
Are Security Awareness Training Platforms Effective?

2024/11/21

Defense in Depth

People
Carl J
Dan Walsh
David Spark
Founder and executive producer, host; focused on producing and hosting a cybersecurity media network and podcasts.
David Volkov
Debra
Kevin Walker
Sam Overholt
Sharon Milz
Tim Golden
Topics
David Spark considers the effectiveness of security awareness training programs debatable: a lower click rate does not necessarily mean better security. Dan Walsh holds that lowering click rates matters, but other underlying security problems can also lead to breaches. Sharon Milz argues that the goals of security awareness training should distinguish compliance check-the-box from culture change, and that training needs to be tailored to the needs of different departments. Sam Overholt stresses that any training is better than none, but security awareness training needs the right people to drive and enforce it. David Volkov considers security awareness training ineffective and reduced to a price war. Debra holds that targeted training is still beneficial, for example phishing prevention and password management. Kevin Walker sees security awareness training as one part of an overall security strategy rather than a silver bullet. Tim Golden argues that training companies need to hire professionals who understand how learners learn. Carl J holds that effective phishing awareness training needs to cover all channels, track current trends, and provide objective metrics.


Chapters
The discussion begins with skepticism about the effectiveness of security awareness training programs and explores the role of culture versus compliance in these programs.
  • Security awareness is a key part of any security program.
  • There is debate on how to measure the success of training programs.
  • Compliance and culture are two different aspects of security awareness training.

Transcript


Security awareness is a key part of any security program. So why are we so skeptical of security awareness?

You're listening to Defense in Depth.

Welcome to Defense in Depth. My name is David Spark, I'm the producer of the CISO Series. Joining me as my guest co-host for this very episode is the CISO for Datavant, none other than Dan Walsh. Dan, hello.

It's great to be here, and I'm really excited to talk about the topic with you.

This is a very hot topic. We've talked about it on all of our programs, and we're going to get to that in a second. Before I do, I want to mention our sponsor, and that's Intezer. Extend your security team with AI. I will talk about exactly how Intezer is doing that a little bit later in this show.

I'm going to begin with this quote: I don't think security awareness training programs are that effective, end quote. This was the argument from David Volkov of Three Tree Tech. And there are so many security awareness programs out there, and there is so much debate as to how to do training and how to measure successful training. But given those variables are so subjective, and opinions on the effectiveness of security awareness programs can vary wildly, then is a security awareness program that can demonstrate a reduction in click-through rate actually delivering an improved security program?

Well, I would say yes and no. So yes, in terms of that's the unlocked front door of the house that's about to be robbed. But there are other controls that, once inside, are usually what result in a failure, right? And so I think the bottom line is, it is important that it does reduce it. But the reason why these breaches are happening isn't because, you know, a small fraction of people aren't aware; it's because of other underlying problems in the program.

We're going to get into that. We're going to talk about security awareness programs, how they try to pitch themselves as effective, how essentially CISOs respond to what they believe is effective in their environment. And somebody who's actually going through this issue right now is our guest. She is the CISO over at Time, none other than Sharon Milz. Sharon, thank you so much for joining us.

Thank you for having me. Really glad to be here.

Where does this effort fall flat?

Sam Overholt of Comply said, quote, whenever you buy tech it won't just magically solve all your problems. I would not just state this is specific to security awareness training, because any training is better than none, ultimately. You need the right people to facilitate the training and enforce it, or else it is useless.

So David Volkov has a very negative view of security awareness training in general, and also says that it's a race to the bottom. And Sam says, well, you need training for everything you do. What do you think?

I think we're confusing two different topics inside of security awareness. I think the first topic that we are talking about is compliance: check the box for your regulated company, or even if you're not, different frameworks call for you to use an annual security training, right? Or when people onboard, you have to take training. So that's compliance, a security awareness.

I think what the first quote referred to is culture. Like, how you change the culture is not going to be "watch this terrible PowerPoint slide deck" or the terrible video. And if that's the case, yeah, then you should absolutely buy the cheapest solution out there, because it is going to be a race to the bottom; you're just trying to check a box. So I think what gets lost in this argument, as I mentioned, is, are we talking about changing culture? Are we talking about compliance, checking a box?

That is a very good point. That is a good dividing line, right there, Sharon.

This is an effort that you're working through right now. I assume you have both problems you have to worry about. You do probably have compliance and regulation issues, and you also want to change culture. Yes?

Yes. So, and not as much as in compliance. We're not a publicly traded company or under any regulations.

