Influencing security mindsets and culture

Communication, creativity and empathy are crucial in shifting from what we call a “have-to” security mindset (i.e., “I have to take this precaution because IT said so”) to a “want-to” mindset, which suggests employee buy-in to a company’s security policy beyond simply ticking off a to-do box or watching a training video. In today’s episode, Donna Gomez, Security Risk and Compliance Analyst for Johnson County Government in the State of Kansas, and Tomm Larson, Cyber Security Awareness Lead at Idaho National Laboratory, share security awareness and training strategies for putting learner experiences first, engaging employees and building your team with the right blend of talents to foster a strong security culture.

For twelve days in November, Cyber Work will be releasing a new episode every single day. In these dozen episodes, we’ll discuss career strategies, hiring best practices, team development, security awareness essentials, the importance of storytelling in cybersecurity, and answer some questions from real cybersecurity professionals and newcomers.

      [00:00:00] CS: Welcome to today’s episode of the Cyber Work with Infosec podcast. For 12 days in November, Cyber Work is premiering a new episode every single day. In these dozen episodes we’ll discuss cyber security hiring best practices, security culture, team development and the importance of storytelling in cyber security. Today’s episode is titled Influencing Security Mindsets and Culture and features two special guests. Donna Gomez, security risk and compliance analyst for Johnson County Government in the State of Kansas; and Tomm Larson, cyber security awareness lead at Idaho National Laboratory. Communication, creativity and empathy are crucial in shifting from what we have called a have-to security mindset, i.e., I have to take this precaution because IT said so, to a want-to mindset, which suggests employee buy-in to a company’s security policy beyond simply ticking off a to-do box or watching a training video.

      Donna and Tomm share security awareness and training strategies for putting learner experiences first, engaging employees and building your team with the right blend of talents to foster a strong security culture. We hope you enjoy this 30-minute conversation between Donna and Tomm along with moderator Tyler Schultz.

      If you want to learn cyber security or move up the ladder in your career, we’re giving all Cyber Work listeners a free month of access to hundreds of courses and hands-on cyber ranges with Infosec Skills. Infosec Skills is aligned to the work roles, knowledge and skill statements in the NICE workforce framework and can help you at any stage of your career. Be sure to use the code cyberwork when signing up. More details can be found in the episode description below. Catch new episodes of Cyber Work every Monday at 1PM Central Time on our YouTube channel for video or on audio wherever you like to get your podcasts.

      And now let’s start the show.

      [00:01:50] TS: Let’s actually get started today with would you mind each sharing – Quickly just sharing your role within your organization and give us kind of a 30,000-foot view of your security awareness and training program that you manage? Donna, would you mind kicking that off?

      [00:02:01] DG: Sure. So my program involves 5,000 employees and it also reaches out to some of the cities. And we do monthly. We do in-person. We’ve done some in-person for our 50 and over community as well as the virtual switching. With COVID, it was really important this year. And it’s just all about what do they need to know? What do they want to know? And just making sure that we’re delivering.

      [00:02:34] TS: That’s great. Tomm, do you mind jumping in?

      [00:02:39] TL: Sure. Sorry. So I’m the cyber security awareness lead, that means that I’m in charge of cyber security awareness for Idaho National Lab. The group that I work for, we have 6,000 employees. So got to get that little jive in there. We do monthly phishing drills. We do quarterly training. The quarterly training’s in snippets. So that we’re not asking people to do a bunch of training every quarter. It’s three to five minutes at the most. We do in-person events. Well, we did in-person events until COVID-19. We try to do those throughout the year. We don’t have a real regular cadence for those. And basically we’re just trying to change the culture and to get everybody into that safety, that security mindset, like they are the seat belt mindset. Most everybody, when they get in their car, they automatically put their seatbelt on. We’re trying to get our culture to the point where most everybody, when they’re on their computer, they’re thinking about or they automatically perform good security behaviors.

      [00:03:53] TS: Yeah. Thanks for sharing both of you. And that actually is a great transition, and that’s kind of something we want to focus a lot in today’s discussion, is changing from kind of a – To really build more of a want-to with cyber security awareness than a have-to mindset with employees. And I know you guys have had a lot of success with that, and much of your program success really centers on steps that you take to put your learners first, meet them where they are in their security awareness and their behaviors. So I’m interested, what specifically, what are the types of things that you’re doing to understand those employees needs and where they are. Donna, you want to take that one?

