
okay let's get this party started thank you very much everyone for joining me in this session how to build a culture of cyber security awareness i'm very very excited to be here with you um this is my first time at b-sides and i'm actually uh based out of vancouver um and it was a real privilege for a company like ours dedicated more to security awareness-based not technically speaking security uh in the technical sense of the word uh to be part of this and so very flattered and appreciative of the organizers i know everyone has done a ton of work to get this going live and honestly this saved me a trip to uh the cold calgary weather so i'm i'm
happy with that but yeah i know out of the joke it's uh it's really great to be here and i'm gonna be uh covering today a few things that i hope are going to be useful for you if you're intending to create a security awareness program for your organization establish some form of a program and we um our company has done a lot of work with organizations in edmonton in calgary in vancouver and some in even out east so all the things that you'll see here are things that we learn from our customers and in fact maybe one or two are in the audience today so you'll maybe recognize some of these things so at the end of the session we'll i'm
going to open uh or let everyone ask questions you can open the mic if you like or or just type away but more than welcome to hear your thoughts questions you know uh even if you have ideas of things that would work for you that you would like to share as well all right with without further ado i'm just going to do a quick introduction uh and let me just bear with me because it's the first time doing this for me um myself just a little bit about myself i'm uh i'm uh the ceo of change champions consulting we're his boutique firm out of vancouver we specialize in change management consulting and education and we have done great work with some of
the leading organizations in the world and in canada in particular uh we work with some of the largest companies even though our small company but uh have the privilege to work with some amazing clients um i am a psychologist in training and i have an executive uh coach background and a bsc in uh in psychology i did my my bachelor's in argentina and then i came to canada for my master's in psychology and and my whole uh research in psychology has been in organizational behavior so i um a lot of the things that i'm going to be talking about are informed from that um from that experience and of course i have a lot of consulting experience as
well i used to work with deloitte and accenture i have a pro site certification if you heard of prosci it's a change management certification very common out there all is to say that i know some things about change management and then i learned some things from my clients about security so i hope to bring some of that examples from security as well for you and our company is really uh like i said a small company dedicated to really helping our customers with their security awareness efforts the way i would summarize it is if you need to build a program and you don't feel like doing it yourself and feel like onboarding it to someone that has the
experience to do it in it and they could do it really quick and and well uh that's us and this is not to say you can't do yourself because you can um but if you um you know are like other organizations this is our bread and butter we've created a lot of programs and we can ramp up and get going very quickly and we have actually been quite successful with some of our programs the one of our clients uh or a couple of our clients received awards for them featured in uh and articles in the media and so on so uh it's it's been really great um in terms of the goals for this presentation we're going to be talking
about the roi of the security awareness program i think most of us probably know uh why is it important why it is important but just to refresh your minds and maybe talk a little bit about why uh or how you could present this to your executive museum then um i'm gonna talk a little bit about why people should be at the center of the security i want to spawn and i'll make this more explicit as we go but what i've seen out there is a tendency for making the center of security programs more the topics that we want to cover like say password security or phishing or but not necessarily knowing so much about what users care
and what they are what they're looking to learn right and as a result i see programs that even though have the best intentions they end up being a bit let's say disengaging for users so they'll see the phishing thing once in a while and they recognize that but for the for the rest they don't really see the value of uh what the you know the tips and tricks the securities sending so i'll share with you some ideas how you can remediate that if you like and again we can make this a conversation at the end and then finally throughout this whole presentation we're showing best practices and ideas to drive more engagement so this is really the the media event all
right let's get going with then why a security awareness uh program i think again everyone probably is aware of this but just i think it doesn't hurt to remind ourselves that uh there's three core reasons at least we see coming up over and over again in our clients and one of them is and i love this quote from sans in fact is people are not the weakest link they are the primary attack vector right so hackers know that they use people on their behalf to do the things that they need to do and that's why it's so important to educate your users now there's a real shift in the paradigm when we say that people can be the strongest asset
this is something that i'm going to touch on in the next couple slides is we think of security awareness efforts that that we believe that there are better efforts if we uh give it a positive slant so rather than thinking that people are something that we need to fix and it's more about how do we equip people to make the right decisions that's what we really believe in and we craft our programs to do that the other great reason to invest in a security program plain and simple is is much more cost effective to have to go and fix average right and so we probably all know this dad but globally the average cost of a
