Last week’s Wombat Wisdom Conference featured three days packed with presentations and panel discussions by Wombat staff and customers, as well as keynotes, updates on our products, and opportunities for attendees to network and learn from peers. Topics ranged from analyses of the current threat landscape to upcoming product features to practical advice on getting the most from phishing assessments and security awareness training.
Incentivizing Your Security Awareness Program
There’s been plenty of debate over whether to use positive or negative reinforcement to drive participation in security awareness training — and to keep people from clicking on a phish. Customer presentations at this year’s conference addressed the effectiveness of both the carrot and the stick.
According to Joe Krock, Humana’s Cyber Training and Awareness Leader, “Recognition and rewards are the way to drive behavior and shape behavior.” His program uses positive reinforcement to drive participation in cybersecurity activities, encouraging users to earn badges, win prizes, and earn incentives through the company’s larger wellbeing program. “I really strongly encourage it,” Krock said. “Incentives have been instrumental to our ability to get people’s attention.”
Other customers don’t hesitate to escalate with repeat offenders and users who do not complete their training. Dacia Gilkey, Information Security Officer for the Georgia Technology Authority, favors moderate enforcement techniques. In her program, users who do not complete their training by the due date are notified and given another 24 hours to finish. If that doesn’t work, the employee temporarily loses email access. Gilkey said this approach gets about 95% completion with training assignments, and the rest is largely due to “good-faith” oversight. Some presenters favored even stricter measures, but most acknowledged that enforcement can be a slippery slope and that HR teams should be involved when developing a consequence model of any kind.
Understanding Your Company Culture — and Building Relationships
Again and again, presenters emphasized the importance of understanding company culture when developing a security awareness program.
Assessing company culture and context was a particular emphasis in the pre-conference workshop, “Implementing an Effective Security Awareness Training Program: Leaping Tall Buildings in Many Small Bounds.” This well-attended event featured collaborative activities that challenged participants to identify program goals, pinpoint potential obstacles, and identify key audiences (i.e., stakeholders). These activities can help with creating a mission statement that aligns security awareness with a larger company culture.
Part of understanding company culture is knowing what your security awareness program can include — and what it can’t. In the healthcare field, for example, sending phishing simulations to employees on the front lines of patient care “is very sensitive,” one presenter cautioned. While assigning security awareness training may be appropriate for a healthcare organization’s admin, IT, and other departments, the company culture may not support training for clinical teams — at least not initially. (As was noted in the workshop, something that is off the table at one point could be on the table later. And you should always be an advocate for training users who have access to critical systems and data — which includes clinical teams.)
Understanding your culture can also mean working around the challenges of a decentralized setting, like that experienced by Teresa Banks, Manager of Information Security and Compliance Programs for the University of Arizona’s Information Security Office. For her, that means giving presentations to individual departments, and showing that she respects their particular areas of research as well as the mission of the university. “There’s nothing more important on a university campus than having relationships in every department,” she said.
On one level, aligning your program with company culture helps to reduce obstacles and gain buy-in from leadership. But it also opens doors to collaboration with other groups across your organization.
As this year’s conference emphasized, the threat landscape is rapidly changing, and Wombat’s solutions are constantly evolving to help organizations keep pace with the attackers. With that said, it’s good to acknowledge that our essential outlook, goals, and commitments remain.
As Ferrara said, “Our goal has always been — whether it’s Wombat as a standalone or Wombat as a part of Proofpoint — to develop the most effective security education programs and enable you to roll out these programs easily and get the best results. That’s always been our goal, and it continues to be the goal today.”
We’ve shared the slides and videos from almost every presentation in the 2018 Wombat Wisdom Conference group in Community, and will be adding more content as it becomes available. (If you’re not already a member of this group, simply request access.)
Visit the Wombat Wisdom Community by clicking “Community” in the top right-hand corner of the Security Education Platform; the 2018 Conference group is featured on the homepage.