We all know and have experienced bad security awareness training. People can learn, and should learn about being cyber aware. How do you build a security awareness training program that sticks?
Check out this post for the discussions that are the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn with our guest Lisa Kubicki (@lmk2), trust and security, training and awareness director, DocuSign.
Got feedback? Join the conversation on LinkedIn.
Huge thanks to our sponsor, Drata
[David Spark] We all know and have experienced bad security awareness training. People can learn and should learn about being cyber aware. How do you build a security awareness training program that sticks?
[Voiceover] You’re listening to Defense in Depth.
[David Spark] Welcome to Defense in Depth. My name is David Spark, I am the producer of the CISO Series. And joining me for this very episode is Geoff Belknap, also known as the CISO of
LinkedIn, but I think what you’re most proud of is being the co-host of this show. Correct, Geoff?
[Geoff Belknap] Absolutely! The number one co-host of this specific episode.
[David Spark] Of this… Exactly! Our sponsor, by the way, for this very episode, a brand-new sponsor, thrilled to have them onboard, it is Drata – put security and compliance on autopilot. Actually, for all your compliance needs and across all those different industries you’re concerned about, Drata has a great solution for that. We’ll be talking more about them later in the show. But first, Geoff –
[Geoff Belknap] David.
[David Spark] Our topic – on LinkedIn, you asked the community how they built a security awareness training program that is not dreaded; B – sticks/resonates with coworkers; and C – actually improves security outcomes. There was a combination of both what to do and what not to do advice. Everyone seems to agree that check-the-box annual “sit in a room and watch a video” training does not improve your company’s security posture. So, what did you get from everyone’s response, and I got to assume that the once-a-year training doesn’t cut it, yes?
[Geoff Belknap] Once-a-year training does not cut it, on anything. Especially sitting in a room watching a video and especially if you show the video, it took you 30 minutes, but you’re required to sit here for 45 minutes so please find something to do. These are not the things that move our security program forward. And we had a lot of great suggestions about different ways to take this. And I’ll tell you who’s going to have some great ideas –
[David Spark] It’s our guest!
[Geoff Belknap] It’s our guest.
[David Spark] Yes! Because she actually built a security awareness training program and probably had a lot of do’s and don’ts from that experience. It is the Trust and Security Training and Awareness Director for DocuSign, Lisa Kubicki. Lisa, thank you so much for joining us today.
[Lisa Kubicki] Oh, it’s my pleasure to be here, thank you for the invitation.
How do I start?
[David Spark] Jonathan Waldrop of Insight Global said, “Teach people how to protect themselves and their families online first.” That is something we have echoed many times on our other show, actually. And Dustin Barekman of Kraken Analytics said, “People often make the same mistakes in their personal lives. If you want people to care about the outcomes at your business, show people the effects of their actions in their personal lives, where they have ownership, and show them how to make improvements.” So, do you have any training, Geoff? And have you done this where you sort of start with, “Here’s how to improve your own personal cybersecurity.”
[Geoff Belknap] Absolutely. I think these are some of the best suggestions because improving cybersecurity, improving the outcomes for your business, it’s the same information you need for improving your personal outcomes in your personal cybersecurity. And teaching a lesson where it resonates really strongly with the people that are learning it, where they can apply it in their own lives, is always going to make the company more secure. There’s very rarely something you would do differently when you’re at work versus how you would do it personally, you might make slightly different risk calculus trade-offs, but you’re always going to try to do the right thing. And I think when you give a training that resonates that clearly with people, you’re always going to have a better outcome than just sort of reading the slideware.
[David Spark] And I’m going to throw this to you, Lisa, in that if you train people how to be secure at home, that is very good, and that will take you, my feeling, a certain percentage of the way, but there is also an additional percentage, because corporate information is often not something people have to worry about in their personal lives. So, where does that take us if like everyone becomes very good about their own personal security? Like how far sort of down the line does that bring us?
[Lisa Kubicki] I think it actually can take you almost the whole way.
[David Spark] Oh, really?