breach is about 3.8 million dollars according to pontim and study and um not to speak about the reputational um you know impacts of of these breaches we all know that a lot of our organizations have been in the media that we know about and if not in the media we'll hear from someone else and what that does to your your organization's reputation is just mind-blowing so when an executive is doubting as to whether they want to invest in this it's very important to educate them on the uh on the research and what they uh this research tells us about you know the cost avoidance of having a security awareness program and then three and this is a very common
um fortunately or unfortunately reason why organizations have a security awareness program is because they simply just need them because of you know compliance purposes and and i say you know fortunately or unfortunately because i obviously not a big proponent of programs that are just trying to be a check of the box solution but in in some cases that's you know it's a big driver and that just frees up the budget to invest in the security awareness program so that's uh those are the three reasons why we uh normally see organizations investing and now i love this quote from mitnick uh kevin minnick the most world's most famous hacker he says you know we maintain a hundred
percent success track record uh being able to penetrate and organizations uh using a combination of technical exploits and social engineering i think this i don't know what i believe kevin midnight frankly but i i do think this is kind of uh reflective of what i was saying earlier a lot of the uh mindset in the security world and um if you're like that if you're welcome to disagree with me but i see a lot of uh it security teams investing thousands and thousands of dollars in technology uh to prevent uh you know these uh these hackers from doing what they're doing but then a huge hesitancy on investing dollars in educating users um however what we know is that um
neither our systems nor our people are bulletproof right so we need to work on everyone to get um basically everyone to be um you know strong assets for for uh secure for our security posture and there's three misconceptions and i took this light from sans so i want to acknowledge that but i really think this capture is something that i see over and over again and that you may have encountered as well if you're trying to establish your program internally and that is that executives will say or some people you know the the ones that are a little bit more uh perhaps uh apprehensive about having a program and or investing money in this they'll say well awareness for once
really don't work they just don't really do much or they they'll say you know why should we invest in this if people are still gonna click and in fact we see in our phishing uh campaigns that it's never a zero click right right there's always someone clicking um and the answer to that in our opinion is one well security awareness programs do work if you do them well right if you uh if you're doing a one-off thing where you do a cvt like uh you know e-learning and you expect that to make a difference well you know it's it's just uh unfortunately it doesn't work that way it will explain why it doesn't work that way um
and then to the argument about uh awareness programs being a failure because somebody will always click well this that's true but it's also true that uh if you have a spam filtering um you know technology it'll let spam in right or it'll perhaps uh hackers will find a way to get around that um or if you have a firewall it will sometimes let some things in so the reality here is uh nothing is bulletproof and these are all controls that we're putting in place to help uh reduce the risk of breaches and then to the point around awareness is just about human prevention what i love about this is that it's not just about um you know
being able to um reduce risk but it's also about equipping our employees our organizations to be able to report things that may be suspicious and i'll give you an example of this we we when we started to really gain traction on the security awareness front of one of our customers the hr team of all the teams sent out a survey with a weird sort of looking format uh it was an external provider i think that had given the survey and people just called out uh the the email as if it was a fish and they basically um you know rejected it so great indication in my opinion that people are learning right and you may you must have seen
this if you're doing your phishing campaigns people quickly react to these things because they are now well trained and they know what to look for all right so um to move on to now so we have the you know i think we all get the point of security awareness is important there's probably no doubt in our heads i hope anyone here um now i see two approaches to this uh issue of security awareness out there and this obviously there's there's uh you know middle grounds here but um just to contrast them and explain the differences the more traditional approach typically these employees is the weakest link link and um and i t driven efforts usually um looking to intimidate the
user because the user is someone that needs to be essentially educated and they're you know and i i don't i don't want to offend anyone but sometimes this thing of like you know users are are not educated enough or they're silly they don't know what they're doing um that that mindset um is very much linked to that compliance-based um approach which is uh the one-off thing right like well you know what um there's no point with these users so well and we do just do an e-learning and uh and get them to sign off on that at the beginning of the year and that's our security awareness you know efforts well what we know from the research is
that that doesn't work because and i'll explain this in the next slides but um essentially um people don't change from one day to another particularly in in on uh they need ongoing efforts so we like to recommend a more effective approach from our experience and that is the what we call a user-focused approach so it really will revolve around around the user and it's about uh thinking of people as attack vectors as i was saying earlier um engaging in a more meaningful way with users so that they can see the value of security and there's some really great things you guys do right like there's some really thin great things that i think it's worth for
you guys to promote to users and make them understand right i'm thinking simple things like mfa you know i think a lot of people think of that as an annoyance but if we were to explain that well you know maybe we can encourage them to use that at home as well so this type of approach really drives a meaningful understanding of security and as a result of that also adoption of security best practices the other thing that is different about this approach is that it's not just a id driven effort and i know this is not easy by the way um but it's it's really a business driven effort and i'll share some ideas of how you can invite the business to be