      [00:04:34] DG: Sure. So first thing we did last year was started with a survey. So we changed – This was the first time we had introduced the platform to everyone, is that we wanted to ask them, “Well, what’d you think of it?” And every time we do something we ask, “Well, what could we do? What do you want to know more about?” And we always leave that forum for everyone to give us feedback. So if they didn’t like it, what was missing?

      And making sure that they know that we heard what they said. Just not like, “Oh, okay.” Trying to do something to let them know that we heard you and we’re going to help you is the biggest thing, because I’m a big proponent of the Kirkpatrick model. Once I told everyone I was taking away learning assessments so there were no more tests and no more quizzes that go along with security awareness, huge transition for a lot of people, because then they were like, “Oh! She’s not going to trick me into a test.” Nope! It’s just a survey. I just want to know. I just want to know what your opinion is. I really want to know how you feel about the module. What else can I teach you?

      And so when people would show up to an in-person session or they would go to another meeting or they would see something somewhere else or another webinar and share it with me, like is that something you want us to do here? Yes. Great. Let’s do that. So it’s making sure that they feel heard and then making sure that you deliver on that. That’s a really big thing, because that reaction, that’s that first piece of the Kirkpatrick model. It’s like how do they feel about it? What’s their reaction to it? And are they responding to it? And making somebody feel heard is the biggest thing, because needs analysis and meeting their needs is the biggest way to encourage a change in behavior.

      [00:06:34] TS: Yeah, that’s great. It’s a really good step too, because it could be easy to think about just kind of delivering training, but letting your employees be participants and having their feedback, it’s good for you, it’s good for them, it’s theoretically good for everyone. Tomm, do you have anything else to add there?

      [00:06:50] TL: Well, yeah. I’m glad that Donna is on, because she’s giving me all sorts of good ideas. But same, I’d like to reiterate. We try to know what our users want and what they’re doing and what impacts them. I scour the headlines on a regular basis looking for cyber security news that will impact my users. So what was the one – Oh, the Twitter hack apparently that’s a new phishing attack that’s becoming more popular amongst criminals. And so I wanted to let my users know, “Hey, this attack is out there and it may not just be people attacking you at work. It’s people attacking you at home.” And kind of implicit in what Donna was talking about is we want to know what users want, but we want to develop trust so that they trust that we have their best interests in mind.

      And so like she says, we don’t do quizzes anymore. The only time I ever do quizzes is to give people an opportunity to test out of a training. And it’s funny, because I actually do use quizzes as a training technique. So yeah, people can take a quiz to test out of training or they can take a quiz just for their own personal assessment. And I’ve had people panic when they see a quiz and it’s like, “No. No. No. This is just for you to learn about you and what you might or might not know about cyber security.” We don’t care what the score is. We don’t care how long it takes. It’s just a learning tool for you. And that’s another approach we’ve taken. We recognize that not everybody learns the same way. And so we try to offer several different media. We try to offer content and information in various different ways, again, so that people can choose what works for them. So they trust us to provide something that’s useful. And like Donna says, or like you said, Tyler, actually reach them where they are.

      [00:09:13] TS: Yeah. That’s great. And, Tomm, you mentioned something that’s pretty interesting that I think maybe we should build on a little bit. You mentioned the element of trust. What have you found that’s been kind of more effective in building that relationship, that trust, between employees and the security team? If you guys are trying to work together, how do you build that trust?

      [00:09:33] TL: Well, the same kind of thing. We don’t test people. We’re not trying to get people in trouble. A couple of things we do, the phishing drills that we run, we run them every month. We constantly work to remind people that this is not to get them in trouble. It’s simply practice. It’s like a fire drill. That’s why we call them drills, and that’s the way when we actually have to get after managers now and then when they want to get mad at somebody for clicking on a drill. It’s like, “No. Don’t get mad. That’s not the point. The point is practice. That’s all it is.”

      The other thing we do – And this was actually set up before I started working at INL, is we have an email address specifically for cyber security questions. And so we ask people to report if they get a phish or anything like that. But we also say this is a forum where you can ask any cyber security question you have. You can even ask questions about personal cyber security and home cyber security. We tell them up front we can’t make recommendations. We can’t say we’ll use this anti-virus or use this VPN or use this router, but we can tell them how to set up their router properly, when they might want to use a VPN or whether or not they should use a password manager. So we want to give them a place that they feel safe to come and ask us questions where we’re not going to get after them. We’re not going to get mad at them. We’re going to recognize and acknowledge, “Hey, that’s a good question, especially if it’s been bothering you.” And try to give them good information that they can use both at home and at work. So that’s a couple of ways.

