Simply Solving Cyber

Simply Solving Cyber - A Conversation on Cyber Workforce Awareness

Aaron Pritz

Ever feel like you're just checking boxes when it comes to cyber awareness training? Prepare to revolutionize your approach as Aaron Pritz, Cody Rivers, and special guest Jim Wailes dissect the urgent need for a cyber education metamorphosis. It's time to transform passive training into a vibrant culture of proactive defense, where every employee is an empowered guardian against digital threats. We're scrapping the obsolete methods and giving you the ABCD blueprint—Awareness, Behavior, Cultural Change, and Delta—to ensure your organization becomes a bastion of cyber resilience. 

This episode isn't just a discussion; it's a masterclass in erecting a robust cyber awareness program. We unpack the importance of executive endorsement, pinpointing the ideal advocates, and crafting a plan that transcends the initial rollout's excitement. Jim enlightens us with the harsh realities of cyber strategy missteps and the golden nuggets of incentivizing team engagement. If your aim is to forge a formidable cyber team equipped to navigate the ever-shifting cyber threat terrain, let us arm you with the latest and greatest strategies to protect your digital domain.

Speaker 1:

Welcome back to Simply Solving Cyber. I'm Aaron Pritz and I'm Cody Rivers, and you're about to tune in to our deep dive on awareness. All right, that's enough of the intro, let's dive right in, guys, because I think we've got three passionate individuals here that I think know a little bit about awareness, have some problems with how it sits in the industry today and hopefully want to have some lively conversation that can help us change that at companies that our listeners are part of or work at. Really, what we want to talk about today is what's going on with cyber awareness programs and do we think they're really effective? Maybe let's start with Cody. What is awareness to you?

Speaker 2:

Oh man. Awesome, great question, so big thing. For me, I think it's an organization's overall approach to managing human risk. It's more than just this nebulous buzzword in the market that they kind of coined to capture all things of just phishing and training. But policies, procedures, reporting concerns, again, things that are approved, tools, things that are tailored to your organization. What's your overall marketing campaign and education and training to make your workforce, to upskill them and teach them on things more important than just phishing and social engineering.

Speaker 1:

Yeah, that's right, Cody. I think we also. I mean, personally, I'd like for us to stop calling it awareness. If you ask me to tell you what awareness is, I'll probably give you an early 2000s definition of what it was back then and unfortunately for some companies it's still the same answer. It's phishing training. It's online training. Training's gotten a little bit more creative, but it's once, twice, four times a year.

Speaker 1:

Quarterly is the max that I see at some of these check-the-box programs and, you know, IT leaders that are very tool oriented buy these tools, they turn it on and they think they're done. But there's so much more that the workforce can be doing and, quite honestly, if you're leading with phishing the workforce as your core form of awareness, even though phishing is a problem, the workforce is conditioned to fear cybersecurity. Like they're the police, they're trying to trick me. I remember in one of my corporate roles where I'd get emails of like, why are you guys phishing me once a week? And I kind of laughed because we were doing quarterly and they were getting real phishes. But they were assuming that it was us. So there's a little bit of collateral damage to that.

Speaker 3:

So I think you're spot on there and it's, I mean, it's gotta be. I'm with you, I don't like the term awareness. I don't have necessarily a better word for it right now. I thought about it and tried to come up with that. But it's like, you know, you've got problems with phishing, you've got problems with cybersecurity as a whole. You know, and we're going to make everybody aware. Well, great, you know, if the building's on fire and I walk in and say, hey guys, building's on fire? Well great, now you're aware, what are you going to do about it? So we got to teach folks like, okay, yes, we have problems, but what do you do? How do you react? So it's more than just awareness. You need education for people that they can act on, so they have understanding of how to solve problems.

Speaker 1:

Yeah, Jim, and on the word, and I don't know that I have the new name right, but what I've been using for a few years is ABCD: awareness, behavior, cultural change, the D coming from the Greek symbol for change, which is the delta. So again, ABCD may be something a little bit catchier but, bottom line, you got to pull it through further than awareness to the actual behavior change and action.

Speaker 3:

Absolutely. I think action's definitely the most important part of that, you know, because if people understand, people already know that there's problems, right, but they don't know what to do about it, and I think that that's a big part of what's missing in a lot of for lack of a better term awareness programs.

Speaker 1:

So over the years I've heard several executives, usually or stereotypically technically grounded or risen up through infrastructure, make comments like humans are stupid. We're never going to fix them. We can do awareness, but there's still going to be people that are going to be clicking the links in emails or opening an attachment. So why try? Let's bet the whole farm on technology and tooling. What are your thoughts on that? Should we be giving up or is awareness really all that important?