part of this security awareness efforts and as i was saying it's not a one-off thing is an ongoing effort right and we know by research that only things that are permanent feel like they're actually making a difference in organizations so it needs to be ongoing now why does it need to be ongoing well this is a little bit of science behind the way people change in organizations and you may be familiar with this methodology is called uh ad car it's a framework a very common framework in change management and what it basically stands for is adcar stands for awareness desire knowledge ability and reinforcement when somebody in the organization needs to go from the current way of doing things let's
say i just go throughout my day without thinking about security all the way to being an expert or at least being a uh being well equipped and security awareness they go through a serious stages right they first need to understand why these could be risks then and that's probably the hardest step they need to be motivated to make a change right and this is where i believe most security programs fall short is they yeah they create awareness security awareness right but they don't really invite the user to be part of the story they don't really um do a good job at um let's say uh making the user really be engaged now once the user is engaged then we
want them to have all the right information to make the right choices and then we want them to try things out right in the new way of doing things and it's not just enough with that we need to keep reinforcing those behaviors that's why i was saying it's so important to continue to do work with our users because it doesn't work by just sending them an email or doing a kickoff to a security awareness you know in a let's say virtual town hall it's just not enough we need to continue to reinforce uh and and really keep this in mind right like a communication will tackle awareness but it won't tackle the desire right i
will be informed that the program is in place or i'll be in the know that there's a security uh phishing campaign going on but it doesn't mean that i'm and it bought into that right so we need to work on that desire and see how we can get people to to buy in and then once we have them uh work with them to understand our policies and then maybe even go one step further and um and see whether they're following those policies right a good example is when we do these phishing campaigns that's a great way to know whether in the ability front people are following through with what we already told them up front so change as
a process is not a one-off thing and that's why we need to continue doing these things the other thing that i find super interesting if you ever done any research on positive psychology in my previous life i did some counseling and it was interesting when you asked someone uh you know uh somebody that came with a problem you you asked them you know uh there's a question in positive psychology called the miracle question and you would say to them um imagine that you went to sleep and a miracle happened overnight and you woke up and the problem that you're describing to me is gone what would you be doing as a result of that right that question immediately focuses
the person on the uh on the on a situation where the problem is not there so rather than focusing on what's not working we're focusing on where uh there's a space where things are working and why i bring this example is because rather than focusing on fixing a user let's focus on what works uh and what we can do to help them so maybe there are people that are doing great things out there and we want to showcase that or we want to um have a contest of swords that promotes the right behaviors right somebody went away and took what we uh promoted and they did a safety learning with another group so how do we
focus on what's working rather than on what's not and how do we amplify what works as opposed to trying to remediate what's not working that's the challenge here with positive psychology and this again is our point of view is how we believe these programs are going to be more effective if we focus on what it's engaging and meaningful to the user and then the last thing here is uh the inherent motivation we need to tap on people's inherent motivation right we know that again the research says if people are inherently motivated they're more likely to continue with their behaviors so how do we tap on that desire that i was referring to earlier that's the key now that's not to say
that you shouldn't have the stick approach as well right some people are very difficult to influence and they will continue to um not want to be moved from what they're doing and they'll continue to click on that link or whatever we're doing so in that case maybe there is a follow-up that we can uh do with their managers uh to you know show that there's a real serious commitment to security here um so a good mix of curtain stick is usually the best approach that you can have all right now um off to the best practices and again these are things that we've gathered over time i love to hear your thoughts on these and
uh hopefully they're useful to you a few things that we've learned one is we need to um we need to start by identifying what our organization knows our organizational priorities i find a lot of the times when you ask it security you know why are you doing this well we have a lot of clicks or well because you know people are using the wrong passwords that's all great uh but how is that tied to your organizational goals you know the big statements that organizations make and why it's so important to do that is because you can then develop a vision in a um you know a a program that is really aligned with what your leaders want to hear
right so what could be an organizational goal well perhaps it is being a reputable organization in our industry or uh to um you know generate more profits or allow our people to work more remote remotely in the time in times of covet right so how do we tie that program to that overwriting goal and then once we have that is how do we measure that so the the how do we make the link between that goal and what we need to do in the security awareness program um and this could be going back to those examples this could be for instance reducing click rates on simulated phishing attacks or um empowering our people to share files more securely right so there