[Lisa Kubicki] Because if you’re developing those secure habits personally, yes, you don’t have that corporate information that you’re worried about protecting at home, but you have your health information, you have your financial information, you have things that mirror that, that are as private and as important and valuable to you personally that could drive your own family into the ground if it got lost or if it got stolen. So, it’s about building those habits so that it becomes second nature, and you don’t even think about it. When you come to work, it’s the same habit here. I just need to do it this way at work versus this way at home.
[David Spark] I want to ask you specifically about you’re building your program. How much of the teaching your personal security was part of that program? And can you give me some examples of how you went about doing it?
[Lisa Kubicki] Sure. We developed something we call our personal trust stance and have used that each year. We use it with the interns when they come in, we use it routinely throughout the year with our employees and reinforce – now’s a good time to take an inventory of your assets, your access, and the assurances you have in place for your personal stuff. Do you have MFA set up? Are you making sure you’re changing your passwords and that they’re long and unique and complicated? Are you putting controls in place so that there’s limitations on what transfers can be made from your financials? Making sure that people are thinking about that, this is how it applies personally, and it’s easier to then think about why that is also important in the office.
[David Spark] What about you? That’s a good thing, because a lot of people, like I’ll talk about cybersecurity to my lay friends, and I’ll say, “Well, do you have MFA set up for your financial accounts?” and like, “You know, I should do that,” kind of a thing.
[Geoff Belknap] Yeah.
[David Spark] So, how much of sort of preparatory do you give to your own staff of, “Hey, guys. Why don’t you go and check your personal stuff for these types of things?”
[Geoff Belknap] I think for me, we try to do that pretty regularly. I know I’ve worked at other companies where we even reminded people, “Hey, here’s some additional ways you can use the funds we give you, like for benefits. You can buy yourself a password manager, or you can buy yourself a 2FA key fob like from YubiKey or something like that.” I also regularly post things, and I abuse the likeness of my dog on my LinkedIn feed to remind people…
[David Spark] Very cute dog.
[Geoff Belknap] Thank you – to turn on 2FA, right? It’s quick, it’s free for LinkedIn. But you can turn it on for just about all of your other services, and it’s easy to do. Most people aren’t familiar with that, or they’re familiar with doing it five years ago where it was really painful. It’s getting easier. We just need to keep trying. But I always remind people being safe in your personal business makes you even safer at work.
Does it play nicely with others?
[David Spark] Anthony Leece of Syntax Security Solutions said, “One of my clients told me their marketing department fed their security team some actionable threat intel that came in faster than the usual feeds. Want to build a culture of security that is everyone’s responsibility? Invite them to see how capable your technology teams are.” And Anthony Kay of Kentik said, “Cross-team activities. Get your security folks to build relationships with other teams internally. I’ve found you can’t force training like this to improve outcomes beyond a baseline. You need to facilitate regular opportunities to learn security across disciplines.” I think the story especially from Anthony, Lisa, is like the biggest win. If another department out of security is more proactive about cybersecurity than even your security department, that’s like, “Oh, my. We have hit the jackpot here!” Yes?
[Lisa Kubicki] Yes. And then you want to amplify that, you want to celebrate that, you want to make sure everybody sees, “Hey, look! They’re doing the right thing. Hey, look what they showed us and look what they shared with us.” We work with our trust ambassadors, which is our program of champions across the enterprise, so it’s not just our technical teams, to make sure that we have additional eyes and ears and mouths across the globe talking about, watching for, and helping us recognize and spot and reinforce, “Do these right things and we’re going to know it and we’re going to reinforce that you should be recognized for it.”
[David Spark] And do you have some internal channel, like a Slack channel, where everybody says, “Hey, I saw this, I saw that”? Because I always think the alerting of something, there’s this sense that it’s always kind of secret, that it’s only me to the security department, but if it was more of a public, then others could see that, “Hey, we’re all doing these alerts.”
[Lisa Kubicki] Yes.
[David Spark] Do you have something like that?
[Lisa Kubicki] We sure do. And I know it’s controversial, even our phish drills. I am very happy to see when employees raise it on Slack to everybody else and say, “Hey! Watch out! I just got caught on this email. You’re going to want to watch out for it.” I don’t care. I don’t care that it affects the stats, because they’re doing the right thing. If it was a real malicious email that came in from the wild, I want them to tell each other, and that’s great. So, doing it even during drills – why not?
