
Security Awareness Training is Your Best Stealth Marketing Campaign

BSides Seattle · 2026 · 27:23 · 7 views · Published 2026-04
Category: Community
Difficulty: Intro
Style: Talk
About this talk
Ralph Heim and Liz Lewis-Lee, security leaders at Washington's Department of Natural Resources, reframe security awareness training as an organizational influence tool rather than a compliance checkbox. They share practical strategies for building trust through localized, engaging training that treats employees as allies rather than threats—including live delivery, clear calls-to-action, relatable examples, and office hours support.
Original YouTube description: BSides Seattle, February 27-27, 2026, lecture. Presenter(s): Ralph Hogaboom, Liz Lewis-Lee
Transcript [en]

>> Right on. Howdy everybody. Thank you for making it this far. It is 4 pm. This entire conference has led up to this. Actually, your entire life has led up to this moment. You're in the right spot. I'm Ralph Heim. I'm with the Department of Natural Resources. I'm the chief information security officer.

>> Hi, I'm Liz Lewis-Lee. I am also with the Department of Natural Resources. I'm the CIO. And we are here today to talk to you about clickers that do not work and the magic of them not working.

>> Too far away.

>> Attack.

>> Yeah, exactly. I'm going to try turning it on and off again. And that won't work. Okay, I'll be over here. Security awareness training. We had a question from somebody who said they were confused about what security awareness training was. I did see two presentations earlier today. Do we know what security awareness training is? Like volunteers, like popcorn. Yes.

>> I'm literally asking you: what is it?

>> Training for employees.

>> Yes.

>> Yeah. Like what? Like, what's an example?

>> Not clicking a phishing email.

>> How to phish?

>> Yes.

>> Okay. Yeah, that's exactly right. Okay, we are on the same page. Cool.

>> What about compliance?

>> Well, that is... I mean, that's exactly why we do it, right?

>> Right. Check a box.

>> Right? It's to check a box. I mean, what are the reasons why we do security awareness training, right? It's because you have to, every year, basically. Like, that's the main...

>> You get an audit finding if you don't.

>> Right. Yeah. Well, or...

>> Risk reduction.

>> Right?

>> Right. That works, right? We teach them something.

>> It's sort of an afterthought to the compliance checkbox. Once we do the training, they never put their password on a sticky under their keyboard again, at least for 364 days.

>> Right? They've taken the training and they magically will never pick up a USB stick in the parking lot.

>> Never. Ever.

>> They'll never click on a phishing email.

>> Right? They will set a complex password. It won't go under their keyboard, right? Except until 364 days are over. They forget. They take the training again and boom, you have now done a shortcut to load basic cyber security defense skills in your common employees and you don't have to worry about it anymore. You've solved that problem, right? That's your control: this training. Okay. Story time. When I started at DNR four years ago...

>> No, no, no. This is my story.

>> Oh, is it?

>> Yeah. Yeah.

>> Sorry. Sorry. Take it away.

>> Hold back there. So, how well does security training work? Right. I have a friend who was going in for an all staff and she got an email the day before the all staff that said, "Hey, we're going to have Chipotle for lunch, and go ahead and click here, order your lunch." Very excited, loves Chipotle. And didn't have one in her town. So, she was very excited. She went into work the next day. Well, guess what? That was a phishing test. She failed. So, not only did she not get Chipotle, she got yelled at by security. She had to take some more training. She lost faith in her security department. And she still didn't get Chipotle. How do you think she felt about security after that?

>> Right. Right.

>> Boo.

>> But I mean, sure, you get the joy of getting in trouble for a phishing training, but you also get the joy of corporate security awareness training videos.

>> You guys have taken this training, right?

>> Yeah. I mean, they have the dorky cardboard cutout and they're super generic and they put you to sleep, and it is this combination of the worst of both worlds, really. Like, I dislike this clinical security awareness training more than almost anything else in the world. In fact, it reminds me of those 1950s posture videos, right? Like this. It's like people condescending to you without realizing it. And I think these kinds of videos are hilarious in a bad way. I think bad security awareness training is worse because it undermines trust in your team. And I mean, if an organization is funding a security team and they're producing security awareness training that wastes your time, is condescending and kind of insulting, do you want to give that team more resources? No. They're just going to make more bad training and shove it your way. Right.

>> Or they're going to give your money to the training department and security is cut out of the loop.