are ways in which we can measure that we're actually achieving those goals and then finally is what are the behaviors that we need to influence and this is going to tell you exactly what you need to then measure right so the behavior may be effectively click rates or it could be attendance to training or it could be file share via onedrive so depending on what that metric was then you will know which behaviors you need to you need to measure so the first step then is to align your program to your organizational goals define your metrics and those behaviors and the associated with that is documenting those metrics right we want to be able to tell
our executives uh what what is the difference we're making right and this is not just um you know it's not just psychology it's actually something that we can measure effectively right so we can perhaps have a similar plan we actually use a plan like this in our own engagements where we say okay this is the goal the organization has there's going to be an owner for that in there's going to be a measure associated with it there's going to be a data source where we can gather this information namely phishing uh results it could be compliance training reports could be a survey that we issued if we're talking about let's say working remotely there may be some office 365 reports if
you're using microsoft technology that you can pull from to inform the uh the changes that you're making and then of course there's a kpi associated with that and a goal that you may want to establish such as and the example of working uh securely from anywhere in any device could be we have been able to reduce shadow applications so we're working with you know our partners in the productivity space to help us do that and that's a combined effort now to make our employees more more secure so these are some ideas of what you can gather then to make your program very tangible and again be able to sell this to your executives so that
they feel like there's an actual uh moving the needle here the other thing that we always recommend is having a plan um and this is our you know our ip here you you're welcome to copy some of this um what we say oftentimes is there's a period where we need to align and plan execute the work and then we're gonna start scaling and iterating on the program and this is the last step is where we actually um will make the program a bit more operational now so just to go through it uh really quickly i want to share with you so we start off with goals and success criteria so as i mentioned earlier we have those
conversations with leadership and internally we oftentimes assemble an interdisciplinary team so the team may include so we have for instance meetings with hr or perhaps communications or you may have a training team or you may have a legal team or risk and compliance team that are interested in being part of this so you'll know which groups you need to assemble to create a program that is meaningful usually i find a lot of communication teams help out and maybe training or change management teams if you don't have those people to help you you can definitely source that out externally as well and then identify key groups that require training and i'll talk to this in a few slides but essentially you know
what are the needs of those specific personas in the organization and start planning the training and the awareness activities associated with those and then the other thing that oftentimes gets missed is integrating your security awareness plan with your technology or uh security plans right so if you're planning on rolling out let's say self-serve password reset perhaps there is a great that is a great uh moment to be talking about passwords and password security and ways to make your life easier by using self surpass or reset or if you're talking about you know um let's say uh fishing and or or you have done something that has to do with let's say uh spam filtering maybe it's a good time to
talk to fishing so the point here is integrate plans so that your efforts are a bit more intentional i just don't feel like scheduling passwords on a given month because we just i can is a great way of doing it it's better if there's an intentional effort associated with something that is happening in the technology world and then once you have that uh you will be able to prepare a roadmap that is going to have really a schedule of activities associated with whatever you're going to do so you may have fishing campaigns you may have your tips and tricks you may have your posters and whatnot and uh that will give you then the pathway
for the following year and we usually do this over six months at a time and we come back and look and review what we planned for those six months in uh in six months time now in the execution we usually have some champions i'm not a huge fan of you know over overloading people with more work but it's good to have some people at least that you can reach out to so that they can disseminate your content and usually you know there's some people that are excellent for this like executive assistants or office managers or there's um you know just people are keen about security period they just love the subject and they want to help so it's how we mine
that and um and leverage the right people and then we oftentimes like to measure a baseline because then we can take that baseline and compare it six months down the road to our uh efforts um at the end and the baseline could be a simple survey through your phishing platform it could be maybe a qualitative server that you put together it could be something that maybe your organization is already doing from an hr perspective maybe there was a question that you could include in that hr um you know a survey that goes out every year and that just gives you another point of data to back up your efforts host coast coaching sessions awareness training
phishing campaigns training uh you know sorts those are always great things the only difference from what i see out there that it's not as much as i like it just to see is i don't see a lot of security teams uh really sitting down with a group of users and asking them questions what are your security uh concerns where should you store your data um do you work remotely and if so how do you access the data what's you know what's bothersome about that those group sessions i'll talk about this a little bit more when we talk about training that's super important because it'll give you the chance to um get a feel for what people need in
