[00:00:00] CS: Welcome to today’s episode of the Cyber Work with Infosec podcast. For 12 days in November, Cyber Work is premiering a new episode every single day. In these dozen episodes we’ll discuss cyber security hiring best practices, security culture, team development and the importance of storytelling in cyber security. Today’s episode is entitled Collaboration and Cultural Relevance: Taking Security Awareness Global.
Our guests are David Hansen, senior analyst corporate IT security and compliance for Brookfield Renewable; and Dan Teitsma, information security specialist program manager for Amway. The old saying goes it takes a village to raise a child. In the case of Dan and David, their village is global and it takes a collaborative network of peers to plan and manage a worldwide security awareness and training program. If that sounds daunting, let Dan and David walk you through their blueprint for getting buy-in from stakeholders and designing feedback loops that allow them to tailor their programs to be culturally relevant and appropriate to employees worldwide. We hope you enjoy this 30-minute conversation between David and Dan, along with moderator Tyler Schultz.
If you want to learn cyber security or move up the ladder in your career, we’re giving all Cyber Work listeners a free month of access to hundreds of courses and hands-on cyber ranges with Infosec Skills. Infosec Skills is aligned to the work roles, knowledge and skill statements in the NICE workforce framework and can help you at any stage in your career. Be sure to use the code cyberwork when signing up. More details can be found in the episode description. Catch new episodes of Cyber Work every Monday at 1PM Central Time on our YouTube channel for video or on audio wherever you like to get your podcasts.
Now let’s start the show.
[00:01:46] TS: Let’s actually dive right into how you’re tailoring your training programs to accommodate the geographic and the cultural variances across your different offices. I know that’s a huge challenge for each of you. And each of you actually both take kind of a decentralized approach to mapping specific portions of your global programs. David, can you step us through what this looks like and that collaboration between your core team and those individuals who are managing security awareness and training at a local or regional level?
[00:02:17] DH: Right. So we execute – At the corporate level we do a quarterly phishing exercise where we send out variations on a theme to all of our people. But when we consider that we actually have 11 operating businesses, and we operate in a very decentralized model, there is a requirement to adapt the selected template or templates to better work within the target environment. Some of the ones we have to deal with are Brazil, Colombia, China, Germany, Spain. And so myself as a center coordinator, I’ll reach out and I work with the assigned individuals in each of the operating businesses initially to take a look at the formatting for the templates we choose. For example, if we choose to do like a courier-based theme, one period may be very prevalent in the UK, but non-existent in India. And so we customize that, then the language.
And the last step is usually having the site reps just do a last pass through and make sure that something that translates from English into, say, German doesn’t sound not quite right. So they’ll take it and they’ll turn it into something which is more regionalized, more adaptable, more accepted as coming from the region.
[00:03:54] TS: Yeah, that’s great. Dan, can you talk a little bit more about your program as well?
[00:04:02] DT: Yes. We have a combination of an approach that I’d say is centralized, but then also decentralized. We’re centralized in the sense that we have a 12-member awareness team of individuals from eight different locations globally. And that team works together to make content decisions for our new hire and then our global mandatory training programs. And we develop common goals and overall training topics that each region should reference when developing their own training materials.
We’re decentralized in that the regional awareness team members are responsible then for supplementing or complementing that global training with facilitator-led training and other training resources that are more specific to that region or to that market. And they also share content with each other so that we can leverage that, but then they can adapt it to their own audiences in their region and their markets.
We provide training in English plus 11 other languages. And for translations, we work with Infosec Institute, but also our awareness team members are fluent in many languages and they help validate translations and provide some translation content as well so that we have all that content then translated and available in all those different languages. And learners then have the option to select their preferred language when they’re accessing the training content.
[00:05:32] TS: Yeah. That’s great, yeah. And I think obviously it’s a huge challenge for each of you to spread this training globally, but part of that challenge is not only being able to deliver that, but making sure it’s 100% relevant for everyone, not only to kind of standardize the education that you know you’re delivering, but making sure that experience is just as good for everybody.
Dan, I know you’ve mentioned in the past that you’ve actually used focus groups as kind of part of this process to make sure the training works for everyone. Can you touch on that a little bit?
