S2 E16: Building an Effective Cybersecurity Training Program

S2 E16: Building an Effective Cybersecurity Training Program

Transcript

Jordan Eisner: Welcome to Compliance Pointers. I’m your host, Jordan Eisner. Returning from a little hiatus, I had some people in my spot here on some podcasts recently, but that’s okay. I’ve been traveling a lot for work, but I’m glad to be back doing this podcast.

I’m glad to have Steve Haley with me today. Steve, have we done the podcast together? Is this your first?

Steve Haley: Yeah, Jordan, this is my first one.

Jordan Eisner: Okay. All right. Good deal.

As by way of intro, I guess for Steve and for our listeners, Steve is a very accomplished information security, IT, tactical doer, executor, and security operations. Aside from that, served our country as a Marine for many years. He’s worked in a big corporate structure, IBM. He’s worked at small software organizations, and now we have the privilege of having him as our Director of Cyber Services.

Steve, thanks for being on.

Steve Haley: Thanks, Jordan. I’m glad to be here. I have been around IT for a long time. I got my first exposure in the Marine Corps doing communications, and then transitioned those skill sets out into really my first job offer, was as I helped us with IBM during the dot com boom, and took it from there and always hung out with the people whose jobs that I wanted, and organically grew my career that way.

I’ve been around in information security for a good 25 years, and really since Sarbanes-Oxley came into play is really when we started to see a lot of controls being put in place in the technology domain.

Jordan Eisner: Yeah. Good deal.

So today, we’re going to be talking about, I think a very fundamental thing of cybersecurity training. But still, something that I think is a topic for discussion. I think a lot of organizations have a check-the-box approach to security awareness training. I think the data is out there. Most of the time, it’s some sort of human error or human cause for breaches. I don’t know if there are different stats, but I’ve seen 70 percent or something like that, but that’s what we’re going to be talking about today.

Training for staff needs to be a key element of any security program to reduce vulnerabilities caused by human error.

So I guess first and foremost, what does a successful security program consist of?

Steve Haley: Yeah. So one of the core components of an effective security awareness program is really defining the policy within the organization. To go back to the statement you made on human elements, that really is the biggest vulnerabilities that organizations face are usually the human side of it, and the mistakes that humans make. We’re all human, we do make mistakes. Some of those could have a greater impact than others.

So when you’re looking at an effective security program, really is the organization defining their policy around that. It is associated with a lot of standards, as most people know, and is a core component of compliance needs that organizations have as well. But they do go into more of a, let’s check the annual security awareness training box, can get very mundane. So defining the policy and really where the requirements are for the organization is really important.

Some of the drivers that can affect policy is actually your cybersecurity insurance can affect policy. Cybersecurity insurance is actually putting a little bit more requirements or integrating more requirements into the insurance policy to reduce your rates than some of the standards.

Another area that is one of the core components is really identifying the security responsibilities throughout the organization and documenting that, i.e. through the policy and through the procedures that are associated with that.

And then establishing processes to test, monitor, and actually review the program’s success. So that’s a good starting point for most organizations, is really defining it up front first.

Jordan Eisner: High level, right? You’re talking about a basic security program there. Now diving a little deeper, so those were good, I think, basics components. Diving deeper, what about components of an IT security awareness and training program?

Steve Haley: Well, when we look at that, really, four main areas are associated with that. One is the awareness. I’ll get into that a little bit deeper in just a second.

Next is actually training. Then there’s the education component. And then there is the professional development side.

Each of those actually can have different audiences, right? If you look at awareness, that’s really into the broader sense of the organizational culture, right? So, you know, bringing the awareness to the organization as to, you know, the concerns that the organization has or the risks that the organization face from a security perspective, right? Phishing attacks, social engineering, you know, you can even get into the technical configuration sides on that awareness stuff as well. It’s really, you know, bringing attention to the issue throughout all of the individuals within the organization.

You know, when we consult with organizations, the first thing we try to do with them on this particular area, on the awareness side, knowing that it’s a cultural shift in some instances, is really to keep it simple, right?

Really a big fan of the kiss method, right? Keep it simple. Explain why it matters to the organization as well as why it matters to the individual, right? Because the individual can be impacted just as much as the organization can be impacted.

