As a company grows, it’s only a matter of time before it becomes important to ensure that everyone in the company is aware of security concerns that your company may face. Historically, this has largely involved the creation of flash videos and little quizzes that are designed to tell the user some security information and then test them on it. Then that “training” gets put into the annual requirements and your security organization measures the completion percentage, driving towards 100% completion. If they are really fancy, they might even track metrics about which quiz questions are failed the most, what the average score is for the quizzes, etc. If you work at any large organization, I’m sure this sounds familiar.
In an effort to create a more interactive security awareness program, many companies have adopted the use of regular phishing exercises. These exercises are often run by vendors who handle crafting the phishing email, delivering it to all of the employees (or whatever random subset of employees), and providing metrics on click throughs. Many of these same vendors also offer some form of the aforementioned flash-video-style training that users have to take if they clicked the link. This is great because it means your organization, which has limited resources, doesn’t need to maintain another training system. Better still, now you can run quarterly phishing exercises and only the employees who click will have to take the training, instead of all employees having to take a generic training every quarter. Efficiency!
Years go by and you’re still struggling to reach your target numbers year over year. People are still clicking the links. People are still struggling with the quiz questions. Or even worse, people are acing the quiz questions and then still creating vulnerabilities. But you don’t have metrics for that. You could compare the number of new security bugs found per year versus your security awareness metrics and maybe you can divine some sort of meaning from that spreadsheet. But it’s still happening. Even worse yet, you were in the cafeteria and you overheard employees talking about how annoying it was that they had to complete that annual training, and how the training didn’t even apply to them. Phishes and Bugs and Hackers, oh my!
It’s not your fault that the training doesn’t apply to them. You’re understaffed and your budget ran dry 6 months ago. You’re spending hundreds of thousands of dollars on a phishing awareness platform and people are STILL CLICKING THE LINKS. Meanwhile, your management is still pushing you to reach 100% completion rate and 0% click rate. Do more with less, they say. Do more with less. Maybe you can update your internal training to include a video of leadership at the company talking about the importance of security and making some hip references so that employees feel like the CEO is one of them, like they also took the annual security training.
An underlying theme here is that we’re trying to solve a human problem, security awareness, through greater use of technology. We’re reducing our employees to a series of metrics, and then trying to optimize for those metrics. Tweak the phishing training like this. Change the annual quizzes like that. Improve the metrics. Businesses love metrics because it provides the illusion of objective, measurable, factual data. As metrics get better, that must mean that objectively the company is doing better. But please, dear reader, allow me to let you in on a little secret: Your metrics are probably lying to you.
“Alright dade, get to the point already,” you’re probably thinking to yourself. To which I say: “Tallyho!”
I’d like to propose a new way to look at security awareness. I’ll warn you now, though: this approach will make it difficult to produce metrics, which in turn will make it difficult to sell to management. Instead of (or in addition to) approaching security awareness through annual trainings and regular phishing exercises and maybe hosting some cool events that give out free security branded swag, try to break down the silos between your information security organization and the rest of the company. Get people to engage with one another, interact with one another, on a more interpersonal level.
“Seek First to Understand, Then to Be Understood” - Stephen Covey
One key element to remember when considering this approach is that you can’t go into these interactions with the mindset of “Oh I’m going to tell them everything they need to know about security.” If you do this, you will inevitably encounter the same problems that your annual security awareness trainings encounter. It becomes something that employees just have to do, and they are busy and have their own work to do and don’t have time to listen to you preach to them. In order to effectively engage with other employees, you need to talk to them about the things that matter to them. Security is not a one-size-fits-all prescription. Different people care about different things.
“But that doesn’t scale! We can’t have all of our security engineers interacting with all of our employees all the time! We already don’t have enough security engineers!” That’s true. But humans are social creatures. When we stop a conversation with another person, that other person doesn’t cease to exist. They don’t (usually) immediately forget everything about the conversation. They go on about their days and they talk to their social networks, their colleagues, the people they eat lunch with. Information is very capable of spreading organically.
“Okay so maybe you’re on to something. How can we get started with trying to introduce grassroots security awareness?” That’s a great question! I’m so glad you asked. I think that in order to run a pilot of this, it’s important to identify the people in your organization who most deeply care about security as it applies to the organization. These aren’t always the same people who are the best at fixing or finding security issues. Find 4-8 people from different security roles who would be interested in doing security outreach within the company.
Have these people spend some portion of their time, maybe an hour a week, reaching out to random employees across the organization, and ask them about what they work on, what they think about security at the company, how they think security applies to them. Ask them if they have questions about security. Don’t restrict it to just work-related security questions! Good security practices at home will carry over into the work place. Teach people to setup password managers and why they are valuable. Teach people how to safely open emails and what the telltale signs of phishing emails tend to be. Teach people that it’s okay to make mistakes and that it’s okay to ask for help.
Before a session with an employee is over, be sure that they are made aware of ways to engage with the security team. Who to reach out to if they think they got a phishing email. Who to reach out to if they have a generic security question. Encourage a healthy, positive relationship between individuals. Encourage other employees to think about security in their day to day lives and nurture their own reasons to care about it. Before you know it, you have a grassroots movement of people who are thinking about security as part of their job. Whether it’s checking their email, browsing the web, designing or developing their products, they will remember that good conversation they had with that person from security.
Sorry about your metrics, though.