Speaker 3:

I think no awareness is critically important. Again, maybe ABCD is critically important is what I should say to go along with that line of thought, because it's really up to the organization on what you choose to invest your time into and how to train your people. And there's been this longstanding kind of attitude that you know the humans are the weakest link. The people are the weakest link. That's the failure point and I disagree with that. They can be your weakest link. They can also be your first line of defense. That's up to you and you as an organization and as a leader, you need to own that. Are you going to invest? Are you going to work with your people? Are you going to find out how they learn and what's working for them and what's not? Or are you going to say, well, they're not understanding that, they're not supposed to click on these links in the phishing emails, so we're just going to give up?

Speaker 1:

You've got to own it. Great point. Cody, over to you.

Speaker 2:

I think it's extremely important. And I mean, let's take a quick pause and look at the past 20 years. Right, significant investment in technology risk but very little in human. And look, you got firewalls, antivirus, EDR, MDR, XDR, you know, configuration hardening. I could go on for the next 15 minutes on the investment. No, I can't. Well, not all humans. Well, here's a little training. Here is a once a month, once a quarter training. You pick up there that might have some kind of relevance to what's going on in that time. All while social engineering holds a commanding lead on the number one cause of breaches. That's people, that's human. So I've got my biggest investment over here and I've got my largest risk profile or breach cause over here, and they're not correlated.

Speaker 1:

So let's fix that. Yep, great point. So, Jim and Cody, what makes a good awareness or ABCD or culture change program? And then obviously the counter to that is what makes a bad program.

Speaker 3:

Well, I think you got to be very intentional about your program and you've got to be honest with yourself about where you are as an organization and you have to be willing to come in and put yourself in the position of the people that you're trying to help.

Speaker 3:

This is not the time to come in and show off how big your cyber brain is. You have to take your ego out of this and you have to approach this and say, okay, this is where we are as an organization and, yes, this is rudimentary for me, this is simplistic for me. But if you're the cyber pro who's been tasked with solving this problem, you can't approach it from your level of understanding. You have to be able to put yourself in the shoes of the people that you're trying to help and be willing to step down from your level of knowledge and start to spread that understanding of what to you may be very simple but could be very helpful to the people that you're trying to help out. So I think, if you're willing to do that, if you're willing to slow down and to step down and work on those basics instead of trying to do the one-off cool things, that can make all the difference in a program.

Speaker 1:

Yeah, great point, Cody.

Speaker 2:

Easy, what's in it for me. So I think here, like making this, like making it relevant topics, making it omnichannel. So, first of all, people need to know why is this training important to me? How does it help me as Cody for the job that I'm working in? And, I think, going a step further, for Cody at home, my wife, my kids, my parents, my cousins, my family, my neighbors, people I care about. This news or this stuff that I'm learning I can use here and there. So while I'm getting this training to keep my company safe and being a better person there, I can use this in other ways.

Speaker 2:

Also, omnichannel. I mean, a lot of your workforce, it's not always going to be at an email. You're going to have manufacturing, you're on a line somewhere, you're out in the middle of the ocean on an oil rig. So making the content come digitally, signage, lunch and learn. So, I think, having relevant topics, an omnichannel approach. And then I said earlier, making it more than just a phishing and solutions journey. Yes, that's great, that's important. Table stakes, that should be there. But how do I handle data? How do I? I see a concern. Who do I report it to? How do I report it? So I think arming them with that knowledge, I think it makes it a lot better. So, to Jim's point, you educate your team. So instead of having 20 vulnerable areas, you've got 20 sentinels that are additional, now armed and educated, in your workforce that are reporting back and finding things and looking at things that may be suspicious.

Speaker 1:

Yeah, great point, Cody. A couple things for me. First of all, grassroots, and you can call it a champions program, advocates, ambassadors, whatever word works within your company. And most importantly, and this goes to what I see as bad programs, is a cyber leader says, okay, let me get some champions who are my business-facing IT people to take the role. Okay, I would take that versus nothing. But we are missing the boat if we can't indoctrinate champions within the business that are true grassroots, not the IT person that they assume is already doing cyber for them.

Speaker 1:

Get somebody in the business. It's easier to get somebody that knows how to influence within their group and the culture and the actual job that you're trying to protect. And then also, like multiple countries and cultures and states. Even states in the US have different cultures. You look at East Coast, West Coast, Midwest nice, that's where most of us sit. Jim, you transplanted to Florida so you can unpack later what the Floridians are like.