[David Spark] That is actually an extremely good point because if just one person sees it early and alerts everybody, that’s going to improve your stats and ultimately, it’s not that you’d want everyone to figure it out, you just want the ultimate final behavior to change.
[Lisa Kubicki] Exactly. For me, the drills are not a test; it is practice. And so if somebody is giving everybody else the heads up, that is the right practice to take.
[David Spark] Geoff, do you have a sort of a more public way where people sort of alert each other?
[Geoff Belknap] Yeah. We have multiple ways for people to report something suspicious going on, whether it be Slack or email or Teams or just walking down the hall and waving your hands.
[David Spark] By the way, has that happened before? Where someone said, “Hey, everyone! I just got this thing. If you get it, watch out!” That would be pretty funny.
[Geoff Belknap] Yes, I have definitely seen things like that happen. And as mortified as some engineers might be, I’m like, “This is great! Somebody’s excited.” When security is happening outside of security, I always get really excited because, boy, I’ll tell you, if my marketing team sent my information security team actionable threat intel, we would throw them a bonus or buy them drinks at the bar. That’s fantastic. We are winning beyond our wildest imaginable dreams. But I will say one of the things along this line that nobody ever talks about is if you get a little bit of budget, one of the easiest things you can do, the highest-impact ways you can spend a little bit of budget is print up some t-shirts or some stickers or some buttons that say, “I reported a phish,” or, “I saved the company,” or whatever and hand those out to people who report successful phishing attacks. Because seeing Jane or John in HR or Finance wearing their InfoSec-blazoned t-shirt because they’re very proud of the fact that they reported a phishing attack is the easiest way to sort of drum up the culture of security that not only is it fun, it’s important, and you get a little bit of a reward. Those kind of positive reinforcements go a long way. They go a lot further than 30 minutes of clickthrough training.
[David Spark] We’re going to get a little more into gamification as well, but have you done that thing where you’re sort of spreading the news through other kinds of messaging so others see that, Lisa?
[Lisa Kubicki] Yep. We have a regular recognition that lets the employee know we recognize you as something we call a Trust Exemplar. It is an email that goes all the way up to the senior leader for that person, and they get a challenge coin that has a secret message in it so that they can decipher if they want. It’s a nice, heavy, unique coin they’re not going to get any other way and are working towards a more visual identity that would go a long way on their desk, on their laptop, on their person once we’re back in the offices. So that you can really see that and feel that and who’s, “Oh. You’ve got that badge? I didn’t get that badge yet. I want that badge.” Kind of like a Girl Scout/Boy Scout kind of merit badge kind of style. Put it on your backpack, put it on your shirt, put it on the back of your desk, whatever it is.
Sponsor – Drata
[Steve Prentice] Is your organization finding it difficult to achieve and maintain compliance while scaling its security posture? Whether you’re on the ground floor of a startup or scaling to enterprise level, you know security is of the utmost importance. Having to worry about your compliance is the last thing you want to think about. That’s where Drata comes in. As G2’s highest-rated cloud security software, Drata streamlines your SOC 2, ISO 27001, PCI DSS, GDPR, and HIPAA compliance and provides 24-hour continuous control monitoring so you focus on scaling securely. Sleep easy knowing and seeing that Drata has your security handled. Drata is also the only compliance automation platform with a private tenant database so you can feel comfortable knowing that your data stays with you. Countless security professionals from companies including Notion, Fullstory, and Bamboo HR have shared how crucial it has been to have Drata as a trusted partner in the compliance process. Defense in Depth listeners get 10% off by visiting drata.com/defenseindepth.
What would a successful engagement look like?