the organization and then you can target the training to that and then finally set up a a repository of content so what we see is that um a lot of security teams don't have a site in the share in your intranet or in sharepoint or whatever that is and as a result all the knowledge that you sent users is lost and so there's no place for them to come back to so what we normally do is we work with uh the organization and we we look at whether there's an intranet side or maybe even better productivity side of swords where we could uh essentially put the security message and keep adding things that are gonna be there for people over time for
onboarding like you know security policies or um best practice tips or maybe some things people need to do in the first three months of work so again having a support site is super useful and then towards the scaling what we do is we try to document our process we definitely measure the the the work that we're doing and as i said we once we have documented we'll know you know how to run an effective say webinar or how to run an effective phishing campaign we'll document that and we'll make our program more operational eventually your program can be off-boarded to a group inside the organization maybe your security phishing efforts could be imported to your security operations team maybe
they could be afforded to you know your your communications team can help with some things the point here is that your program can become operational and uh and that's just uh you know the evolution of things um and that's what we normally see as well now the other tip i want to give you is all over the research for any change management effort and a security awareness effort is no different than any other one leader support is key and so you see here uh this is pro sorry um uh sense uh data where they show that in order to move uh from a non-existent to a compliance-focused program to a promote a program that promotes
awareness and behavior and long-term change you'll see the green uh mark there the green marks are really the support from leadership so the single most important thing that you can have to make your program drive the needle is to have support from the leadership and we know that this is not easy so maybe there's you know leaders are busy and they don't have time for this but just so you know and this is something that maybe you can you can educate your leaders on uh this is just the single most important thing you can do and i just did a quick uh research on my change management data and what's funny is that when you look at processed data
and pros again there's a lot of research in change management in organizations the same exact um trend is shown here uh for every program that is a change program of sorts sponsorship is essentially correlated to meeting project objectives so the more in essence the more effective your sponsor of being visible and active the more likely uh you're going to be to be successful so maybe this is not the ceo maybe this is not your cso only maybe this is uh someone in the risky compliance group or the legal team or someone in hr that's passionate about this topic you will need to find the right fit for you but this is the this is what the data is
telling us the other thing i always recommend is not to do the program by yourself and it goes back to the point that i just made is build strategic partnerships some groups that we always see important that you include in this are your legal team your risk team you may want to work with your hr team they have a lot of influence in the organization and they know what vehicles work better for what groups so maybe is hosting a session for them showing what the art of the possible is in terms of what the security learnings you can give them could be in asking them how can they essentially reach to other groups right trying to
lean on other partners in the organization to make your program more successful and something that we've learned working with one of our customers is that you can also leverage your organizational core values to um to drive that security message and that is if for instance if one of our customers is like that uh they really deeply care about safety and we call the security awareness program digital safety and so we're really trying to um going back to that earlier slide you know trying to tie the program to a core value in the organization and then uh make it more relevant for everyone that is that is that is participating all right now this part i'm really
excited about uh i think this is where um a lot of programs fail and i want to tell you what i think about uh about this as you may have seen a lot of programs are if you're doing your program maybe in this situation is you're doing a one-size-fits-all approach right where you know you schedule say security uh awareness month one month you may put passwords in another month and you may have phishing and maybe mobile security on a different month it's great it does create awareness it's a good step towards you know um effective and really cultural change but it's just not enough because the reality is it's hard for the user to see the
connection between social engineering and what i do on a day-to-day basis or password strength and what my problems are way more complicated than that right i have three systems because i don't have ssos enabled and then i have three passwords so are you telling me that i'm gonna be you know uh now having to put a more complicated password that's just crazy right so i think we need to be mindful of this and we need to determine how can we bring people up to speed with our security knowledge without uh without sounding like um you know or without with with helping them understand the connections right so a couple of tips that i want to give you
one is um consider integrating security and productivity and i'll share with you uh in a slide uh actually that but before i do that actually one of the ones that i like the most is develop some personas so what you can do is um you know internally you could maybe engage some partners like in hr or and sit down and just like if you were developing a new um app or if you were um you know going through a training needs analysis type situation where you want to know what are the differences between different core groups in your organization what makes them different and how do they um how what would make them tick right like
what would be of interest for them so an office worker is likely going to be very different than a mobile worker a privileged user is going to have really different uh you know needs because or needs or even requirements because they are handling you know systems that they may put the company at jeopardy if if we don't educate them on the right things frontline people have completely different needs because they're usually you know not in a in a single place they may be using kiosks right and they may all have the same password for that kiosk so how do we help that group and then partners business partners like vendors and what about them right like they