Speaker 1:

But beyond that, if you got your champions, you got to next hit them with something that they don't expect. More corporate training and ILP, individual learning plan, assignments is not going to get it done. You got to hit them with something that's going to knock them out of their chair, stumble on the way into work, like not literally, whether it's humorous videos or Netflix-style crime documentaries, like what is popular on Netflix. And how can you replicate some of that same energy through something that's specific to your company? And also don't get trapped into assuming that an out-of-the-box Netflix-style video from a training provider is going to do it for your company. Does it have anything about your company's specific initiatives and culture and industry that you're in? Probably not. Some great things. We use them, but spend all of your time making it specific to your company. And then, lastly, measure what works and keep doing more of that and dump what doesn't. All right.

Speaker 1:

Next, leadership buy-in. And this is probably the biggest trick, because this is the thing that limits organizational uptake for awareness. If your senior leaders don't think it's important, you're not going to get any energy within the company. So, Jim, what are your tips and tricks on how to get senior leadership buy-in?

Speaker 3:

Yeah. So this is an interesting one for me because I'm always, and this is not just with educational programs like this, but with any kind of cyber program, I think that, you know, you make the business case, right. Make the business case for why it's important to invest in this, and it seems like on its face, like a lot of times, it should be a pretty easy conversation, because I think we've got great evidence at this point, we've got years of historical evidence that cyber incidents, being the victim of a cyber incident, is far more expensive than any investment that you're going to make into bolstering your defenses, right. And if you can circle that conversation back to taking your workforce and making them your first line of defense and making them something that's a positive for the organization rather than being perceived as that weakest link, then by doing that it very much helps that conversation along to be able to get that leadership buy-in.

Speaker 3:

Make it about the business and it carries over too into people's personal lives. There has to be value seen in that. Maybe you've got a great workforce, but if you've got all of your employees constantly worried about whether or not they're going to get their identity stolen or their bank accounts taken over and drained, they're not going to be focused on the work that they're trying to be doing for your business. They're going to be paranoid about everything going on in their lives. So empower them to be educated enough to understand that information so that they can concentrate on what they're doing for the business.

Speaker 1:

Great point. Cody.

Speaker 2:

Rising tide raises all ships. So to Jim's point, I'll do a quick echo of what he said. Make it about the business. Correlate business risk to cyber risk. Show people why it's important. You give me a business risk or business initiative and I can tell you how cyber affects it and cyber can put that in harm's way. Every business leader, whether it's finance, operations, executive, legal, compliance, cyber risk is a potential derailer to their strategy. Align that with cyber risk, help have a conversation about it, educate them on potential and I think you get buy-in.

Speaker 1:

Yeah, great point. Quick story from my perspective, and this is specifically a pharma client that we've had for several years. Great partner, great progress along the way. But early on in their journey the senior executive that the CISO reported to was kind of doubting whether more training would be effective. And this was an executive that was in ethics compliance and obviously training means something for ethics compliance. It's probably a little, I dare to say, old school from basic. I mean, if we've all been through compliance training, it has to be pretty vanilla, just based upon the topics. But really we had to take some early wins and batting signals instead of home runs and triples.

Speaker 1:

But I think once we got some of the basics in place and we started to prove the return on investment and the impact and the energy that was creating each year we've been allowed to expand the footprint and do some maybe slightly more avant-garde elements. It's still a conservative culture. They're not out there doing some of the craziest stuff that we've been able to do at other companies or I did when I was on the corporate side, but it fits within the organizational culture. But I think it's really like early wins and then more will come once you show some growth.

Speaker 1:

So, Jim, I want to come back to you because I mentioned in my things that what makes a good program. I mentioned champions and being embedded in the business. I know you went to a national cyber awareness conference in January and came across a panel that I know you were very excited about and it was about awareness and all three speakers were interested in it, but they never actually achieved it yet. They were working on it. So, Jim, talk about champions and maybe that experience. Why should it be that hard? Why is it hard and how do people get by that?

Speaker 3:

You're right, Aaron, and it wasn't just the panelists that were interested in it, or myself that was interested in it. Honestly, the entire room was very, very engaged in this conversation around champions and it does seem to be something that a lot of organizations are interested in or trying to do. But it is difficult and it is fairly rare that companies have a good and well-established, well-built champions program, and I think the reason for that is it's hard, and I kind of learned this when I first started building champions programs because, on its face, and I'll admit that when I first started looking at these programs and trying to figure out how to build them, they seem pretty simple. You just get a bunch of folks together that are interested in this stuff and they're willing to talk about it. But it's so much more than that and you have to find the right people and you have to get the leadership buy-in.

Speaker 3:

You have to have a plan for how to put all these pieces together to get this stood up, because it is a distributed group and there are dynamics to that that are very challenging. So, even though it seems fairly simplistic walking into it, you have to have a plan on how you're going to go about eating that elephant, because it absolutely is a large project to take on. And then I think you have to also have a plan for sustainment, because getting past the point where you've stood it up is great and that's a great accomplishment, but how do you keep it going, how do you keep it relevant? And I've seen other programs fail because once they got it stood up they thought they were done. And it's a continuing effort and you have to plan for that.