[David Spark] Jordan Lindsay of Vivida said, “Provide a new way so the person is happy to continue learning. Allowing the employee to learn by doing rather than sitting through a five-minute video is at least a start.” And Jacqueline Keith of Cloudflare said, “Focus on increasing employee reporting metrics versus incidents caused by employees. Lots of personal anecdotes. Live training vs. computer based. Be transparent about your own incidents and fallibility blooper stories.” And Joseph Lewis of US Department of Energy said, “Competition works really well. Set metrics and track them by department then post the results.” All right. So, Geoff, I want to get into the whole thing of gamification here and also admitting to your own faults here, but let’s start with gamification. My fear with gamification is it only lasts so long. Like at certain points, people get over it and like, “I’m done.” Do you just have to be chronically creative to come up with something new?
[Geoff Belknap] I don’t think gamification has to be you’re constantly playing the game. I think that sort of endorphin rush or adrenaline you get from playing the game during the training, that’s enough, it’s okay that you’re learning. I think though learning is a continuous process, and it has to come in a bunch of different forms. It actually – I know I’m going to be a hypocrite here – but I think it’s fine to take a 30- or 45-minute clickthrough course, as long as that is not the beginning and end of all of your training. If that’s like, “Hey, I did this as my onboard as a new employee, I went through this,” but then the next evolution of training I get is maybe I’m going to write some phishes, maybe I’m going to practice detecting some, maybe I’m going to do a capture the flag event with the security team. Whatever the thing is, as long as it’s following up, and it’s building on what you learned before, it’s great. It doesn’t have to be you get points all through the fiscal year and you add them up. I think that’s where people go wrong on that.
[David Spark] Lisa, gamification, is there a lifespan for it, do you think?
[Lisa Kubicki] I think yes and no. It can get old if it doesn’t change up but you also, as Geoff said, don’t have to put all of your eggs in that basket of this exact game or this exact way in which you’re going to do it. It’s got to be a lot of different ways in which you’re engaging people and reaching out to them, and that constant reinforcement. Osterman Research is a group outside of Seattle here, and they have documented that if people spend at least 15 minutes a month looking at, engaging with, whether it’s reading or playing a game or taking training or whatever it is, a speaker, doing phish drills, 15 minutes a month, they are so much more engaged in feeling accountable to the overall security culture of their organization. And so you need to think about how am I going to get them for 15 minutes a month, what does that look like, what does that feel like. It might be posters that they see in the elevator on the way up. It might be a game, it might be a quiz, it might be a speaker, it might be the series of phish drills. One month, it’s going to go into the 45-minute training. It’s got to be all these different things so that there’s that reinforcement because what you reinforce is going to stick. And then if they have a way to practice it right away, you’re doing phish drills, it’s easy for them to do. To make those habits, it’s got to be simple. They can’t have to think about it too hard. It’s got to be obvious and right in front of them. And you keep doing those things. For some, they love the leaderboards. They can’t get enough of the points, they can’t get enough of the achievements, and they want to get the next level of whatever the status is. But for others, they could care less, and they’re not going to engage in that way.
[David Spark] And you know what? That’s a really good point in this. We also talk about this with media. Not everybody’s going to sit through a 30-, 45-minute video or read a 20-page article. People consume, get entertained in different ways, hence why we have a whole slew of different media. I want to though also get to the comment that was made about kind of failure stories about your bloopers. Do you find it valuable, and I don’t know if you’ve done this, Geoff, where you admit to, “I screwed up once,” kind of stories, do you do this?
[Geoff Belknap] Oh, yeah.
[David Spark] To show that like, “I am a human. The security team is not the infallible body and you’re all the screw-ups,” kind of a thing.
[Geoff Belknap] Yeah, absolutely. Two things – one, my personal brand as a security leader is to make sure that I’m accessible and that I’m relatable. That only comes from not pretending like I’m infallible. I make mistakes, I’ve clicked on phish emails before, it can happen to everyone. The other part of this though is it doesn’t have to be about just personal failures of mine, of which there are many. It also is about awareness. Not just training but awareness. One of the things that I like that our team does, that I’ve seen other teams do, is it’s great to do a monthly or quarterly meeting or call or readout of like, “Here’s all the incidents that we’ve had as an organization that don’t need to be secret, that don’t need to be nobody gets to hear this classified information.” You can just do a readout of like, “Hey, here’s the seven major incidents that we dealt with in the last quarter, and here’s what’s happened. A person clicked on them, and we saw this happen.” That is a fantastic way to breed awareness of what goes on in the organization, of why it matters that you’re being aware of security, but also like that, “Hey, if you click on that phishing email or you get malware installed, it is not the end of your career necessarily. This happens to regular people that still work at the organization.” And then reinforce that there is a team here to support you when that goes on. And I think that’s part of a holistic program to really reinforce the behaviors that you want people to display in your organization.