[00:06:01] DT: Yeah. As part of the development of our program, we use focus groups where we’ll get a few people together in a conference room or possibly remotely and just talk through different types of learning content, different types of methods for delivering content and just getting people to respond to that and talk to us about what they like, what they don’t like, what works well for them or doesn’t work as well. It’s very interesting, because a key finding from that is definitely that people have different learning styles and respond to the same content differently. And some of that seems to be aligned with cultural differences based on location, but really primarily it seems to be related to individual differences and learning styles and content preferences. And that seems to cross over from a cultural standpoint everywhere. So it really just reinforces that we need to offer training content over a two to three year period that covers similar topics, but provides variation in the content format and delivery so that it resonates with people in a different way or with two people with different learning styles.
[00:07:14] TS: Yeah. That’s interesting. David, what have you picked up over your time administering global training? Have you noticed any preferences or differences you observe from different regions?
[00:07:27] DH: In line with what Dan was saying, we’re seeing something similar. Different themes of the phishes that we test people on will elicit different responses. We emulated a year and a half ago a LinkedIn invitation request, and that got a lot of traction right across all the areas. Right around the October, November, early December period, there’s a lot of packages being sent. So we’ve seen a lot of activity to that particular style of phish. But other people will also react more to like a free one month subscription. So it’s really what sort of bait you’re going to dangle in front of them that will elicit different responses.
We’ve also found too that different groups respond differently, like a request for help, “Hi.” Something like, “I’m a new member of the team. How do I get to this site?” Some groups will be more susceptible to that than others. I’m thinking here specifically of somebody from a legal team, who will not respond to that at all. And we gather that information. We do a sampling and talk to people after the test is over and find out what worked. Why? Why didn’t it work? Why? And we feed that back into our iterations that are coming down the road.
[00:09:00] TS: Yeah, that’s great. So actually, switching gears a little bit, it might sound a little bit daunting to run these large programs that kind of span the globe. So I’m interested, what sorts of tools do you rely on? What kinds of – Within your training platform, what are the tools that you use to automate as much as you can to make running this type of global program as efficient as possible? David, any insight on that?
[00:09:24] DH: I wish I had a solid answer on that. To date, I haven’t implemented any tools or automation, but through identifying areas in the development phase for the quarterly tests, things like sending out preset phishy domains, to borrow your company’s phrase, that they’ll white list. It’ll push on to the safe sender list. That will help to contract down the time requirement. Other things like, you know, certain individuals are more cooperative in doing the translations. That can save you some time.
When I first started putting the program together back at the beginning of 2017, it was around six to seven weeks to coordinate for all the different regions, the languages and actually launch the test. Now it’s, on a good cycle, three and a half to four weeks. And on a not so good cycle, you can just add on another week or two. But finding a tool that can take up some of that workload, I’ve not been successful to date.
[00:10:35] TS: How about you, Dan, is there anything you’ve found has really helped scale the program and deliver training globally?
[00:10:42] DT: With the Infosec IQ learning platform, we have automated the new employee training with a recurring monthly campaign that automatically kicks off each month and includes new learners added since the previous month. We’re not currently doing an AD sync because we have a separate automated process for identifying and uploading learners each month. But that definitely has been a big benefit to us. Another benefit has been automation of scheduling and delivering a global learning campaign to approximately 20,000 learners. This includes the ability to create a training course, create a learner group and then schedule a campaign to automatically send notifications and track completion and then support easy reporting as well. So being able to automate both the new employee training and then also the global learning campaign has definitely been a real value and real benefit to us and saved us a lot of time.
[00:11:41] DH: Really leveraging the Active Directory synchronization, which I wish was an option, but it’s just not with the organization.
[00:11:51] TS: Yeah. I think what’s really smart about the way you each handle your programs is obviously you probably could really automate global training and use translations that kind of come out of the box and be super-efficient, but obviously you guys have taken the approach of let’s really take advantage of local regional offices and make it as effective as possible as opposed to let’s just get it out the door as quickly as possible. I think that’s – There’s always going to be some tradeoffs there, but I think it’s probably a smart decision. Probably the most effective way to distribute training the way you guys are doing that.
[00:12:25] DH: The initial training is actually pretty straightforward. I really don’t put a lot of time on a monthly basis looking at it other than for the core corporate group. Anybody new comes in, put them into the list. Once a year I’ll review and if necessary update the core modules that we want people to be trained on to establish that baseline. Plus we also put our IT acceptable use policy in there, in that training stack as well. So it also serves a legal purpose. So if ever required, we can go here: they did the training, they finished it on this day.
We run with a decentralized program where the actual assignment of training and completion within the 21 business day mandated time frame is done by the operating business. I just sort of sit at 20,000 feet and make sure there isn’t any slippage.
