May 24, 2024 22 mins

Ever feel like you're just checking boxes when it comes to cyber awareness training? Prepare to revolutionize your approach as Aaron Pritz, Cody Rivers, and special guest Jim Wailes dissect the urgent need for a cyber education metamorphosis. It's time to transform passive training into a vibrant culture of proactive defense, where every employee is an empowered guardian against digital threats. We're scrapping the obsolete methods and giving you the ABCD blueprint—Awareness, Behavior, Cultural Change, and Delta—to ensure your organization becomes a bastion of cyber resilience. 

This episode isn't just a discussion; it's a masterclass in erecting a robust cyber awareness program. We unpack the importance of executive endorsement, pinpointing the ideal advocates, and crafting a plan that transcends the initial rollout's excitement. Jim enlightens us with the harsh realities of cyber strategy missteps and the golden nuggets of incentivizing team engagement. If your aim is to forge a formidable cyber team equipped to navigate the ever-shifting cyber threat terrain, let us arm you with the latest and greatest strategies to protect your digital domain.

Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:01):
Welcome back to Simply Solving Cyber. I'm Aaron Pritz, and I'm Cody Rivers, and you're about to tune in to our deep dive on awareness.

(00:21):
All right, that's enough of the intro, let's dive right in, guys, because I think we've got three passionate individuals here that I think know a little bit about awareness, have some problems with how it sits in the industry today, and hopefully want to have some lively conversation that can help us change that at companies that our listeners are part of or work at.

(00:42):
Really, what we want to talk about today is what's going on with cyber awareness programs, and do we think they're really effective? Maybe let's start with Cody. What is awareness to you?

Speaker 2 (00:47):
Oh, man. Awesome, great question. So, big thing for me, I think it's an organization's overall approach to managing human risk. It's more than just this nebulous buzzword in the market that they kind of coined to capture all things of just phishing and training.

(01:09):
But policies, procedures, reporting concerns, again, things that are approved, tools, things that are tailored to your organization. What's your overall marketing campaign and education and training to make your workforce, to upskill them and teach them on things more important than just phishing and social engineering.

Speaker 1 (01:22):
Yeah, that's right, Cody. I think we also... I mean, personally, I'd like for us to stop calling it awareness. If you ask me to tell you what awareness is, I'll probably give you an early 2000s definition of what it was back then, and unfortunately for some companies it's still the same answer. It's phishing training. It's online training.

(01:43):
Training's gotten a little bit more creative, but it's once, twice, four times a year. Quarterly is the max that I see at some of these check-the-box programs, and, you know, IT leaders that are very tool-oriented buy these tools, they turn it on and they think they're done.

(02:04):
But there's so much more that the workforce can be doing and, quite honestly, if you're leading with phishing the workforce as your core form of awareness, even though phishing is a problem, the workforce is conditioned to fear cybersecurity. Like they're the police, they're trying to trick me. I remember in one of my corporate roles where I'd get emails of like, why are you guys phishing me once a week? And I kind of laughed because we were doing quarterly and they were getting real phishes. But they were assuming that it was us. So there's a little bit of collateral damage to that.

Speaker 3 (02:23):
So I think you're spot on there, and it's, I mean, it's gotta be... I don't... I'm with you, I don't... I don't like the term awareness. I don't have necessarily a better word for it right now. I thought about it and tried to come up with that. But it's like, you know, you've got problems with phishing, you've got problems with cybersecurity as a whole. You know, and we're going to make everybody aware.

(02:45):
Well, great, you know, if the building's on fire and I walk in and say, hey guys, building's on fire? Well great, now you're aware, what are you going to do about it? So it's like, you know, so we got to teach folks like, okay, yes, we have problems, but what do you do? How do you react? So it's more than just awareness.

(03:05):
You need education for people that they can act on, so they have understanding of how to solve problems.

Speaker 1 (03:07):
Yeah, Jim, and on the word, and I don't know that I have the new name right, but what I've been using for a few years is ABCD: awareness, behavior, cultural change, the D coming from the Greek symbol for change, which is the delta.