[Lisa Kubicki] And that’s where you’re going to get the culture shift, because people need to stop mistrusting security and thinking that we’re just a roadblock, that we’re just putting up barriers to what you can’t do, and instead see security as that resource to help facilitate how they’re going to get their work done day to day in a secure manner. And to be open to, “Tell us everything. Tell us something that happened. Let’s take care of it. It’s not to fire you. It’s not to go after you. It’s to make sure that we’re keeping things secure and keeping things tight.”
What aspects haven’t been considered?
[David Spark] Steve M. of Security Tinkerers said, “Poor content, poor design, poor execution, and a lack of willing participation will not be cured by gamification.” By the way, I like that comment because they talk so much about gamification and go, “If everything else is crap, a game ain’t gonna fix it.” Chris Gebhardt of Synoptek also said, “Ditch the awareness label.” I find this interesting, he said, “Adopt preparedness. Preparing someone for the attack arms them with the tools, techniques, and tactics to respond appropriately.” This takes us to another level, and it’s more of the what do you do when we get attacked kind of a thing. How far does your awareness go into preparedness, Geoff?
[Geoff Belknap] I think this is a great point, and I love… This is such a small world, I haven’t seen Chris Gebhardt in like 15 years, but here he is again providing quotes for the show that I’m on. I’m not quite as committed to ditch awareness; I think awareness is really important. But moving that into preparedness is such a great point, Chris. People need to know, “What do I do when this happens?” “Okay, I got a phishing email. I’m not sure if it’s a phishing email. What do I do? What does my team do about that email? How do we follow up? How do we engage with that?” We really have to not just be aware that phishing is out there but understand the full picture of how do we respond and contain and recover from that. I think it’s a great point.
[David Spark] That’s where a decent tabletop exercise would come in handy.
[Geoff Belknap] A decent tabletop exercise, especially for ransomware or some of these newer things that are floating around because they’re new, they’re derivatives of old things, but this is a great way to challenge people’s assumptions about how security works, how your SRE or your operations team or stakeholders in that, how your disaster recovery plan comes into play. It’s really interesting to roll those things out, let people experience them and learn from their failures of executing in a tabletop.
[David Spark] Lisa?
[Lisa Kubicki] It’s interesting. GI Joe always told us that knowing was half the battle, but they didn’t talk about what the other half the battle is, and it is being prepared. You can’t just know what it looks like and what it might smell like, you need to know what to do with it. And so yes, this is an excellent point by Chris to make, that we need to prepare them. But they do also have to know, so I don’t think we can fully ditch that awareness label. Because just because I have all the tools, if I don’t know what something is supposed to look like, and I haven’t learned how to spot it in the first place, then I don’t know what tool to use at what time, or what technique and tactic. So they have to go hand in hand.
[David Spark] Is this kind of like a digital EMT? Like if all of a sudden I said, “Oh, my God. A phish, I accidentally clicked on a phish,” or “My colleague clicked on a phish,” like how do we stop the bleeding in this? I mean, could it be seen in that light?
[Geoff Belknap] Yeah, absolutely. That’s effectively what we mean by containment. Great, we’ve got an injury, how are we going to contain that, localize it? You got a phish – how do we make sure that it doesn’t get access to my laptop? How do I make sure I contain it to that? Or how do I make sure that I know if it’s impacting anything else? I think for the incident response teams, that’s the work that they’re doing. And as much as we talk about phishing training or things like that for individual end users, you’ve got to run regular, recurrent, probably more preparedness training and actual practice and operational training for your response teams. And not just security – your IT teams, any other technology teams that are going to be involved in responding to a major incident. They’ve got to have some experience doing that that is not just waiting for the battle to start.