[00:13:21] TS: Yeah, that makes sense.
[00:13:23] DT: Yup. The other thing that we have been exploring more is assigning additional training courses to specific audiences based on their job role. And so we can provide access to the learning platform to additional people within the organization to allow them to look at content and then possibly assign training courses to people within their groups. So that’s an area that we’re looking at expanding and doing more automation around.
[00:13:47] TS: Yeah, that’s great. So aside from – So obviously there’s a lot of cooperation between security, your IT staff and obviously anyone helping deliver the program in specific regions. But are there any other kind of collaborations within your organization that you found really useful for your program such as working with HR, communications departments or anyone else at your organization? Dan, do you have anything on that?
[00:14:15] DT: Yeah. We partner with our human resources and legal and communications groups to combine plans for our information security training along with training done by our compliance group and HR, human resources group. And we have kind of a training month or training initiative once a year. So we may do our global mandatory training. We’re sending out communication talking about our information security training, but then training in the other areas as well. That allows us to get a lot of executive leadership support to encourage everyone to complete the training. So we really have a big emphasis on like a training month and the training that will be offered during that month and that it’s required for everyone to complete the training. So that’s allowed us to increase the level of awareness with our information security training because we are partnering with those other groups and their training initiatives also.
The other thing that happens is our awareness team members also collaborate directly with leadership within their regions to follow up and communicate further when we’re running our global campaign to ensure that we’re getting the completion of the training by all the learners. So that collaboration and partnership has worked well also.
[00:15:33] TS: That’s great. David, how does that shake out at your organization? Do you have a lot of other coordination with other departments or leadership teams that everything runs through?
[00:15:43] DH: Apparently Dan talks to the other departments far more than I do. The one group we do work with is part of our process. We engage with each of the HR teams to acquire the active email addresses. And then after the fact, when the quarterly test is done, we work with communications and we send out what I’ve termed to be a lessons learned document to all of our users, and they help with the translations. And the intent behind that is that we highlight the quarterly phish that has been sent out within the last, usually, two weeks and is still relatively fresh in people’s minds.
We’ll point out areas that they should watch for, the email address, other sorts of hooks that we put into it, spelling mistakes, that nature of thing. And the objective is to get people to recognize and to learn from the experience and hopefully that they will use that information in real-time.
[00:16:53] TS: Yeah, that’s great. So big question for each of you. What does success look like for you? So what metrics do you measure your program by and how do you know what’s working and where to adjust? Dan, what are your thoughts?
[00:17:11] DT: We do have a phishing program that includes monthly phishing tests. So we do metrics and reporting on phishing clicks and suspicious email reporting and then scorecards associated with that. So we do have specific targets for those that we monitor. And then for regions or divisions not doing as well on phishing results, our regional awareness training members will reach out to those groups to add additional facilitator-led training targeted at those specific groups. Or in some cases individuals depending on what the need is. For our new hire and global mandatory training programs, we monitor the percent completion and we have targets that we measure against for employees and contractors and completing the training.
[00:18:02] TS: Gotcha. David, what does success look like for you?
[00:18:07] DH: The main goal we’re going for is to get our click rate down into the five percentile range. And we’re pretty close. We’re not there, but we’re getting close. In each area, especially, we do see a lot of new people coming in and even new acquisitions, and we follow what looks to be a fairly standard model where the initial test will score relatively high for that region. And then with training, with both the online training but also small group direct-led training courses. I ran a course on that in 2017 and we’ve dusted it up and often updated it. But the intent is to see, within a two-quarter period, it fall down somewhere into the relevant range that we’re looking for.
One thing that we have started since the Q2 test is with individuals who have clicked, who have fallen for the quarterly phish. We’re re-testing them again, and usually within a pretty tight time frame. And for each one of those people, if they click again, that’s another conversation. But each of those people will also be going through an interactive training session with a member of security compliance to help them understand where the weaknesses are and bring up their base level of knowledge and ability to recognize the phish.
[00:19:50] TS: That’s great. So another kind of tough one for you guys. Can you share with the viewers some of the lessons you’ve learned over the years or any aha moments for managing this global training program? David, do you want to take one?