>> Right. Right? So, I want to change you from thinking about security awareness training as the idea that anybody's going to learn anything. Like, yes, they probably will, but forget about that as a goal. Instead, think about this in terms of marketing, and that your goal is to get influence in your organization. That's the actual outcome, right? Okay. So, now it's my story time.

>> It is.

>> Okay. So, when I started at DNR four years ago, Liz said, "Hey, I want you to do phishing awareness training. I want you to do it live and I want you to take it to all of our business units." Right? So, HR and finance and sales, but also aquatics and geology and forest practices, and give this training live. It's a bunch of different business units. So, I said, this is great, and I'm going to take a tip from the earlier security awareness training presentation, and I used emails from my actual organization, real phishing attacks that were coming into our people, in my presentation. I used the actual phish portals that were being sent to my users and I showed them screenshots of our actual security operations center tools showing these phish attacks coming in. I really grounded it in the work that those people were doing and I made it real and immediate, and the date stamps were things that had happened within the last four weeks. So it was fresh stuff. And I had goals going into that, right? I wanted people to know that we had a new security team. It was one person. And I was hoping maybe they would like me as a person and maybe they might respect the work that we're doing and the stuff we're trying to get done. I did not have a goal that they were going to pass a test that would check a box. I was completely disinterested in that. What I ended up coming away with was people reporting phishing emails and two more employees. That is huge, especially in government work, right? Where we finally got a security person and then boom, we got two more. So, we can tell you all the things you're not supposed to do, but what should you do? How do you get started? What do you do? So, there's the content. There's specific ideas. We're going to talk about all of that. So, what do you do? Put time on your calendar. If you're going to do security training, do it right. Take some time. It might take you a month. It might take you two months. It might take you three months. Don't use some pre-bought security training. Don't base it on somebody else's. Take a look at your environment, your culture. What tickets are you seeing? What issues are you seeing? How does it work for your employees? Don't use ChatGPT, because everybody knows what that looks like now. Use yourself and take some time to create the training.

>> And I want to second that. Make the training material yourself if you can. I understand you may not be able to. Maybe you have a communications department that restricts that stuff, but if at all possible, make your own material, right? And like Liz said, don't use gen AI, right? Skip around that part, because it's going to threaten your integrity, your authenticity, your sincerity. It's a little bit like going over to somebody's house for dinner and they did takeout, right? It is less relatable, again, from the earlier security awareness training talk. I really appreciated that. Thank you, by the way. You're trying to connect and relate with people. You're trying to prepare something for them. Make it yourself, right? Make your own material. This quote from Theodore Roosevelt is great. I'm not saying you have to suffer when you make your own material. You don't have to bleed to make this material, but you should be prepared to go to great lengths if you're trying to make something really great and really nice and extend that hospitality to your co-workers. You should be prepared to suffer and to put in the time and to work for it if you want to have something of value.

>> Yeah. Give the training in person. So 18 years ago or so, I was at an agency that had about 400 people and we had an audit finding because we were not giving security training on hire and annually, which is a state requirement. So I was the only person in the IT department that could write, since I have a history degree. So they said to me, "Hey, can you develop some security training and give it to people?" So, I thought about what tickets we were seeing, what questions I got, what I thought people would respond to. I thought about what they might be doing at home and how I could affect the habits they were doing at home and bringing those into work. And I put together an hour training and I gave it for 400 people. I probably gave it 12 or 15 times. It was exhausting, but I got really good engagement, which shocked me, because I did not think anybody was going to be able to stay awake for an hour of security training. And I did that for about five or six years. I got really good engagement every year. Every year I updated it. I added new things. I thought about what people were asking, what conversations I was having. About five or six years into this process, the state rolled out an online training. And I went, "Oh, thank God. I get a hundred hours of my life back every year." So I told everybody, "Sign up for the online training and take that." I got 300 requests to go back to doing it in person the next year. So connecting with folks, doing it live, giving them that opportunity was really important to those people.

>> Lastly, be yourself. I get that not everybody is an extrovert who wants to get up there and present live in front of other people. So if you're shy, bring your shyness to your training material. Put yourself in the work. If you like sports, put your sports team stuff in your training material. If you like cats, put pictures of your cat in there. You are a human being. So are your co-workers. It should be reflected in your training material.

>> I would really like the next slide to be my dogs.

>> There's not a chance in hell, I'm a cat person.

