Many cyber and information security workforce awareness programs are nascent, broken, starved for resourcing, and/or lack a meaningful budget. They tend to focus on a few standard but tired components:
• Many companies are myopically focused on automated distribution of realistic email phishing practice simulations. In many organizations, this focus represents about 90% of the workforce-facing efforts.
• Annual (or periodic) online training modules (often limited to 30-60 minutes for the year by corporate rules designed to protect employee time). Evolving organizations have adopted more modular and frequent online training, but the majority are using standard, non-company-specific SaaS-based training solutions, deploying them like a typical IT project.
• Producing long lists (in the form of policies, standards, or communications) of things employees shouldn’t do to keep the company safe.
While none of these things are inherently bad or misguided, we as an industry of cyber professionals must do better to engage and empower employees to stay safe while being productive and innovative. We need to transform (or even revolutionize) our engagement tactics and use design thinking to reinvent the employee experience around cyber protection. And most importantly, STOP making lists of bad things to avoid without bringing proactive solutions to do the right thing to help.
Consider the following common business scenarios:
• Steve from marketing gets a link to a document seemingly shared by a co-worker via SharePoint or Google Drive and quickly clicks the link to open the file.
• Donna from accounts payable gets a text from her boss asking for help with a client invoice issue and directing her to join a call with the customer accounting rep to update ACH instructions.
• Sandra shares a very sensitive strategy deck with an external party via unencrypted email.
• Alejandro manages multiple steps of a critical business process but doesn’t have context or any tactics to help him understand the sensitivity of the various types of information involved, or how to treat the information differently if it is sensitive.
• Rochelle is disgruntled and interviewing for jobs outside the company, so to prepare for interviews and show examples of her work she emails herself several folders of materials for key projects she built.
All of these led to a significant breach of company information/IP, monetary loss, or operational impairment for an organization. Importantly, only one of them involved email phishing.
All these scenarios occurred at organizations that required cyber training and sent ethical phishing campaigns to employees at least quarterly. They also had a robust stack of protective and detective cyber tools. In these cases, the tools did not catch or mitigate the risk of the employee action before the damage was done.
As they say, doing the same thing over and over expecting a different result is the definition of insanity.
The biggest challenge and opportunity in cybersecurity programs is not technology itself, but the human factor surrounding use of technology. It is no surprise that employees, who are often busy with their daily tasks, are the most desired and exploited pathway for cyber attackers to infiltrate their company’s systems to steal from, manipulate, or disrupt the business.
It is easy enough to critique the past and present, but it only matters if you can pave the way for change and improvements in the future. Here are some practical insights and focal areas on how organizations must transform their human factor defenses:
Ethical Phishing is not the Answer
There is a reason that ethical phishing campaigns get the emphasis in cyber awareness programs that they do. Most cyber-attacks have historically started with a phish, and ethical phishing programs are extremely simple to measure and “show value”. In my experience, the tactic is a necessity, but if it is your program’s primary focus, the program will miss key opportunities to empower and engage workforce members. In the worst case (when done poorly), it will create a fear-based culture that alienates the info sec team from the workforce.
Annual online training has been another staple of information security workforce awareness programs for a long time. However, this approach doesn’t work, as it’s merely a checkbox for compliance and doesn’t help facilitate real change in employees’ security practices. Formal training can be a necessity to show compliance and acknowledgment of accountability but shouldn’t be a primary approach to enabling positive behavior and culture change.
To make these programs more effective, they need to be less like a checkbox and more like an engaging marketing campaign and comprehensive workforce change management effort.
Diversify Your Cyber Workforce-Facing Talent Base
In an era where employee mistakes, scams, trickery, and deceit are the mainstay of every cyber-attack, tight budgets and part-time emphasis make the workforce a limited focus of a cyber program. There is a need to diversify the talent base when it comes to cyber workforce awareness, as the traditional cyber skill set may not make for a good awareness leader. It’s crucial to find people who can explain the risks and potential consequences to non-technical people. Moreover, we need to question whether “awareness” is even the right name for the need. At Reveal Risk, we have leveraged “Awareness, Behavior, and Culture Change (ABCD)” as a better representation of the necessary capability. ABCD recognizes that increasing awareness is necessary, but not sufficient by itself. Culture and sustainable positive change in learned behaviors need to take place for human defenses to be successful.