[00:20:07] DH: Yeah. You need to be really clear about what your objectives are, of course, and also that an effective program which is spanning multiple countries and languages does require a certain amount of time resource to ensure that it’s developing and being implemented to the standard that you’re working for. I find it a little interesting, because the initial training block for new employees, I don’t want to say set and forget, but it’s pretty close to that. But the actual phishing campaigns to follow up, particularly now that senior leadership is well-versed as to the threats that it represents to business, this is something that we do put a lot of time and effort into. So when you are developing your program, make sure that operationally you’re putting the resources in to ensure that it maintains or even enhances the standard that you’re looking for, which is to train the people. We’ve recognized that we’ve got top-rate firewalls and email filters and spam detectors and all that. But if you don’t train the people, if they’re not able to recognize it, you’re always going to have that vulnerability to your business continuity.
[00:21:35] TS: Yeah, absolutely. Dan, any tips for the viewers?
[00:21:41] DT: Yeah. I think one of the big things that we’ve learned over the last two to three years is the benefit of having consistent content delivered globally that you can create a baseline with all of your employees, all of your contractors globally through that computer-based training and you have a way to track the completion of the training and kind of ensuring that everyone’s getting that common baseline to start with. And then the fact that it’s really important to balance that with facilitator-led training in the regions and the markets where you can then expand on the topics and make the training be a little bit more relevant to the people in that location or based on their job role. So it’s really probably the importance of doing both and doing them both in a way that complements and supports each other.
So obviously we’re still learning about that and how to do that effectively, but I think we’ve made a lot of good progress and are becoming more effective in achieving that good balance. And then part of that too is, we talked about this earlier, that people just respond to content differently, right? Not just because of cultural differences, but because of how they learn. So, really, I’m a real strong believer in repetition of the same topics and kind of the same information, but covering it in a little bit different way and maybe a little bit different format just to reinforce that learning over time and to accommodate the different learning styles.
[00:23:17] TS: Yeah, that’s a really good point. Go ahead, David.
[00:23:19] DH: I’m just going to say there’s one other point as far as the aha or lessons learned. I touched on it very lightly previously, but we tracked this in 2018 and again in 2019 where across each quarter we’re seeing – It’ll float a little bit somewhere between the four and a half, five and a half percentile click rate in Qs one, two and three. But in Q4, I have always gone with a courier based notification or your package is lost, something of that nature. And my click rates have consistently across two years now jumped up in that quarter to 10, 11 or higher percentile.
So for us we are changing our Q3 and Q4 training and instructions to focus on this clear vulnerability that’s been brought forward. And I’ll be interested in seeing what our numbers look like in January when I wrap everything up for the Q4 testing.
[00:24:26] TS: Yeah, that’s really smart and I think that’s really a good reminder too, is obviously you guys have been running your program successfully globally for some time now, and obviously building that program is a challenge in itself. But just like you guys or just like other organizations out there, testing, seeing how employees perform and continuously changing. I think that’s a good reminder, David, that that’s kind of the game, right? Figuring out where you’re vulnerable and what kind of training is required to address that and starting over and doing it again and continuously testing and continually working towards that.
[00:25:02] DH: Dan hit on a really good point actually that people in different regions will have different vulnerabilities. Like in Colombia, there are particular points where they have a greater susceptibility. Other places, in China, for example. We would normally write in our phish, you’re telling a little bit of a story like, “Hi, you need to do this,” and you explain why. And then the person will digest that and decide.
I found out that with Chinese users, get to the point. They just like hammer right to it. And if you’re not aware of these cultural or regional norms, then you’re undermining the efficacy of your template. So you’re always learning. You’re always pulling in the lessons and trying to improve the product.
[00:25:58] CS: Thanks for checking out Collaboration and Cultural Relevance with David, Dan and Tyler. Join us back here tomorrow for the final episode of our 12 episode daily podcast series. This one entitled Security Awareness and Business Culture: Ask us Anything featuring all four of our guests from the past two days; David Hansen and Dan Teitsma from today’s episode, as well as Donna Gomez of Johnson County government in the State of Kansas and Tomm Larson from Idaho National Laboratory.
The Cyber Work with Infosec podcast is produced weekly by Infosec. The show is for cyber security professionals and for those who wish to enter the cyber security field. New episodes of Cyber Work are released every Monday on our YouTube channel and at all the places where you like to get podcasts. To claim one free month of our Infosec Skills platform, please visit infosecinstitute.com skills and enter the promo code cyberwork for one free month of security courses, hands-on cyber ranges, skills assessments and certification practice exams for you to try.
Thanks for listening and I’ll see you back here tomorrow for more cyber work. Bye for now.