(03:28):
So again, ABCD may be something a little bit catchier but, bottom line, you got to pull it through further than awareness to the actual behavior change and action.

Speaker 3 (03:32):
Absolutely. I think action's definitely the most important part of that, you know, because if people understand, people already know that there's problems, right, but they don't know what to do about it, and I think that that's a big part of what's missing in a lot of, for lack of a better term, awareness programs.

Speaker 1 (03:48):
So over the years I've heard several executives, usually or stereotypically technical grounded or rise up through infrastructure, executives make comments like humans are stupid. We're never going to fix them. We can do awareness, but there's still going to be people that are going to be clicking the links in emails or opening an attachment.

(04:08):
So why try? Let's bet the whole farm on technology and tooling. What are your thoughts on that? Should we be giving up, or is awareness really all that important?

Speaker 3 (04:18):
I think no, awareness is critically important. Again, maybe ABCD is critically important is what I should say to go along with that line of thought, because it's really up to the organization on what you choose to invest your time into and how to train your people. And there's been this longstanding kind of attitude that, you know, the humans are the weakest link.

(04:39):
The people are the weakest link. That's the failure point, and I disagree with that. They can be your weakest link. They can also be your first line of defense. That's up to you, and you as an organization and as a leader, you need to own that. Are you going to invest? Are you going to work with your people?

(05:00):
Are you going to find out how they learn and what's working for them and what's not? Or are you going to say, well, they're not understanding that they're not supposed to click on these links in the phishing emails, so we're just going to give up?

Speaker 1 (05:09):
You've got to own it. Great point. Cody, over to you.

Speaker 2 (05:12):
I think it's extremely important. And I mean, let's take a quick pause and look at the past 20 years. Right, significant investment in technology risk but very little in human. And look, you got firewalls, antivirus, EDR, MDR, XDR, you know, configuration hardening. I could go on for the next 15 minutes on the investment.

(05:34):
No, I can't. Well, not all humans. Well, here's a little training. Here is a once a month, once a quarter training. You pick up there that might have some kind of relevance to what's going on in that time. All while social engineering holds a commanding lead on the number one cause of breaches.

(05:55):
That's people, that's human. So I've got my biggest investment over here and I've got my largest risk profile or breach cause over here, and they're not correlated.

Speaker 1 (06:06):
So let's fix that. Yep, great point. So, Jim and Cody, what makes a good awareness or ABCD or culture change program? And then obviously the counter to that is what makes a bad program.

Speaker 3 (06:18):
Well, I think you got to be very intentional about your program and you've got to be honest with yourself about where you are as an organization, and you have to be willing to come in and put yourself in the position of the people that you're trying to help. This is not the time to come in and show off how big your cyber brain is.

(06:41):
You have to take your ego out of this and you have to approach this and say, okay, this is where we are as an organization and, yes, this is rudimentary for me, this is simplistic for me. But if you're the cyber pro who's been tasked with solving this problem, you can't approach it from your level of understanding.

(07:03):
You have to be able to put yourself in the shoes of the people that you're trying to help and be willing to step down from your level of knowledge and start to spread that understanding of what to you may be very simple but could be very helpful to the people that you're trying to help out. So I think, if you're willing to do that, if you're willing to slow down and to step down and work on those basics instead of trying to do the one-off cool things, that can make all the difference in a program.

Speaker 1 (07:24):
Yeah, great point. Cody?

Speaker 2 (07:26):
Easy: what's in it for me. So I think here, like making this, like making it relevant topics, making it omni-channel. So, first of all, people need to know why is this training important to me? How does it help me as Cody for the job that I'm working in?

(07:48):
And, I think, going a step further, for Cody at home: my wife, my kids, my parents, my cousins, my family, my neighbors, people I care about. This news or this stuff that I'm learning I can use here and there. So while I'm getting this training to keep my company safe and being a better person there, I can use this other ways also.