We utilize a diversely experienced spread of individuals including military veterans, ex-law enforcement agents that have a track record for explaining deep technical nuances to unskilled jurors, corporate cyber practitioners that understand the workforce and business context, six sigma/process improvement experts, and agency-experienced creative talent to bring company context and meaningful behavior change to life in new and compelling ways.
Embed True Agents of Change
In building grassroots-oriented efforts such as champions programs, fight the urge to appoint local IT support staff or representatives to the cause. While they can be helpful, reserve these opportunities for diverse business representatives who are part of the organizations and divisions you are looking to grow support and knowledge in. After all, many workforce members don’t believe that cyber is their responsibility. So why send an IT person to inspire them versus a respected peer who has jumped in to help within their work community?
Enable or Improve the Workforce Experience, Processes, and Supporting Technology
Long lists of bad behaviors to avoid are tough because they quickly become white noise or impossibly difficult rules to remember. Cyber programs should scrap the list of “do nots” and shift to redefining the workforce experience around cyber and data protection.
What makes the most popular products and devices sustainably popular? (Think Apple, Tesla, etc.) Intuitive experience, clarity of purpose, simple processes, and aesthetics, to name a few.
Many (even well-funded) cyber programs don’t have clear instructions about some of the basics like secure transfer, communications, and data protection. It can also be unclear how/when/why to use them. On top of the lack of clarity in the workforce, many business processes are so broken or misaligned with protective technology that even when people want to do the right thing, they are destined to fail or at least make periodic mistakes.
This is a process improvement guru’s dream. What are the most critical business processes from a cyber risk standpoint? How can you dissect them and rebuild them in ways that boost both security and productivity? Cyber professionals often lament the lack of a seat at the table or sufficient budget. Well… here’s your opportunity: go get a “hat trick” win by improving the employee experience, improving business performance, and reducing security risk all at once!
Company and Industry-Specific Workforce Cyber Campaigns
What makes a marketing campaign successful and sustainable? If you think back across the last 20 years and search online for the best of the best, you will get various top 10-30 lists of famous campaigns:
• Nike: Just Do It
• California Milk Processor Board: Got Milk? Campaign
• Wendy’s: Where’s the Beef?
• Coca Cola: Share a Coke
These examples and many others share some key components:
• Provocative
• Memorable
• Evolving with the product
• Simple and clear
• Inclusive of calls to action
Most cyber professionals would love a successful brand or action-oriented campaign that would garner support for what they are doing and what they need from people. Unfortunately, but unsurprisingly, most cyber professionals are not marketing and sales experts (although I have known some really good ones that came from these fields and are killing it in cyber). Even with this apparent limitation, cyber teams need to embrace the unknown through external partnerships, diverse hires, and throwing support and dollars behind an element of the cyber programs that could be a little avant-garde.
If the concept of a traditional cybersecurity awareness program (as described at the top of this article) could be turned on its head to become something more like one of the successful marketing campaigns, I firmly believe that the very hard job cyber professionals have would become a lot easier and a lot more rewarding for all.
It has taken me over 10 years and multiple programs to cultivate my workforce-facing playbook, staff, creative experts, and constantly evolving/improving approaches. I enjoy helping clients skip all the trial and error and get accelerated speed to value. But most importantly, I enjoy working with them to understand the business, culture, and context to create specific tactics that work for their company and culture.
Whether you use outside help or want to pave your own way, I hope this article has inspired you to think differently about how you can score some wins with the most important defensive control you can put in place:
Every.
Single.
Person.
At Reveal Risk, we evaluate, design, and deliver strong processes and results in cyber, privacy, and risk that work efficiently, are fit-for-purpose, and are sustained. If you want assistance building your company’s cyber security strategy, governance, and plan towards desired state maturity, please don’t hesitate to contact us at info@revealrisk.com.
317.759.4453
About the Author
Aaron is a former senior IT/Security/Audit/Privacy/Risk leader at Eli Lilly with over 20 years of experience in the pharmaceutical and life sciences sector. He founded the risk management working group for the H-ISAC (Healthcare Information Security and Analysis Center), which enabled information sharing and benchmarking across pharma, payers, and health care providers. Aaron is a certified Six Sigma Black Belt with a career emphasis on building and improving internal processes and controls.