Wisdom after Wisdom: Culture and Behavior Change in the Spotlight

“I don’t think there could be a more important time to do security awareness.”

“Security awareness has never been more critical to the overall mission of cybersecurity than now.”

Alan LeFort, General Manager of Proofpoint Security Awareness products, and Ryan Kalember, Executive Vice President of Cybersecurity Strategy, set the tone for Wisdom 2021.

Today 85% of breaches involve human error according to the 2021 Verizon DBIR, so the risk with people is clear and present. If you haven’t gotten the same interest from your leadership about security awareness, Jason Cox, CISO of Elevate Textiles, recommends, “Focus on the risk because that’s what the business understands. What will cost them the most money.”

Elevate: Security Awareness to Leadership and Stakeholders

“You cannot facilitate change without your executives and HR. You can’t even do security.” – Jason Cox

One of the common themes from all of the presenters was to get leadership and key stakeholders involved and elevate the security awareness conversation. We know security awareness means different things to different organizations, but the days of it being a once-a-year activity or an afterthought are over. Boards and C-level staff are asking more questions about awareness programs than ever.

Security awareness should never be an island, and working with executives or creating advocacy programs improves how norms are reinforced. Dr. Keri Pearlson, Director of Cybersecurity at MIT Sloan, spoke about the importance of working with others:

“When you hear it from the CEO or a marketing or finance director and not just security, you know it’s important to them and therefore more important to you.”

When you elevate security awareness, you have to frame it in positive terms that speak to the benefits for your stakeholders.

Empathy: Align Security Awareness With Your Organization’s and Individuals’ Goals

By working with other parts of the organization, you can change the perception of IT Security as the department of “no” to the department of collaboration. The theme of empathy came up many times in designing an impactful program.

“I think a lot about getting to know the learners and practicing empathy – so we design things that work for different user populations. It can’t be one-size-fits-all.” – Masha Arbisman, Behavioral Engineering Manager at Verizon Media

“Make it personal. Tell a story of someone they know. Make users understand what’s in it for them.” – Jason Cox

To understand your learners, you also have to understand your organization. Karen Letain, in outlining her vision for the future of Proofpoint Security Awareness, spoke to this:

“What are the values and beliefs that drive the organization? How do those get transferred down and impact the different groups, business units, and ultimately employees?”

Model of Cybersecurity Culture

(Reference: Huang, Keman, and Pearlson, Keri (2019). “For What Technology Can’t Fix: Building a Model of Organizational Cybersecurity Culture.” HICSS. URI: https://hdl.handle.net/10125/60074. ISBN: 978-0-9981331-2-6.)

After you have executive buy-in and a clear understanding of your organization, you have to design a memorable program. Our customers and experts had some great ideas for getting user attention.

Cookies: Think Outside the Box and be Creative

Our keynote was with Nir Eyal, an acclaimed author, professor, and entrepreneur who spoke about the science of building habits. One of the key takeaways was taking knowledge and putting it into action.

“If knowledge were the problem we’d all be millionaires and have six packs, but how many of us actually do it? Knowing is not good enough.”

He recommended making awareness programs easy: for instance, short 1-minute videos spaced a week apart rather than longer 15-minute sessions every quarter. He also talked about the idea of variable rewards to incentivize users:

“We see lotteries work as motivation in vaccine rollout as an example because the reward is variable. But rewards don’t have to be monetary. They could be rewards of the tribe or self because of mastery, consistency, and control. Rewards from peers can be highly effective.”

Our customers also had some great ideas for engaging users and being creative:

“A company in Brazil offered a cookie for reporting cybersecurity incidents. He ran out of cookies in a few hours!” – Dr. Keri Pearlson

“Positive attitudes can be just as contagious as a negative attitude. Take that momentum [from rewarding users] and build on it so people want to be a part of that.” – Jason Cox

“My biggest recommendation is to hire outside of the security space. They’re product marketers, data scientists, behavioral scientists. Stop looking for the cultural fit and start looking for the cultural add.” – Masha Arbisman

Elevating the conversation, empathizing with users, and cookies are all great. But ultimately you have to prove how this is changing your organization’s culture and your users’ behavior.

Culture: Summing Up Security Awareness in One Word

“Instead of us being the STOP here, it’s more of an engagement model with leaders coming to us saying they want to do it fast, and agile, so we’re in there when they’re building it. When you see that happening, you have hit the culture.” – Robbie Meitler, AVP & Director Global Cybersecurity at Liberty Mutual Insurance

Jeff Bezos once famously said, “Your brand is what other people say about you when you’re not in the room.” Masha Arbisman penned a similar quote at Wisdom 2021:

“The best way to measure is what people do when nobody’s looking.”

By rethinking security awareness as more than just phishing simulations or training, you can rethink how to measure impact. Consider human-driven indicators of security awareness impact, such as:

  • Are more users reporting suspicious messages?
  • Are fewer credentials being compromised?
  • Are there fewer machine remediations due to malware?
  • Are departments engaging security with their projects?
  • Are more people voluntarily participating in awareness activities?

By rethinking impact, you can rethink your entire approach to driving a culture of cybersecurity at your organization. To learn more, watch replays from Wisdom 2021 or hear other customer stories about security awareness success.