(08:13):
Omnichannel, I mean you don't have a lot of your workforce, it's not always going to be at an email, you're going to have manufacturing, you're on a line somewhere, you're out in the middle of the ocean on an oil rig. So making the content come digitally, signage, lunch and learn. So, I think, having relevant topics, omnichannel approach. And then I said earlier, making it more than just a phishing and solutions journey. Yes, that's great, that's important, table stakes, that should be there. But how do I handle data? How do I... I see a concern. Who do I report it to? How do I report it?

(08:33):
So I think arming them with that knowledge, I think it makes it a lot better. So, to Jim's point, you educate your team. So instead of having 20 vulnerable areas, you've got 20 sentinels that are going to, are additional, now are armed, educated in your workforce that are reporting back and finding things and looking at things that may be suspicious.

Speaker 1 (08:52):
Yeah, great point, Cody. A couple things for me. First of all, grassroots, and you can call it a champions program, advocates, ambassadors, whatever word works within your company. And most importantly, and this goes to what I see as bad programs, is a cyber leader says, okay, let me get some champions who are my business-facing IT people to take the role.

(09:14):
Okay, I would take that versus nothing. But we are missing the boat if we can't indoctrinate champions within the business that are true grassroots, not the IT person that they assume is already doing cyber for them. Get somebody in the business.

(09:35):
It's easier to get somebody that knows how to influence within their group and the culture and the actual job that you're trying to protect. And then also, like multiple countries and cultures and states, even states in the US have different cultures. You look East Coast, West Coast, Midwest nice, that's where most of us sit. Jim, you transplanted to Florida so you can unpack later what the Floridians are like.

(09:55):
But beyond that, if you got your champions, you got to next hit them with something that they don't expect. More corporate training and ITP individual learning plan assignments is not going to get it done.

(10:17):
You got to hit them with something that's going to knock them out of their chair, stumble on the way into work, like not literally, whether it's humorous videos or Netflix-style crime documentaries, like what is popular on Netflix. And how can you replicate some of that same energy through something that's specific to your company? And also don't get trapped into assuming that an out-of-the-box Netflix-style video from a training provider is going to do it for your company.

(10:38):
Does it have anything about your company's specific initiatives and culture and industry that you're in? Probably not. Some great things. We use them, but spend all of your time making it specific to your company. And then, lastly, measure what works and keep doing more of that and dump what doesn't. All right. Next, leadership buy-in.

(10:59):
And this is probably the biggest trick, because this is the thing that limits organizational uptake for awareness. If your senior leaders don't think it's important, you're not going to get any energy within the company. So, Jim, what are your tips and tricks on how to get senior leadership buy-in?

Speaker 3 (11:10):
Yeah. So this is an interesting one for me because I'm always... this is not just with educational programs like this, but with any kind of cyber program. I think that, you know, just, you make the business case, right. Make the business case for why it's important to invest in this.

(11:32):
And it seems like on its face, like a lot of times, it should be a pretty easy conversation because I think we've got great evidence at this point, that we've got years of historical evidence that cyber incidents, being the victim of a cyber incident, is far more expensive than any investment that you're going to make into bolstering your defenses, right.

(11:53):
And if you can circle that conversation back to taking your workforce and making them your first line of defense and making them something that's a positive for the organization rather than being perceived as that weakest link, then by doing that, then it very much helps that conversation along to be able to get that leadership buy-in. Make it about the business, and it carries over too into people's personal lives. There has to be value seen in that.

(12:13):
Maybe you've got a great workforce, but if you've got all of your employees constantly worried about whether or not they're going to get their identity stolen or their bank accounts taken over and drained, they're not going to be focused on the work that they're trying to be doing for your business. They're going to be paranoid about everything going on in their lives. So empower them to be educated enough to understand that information so that they can concentrate on what they're doing for the business.

Speaker 1 (12:31):
Great point. Cody?