      And in fact we try to make the whole program fun. You can kind of see the colorful stuff behind me there. We try to make our cyber security awareness program fun and in no way whatsoever punitive. And we even tell people if you click on the phish, the drill message, still report it, you can still get credit for reporting it. And people want to get credit for reporting it, because they can get phished. Keep forgetting it’s not mirrored. They can get phished and they can get little silver sharks. They can earn rewards. And again it’s the whole idea of even if you do something bad, we want you to report, and that’s the most important thing. And they trust us that we’re not going to get mad at them. We’re not going to punish them. We’re going to work with them to improve everybody’s cyber security.

      [00:12:17] TS: That’s great. A lot of really good stuff there. I know, Donna, you mentioned getting that feedback from employees and listening to them. I’m sure that is a great, great way to build trust. Is there anything else, like kind of keys or biggest takeaways for you that has helped you build that trust between employees and security team?

      [00:12:35] DG: Well, just like what Tomm was talking about, it’s like clicking on something. Whether it’s a drill or a live event, not making that – Treating them like a victim. They are a victim and letting them know anybody can be a victim and taking that element of care with them and showing that compassion and that empathy versus the id10t that it is famous for. I cannot believe you did that. That’s not fair. Don’t do that. Belittling people does not change behavior. That puts the fear factor in them. So it’s how do you eliminate that. So take them in consideration. And I like to ask people, “Why did you click? Did we create a business process? A business environment for you that has driven you to react inappropriately?” Finding out that there’s a business driver that may want somebody to complete emails, have a clean inbox for the day or respond to an inquiry within so many seconds of delivery, that type of thing, or calls.

      All of those different types of metrics that are out there, are they reasonable? It’s like we’re educating them in security awareness to take the time to look at the email address. See what’s coming from the sender and then do all of this reasoning. Is it real and all of that? But if we’re having these business drivers that are saying, “Do this. Do this. And be quick about it.” They’re not being able to take that time. So actually interviewing the person and making sure we’re not signing up to fail. And that’s where that circle – The circle of trust where that relationship’s been built. Like, “Okay, you’re actually trying to understand my business. You’re really trying to understand what my job is and trying to help make things better for me.” And it’s like, “Yeah, I really want to know what your day is.”

      And also taking consideration where the business is at. Like right now, elections. Elections has a cycle. They have a blackout period. It’s not a good idea to set a time frame for something that impacts their setup period. Yes, security is important to that department. But at the same time, I don’t want to set a deadline for that department that hinders them and makes them feel like, “Hey, you’re just another added stress.” Elections is the priority.

      So it’s understanding the business. Understanding the business schedule and then putting a timetable to that. So really getting familiar and building that relationship is key. And then they trust me. They trust me. They tell me. They’re honest about it. And it’s built a great reputation for the security team where we were known as the department of no, and now we’re the department of how can we help you.

      [00:15:44] TL: Right. And if I can jump in – And I have to give credit beyond my awareness team. Our cyber security team at INL is very good about enabling the business. And the same kind of thing, when people come on, I give a briefing to new hires and I tell them we are no longer the department of no. We do not want to be the roadblocks. We want to be the guardrails. We never ever want to stop you from getting your work done. We just want to make sure you get it done securely.

      So going back to the cyber security team, if someone comes to us and they say, “I need access or I need to use this tool to collaborate with somebody in France, or Korea or whatever,” we have a team who will actually assess the tool and determine if there’s minimal risk, and we can say, “Yeah, go ahead and use the tool.” Or if we need to modify slightly, how they use the tool. Or if we have to say that tool does present a lot of risk that we’re just not willing to accept. So here’s another tool you can use in its place.

      And because they’ve become so good at that, we have people reporting to us, “Hey, I’ve been using this and I realize this might be a problem,” and people are much more willing to come to us. And again, they come through that email and say, “Hey, I’ve got this problem or I need to change tools or I need to try a new tool.” They feel free, they feel confident coming to us knowing that we’re not going to say, “No, you just can’t do that.” Knowing that we’re going to say, “We’re going to make sure that you can do it in the most secure manner.”

      [00:17:28] TS: Yeah, that’s –

      [00:17:29] DG: It’s a conversation of risk. It makes my job so much easier to explain risks, because now we’re speaking the same language and I’m not really teaching them anything new. They knew it. It’s just teaching them in the same language. I used to explain to people that I have audit speak. There’s a hat that I can put on occasionally where I speak like an auditor and then I take it off and I’m no longer speaking like an auditor. But the thing is, is that you learn a different language based on your audience. And so now they’re in a room and they’re speaking with risk. They’re speaking from a risk perspective. They start to understand and interpret and then their thought process changes.