>> All right. The content. What's going on in your environment? What's your culture? What tickets are you seeing? What questions do you get? Tailor your content to your co-workers, to the things that you're seeing. And you can use stories from your workplace. Just be sure that you don't make fun of your co-workers, that you don't embarrass them, and that you don't say things that will make them feel bad. So, I told a story once in a training. We had an employee call in and say, "Hey, I left my iPad on the plane." So, we immediately looked up the device she was logged into and we wiped it. And three minutes later, she called back and said, "Uh, what did you just do?" And we said, "Well, we wiped your iPad." And she said, "No, I borrowed the iPad from the guy next to me and you just wiped his iPad." And we were like, "Oh." And so that was a lesson about: they need to understand our tools and we need to have conversations about what we're doing. And so I told that in training, because it's kind of a funny story and it illustrated a bunch of points. And she outed herself. She said, "Ah, that was me." And she talked about it. And so she didn't feel threatened. She didn't feel like I was making fun of her. And it was a good object lesson for everybody. When we're taking training to finance, we talk about finance examples. Same thing with HR, same thing with sales. When we talk to our wildfire team, we use wildfire examples or photos.

>> When we talk about aquatics...

>> Yeah.

>> We use eelgrass examples. When we talk about geology...

>> Yep, same thing. So, we reflect that business unit in the presentation material. Yes, it takes more work. Yes, it's worth it. When I'm talking about security tools, right, I will show screenshots of the actual stuff that we're seeing so that it grounds that work. It makes it more real to them, makes it more relatable. Pro tip: don't disclose sensitive financial information in your screenshots and training material. Don't disclose personally identifiable information. Don't disclose vulnerabilities. Be reasonable about this. But if people can see email addresses from people they know in your training material, that's a bonus. People are social people and they want to see each other reflected in the stuff we're doing. Next tip: always have a CTA, right? Anybody know what a CTA is? Any marketing people?

>> Call to action.

>> Yeah. Bingo. Right. Steal that technique from marketing and put it in your training material. Right. You get the spam email and it outlays the problem and then it has a giant button that says do this to sign up for our mail list or to subscribe today or whatever. If you're sending out an email or messaging about phishing awareness training, have a big shiny call to action. Use the report phish button in Outlook, or send a ticket to the help desk, or call this number. Have an incredibly clear single call to action if you're doing security training. Give people something that they can do about it. Representation matters. When possible, use material that acknowledges diversity. So, if you're putting an email address in a training slide, don't use John Smith; do use Mary Winn or Ray Chang or, you know, fill in the blank, but make sure that you are inclusive in your training materials.

>> If you're using video, and video is super fun when you start playing with that, make it way shorter than you think. There was some... I think you had said 90 minutes is the max that somebody can tolerate in a training. For me it's like 90 seconds.

>> This is a video I did where I did... Oh, it's got the audio. I don't want that.

>> Sync tool opens.

>> Shush. Jesus. That guy.

>> I want to swipe by now.

>> Yeah, I know, right? It's too long. I did this video for October cyber security awareness month and I did that TikTok thing where you cut out every time I take a breath or every time there's a pause, to make it as short as possible. It's still too long. I wish that it was shorter.

>> All right, specific ideas. So, off the top of my head, I'm going to say phishing, data categorization, passwords, freeware, removable media, tailgating, shoulder surfing. That's like 18 months of trainings right there. Look at what your tickets are. Look at what's going on in your organization. I know I've said that like three times, but I mean it. Create a training road map. So, there's some examples up here. There's an awesome one that I wrote and there is a not so awesome one that Ralph wrote. At the end, we're going to have another place where you can go download these. So, feel free to use these as examples, as a jumping off point. You'll know once you see the quality of the work which one is mine.

>> Color never hurts. Like, you don't have to pay for it. It's right there, Liz. You can use color.

>> I'm a serious business person.

>> Yeah, I see. I see. I really like this next one. Hold open office hours if you can. We did a password change in this past year where we doubled the length of the password that was required for folks. We extended the minimum password age and then we upped the complexity requirements. And as part of this process, in terms of a technical control to get more success with this project, we did open office hours for an hour every week. Same meeting link. We just sat there and hung out in a meeting. We did a tiny bit of training. But honestly, it was more like a therapy session, because when you think about it, like, we think of a password as just part of the security fabric, right? But to somebody else, this is how you start your day, with an intimate secret that only you know.

>> Your kid's name, your dad's name, right? Hopefully not. Hopefully, you are the worst.