Speaker 2 (12:33):
Rising tide raises all ships. So, to Jim's point, I'll do a quick echo of what he said. Make it about the business. Correlate business risk to cyber risk. Show people why it's important. You give me a business risk or business initiative and I can tell you how cyber affects it and cyber can put that in harm's way.

(12:58):
Every business leader, whether it's finance, operations, executive, legal, compliance, cyber risk is a potential derailer to their strategy. Align that with cyber risk, help have a conversation about it, educate them on potential, and I think you get buy-in.

Speaker 1 (13:06):
Yeah, great point. Quick story from my perspective, and this is specifically a pharma client that we've had for several years. Great partner, great progress along the way. But early on in their journey the senior executive that the CISO reported to was kind of doubting whether more training would be effective.

(13:28):
And this was an executive that was in ethics and compliance, and obviously training means something for ethics and compliance. It's probably a little, I dare to say, old school from basic. I mean, if we've all been through compliance training, it has to be pretty vanilla, just based upon the topics. But really we had to take some early wins and bunt singles instead of home runs and triples.

(13:50):
But I think once we got some of the basics in place and we started to prove the return on investment and the impact and the energy that was creating, each year we've been allowed to expand the footprint and do some maybe slightly more avant-garde elements. It's still a conservative culture.

(14:12):
They're not out there doing some of the craziest stuff that we've been able to do at other companies or I did when I was on the corporate side, but it fits within the organizational culture. But I think it's really like early wins and then more will come once you show some growth. So, Jim, I want to come back to you because I mentioned in my things that what makes a good program. I mentioned champions and being embedded in the business.

(14:33):
I know you went to a national cyber awareness conference in January and came across a panel that I know you were very excited about, and it was about awareness, and all three speakers were interested in it, but they never actually achieved it yet. They were working on it. So, Jim, talk about champions and maybe that experience. Why should it be that hard? Why is it hard and how do people get by that?

Speaker 3 (14:53):
You're right, Aaron, and it wasn't just the panelists that were interested in it, myself that was interested in it, honestly, the entire room was very, very engaged in this conversation around champions, and it does seem to be something that a lot of organizations are interested in or trying to do.

(15:15):
But it is difficult and it is fairly rare that companies have a good and well-established, well-built champions program, and I think the reason for that is it's hard, and I kind of learned this when I first started building champions programs because on its face, and I'll admit that when I first started looking at these programs and trying to figure out how to build them, they seem pretty simple. You just get a bunch of folks together that are interested in this stuff and they're willing to talk about it.

(15:36):
But it's so much more than that, and you have to find the right people and you have to get the leadership buy-in. You have to have a plan for how to put all these pieces together to get this stood up, because it is a distributed group and there are dynamics to that that are very challenging.

(15:58):
So, even though it seems fairly simplistic walking into it, you have to have a plan on how you're going to go about eating that elephant, because it absolutely is a large project to take on. And then I think you have to also have a plan for sustainment, because getting past the point where you've stood it up is great, and that's a great accomplishment, but how do you keep it going, how do you keep it relevant? And I've seen other programs fail because once they got it stood up they thought they were done.

(16:18):
And it's a continuing effort and you have to plan for that. Yeah, great point. Cody Rivers, over to you.

Speaker 2 (16:21):
I mean I say, how easy is it to ask people to do extra work for free, right? Most programs I learned that are champions is an additional financial bump. In addition, what are the key assets that need to be successful? What are the responsibilities? How often do they meet?

(16:41):
How do you communicate this mission statement for the champions program to other champions' supervisors that, hey, I need some of their time each quarter, and for what? So it's not easy. And a lot of folks, to Jim's point, this is their first champions program, so it's not like there's a precedent that you can just go, oh, here's my champions toolkit. So I think a lot of that is the fear of the unknown.

(17:02):
And also with a lot of things, you don't get a lot of shots on goal, you don't come correct and you don't have the right messaging and the right story and you can't get the buy-in and you get shut down from the leader who says my team's too busy, I'm not going to do it. You got to get folks on board, make it as easy as possible and find creative ways to reward them and I think, like Jim said earlier, that's just, that's how you do in year two and year three, because that's just year one.

