Like every other month, we had our thought leadership webinar. This time, we welcomed Walmart’s Chief Security Architect and best-selling author Ira Winkler. The topic “The Hidden Cost of Security Awareness” was lifted from his latest book, “Security Awareness for Dummies.”
The webinar focused on investments that organizations make in Security Awareness programs that significantly impact bottom lines but are rarely considered by CISOs. But that was not all we talked about during our session. Here are some of the highlights.
Social Engineering vs. Security Awareness
From the beginning, Ira tried to assess why some Security Awareness training initiatives did not yield the expected results. In some cases, he observed that organizations performed worse after a training session.
For him, the main difference is in the approach.
“There’s a different philosophy. Social engineering deals one-on-one with a person. Security Awareness deals with how we influence a large group of people for more secure behaviors.”
Security Awareness is Part of Everyone’s Job Description
Ira addresses the need to incorporate Security Awareness as an employee responsibility rather than an optional employee trait. For him, secure behaviors are not negotiable. While the organization has to offer the resources to properly guide the workforce and teach good behaviors, the employees must ultimately incorporate these behaviors as part of their job.
“Frankly, we need to acknowledge that good security behaviors are not something we should beg users to do but part of an employee’s responsibilities from day one.”
Security Awareness Pros Shouldn’t be Marketers
Ira also brought up the importance of enforcing the desired behaviors in the organization. For him, Security Awareness doesn’t stop at communicating. It is not about firing employees, but the expected behaviors must be enforced before they become part of work routines.
“I’m not saying fire people, but enforcement means this is part of your security-related job. I think most security awareness professionals just really have to change their perception of what their job is. Their job is not marketing.”
As a consequence of good enforcement, Security Awareness professionals must ensure that behavior is conditioned by implementing security measures around the users. As he said, “You could tell people what a good password should be. Why aren’t good passwords embedded within computer policies to ensure these systems enforce a good password?”
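As an added illustration of the point about embedding the rule in the system rather than relying on a reminder to users, the Python below enforces a password policy in the registration path itself, so a user cannot opt out of it. This is example code written for this post, not code from the webinar, the book, or any product; the denylist is a constructed sample, and a real deployment would load a full breached-password list.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed denylist for this example only. A real deployment loads a large
# breached-password corpus and checks candidates against it.
COMMON_PASSWORDS = frozenset({
    "password", "password1", "123456", "12345678", "qwerty", "letmein", "welcome1",
})


@dataclass(frozen=True)
class PasswordPolicy:
    """The rule the system enforces, so it no longer depends on the user remembering it."""
    min_length: int = 12
    max_length: int = 128   # allow long passphrases, but bound the input size
    min_distinct: int = 4   # rejects "aaaaaaaaaaaa" without imposing character-class rules
    denylist: frozenset[str] = COMMON_PASSWORDS

    def violations(self, password: str, username: str = "") -> list[str]:
        """Return every rule the candidate breaks; an empty list means it is acceptable."""
        problems: list[str] = []
        if len(password) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        if len(password) > self.max_length:
            problems.append(f"longer than {self.max_length} characters")
        if password.lower() in self.denylist:
            problems.append("appears on the common-password denylist")
        if username and username.lower() in password.lower():
            problems.append("contains the username")
        if len(set(password)) < self.min_distinct:
            problems.append(f"uses fewer than {self.min_distinct} distinct characters")
        return problems

    def is_acceptable(self, password: str, username: str = "") -> bool:
        return not self.violations(password, username)


DEFAULT_POLICY = PasswordPolicy()


def register(username: str, password: str,
             policy: PasswordPolicy = DEFAULT_POLICY) -> dict[str, bytes]:
    """Create a credential record, refusing any password the policy rejects.

    The check lives in the registration path itself, so it holds for every user.
    The password is stored as a salted scrypt hash, never in clear text.
    """
    problems = policy.violations(password, username)
    if problems:
        raise ValueError("password rejected: " + "; ".join(problems))
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2**14, r=8, p=1)
    return {"salt": salt, "hash": digest}


def verify(record: dict[str, bytes], password: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=record["salt"],
                               n=2**14, r=8, p=1)
    return hmac.compare_digest(candidate, record["hash"])


if __name__ == "__main__":
    for candidate in ("Password1", "aaaaaaaaaaaa", "correct horse battery staple"):
        print(f"{candidate!r}: {DEFAULT_POLICY.violations(candidate) or 'accepted'}")
```

The policy favors length and a denylist over character-class rules, so it rejects the passwords that actually get guessed while still admitting long passphrases; because `register` calls the check unconditionally, the rule is a property of the system rather than of the training the user sat through.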
Should Airline Pilots Use Flight Training Hours to Take Security Awareness Training?
Going into the webinar topic, Ira talked about employees devoting productive hours or even training hours to Security Awareness training and how these impact the overall organizational results.
Although no one disputes the importance of Cyber Awareness, how these hours are spent matters a great deal, mainly depending on how critical the job of the person taking the training is. He said, “you’re going to take time away from a pilot making sure he’s a better pilot, so make sure you consider how much you’re costing the company but also think if doing it the right way.”
The Metrics, Tangible and Intangible
Metrics were also a part of the conversation. Ira mentioned that some professionals are incorrectly measuring their Security Awareness programs, using factors that ultimately do not support behavior change.
“Many awareness programs are driven by touting their likability and engagement. I hate to say this, but you know people say ‘we love your materials,’ and for the most part, they’re saying, ‘I like doing that instead of my job.’ Is that valuable?”
One of the most interesting categories Ira covered during the conversation is intangible metrics. These are directly related to the satisfaction users feel, which drives good behavior and makes them inclined to support Security Awareness across the organization.
Live Demo: Automate Your Cyber Awareness Program
Watch our next live demo on August 18 (Asia-Pacific) and 23 (USA) and get access to our special offer for Cyber Awareness Month!