And then, you know, some effective ways to actually bring more awareness into the organization is utilizing multi-channel communication methods, right? So what does that look like? Well, that can look like security awareness posters that are put in the break rooms or the lunchrooms. That can be screen savers that are sitting on, you know, that are popping up on, you know, individuals’ machines after the system locks out. It could also be, you know, internal content and websites, right? That, you know, individuals within the organization can go to, you know, to kind of get more awareness as to what threats are out there in the landscape, what threats are, you know, more prominent to the organization as a whole, and the awareness as to the need to protect not only corporate data but customer data within the organization. So that’s really where the awareness side comes into play.

Jordan Eisner: And sort of a one-team, one-dream type.

Steve Haley: That’s a good way to put it. Right, all of us together.

Jordan Eisner:  But then also what I’m hearing and all those things you talk about in the pillar is consistency. So not just a once-a-year exercise, but consistent communication and awareness around it. When you talk about posting it, you know, around the office for those going into office or having it on internal company sites, right? It’s just a reminder.

Steve Haley: Yeah, most organizations, right, when you first go in there, if they’re, you know, depending upon the maturity level, I think maturity plays a role in this as well. You know, it’s, you know, they’re busy doing their day job, right? You’re hiring people to do certain jobs. And when you’re talking about the cultural shift, it’s really, you know, getting that security-focused mindset within the culture of the organization. So they’re thinking about those types of things. When an email comes in, you know, does it look weird? You know, should I raise my hand? Should I engage, you know, help, support or, you know, the information security organization, depending upon the size of your of your company? You know, there’s different routes on how that all happens, and we’ll get into that into the training side as well.

Jordan Eisner: What else?

Steve Haley: Well, the next core piece is really training, right? Training is a little bit different than awareness. Training really gets more into, you know, training your staff on the processes and procedures and training them to recognize, you know, certain events or anomalies. That that could be suspicious. Suspicious behavior doesn’t always have to be in an email. It could be suspicious behavior. Human being or a visitor that came into the office. Right. So training individuals to have that awareness, you know, to identify anomalies or events is critical, you know, is equally important into the awareness side as well.

You know, again, you know, training them on the on risk management processes and procedures and understanding, you know, what risks their team may have specifically of what they’re dealing with, depending upon the data they’re dealing with or the technologies that they’re dealing with or the business process that they’re dealing with. Understanding, you know, if their targets are not. Training on the incident response and handle it right. If there is an incident, there are certain members in the organization that really need to understand how to react.

Right. Reaction is extremely important. Right. Especially the speed to react to identify react contain, especially in ransomware-type attacks and things like that is critical. Right. There’s a lot of statistics out there that, you know, by the time you’re, you know, dealing with a ransomware attack within literally minutes, everything could be encrypted.

So another area that you want to focus on is really the understanding logical controls, password policies, things of that nature. So your team understands the parameters that they’re working in.

Jordan Eisner: I think that’s very helpful. Anything else?

Steve Haley: Yeah, then you get into really the education side, and this is really where it gets more specific. Right. So your information security individuals, you know, they require specific training. Right. They need to understand what phishing attacks look like, gain knowledge from additional sites like CISA, those that are actually providing remediation and identification training. Right. For certain types of attacks. Right. There’s a lot of information that comes out in after-action reports and things like that that help resources in our industry understand what a certain attack looks like and how to mitigate and reduce the risk to those types of attacks.

It’s also training your IT technical staff, right, to put those hardening standards in place, understand the safeguards that they’re putting in and why they’re putting them in. Right. A lot of people will just click a button and not really understand why it’s going in there. And, you know, I was kind of told to do this, so I’m doing this, but really the core training of all of that. Right. You know, the information security people shouldn’t be the only resources that are trained on information security. Right.

They don’t need other members of the company or the organization can have ancillary education and training in information security and identifying anomalies or threats that can help be a front line to protecting, you know, the organization of the house.

And then the last one is really, you know, professional development. Right. You know, and this really comes down to when you’re doing your annual review processes, right? Build in some type of professional development, specifically those on the front lines or those that are dealing with higher risk areas within the organization that could be a target for cyber security threats. You know, ensure that you’re building that into their development and growth, not only for their career in the organization, but, you know, their overall career growth in and of itself.

Jordan Eisner: Yeah, that’s a that’s an interesting thought. I hadn’t thought about that before. All right. So that was a good bit. Right. Four pillars.