(17:25):
So it's... It can be difficult, but for those who've done it a couple of times or you've got some resources, it's not just an idea that turns out tomorrow.

Speaker 3 (17:26):
Yeah, and if I could piggyback on that just real quick. Cody, I think you brought up a really good point, because there are those difficult items. But, Aaron, you asked an important question about why is it rare? And it's rare because a lot of, I think, because a lot of folks try to do this and they fail because they don't have a lot of other people that they can go to to say, you have this established, how did you do it?

(17:49):
Because it's fairly new and most of the time when it gets tried it does fail.

Speaker 1 (17:51):
There are some successful programs out there, but people don't know who built and who are running those programs, so they don't know who to go to for advice.

(18:11):
Favorite question of all topics is, hey, if folks hearing this don't have a program in place or it's early stage, what is one thing that they could take away or one action that they could take to get started? And I'll go ahead and start with kind of my one thing. And I'll start with not my one thing, but the thing that almost everyone starts on and sometimes stalls on is, it's easy to say, hey, there's a lot of great tools out in the market and I'm going to go buy one of them.

(18:31):
It's probably going to be KnowBe4, Proofpoint, definitely the market leaders. Both are great. We use both at many of the companies that we help with awareness. But the problem is you spend a year rolling that out, you get some traction, and a lot of the programs die there.

(18:53):
Executives start to say, hey, we got our tool, that should be enough. It's training, it's industry best practice, but they're really missing the opportunity to be more strategic, to define the business and really implement that comprehensive strategy.

(19:16):
So, as much as I support these tools and basic phishing, if you don't have a broader strategy and you start down that path, you might get pressure that that was your last chess move that you've made, and I really try to help early leaders and early CISOs avoid this, because the people element is the most underutilized asset within a program. Cody or Jim?

Speaker 2 (19:32):
Sure, I'll take it. I'll let Jim finish up. My thing is, I think it's easier to get InfoSec people on board for an awareness program and educate. I think the first thing is you need to educate non-InfoSec IT leaders on the risk around their critical assets. What are they, where do they exist and who has access to them?

(19:53):
Build a cyber committee. So it's, my simple thing is build a cyber committee, get their involvement and establish conversations around what's in place around their critical assets. That's what makes them stay up late at night to think about, and then that leads to okay. Well, now that I know there's this risk, I am more apt to awareness education.

(20:14):
But I first have to understand how does the risk apply to me as a non-IT, non-InfoSec function leader?

Speaker 1 (20:19):
Great point. Jim?

Speaker 3 (20:20):
Yeah, I'll finish up just by saying that I agree with what you guys are saying 100%. I really like what you're saying, Aaron, about the tool and concentrating too much on the tool and bringing in the people. I think bringing somebody into your team, or at least having somebody identified that you can have, that can help your team in delivering those awareness, those training messages, is critical.

(20:43):
Because, to your point, with the tool, Aaron, you can bring somebody into your kitchen that knows what a spatula is, but they don't know how to use it. If they don't know how to use the tools in the kitchen, they can't put together a good meal, right? You've got to be able to understand how those pieces come together and how they can be presented to people so that they understand it and that they like it. You need somebody who's got some experience with training so that they can use those tools that you've already invested in.

(21:05):
They can use the information that you have so that they can put that into a holistic item, a presentation to give to your workforce that they can then benefit from.

Speaker 1 (21:13):
Yep, great point. Well, that's all the time we have for today. If any of our listeners heard something that they're interested in, any one of us would love to pick up a conversation with you. We are passionate about this topic. Again, I think it's an underserved opportunity. With most cyber teams, most of the programs that are awareness are behind the times and stale, even with the best technology.

(21:35):
So we would love to have some of those conversations to figure out, even if it's just a conversation, how we can help you achieve more success with people. Thanks so much and have a good rest of the day.