But one of the challenges, Dan said it perfectly, it's not about checking the box. For me it is about how do I change the behavior and the culture of the organization, right? And how am I sure that my users think of themselves as part of the program, right, a part of the security program, and how to keep the organization safe? I agree to some degree with David that, you know, most of the security awareness training tools out there have become repetitive and stale.

So one of the things that we have incorporated, I have started to incorporate, is more of a personal approach where my team members are outside of the program. We're setting up one-on-ones with departments, right, to really target what are the challenges and concerns that department should be facing, right? It's not the same, from my perspective, to look at editorial or look at finance and think that they have the same problems, right? So that goes back to, I think, Sam's quote around it's not just buying a tool and putting it out there. It's when you buy that tool, how do you implement it, and how do you leverage it across your organization?

And like we've said about a lot of solutions, it's people, process, and technology. A vendor would like you to believe, this is how a lot of security professionals feel, they would like you to believe that if you install this piece of software, it'll magically solve your problems. Yes, Dan, you've had that pitch before, one hundred percent.

I mean, you know, you think about it from a human risk management point of view. And those solutions very, very often are tied to what are called awareness platforms. They're useful; if you get the data, it's very useful.

But again, that data is not going to change unless you address the cause, which is culture. As an example, in a previous company, the CEO was traveling to a country that was on our banned list of places you could access company resources from.

And, you know, did he want an exemption for himself? He could have had an exemption for whatever he would travel with, versus [unclear]. He was like, nope, that's the rule. I don't want any special exception for that.

I'm just like everyone else, because that is how important security culture is to the CEO. And so I do think that it always goes back to a cultural issue. In fact, if you look at, like, any of the major breach reports, like Verizon and IBM and Google, they all say the same thing: it all comes down to culture.

Would this work?

Debra of Alchemic Technology said, quote, some training is still beneficial, but in a very limited and targeted way where it can help people in their regular lives as well, for example phishing prevention and password management practices. In fact, my co-host, Mike Johnson, has brought this up many times: when the employees ask you about their personal cybersecurity, then you know they're actually paying attention and they are interested.

Kevin Walker of Black Swan Cybersecurity Solutions said, this is where defense in depth helps. Email filtering, DNS filtering, and browser extensions all help protect end users' security. Whereas training still has a place, in my opinion, but it's part of a bigger picture and not a silver bullet.

Now, it is one of many controls, right? Sharon, like, you can't just divorce the sort of the security culture away and just hope all your controls are going to work.

The humans are a control. Do you see it as equivalent to your other sort of controls, or do you see it in a different way?

Yeah, I feel like security awareness is part of my overall security program. It is not mutually exclusive, right? It comes to layered defense, right? You've got to have your tools and platforms to prevent the phishing attack from coming in place to your users or your inbox.

But you still need to have your users be aware of what they should and should not be doing, right? You think about, I think I've heard this somewhere else, but think about an athlete, right? They constantly train and do repeated drills, so when they go in the game, they know how to react, right?

The same thing that we're doing with users: we're training them on what to do and not to do. So when that happens, they know how to react. And now you also have platforms, so when they are training [unclear], you've got platforms that can prevent and resolve it. So it's an overall part of the security program. You can't do one without the other.

Let me actually, and this goes back to what we said at the very beginning, about, like, phishing tests. We have some CISOs out there, they just flat out will not do them because they think that they create a bad sort of culture. But I just had a guest on the show.

This is, oh yeah, we will do the nastiest ones [unclear], but those phishing tests that get people really upset, saying like, oh, you will get a raise if you click this button, or something, or there's a big virus breaking out in the company. And their attitude is, this is what the criminals will do. But the fear the other CISOs have is, but it creates a really bad culture, kind of like the security team is sort of beating up on the employees. Where do you stand on this, Dan?

I think you have to read the tea leaves in terms of the broader culture at the company.

How are people, you know, punished? Or what's the consequence when there's a failure, like another type of failure outside of clicking on an email like that? You know, is that very punitive and heavy-handed to begin with? If it's not, if it's more of, hey, hey, you know what? We're going to phish as hard as we can, you know, around the holidays with those FedEx emails when you just purchased something on Amazon.

And so you're probably thinking this is the real deal. And we're going to phish as hard as we can because we want you to be better, and really focus it on you. We're trying to make you a better, more savvy employee, and we're trying to keep the company safe. I think it just depends on how all that is matched at the company from a cultural point of view.