And, you know, I think you exemplify the fact that security awareness training shouldn’t be simple. You don’t want to be over-complicated either. Right. To your point, you said it needs to be simple. Right. KIS. Keep it simple.

Or to quote Michael Scott, keep it simple, stupid. But there’s still a lot of factors there. You mentioned those pillars and how you balance those. So it’s not simple. It’s not an opposite. It’s engaging. It’s important. Right. It’s a community-type field is part of it. So how do you go about designing a program like that?

Steve Haley: Yeah. So, you know, again, designing a program like this, you know, there’s obviously key areas that you focus on. Right. To me, you know, is really, you know, assembling a team, individual or team, depending on the size of the organization, you know, who has ownership. Right. They, you know, as you know, from my background, I, you know, I realized that without ownership of certain workflows, items, processes within an organization, they usually don’t gain a lot of traction. Right. So you’ve got to have a champion within the organization, you know, to stand, start standing up the program if you do not have one or mature it. If you have one already in place.

The other thing is, is executive sponsorship is critical. Right. You need the leadership up above. That is where the cultural change really takes place.

Jordan Eisner: And you need leadership to message around it.

Steve Haley: Correct. Yeah. Correct. Right. That drives the importance to the organization. You know, the stakes are high. I mean, there’s been some pretty significant events over the last eight weeks that, you know, ransomware attacks against two major entities that were very costly to those entities. Right.

So, you know, understanding the risks that are out there and having executives message around those is really important for a successful program. Right. One of the first ones. That’s why I have it. The first two folks.

Jordan Eisner: Everybody needs to understand it could happen to you.

Steve Haley: Yeah. And then you really need to understand the limitations of your organization. Right. You know, a good example would be that, you know, resource availability. You know, other limitations around that. Do you need to build a program that, you know, you may have a 24-by-7 organization and, you know, you may need to tailor training a little bit different for after-hours resources than on-hours resources. Right. There may not be enough people specifically in an incident response on how that happened. So, understanding limitations in the organization is pretty critical as well as, you know, allocating time for training. Everybody has day jobs.

I’ve gone into a lot of organizations and actually, you know, had some peers as well that, you know, when it’s time for the annual security awareness training, we put the video on and we do work. And we just will take the test afterwards. And, you know, if I just get, you know, seven out of 10 questions and get a 70, I passed. So, you know, I think we’ve all been here with that, you know, type of training is happening. But, you know, if you’re not really paying attention, you know, how effective can you really be? Right.

Jordan Eisner: Maybe I’m jumping ahead here and you got to finish your point on that. But, you know, that kind of helps. You know, that kind of brings me to another question. How do you monitor and measure the success then? Right. Effectiveness of the security awareness program.

Steve Haley: I think that when you get down into measuring the success of the security program is really, you know, testing after your training. After you’ve gone through and had, let’s say, those video trainings on how to identify phishing attacks or social engineering attacks. And or even, you know, the physical components, right? When visitors enter the work area. And I know that our landscape has changed over the last few years. You know, but there are visitors that come in.

You know understanding through how they’re handling that upfront. Right. On those types of things. But really, the testing component is really important. You know, phishing campaigns, social engineering, even testing the physical parameters and things like that, you know, all provide KPIs or, you know, performance indicators that we can report on and measure the overall effectiveness. Of the program.

Jordan Eisner: And have you seen in your experience, right? Since most companies are going to have some sort of security awareness training these days. I’d like to think. But, you know, maybe you’ve seen some of the data, right? From point of implementation of awareness training. A decrease, right? And potential incidents and things.

Steve Haley: Yes, there’s a lot of motivation when new stuff comes out, right? When new videos come out or, you know, there’s a renewed interest in implementing or enhancing a security program. There’s a lot of motivation, right? Initially, I would say that usually lasts maybe, you know, for the first year, maybe two years. Right. But then it becomes Mundane. Right. And when it becomes mundane is really where you start seeing a fall off on, you know, people’s awareness. You’ll see, you know, failure rates going up in your phishing campaigns. And, you know, and that’s where culture change comes in, too, right? You can see the effectiveness or the decrease in the awareness within the culture.

Jordan Eisner: So you have to keep it lively.