>> Hopefully it's something that has no relation to you at all as a person. And then at some point, on an arbitrary timeline, that password gets yanked away from you and you have to come up with a new one on the spot before you can get back to doing your work, right? That's like a mini tragedy that happens, a miniature trauma. So why not hold open office hours and be there to change passwords with somebody? There's a couple of groups in the state that hold regular office hours. Fatali would know that. Yeah. It's so nice to be able to go and just hang out and talk, and often we're talking about movies or something, and I cannot underscore how valuable it is to make human connections when you're talking about cyber security and changes and training, because, like you were talking about earlier, when there's an emotional connection or a human connection, it matters. It matters more and you learn more and you do better. Okay. Second thing: making it a first class experience. So, I do October cyber security awareness month every year and I just go all out, right? I want the enthusiasm to come across to my co-workers. I start planning it about three months in advance. For every week I make word searches or crosswords. I make those short videos. I make a dedicated page. I have the themes all together. And for people that complete a crossword or word search and email it in, I enter them for a drawing for a coffee card and I call them afterwards. I say, "Hey, you've won. Do you have a local coffee shop I can buy you a coffee card for?" It's way more of a pain in the ass than just getting a Starbucks card. But that's the kind of hospitality that I'm talking about when you want to tell people that they matter and what they're doing matters and that this training matters. Then put some skin in the game and do it right and make it that first class experience for your people.

>> Yeah. Give things away. So, you know, gamification is great, and giving things like coffee cards away, but in addition to giving things like coffee cards away, we try to give things like this away in our training. So, we were doing a data categorization training, and there's a lot of places in the state where people are expected to know their data categories, and that is a really hard thing for non-IT people to wrap their heads around. So Ralph took a graphic that our geology department created, and so it's personalized to our agency, and then we put examples from actual work that we do in the agency, and then we also put the RCWs in there so that people could go out and read the entirety of why that is category 2 or category 3. That is something they could take home from the training with them. And now when they need to fill out a form for us that requires the data categorization, or if they're doing a data sharing agreement, or all of these things that they need to know the data categories on, they have a reference sheet that is personalized to their work.

>> And I know two people who set this as their desktop background.

>> It doesn't count if you're one of them.

>> It was not me. It's super dorky and I am so proud of those people. So yeah, key takeaways: as you're doing your security awareness training, think in terms of marketing, not in terms of memorization and, you know, that checkbox part.

>> Build for influence, not memorization. This is about creating relationships. This is about gaining trust. Security training doesn't teach people security. It teaches them to trust your security department.

>> Yeah. I mean, the ultimate goal is culture change, and making your brand, like who you are, your security team, something that people think about, that they relate to, and they ultimately think: where does this fit in my work life and my professional life? Who are these people? Where do they belong in this infrastructure? I think that's the ultimate goal in terms of this culture change. So I would really, really appreciate it if you'd hit the QR code on the right to rate this talk. I know that it's an extra step from last year.

>> Malware, so they told us. Five stars, A++, eBayer, would do business with again. Whatever you want to write in there would be great. Thank you.

>> And then the other side, it has the slides, it has the handouts, and it has our LinkedIn profile.

>> This is my really good template and Liz's kind of crappy...

>> So template and my awesome template. Yeah.

>> Yeah.

>> Yeah.

>> And I think we have time for questions.

>> Yes.

>> Let me give you this.

>> Two comments and a question. First of all, great shirt. Fits in with what you do for a living and the agency you serve. My partner made this, a clothing designer.

>> Excellent. Yeah. The comment is: you mentioned about scolding by the security department. You don't shame a victim. I've been in a position where I could have, and in fact the victim in this case was very surprised I didn't. We used it as a motivation to get a subsidiary trained, when you had the CEO laughing in the back room, because fake mics on the screen and real mics in the back room laughing. That's a good thing. The question is, you have one big advantage. You are state of Washington employees. You're probably based in Olympia. The furthest you have to drive to reach any of your other employees, unless some of them are in the other Washington doing God knows what, is probably 300 miles. What if in person is not practical, because we're talking 80 different countries?

>> And that is a valid question. I would still try to do live training if you can, because I think even if you're on Teams or Zoom, there's something to be said for live training. And in the past I've always made a video of my training, because somebody's sick or on maternity leave or blah blah blah, but I try to get 90% of the people live if I can. And I went from a 400 person agency to a 2500 person agency. So, it is much harder. But like Ralph said with the phishing, we took three months and maybe we don't hit everybody, but we hit as many people as we can.