      It’s changing behavior, because they’ve built this relationship and they go, “Now I understand where you’re coming from.” You’re not trying to tell me no. You’re not trying to limit me. You’re trying to enable me and doing things the best way possible that’s making it more secure. So we’re not – That’s the big thing too. That’s one of them. That’s the eye opener for a lot of people. Do you want to be like Sony? You know you name the names. And it’s always like – The news. They want to be in news for good things, not for bad things.

      [00:18:49] TS: Yeah. That’s great. That’s great stuff. And you guys have talked about this a lot, building that trust and that understanding. And that really is kind of that foundation. If you want to achieve behavior change, if you want to move towards security culture change, you got to start there, right? But I know, and this is something I’m excited to talk to you about. I know you guys have taken some other approaches too to get people on board, get creative, have fun. So I did want to take the chance to ask you guys, what are some of the more creative, more successful things that you’ve done to really kind of pull your employees together? Have a chance to have fun and bring cyber security to the front stage? Donna, do you want to take that?

      [00:19:33] DG: Well, yeah. So this year, because everything’s virtual right now, we’re really trying to come up with something. And I don’t want to let it all out of the bag, because I kind of want to leave it as a surprise.

      [00:19:47] TS: We won’t tell anyone.

      [00:19:49] DG: Yeah, I know. Won’t tell anyone, except they’re going to see this. But business email compromise. It’s a spoof of the big names in the organization. And so from our county manager, there’re spoofs. So October is cyber security awareness month. Halloween, it’s dress up. And so there’s going to be a little bit of a match game with business email compromise and a dress-up. So that’s something that’s coming along that’s going to be a little fun, I think. We are organizing a family feud of sorts for teams, departments to do. We’re hoping to get that one through. That’s a couple of ideas that we have in the mix. But the big one was just any time we do an awareness module, we like to tell who’s the first person who gets it done, like the first team that gets it done, the first one, and then Captain America has the Johnson County logo on his shield. He went to a team last year. And so we have – So he’s getting ready to get passed along. So we’re waiting to see who’s going to be the first one to be for this round. And it’s a tight race right now, but it’s so much fun, because it’s like he’s a plastic toy with a plastic sticker, but it’s a motivator, because people say like there’s something to it.

      And so it’s just things like that, just ways just to encourage people just a little bit different. I don’t have to monetize it necessarily, but also it’s just trying to do something from the virtual realm is that’s been the challenge that we’ve run into. But I think what we have right now might be something entertaining for the gang especially. I’m looking forward to doing the whole dress up one, because I already know I’ve got some crazy people that I work with that I can see them coming up with some wild stuff right now.

      [00:22:14] TS: That’s awesome.

      [00:22:17] TL: Yeah. I’d like to say we do competitions, but we don’t do near enough, and that’s something we’re trying to integrate more. Yeah, we’ve got big plans for October too, and one of those plans is we’re actually going to do what we call a phishing tournament, phishing with the “ph”, where we’re gonna divide the whole lab into teams and we’re going to run several phishing drills throughout the month and the team – Several teams or the top – I can’t remember how many. At least the top five, probably the top ten teams who report the phish have the best reporting numbers will win prizes. Nothing big. As a government entity, we’re not allowed to give away anything that’s really pricey or significant. We give out things like nice coffee mugs and little tool kits. But as far as the best idea, I still think that this is one of the best ideas I ever had, is these little squeeze phish, these little stress phish. But like Donna says, you can’t give these – We still try to give them away even though we’re all virtual. We use our mailing service to get things out. But I started doing this almost as soon as I got to INL, started giving these out. And I changed the species or the color scheme every year, and you can see behind me, this is our fifth. We’re working on our sixth. But you’d be surprised how many of these you see around the lab. On people’s cubes along their cube walls, by their monitor. People are proud of them and they’re happy to have them, and we’ve been able to – My team, who’s much more creative and smarter than I am, they have come up with all sorts of different ways to use these as a motivator, as branding, again, to make the program fun and, again, to help people remember cyber security. So that’s probably one of the best things that I came up with.

      Behind me you can see a little spinny wheel that we use, and that’s an idea that my team picked up on. And going back to what Donna said at the very beginning, this is one of the ways we get feedback, is we actually go out and do in-person events where we make ourselves available in the cafeterias. We make ourselves available in the lobbies of the buildings and say, “Hey, we’re going to be –” And we sent out an invite. We’re going to be here at X-o’clock and we’re going to be here for an hour. You can come earn a phish by answering a cyber security question or asking a cyber security question. Or if you’ve got two pink phish and you want a blue, you can come and swap phish. Again, using what we’ve already got. But that’s a great way to get feedback, because people will come to us and they’ll ask us questions. They’ll also tell us what they think about certain things. But that in-person is really hard with COVID.

