: That's right. That's right. [00:28:09] DT: Well, yeah. Just like Donna said. If you want to steel, big borrow steel, take whatever you want and feel free to reach out to me and I'll show you what few ideas I have and I'll share all the great ideas my team has. [00:28:21] CS: Thanks for checking out Security Awareness and Business Culture: Ask us Anything with Donna, Tomm, David, Dan and Tyler. We hope you enjoyed these dozen episodes and we're able to acquire some lessons, ideas or strategies that you can use to create or update your security awareness training program and make the work of security more effective and engaging. Cyber Work will return to its weekly episodes on Monday, November 23rd when Terrence Jackson of Thykotic and I talk about how to best protect an organization's privileged credentials in the cloud given the current proliferation of remote work and the unevenly secure devices people use when doing that work. The Cyber Work with Infosec podcast is produced weekly by Infosec. The show is for cybersecurity professionals and for those who wish to enter the cybersecurity field. New episodes of Cyber Work are released every Monday on our YouTube channel and at all the places where you like to get podcasts. To claim one free month of our Infosec Skills platform, please visit infosecinstitute.com/skills and enter the promo code cyberwork for a free month of security courses, hands-on cyber ranges, skills assessments and certification practice exams for you to try. Thanks for listening. Thanks for joining us in these last 12 days, and I'll see you very soon for more regularly scheduled episodes of Cyber Work. Bye for now.