Steve Haley: You do need to keep it lively. I’m actually glad you brought that up. We’ve seen a lot of companies start to innovate and we’ve consulted with some companies that, you know, let’s start, you know, building on top of just a traditional, you know, learning modules that come out and get delivered, you know, through a laptop or your system. And let’s start doing, you know, hybrid. Look at implementing a hybrid solution where, you know, maybe we’re doing a couple of topics semi-annually with an audience, with a live audience. Maybe there’s a critical security event that needs, you know, greater scrutiny and awareness. Maybe we need to pull everybody in a room and talk to them about that. The other one, the other innovative things people are doing is really putting a program together where they’re rewarding people for identification or, you know, scoring higher on a test where, you know, they’re giving little prizes out. Or maybe a Starbucks card or something to that effect. Right. Where now, you know, it becomes a game. I talk about the gamification of security awareness training. Right. Making it more, you know, game-orientated. You know, we’ve found that to be successful as well.

Jordan Eisner: Now I see your motivation for doing this podcast. You want that to be a policy here so you can get Starbucks gift cards.

Steve Haley: That’s right. That’s right.

Jordan Eisner: Because that may save you a lot.

Steve Haley: It will save me a couple hundred bucks a month if I can work it out.

Jordan Eisner: All right. Well, as we start to near the end of this, you talk about needing to keep it lively, needing to keep it simple, but there’s a lot here too. And there’s a lot at stake, a lot of risks. So what resources are available to companies to design an effective security awareness program?

Steve Haley: There is a wealth of information out in the market space on, you know, designing an effective security awareness program. I’m a fan of tying, you know, programs to a methodology. Right. Or a standard.

First and foremost, I would recommend people go take a look at the NIST SP 850, which is building an information technology security awareness and training program. That’s one of the best references that are out there. Right. You can always tie it back to something. It’s defensible. It has good underlying structure for the program and process. The other is, you know, understand the needs of the organization. Right. What compliance needs are in the organization. And I think that, you know, you need to reference those standards as well to make sure that you’re covering those areas.

Also, you know, there are certain ones like PCI and things like that, that, you know, if you’re not accounting for those types of things, it can impact, you know, your certification programs as well. I think looking at the requirements of GDPR and what they have to offer as well are good reference points and data points for the organization to understand and design around.

There are partnerships out there. Right. Knowbe4 is a partner of ours. You know, and they’ve got a lot of good content out there. And then relying on consultants like CompliancePoint. Right. We’re in the trenches every day. We’re helping, you know, customers either stand up, mature, you know, their programs and security awareness is one of those pillars that always can use maturity.

The threats aren’t going away. In fact, they’re getting more sophisticated. You look at AI coming into the mix and now, you know, we’re really up against it on how to defend them against some of this stuff. So some of the threats are actually out there. And so, you know, taking it seriously, being creative while keeping it simple at the same time and making it fun for the organization goes a long way to getting a culture that actually is security-centric.

Jordan Eisner: Well, I think that’s a good wrap-up there. I was going to maybe ask a couple more, but I think that’s a good stopping point. And I think the point of making a frontal organization, I know for me personally, I would, I think that would go a long way for an employee base and recognition on the positive side, not just always, you know, when somebody is falling for a fishing thing, having some sort of penalty as part of it, but some recognition for the good stuff.

You know, all these auto insurance companies do that. I see the commercials all the time about the benefits of being a good driver. You know, it’s a similar type of thing. It’s a similar concept.

Steve Haley: Yeah. Usually, you’re just getting hate mail from HR or your manager saying, hey, you’ve got like 24 hours to finish this training. Right? Yeah. And it’s not always, hey, thanks for finishing early. You know, these five bucks, there’s a cup of coffee on them. I’m going to stay on the coffee thing.

Jordan Eisner: I know you are. Well, Steve, appreciate you joining us. Thanks for the interview. I appreciate you joining us. Thanks for the for the knowledge, expertise and experience you just shared on the podcast. For our listeners, thank you for listening.

As always, if you’re seeking more information about CompliancePoint, if you want to talk with Steve, if you want to talk with me about cybersecurity awareness or, you know, the variety of different things we do in the data security and data privacy space, please don’t hesitate. Reach out to us on LinkedIn. See us on LinkedIn. I’m on LinkedIn. Reach out on our website. You can book a call with us. You can email in many different ways to contact us should you want to learn more about what we offer and do in this space. And then I would say too on our website, and it’s a great resource of blog posts and other content webinars on this very topic and others. So, yeah.

Steve Haley: Well, thanks for having me, Jordan. I really appreciate it.