Also, Sharon, if you have this situation where somebody falls for a phishing test and they feel awful about it and they feel they've screwed up. And also, you know, one of the punitive damages for failing a phishing test is additional training, which no one really enjoys. So how do you manage that to keep sort of a lighter mood or keep the positive attitude? The security culture. Either one of you jump in.

I, and I think I see where people celebrate that they were able to capture it, right? And sometimes it completely messes up our test, because they end up sharing with all their colleagues, hey, there's a phish going around, and they didn't know if it's actually an email coming from us or it's actually a real phishing attack, right? But it also proves my program is actually working, because now they are sharing.

There's a phishing campaign going on in our organization. I don't necessarily do the punitive part of it. Like, if you fail, you have to do it again; we fail the process of the surprise attack, right? Like they're going to be expecting another phishing campaign coming to them. I think it's more around, yes, you failed.

They understand they failed and they pay more attention going forward. I have a perfect example. We weren't really doing phishing tests before I started, and in the first one that we did, we were failing through the roof. I mean, it was crazy how high our rates were, right? And when we do the test now, I think it is less than fifteen percent of people.

And I don't know if you guys recall the recent flaw that happened with one of the major email security companies, right? And we saw a huge increase in attacks from valid domains, which were extremely hard for even our security team to confirm whether they were actually accurate or not. And I was extremely proud of how many people in the organization just sent the emails to the phish alias and said, hey, can you confirm? I'm not sure this is actually real.

I don't remember, like, talking to this vendor before, anything like that, right? So it shows that even though most people think they are boring, and where people think that, you know, they might not do a change in the behavior of the users, they end up doing it, right? Users are starting to become more aware of it. It all depends on how much you actually emphasize it.

Before I go on further, let me tell you about our sponsor. That would be Intezer. And you're going to want to listen to this, because it has to do with your SOC and alert fatigue. So alert triage and investigations are time consuming for security teams.

I don't need to be telling you this, but I'm just setting it up, because it doesn't have to be that way. Smart security teams are using AI to automatically investigate alerts from their security tools twenty-four seven, with an average triage time of just two minutes. So how does this actually work? Well, Intezer is an innovative platform that integrates with your security tools to monitor alerts, collect evidence, and investigate every artifact. When Intezer uncovers evidence of a serious threat,

it escalates the findings to the SOC analyst. Intezer also reduces noise, correlates alerts, and automatically resolves over ninety percent of false positives. This means even low severity and informational alerts get investigated. You aren't wasting time on false alarms, and you have actionable recommendations

for serious threats. Intezer extends your team by emulating an experienced analyst with an AI framework backed by years of industry research. It is designed to be a cost effective, easy to set up platform that provides detailed, transparent results that SOC analysts can trust. No playbooks, no chatbot, no engineering to set up. With Intezer supporting your SOC analysts, your team can eliminate alert fatigue, uncover hidden threats, and stay focused on what matters most. AI won't replace your SOC team, but it can be a game changer. For more, go to Intezer's site, that is I N T E Z E R dot com. Intezer dot com.

No one said that this was going to be easy. Tim Golden of Compliance Scorecards said, quote, security awareness training companies need to hire staff that have a deep understanding of how learners learn. Maybe focus on hiring one or two behavioral analysts that can understand the psychology of how people actually learn and [unclear].

The education method is to meet the learner where they are at and build small, well-defined measures, end quote. I'm wary of placing too much value in them as a preventative control, since I think anyone, even security professionals, can be phished if the context of the phish is good enough. We have heard this many times.

I'm fine with user training, provided companies are covering other basic controls as well and not using user training as the basis of their security program, meaning no defense in depth. He continues: to paraphrase someone smarter than me, quote, if your security program consists of training users not to click on bad links, you've already lost.

So yes, we've heard that one too. So let's get back to the original theory, though, here, Dan, of the effectiveness of these programs. I think this may also fall into this thing that we hear all the time in security: don't let perfection be the enemy of good, or very good. Are we doing the same thing here?

Here we are. And the other thing that I mention, too, David, is, like, if you think about an EDR solution, you set it and forget it, right? You get the agent running on your laptop and it catches the bad things.

Life goes on. You respond to them. Security awareness solutions, however, whatever technical software it may be, are not set it and forget it. Okay, every year, uh, [unclear],

you go to take your security training. You really have to contextualize it and choose your timing to make sure you get the most out of it. So as an example, when the MGM breach occurred, where a social engineering call to the IT help desk basically got them into the network, and that was a really bad situation for them.

I sent an email out to the company that said, hey, here's what happened. There was a ten-minute phone call. It could result in a one hundred ten million dollar loss.