[Lisa Kubicki] Yeah. My only caution with the preparedness is to what extent does it reach because in my opinion, the general employee, they don’t need to know all this stuff. They don’t need to know what it is and how it happened and where it went. They just need to feel comfortable and confident that they know how to report, “Hey, something’s weird,” and who that goes to and getting it to us right away without fear of any kind of retaliation or that something bad is going to befall them. So, making sure that they just tell us and let all those teams that are supposed to clean it up or stop the bleeding can get to it as quickly as possible.
[Geoff Belknap] Yeah, the telling us part is really important. You have to positively reinforce the telling us if something’s wrong. Problems can’t be secrets and people have to know when they tell you that they did something wrong, you’re going to be there to support them.
[Lisa Kubicki] Mm-hmm. And that they just did something right.
[Geoff Belknap] Exactly.
[David Spark] Excellent, excellent advice and we are going to wrap it there.
[David Spark] But now, we come to the part of the show where I ask you – which quote was your favorite and why? And I’ll start with you, Lisa.
[Lisa Kubicki] I have to say going back to Anthony Leece from Syntax Security Solutions talking about that their marketing department fed them actionable threat intel. That would be amazing.
[David Spark] That’s unbelievable.
[Lisa Kubicki] Yeah. That would be awesome.
[David Spark] Heck yeah.
[Lisa Kubicki] Once in a while something comes in that somebody found, but to have that level of awareness and contribution from those other teams, I think that would be just phenomenal.
[David Spark] Geoff, your favorite quote and why?
[Geoff Belknap] I’m going to go with Jacqueline Keith from Cloudflare. I especially like this part, “Focus on increasing employee reporting metrics versus incidents.” This also goes on to say lots of personal anecdotes, live training is really good, especially blooper stories. I think this is really important. A lot of times we get lost, and I’ll say “we” very generally for security organizations, we think the objective of training and awareness is to reduce phishing incidents, and it’s really not. I think, to Lisa’s point, it’s to increase people reporting them. I want anyone out there to be my eyes and ears and quickly report to the information security team when a phish is out there so that we can take action. I don’t want it to exist in 4,000 mailboxes and just feel good that nobody clicked on it. I want to be able to action that, investigate it. And I think as a follow-up to that, being transparent about your own incidents and helping people understand that it’s not just looking for perfection, everybody screws up. I think both of those things just go a long way to a great training and awareness program.
[David Spark] Excellent point. Well, that brings us to the end of the show. I want to thank our sponsor, Drata. Drata, thank you so much. Remember – put security and compliance on autopilot. You can find more about them on their site, and also we have a link to them from this very episode as well. Lisa, I’ll let you have the very last word here, and the question I always ask our guests – are you or the security department at DocuSign in general hiring? My guess is yes. Don’t say anything yet. I let you have the last word. Geoff, I speak for Geoff sometimes at this point where LinkedIn is always hiring.
[Geoff Belknap] Always.
[David Spark] And if for some demented reason you would not want to work for Geoff, you can also find a job on LinkedIn. But any other last thoughts on this topic, Geoff?
[Geoff Belknap] No, I think the most important thing is to remember you’re training people to be your ally, not to teach them how dumb they are.
[David Spark] Ah. Very, very good point. Lisa, your thoughts on this topic, and is DocuSign hiring?
[Lisa Kubicki] DocuSign is definitely hiring. We have a new CISO and would love to have more members join our team and build out what we’re going to do. But to reinforce what Geoff said, it also has to be a positive experience. So don’t focus on where people did something wrong. Focus on when they did it right and amplify it and celebrate it and make sure that others can see so that they want to duplicate that same behavior. And that is how you will spread that culture across the globe, across your enterprise.
[David Spark] Awesome, awesome advice. Thank you to our audience as always. We greatly appreciate your contributions and for listening to Defense in Depth.
[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cybersecurity. This show thrives on your contributions. Please write a review. Leave a comment on LinkedIn or on our site – CISOSeries.com – where you’ll also see plenty of ways to participate including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOSeries.com. Thank you for listening to Defense in Depth.