Ask us anything about security awareness, behavior & culture (session #2)
It is vital that cybersecurity programs find a balance between securing the operations that their businesses rely on and enabling them to work effectively. An important component of finding this sweet spot comes with the successful implementation of a security awareness program and encouraging a security-minded culture from the corner office down to the newest employee, starting right from the moment new employees are hired.
How four different types of organizations go about fostering a security-conscious mindset was actually a topic at the Infosec Inspire Cyber Skills Summit. The Security Awareness, Behavior and Culture: Ask Us Anything Q&A session featured the following guests:
- Donna Gomez, Security Risk & Compliance Analyst, Johnson County Government — State of Kansas
- David Hansen, Senior Analyst, Corporate IT Security & Compliance, Brookfield Renewable
- Tomm Larson, Cyber Security Awareness Lead, Idaho National Laboratory
- Dan Teitsma, Information Security Specialist/Program Manager, Amway
The panel covered a range of topics, but it was clear that each of the guests was passionate about creating a strong security mindset across their large, multi-faceted organizations even in the face of the uncertainty of the COVID-19 pandemic.
What qualities make for successful training team members?
Clip #1: What Skills are needed on a security awareness team?
When it comes to staffing your security awareness training team, the panelists emphasized more soft skills and people skills than technical, as there will always be resources around to answer the specific questions. This includes good writing organizational and project management skills as well as a creative mindset to think of new ways to deliver materials to their audience.
Equally important is an understanding of work and regional culture so training resonates and the language used fits the audience. As Tomm Larson notes, “You have a consistent message globally, but you have to adapt it for the culture at the local level. And that’s absolutely key: you need the people that have that cultural awareness.” One potential solution is having team members embedded in specific locations.
How have your organizations adapted your security awareness programs for virtual and live delivery?
Given the ongoing COVID-19 global pandemic and the drastic changes many organizations have made to their operations — including a notable rise in remote work — this question from the audience garnered a lot of input from the panel.
While the panelists noted that they already had a lot of the key components in place to introduce and reinforce security awareness just given the geographic scale and size of their organizations, the move toward an even more dispersed workforce still presented challenges. While computer and web-based training as well as online meetings were already a regular part of security awareness training, these components took on even more importance as live, in-person delivery was taken off the table as an option.
For Tomm Larson of Idaho National Laboratory, that meant a big switch in gears. According to Larson, while there were some upsides — such as seeing a different, more personal side of your coworkers while they worked from home — it also meant a change in tactics to reach his audience. While he has spent a lot of his career getting up in front of people, interacting with the audience and feeling the audience’s energy, Larson has had to find new ways to do this online.
“There’s a lot of technology already out there that allows us to do these types of things beyond just typing something in a chat window. We try to take advantage of [the online tools],” notes Larson. In addition, he uses the new information that he has learned about his coworkers while they are working from home to find new ways to reach them..
For Dan Teitsma and David Hansen, although there was not much of a change to their programs, they leaned more on web-based tools to deliver computer-based training. However, it is about finding a healthy balance between making their training and email messages resonate without sending so many that they are overlooked.
For Teitsma, that means his facilitators make more of a real conscious effort to engage with staff during the training. For Hansen, they have tried to be more targeted with those that may need more help. “What we have adopted or started is the process of adapting our training for those individuals who have demonstrated susceptibility to my phishing campaign. We are now conducting instructor-led, online training sessions to give them the tools so that way they’re self-sufficient.”
How do you effectively justify your security training and awareness budget?
Clip #2: How to get budget for your security awareness training
The panel consensus was a strategy that compared the costs of their training budgets toward the considerably more expensive technical equipment.
“In my experience, the technology that we use to protect our users via firewalls or email filters or proxy servers, all of that is orders of magnitude greater than my training costs,” notes Tomm Larson. “You can spend a million dollars on a firewall or you can spend $30,000 on a subscription to some great cybersecurity awareness training.”
The panel also noted that you can also talk about risk and point out that studies have shown that the biggest risk to your organization’s cybersecurity is people, as that’s how the hackers get in most often. “So if it’s a risk conversation, you’ve got to get your ammunition ready,” concludes Larson.
Similarly, the panel notes trying to quantify what the financial impact will be of an actual security event based on real events and compare that to your training costs. “Understand what the business wants and needs are, and tell them the story,” notes Donna Gomez, but put it in the mindset of who you are talking to. “Get to know your auditor. Get to know your risk manager. Get to know your cyber insurer,” recommends Gomez.
“Go out there and talk to these people. IT is supposed to enable the business and how you do that is by making the business and IT understand each other, and that’s part of cybersecurity awareness.”
In an ever-changing operational environment, it is clear that security professionals need to stay as nimble and as vigilant as ever while also thinking proactively about how to maintain a high level of security awareness among their stakeholders. That even includes leaning on peers in the industry more. In fact, the panels agreed that, ironically, “if you want to steal, beg, borrow, take” from them to improve your own security awareness program, feel free to reach out.