Here's the things you should be careful about. We've had specific company attacks. Different companies that I've been at send out a Slack message, send an email pinging people in specific functions.

Hey, around the holidays. But again, like I mentioned before, phishing is going to go up. We see phishing go up, like phishing [unclear].

At least all the companies I've been at, it's like Thanksgiving to the New Year, that's when all the phishing comes in, right? And so just, I think, trying to take those tools that are valuable and then contextualize it in a real world scenario for the people, so that way they can, like, link it to something, I think is really key. And so, to answer the question, yes, it is very hard. Sadly, it's more art than science.

Do you think, Sharon, though, you're winning with your other controls better than you are with security culture? Because it just seems like that's always going to be the case. I mean, because humans don't work like computers.

I think it's a combination of both. I don't think I can just depend on one.

No, I'm not saying just depend on one. But the thing is, dealing with a computer is always going to be probably an easier situation than dealing with the human, right? Agreed.

And I think that would explain it. It's not easy to change the behavior of users, right, to make them think how you want them to think first, right? And things are changing quickly, right? If you think about now, we have seen an increase in voice phishing attacks, right? That's a perfect example of MGM.

And I've seen it in our natural case, right? So we just have to continue to adapt. And that's not something that I think any platform would be able to do, no matter how many tools or platforms you're going to implement in your security program.

I think you need to have that human piece of it in the loop. And it is the hardest part of our security programs. We can't control it, right? And we can't just simply tune it and say, all right, they know what to do going forward.

The one thing that is this: if you think about the Titanic sinking, right? Why did it sink so fast? And it wasn't because it hit the iceberg; it was because the ship was designed poorly and all the chambers, the way they were designed, allowed it to flood quickly. So in the same analogy, hitting the iceberg is just clicking on the email. Once the attacker gets in through the email, if your network or your environment is wide open, just like the Titanic, you are going to sink quickly. It is just an entry point, and you have to have very strong controls across your program to be successful.

And this is why we talk a lot about segmentation and blast radius, essentially, right? Just don't let the damage go too far.

What are the elements that make a great solution?

Carl J of Phish Busters Audit and Consulting said, quote, phishing awareness training needs these three things: one, a simplified definition and approach to training that covers all phishing regardless of the channel. And so we talked about that.

So he refers to text, email, voice, social media. Two, a specialized focus in order to keep up with current trends and sophistication. And three, objective metrics that bring value by providing behavioral change. Right, Dan, I want to lean on that very last one there. The one that is most used is click rates for phishing emails.

But what we have heard again and again, it all depends on the sort of the difficulty level of that phish. So my question to you is, how do you show, demonstrate change to yourself, to the team, to sort of plot it, to say here, we need to work harder, and to the board? Like, what do you do to show change?

It depends on the maturity of the organization that I am currently in. I've just started at Datavant, so I'm still evaluating this. But in previous organizations, if I understand the identities of the people clicking, someone clicking in a very specialized role in finance that has all the company, you know, bank accounts and top financial secrets, that's a much worse click.

Than maybe someone who's in the mail room, as an example, and that's a terrible analogy, but you get my point, right? The more access you have, the more damage that you can potentially do to the company.

And I would assume you give that person a lot more training. That's right. And you want them to be more ingrained with the security culture than somebody else.

That's right. So showing that, I think, is very, very eye opening to executives. I showed one report to a VP. His response was like, you can shut off the internet to my employees' computers.

He was so scared about it because of the function that he was overseeing. Okay, now obviously we're not going to do that.

I think those metrics are good. I think everything like a board is going to see that you're doing the basics. And to a board member's mind, the basics is phishing.

But your average board member, your average business executive, knows what phishing is, right? They don't know what defense in depth is, they don't know what application security is, they have no idea what that stuff is. But they know what phishing is. And so to a degree that helps them understand that, yes, we are doing the basics, and we will consider this the basics.

Do they understand that phishing comes through multiple channels?

Five years ago, no. They're getting a lot of questions now about, what about deepfakes and things like that? So I think with, like, the rise of AI and these alternative social engineering tactics, you know, they're definitely

becoming aware of that. We are hearing a lot about deepfakes, specifically through WhatsApp right now, voice phishing [unclear], right, Sharon. What do you do to measure? Because I know this, again, you had mentioned this is something you're sort of struggling with right now, and you don't know whether these security programs are working or not. So what do you do to sort of make you feel that you're spending the right money and doing

the right training? So two things. I mentioned one, kind of looking at the reports. But one of the things I've noticed is there has been an increase in response from our teams, including all the way to our executive level, right? No concerns before.