Speaker 1:

Yeah, great point. Cody Rivers, over to you.

Speaker 2:

I mean, I say, how easy is it to ask people to do extra work for free, right? Most programs I've learned of that have champions, it's an additional financial bump. In addition, what are the key assets that need to be successful? What are the responsibilities? How often do they meet? How do you communicate this mission statement for the champions program to other champions' supervisors that, hey, I need some of their time each quarter, and for what? So it's not easy.

Speaker 2:

And a lot of folks, to Jim's point, this is their first champions program, so it's not like there's a precedent that you can just go, oh, here's my champions toolkit. So I think a lot of that is the fear of the unknown. And also, with a lot of things, you don't get a lot of shots on goal. You don't come correct and you don't have the right messaging and the right story and you can't get the buy-in, and you get shut down from the leader who says my team's too busy, I'm not going to do it. You got to get folks on board, make it as easy as possible and find creative ways to reward them and I think, like Jim said earlier, that's how you do in year two and year three, because that's just year one. So it can be difficult, but for those who've done it a couple of times or you've got some resources, it's not just an idea that turns out tomorrow.

Speaker 3:

Yeah, and if I could piggyback on that just real quick. Cody, I think you brought up a really good point, because there are those difficult items. But, Aaron, you asked an important question about why is it rare? And it's rare, I think, because a lot of folks try to do this and they fail because they don't have a lot of other people that they can go to to say, you have this established, how did you do it? Because it's fairly new and most of the time when it gets tried it does fail. There are some successful programs out there, but people don't know who built and who are running those programs, so they don't know who to go to for advice.

Speaker 1:

Favorite question of all topics is, hey, if folks hearing this don't have a program in place or it's early stage, what is one thing that they could take away or one action that they could take to get started? And I'll go ahead and start with kind of my one thing. And I'll start with not my one thing, but the thing that almost everyone starts on and sometimes stalls on is it's easy to say, hey, there's a lot of great tools out in the market and I'm going to go buy one of them. It's probably going to be KnowBe4, Proofpoint, definitely the market leaders. Both are great. We use both at many of the companies that we help with awareness.

Speaker 1:

But the problem is you spend a year rolling that out, you get some traction and a lot of the programs die there. Executives start to say, hey, we got our tool, that should be enough. It's training, it's industry best practice, but they're really missing the opportunity to be more strategic, to define the business and really implement that comprehensive strategy. So, as much as I support these tools and basic phishing, if you don't have a broader strategy and you start down that path, you might get pressure that that was your last chess move that you've made, and I really try to help early leaders and early CISOs avoid this, because the people element is the most underutilized asset within a program. Cody or Jim?

Speaker 2:

Sure, I'll take it. I'll let Jim finish up. My thing is, I think it's easier to get InfoSec people on board for an awareness program and educate. I think the first thing is you need to educate non-InfoSec IT leaders on the risk around their critical assets. What are they, where do they exist and who has access to them? Build a cyber committee. So my simple thing is build a cyber committee, get their involvement and establish conversations around what's in place around their critical assets. That's what makes them stay up late at night to think about, and then that leads to, okay, well, now that I know there's this risk, I am more apt to awareness education. But I first have to understand how does the risk apply to me as a non-IT, non-InfoSec function leader?

Speaker 1:

Great point. Jim.

Speaker 3:

Yeah, I'll finish up just by saying that I agree with what you guys are saying 100%.

Speaker 3:

I really like what you're saying, Aaron, about the tool and concentrating too much on the tool and bringing in the people. I think bringing somebody into your team, or at least having somebody identified that you can have, that can help your team in delivering those awareness, those training messages, is critical because, to your point with the tool, Aaron, you can bring somebody into your kitchen that knows what a spatula is, but they don't know how to use it. If they don't know how to use the tools in the kitchen, they can't put together a good meal, right? You've got to be able to understand how those pieces come together and how they can be presented to people so that they understand it and that they like it. You need somebody who's got some experience with training so that they can use those tools that you've already invested in. They can use the information that you have so that they can put that into a holistic item, a presentation to give to your workforce that they can then benefit from.

Speaker 1:

Yep, great point. Well, that's all the time we have for today. If any of our listeners heard something that they're interested in, any one of us would love to pick up a conversation with you. We are passionate about this topic. Again, I think it's an underserved opportunity. With most cyber teams, most of the programs that are awareness are behind the times and stale, even with the best technology. So we would love to have some of those conversations to figure out, even if it's just a conversation, how we can help you achieve more success with people. Thanks so much and have a good rest of the day.