>> And do a road show. You spend a day in Spokane or whatever.

>> Exactly. We've traveled to Forks to do training, things like that. Yeah.

>> Number two.

>> So I just wanted to share a little bit of my own personal experience with gamification. Your users love it. It is the best thing ever. They think it is fabulous. They will fail that test so that they can play the game. So, if you're going to do gamification, just keep that in mind when you're planning out what you're going to do.

>> I love the idea of a test, like intentional failing as a reward. That's great.

>> All right, Dave, you're up.

>> Thank you. Quick response to the 80 different countries. If you're working at a company that large, you have product people and marketing people who are experts in localization. Meet them. Have them help you.

>> Um...

>> I have a response to that.

>> And you've got 20 seconds, because there were two hands back there.

>> So, the response is, if you were that large of a company, you'd probably have security officers in a bunch of those areas, and you have them give the training in person if possible, and in language.

>> Love that you guys brought up office hours. I do office hours with my community trainings and I advocate for doing office hours in my job job. However, I was just complaining about this with somebody outside after my talk, about how sometimes when I run office hours, people come in and they're just like, "Yeah, fill me with the knowledge." They don't understand what it's for. They don't understand the value of what they could be using that time for. They don't know where to start. It's just a completely foreign concept for them. So, I'd love to hear from you: how do you frame your office hours so that people actually get something valuable out of them and you don't run into that?

>> Yeah, I can take it. So this most recent office hours was really around, we called it the password modernization project, and then it was about multifactor authentication. And so we had a brief... one of our engineers had prepared like a seven slide training, basically talking about some of those concepts, and she was prepared to give that, but people would show up and it was mostly people that were struggling with multifactor authentication. And so by having it be about password modernization and having people show up with a slideshow, we kept it on topic and it was pretty focused. We have not yet opened up a broad sort of "whatever ills, you come and talk to us."

>> So there's a theme.

>> It's themed. Yes, it's focused.

>> Almost all of our training is very themed. We try to do one thing at a time so that we don't exhaust our people with too much.

>> A few years ago, flight safety videos started getting really goofy and funny to keep people paying attention to it. A lot of companies, Microsoft included, have started to follow the trend of making goofy security training videos. You made a point about wanting to use your security awareness training...

>> To gain respect.

>> From your employees. What are your thoughts on turning security training into something silly?

>> I have thoughts about that. So...

>> So there is an online training that all our employees actually have to take. And we don't have a choice about that, and it's got vampires and Frankenstein. I don't know. It's cute.

>> I don't think they retain anything from it. The trainings that we give, while we like to use humor when we talk about things, we also want to really focus on... we try to do one topic at a time. Like I said, we do a data categorization training or a phishing training. And so we're really trying to build a relationship and impart some knowledge. I'm more interested in the relationship than the knowledge, to be honest. Because if there's trust, they'll come to us when they have questions. So I don't want it to just be goofy. I want there to be respect and trust built.

>> And I would add on to that a little bit and say, yes, silliness lends some approachability and keeps people engaged, but so does a really short training, like no longer than it absolutely has to be. And then a little bit of discomfort goes a long way too, right? When we talk about phishing and we talk about expected losses from BEC or whatever it is, like, yeah, I'm not going to sugarcoat it. I'm not going to make this super easy. There are unpleasant things that happen and I'm just going to talk squarely about that. I think discomfort is part of the learning process, actually. Like, being uncomfortable is part of learning.

>> Yeah. Are we totally out of time?

>> Okay, we can do two. Let's go fast.

>> Really fast. Oh, two mics. Oh my god.

>> Yeah, you got to double it.

>> Have you considered playing around with the idea of security champions? So, when you catch someone doing good and socializing that out, or even choosing someone who is a good role model for that type of work.

>> You know, I've heard the term. I haven't worked at a place that implemented that very well. There was a major software project where we had concepts of champions and it just sucked.

>> But I like the idea. I haven't played with it.

>> We got one more.

>> I think it's back to you.

>> Well, I just wanted to emphasize a point that you made, Liz. I think you can get great traction with your colleagues if you find ways to connect the training to threats in their personal and their family life. That is an incredible way to get people engaged. If they feel like you're helping them in their personal life, then they're much more likely to be engaged in helping the business as well.

>> If they have good security habits at home, they'll bring them to work. Yeah.

>> Thank you everybody. Thank you so much.

>> Thank you.