Now it's getting a text in the mid afternoon and saying, I got this email, can you check it? I'm not sure it is safe, right? That wasn't happening before, right? So that means the culture and the behavior of the organization is changing to be more cautious, instead of clicking on, seeing or looking at a text and responding.

Can I confirm that? That is the number one response you really want. Please tell me this looks phishy. Please tell me if that's suspicious.

Exactly. That's what we want our users to be. Hey, I'm not sure. Check it for me.

I'll take a look at it, or ask around, ask your coworker, hey, I got a memo about paying this vendor, is this right? Or I got a memo to share this report with somebody. Does this seem too good to you, right? That's what I'm seeing lately, from a culture perspective in the organization. And I think that proves the value of the things that we're doing to change

that behavior. It may not be a one to one, meaning, like, that you're seeing, like, clicking rates go down, because it's hard to tell depending on how difficult or easy the phishes are. But if you're seeing that kind of behavior, unfortunately, that seems more anecdotal than truly measurable, right, at that point? Correct.

But I think it's also because we're seeing it across the board where people are reporting the actual email as phish, right? Like, so we actually have set up a phishing report in our email platform, right, where people are reporting, and we are seeing those things increase, right, where people are like, hey, I got this. I don't know what to do.

What should I do? We are seeing even the executive level team is getting back to my team, to my management team, and saying, hey, I got this email. I got this text. I don't want to say anything until you guys take a look at it. Please take a look.

By the way, of the percentage that say this seems phishy, what percentage is it?

Phishy is actually pretty high. I would say if I have to put a number, I'll say seven percent is phish, either be an email or text. We actually have encountered a few [unclear] as well. So yes, a lot of them are phish.

I ask you the same question, Dan: of the people that say, hey, this seems a little phishy to me, what percentage are truly, like, phishy?

I have, yeah, I mean, there's also different types of phishes too. Sometimes people will send a [unclear] or just see if the email is a valid one. And so it's more like you're not necessarily phishing for, I mean, you're phishing to see if the email is valid and not necessarily phishing to send mail where you may be doing some [unclear] or something like that. But yeah, I'd say generally about half.

Well then that's definitely worth it, that they're reporting, if those percentages are so darn high. Well, now we are at the point of the show, Sharon, where we ask each of you which quote was your favorite

and why. I think Sam Overholt's quote about, what is that, that no fancy platform tool is going to fix everything. If you think about it, even when you buy gym equipment, you don't get fit just because you have it in your house, right? You have to work out every day to get consistent. The same thing that happens with, you know, security awareness training or any other platform that you set up in your program, right? You have to customize it, you have to spend the time, you have to think about how it fits your organization's culture, and ensure that you are applying that accordingly.

Dan, did you have one?

Kevin Walker, where he talks about defense in depth, right? You're going to penalize someone for clicking on an email, and, you know, you have no network segmentation, you have no automated technical controls in place.

That seemed pretty ridiculous. So I think email filtering, he said, I think he mentioned email filtering and the browser extension, all those tools that are kind of surrounding the user as they are doing their job. I think he hit the nail on the head with that one.

Well, that comes to our very end, and I want to thank our sponsor, that's Intezer. Intezer. Extend your security team with AI. Remember the website, Intezer, I N T E Z E R dot com, for more on exactly that.

Sharon, thank you so much for coming. I appreciate it. We unfortunately missed each other. We were at the same conference over in Florida.

I had no idea you were there. I wish I had known so we could meet in person, but I hope you had a good time. [unclear], this was a cool conference where they gave out badges that were five and a half floppies, pretty darn cool. And you have a new gig. Are you hiring at your new gig?

If you search Datavant careers and look at the IT and security section of the website, we are hiring a variety of security professionals. [unclear].

If they're looking at a move, are you hiring people remotely?

I am, yes. Datavant is a remote first company. And so that is definitely a possibility.

Well, thank you. Thank you very much to Sharon Milz, who is the CISO over at Time, and also Dan Walsh, who is the CISO over at Datavant. And thank you, audience. We greatly appreciate your contributions and for listening to Defense in Depth.

We've reached the end of Defense in Depth. Make sure to subscribe so you don't miss yet another hot topic in cybersecurity. This show thrives on your contributions.

Please write a review, leave a comment on LinkedIn or on our site, CISOseries.com, where you will also see plenty of ways to participate, including recording a question or a comment for the show. If you're interested in sponsoring the podcast, contact David Spark directly at David at CISOseries dot com. Thank you for listening to Defense in Depth.