      Again, what my team came up with was let’s do a virtual booth. So rather than setting up a booth in a lobby or in a cafeteria, we send out an invite and say, “You can join this meeting, this online meeting,” and we remind them, “You only have to come for a couple minutes.” You don’t have to stay for the whole time. You just come ask a question or get a question answered and then jump off. You don’t have to stay for the whole time. And we use the spinny wheel just like they would in real life, except I get to spin it every time. Instead of letting somebody else do it.

      So it’s trying to take that step away from the in-person and making the virtual similar. And it works really well for the folks in our lab that kind of missed the camaraderie, missed the collaboration, missed being in the same office with their workers. So those are some of the ideas that we’ve had that seem to have really made a big difference.

      [00:26:22] TS: Yeah. That’s great, and it’s so great to hear your stories and your experiences. I think a lot of people responsible for training might be a little hesitant to put themselves out there and do something really creative. But the stories that you guys tell us, you can tell people care, people respond to it, and these are the steps that you take to really make change and really turn cyber security into something that matters to everybody.

      I know we’re bumping close to time, so I definitely wanted to ask you at least one more question. Kind of a big one here. What’s the one thing that you know now that you wish you would have known at the start of launching your cyber security awareness program? In other words, is there any piece of advice? Any aha moments or lessons learned that you would like to share with today’s viewers?

      [00:27:12] BH: Boy! How long do we have?

      [00:27:14] DG: Right?

      [00:27:18] TL: I mean, go ahead, Donna. I’ll let you go first.

      [00:27:21] DG: Well, I always tell everybody one of my spiels is that I started doing this in 1999 and we didn’t even call it cyber security awareness training back then. It was just training. That was right with the dot coms, and I was teaching people not to click on attachments and emails. And it’s now 2020 and I’m still telling people not to click on attachments and emails. So the lesson that I’ve just learned is back then I just kept telling people, and now the lesson is always to listen versus always telling and always come in with an open mindset. Always no. Don’t assume that people don’t know the answer. That’s the important part. That’s why going back to that Kirkpatrick model, tests go out the window. They have the knowledge for the most part. They really do know. But what has happened is that the behavior has been modified through the years based on business process.

      And so now it’s modifying the behavior from a security. It’s putting that security posture at the top level and letting the business process become equal to where the security posture is embedded in the business process, because they’ve always been separate. And now make sure that it’s an integrated process. That’s been my biggest lesson, is making sure that that’s part of that messaging piece and pushing that where those people are more the champions and they’re the talkers, versus it’s just me. I’m just enabling them with the information to help them tell that story.

      [00:29:12] TL: Yeah, that’s great. So, real quick, I think the one thing that I wish I’d known a lot earlier was people are doing the best they can. By default, people want to do the right thing. They want to do what’s best for them and for their organization. And my job is just to make that as easy as possible. Make cyber security as easy as possible for them. And I could recap everything we said, but in interest of time I won’t. But just remember that people are doing the best they can and you just need to remind them of what the best is. And again, make it easy.

      [00:29:51] CS: Thanks for checking out Influencing Security Mindsets and Culture with Donna, Tomm and Tyler. Join us back here tomorrow for our next episode: Collaboration and Cultural Relevance: Taking Security Awareness Global, featuring David Hansen, senior analyst corporate IT security and compliance for Brookfield Renewable; and Dan Tetsma, information security specialist program manager for Amway.

      The Cyber Work with Infosec podcast is produced weekly by Infosec. The podcast is for security professionals and for those who wish to enter the cyber security field. New episodes of Cyber Work are released every Monday on our YouTube channel and at all the places you like to get podcasts. To claim one free month of our Infosec Skills platform, please visit infosecinstitute.com/skills and enter the promo code cyberwork for a free month of security courses, hands-on cyber ranges, skills assessments and certification practice exams for you to try.

      Thanks for listening, and I’ll see you back here tomorrow for more Cyber Work. Bye for now.


About Cyber Work

Knowledge is your best defense against cybercrime. Each week on Cyber Work, host Chris Sienko sits down with an industry thought leader to discuss the latest cybersecurity trends — and how those trends are affecting the work of infosec professionals. Together we’ll empower everyone with the knowledge to outsmart cybercrime.