they're not even our employees what can we tell them another group could be high-risk groups this could be either people who click on links too much or it could be people who are executives and eas that are constantly targeted right new hires legal hr there's so many you know um different needs right when you think about legal you can talk to them about e-discovery if you talk to hr and then there's ap you can talk to them about frequent ap scams so how do we find out a little bit more about the groups and then craft a real sort of uh you know training journey think of it as you know there's five things that this
group needs to know that are important for what they do on a regular basis and that just goes way more uh in terms of engaging the user because they'll find it that is actually meaningful to them so my recommendation would be for instance uh work with your guitar or training team say look we have this idea that we want to segment our users and we want to create a curriculum for them and that curriculum will consist of a few courses perhaps one of them is basic security that just goes for everyone but then for our um let's say mobile workers it'll include definitely mobile security aspects for our privileged users it'll include something a bit more
complicated because they're now very techy tech savvy maybe there's some help desk folks there we want to talk to them about resetting people's passwords don't send you know so there's very specific use cases that you'll want to cover and use to educate people as opposed to just plain and simple password security you know that just talks to no one right so good example uh good um good tip there to to share with you and uh i'd love to hear how that resonates with you the other thing that i personally really love because i come from it from the end user side of things right is uh integrating security and productivity message so in here these these are examples of
uh uh we we work with a platform that allows us to create personas and then assign training and the training that you see here could be assigned to specific groups and so you'll see for instance um that the message is combined so you have for instance not just security plain and simple but in there are some courses like that that we have but there's also courses like managing risk by securely sharing files right at the top there or um i can read uh safe work um habits uh with your device right uh so here you can cover things like windows 10 security assuming that's the you know the systems you use there could be um
how to communicate more securely using outlook and perhaps you can tell people hey did you know you can recall a message you know if if that happened or you can tell them hey uh did you know there's a better way than sending an attachment to an email there's a there's something called onedrive we have access to it companywide so how can you work with your business partners in it to embed the security message and everything that you do as opposed to again uh just talking about you know uh file storage or um gdpr or you know those are great topics but again it's difficult for the user to connect the dots right so we need to
teach them in context in the context of what they do and productivity happens to be one of those areas that people love because it just saves them time and so if you can connect the dots you'll be much more successful at engaging with your users all right the other thing um is integrate your awareness efforts with your governance and technology efforts so what i see a ton and somebody needs to explain this to me because i'm not an expert in technology security but um is i see organizations that have a security awareness program without having policies i see organizations that have policies but don't have program awareness right i also see organizations that have technology that is running on
one side and security efforts that are running parallel somewhere else and they're not connected so how do we integrate all of them uh there's got to be a way folks so if we talk about security uh you know sharing passwords or sharing survey files securely perhaps there's uh a comment we can make about our governance uh around that right like we uh we ask that you'd never save files that are company wide in your onedrive i don't know like there's got to be a way to integrate these things where it makes sense to the user because when we continue to have these policies in one place our technologies in another place and our security efforts somewhere else
it's just very difficult for the user to keep it all in in a single cohesive uh message so we gotta work on that and i don't know honestly how you do it but that's uh that's something that i've seen and i wanted to convey to you is let's work to integrate these things into one single message and i'm almost coming to my end of my presentation here i i think everyone has a phishing campaign if you don't obviously this is something that is a no-brainer a couple of things here um don't forget to communicate the why people sometimes get a little bit wary about it so i always recommend that you work with your executives to help them understand why
you're doing this how often it's going to happen what are the ramifications of it what happens if we if somebody clicks more than three times and all those great questions you may want to increase your difficulty as you go perhaps you want to target a group of users i find that you know targeting a group of users with the permission of the manager and then using that to make it about let's talk about security it's a great way again to have one of those group sessions where we can talk about security without feeling like you know or we're coming to teach you something it's more about conversation and then of course share your lead your
results with your leadership team and and don't just do one campaign a year please um you know do at least the quarterly campaign if you can i would say even more and you can perhaps segment your users and just do you know one every month uh it's just that simple to do it right like you can schedule it all these tools all you schedule it so it's not a big deal and then uh last one here is uh think outside the box so you know i just came out of a session where we did with a client a session on um you know we invited a vendor uh in this guest speaker session using
microsoft teams live event first time using it it was great um you know people could make comments uh the event is recorded it's just it just amplifies the the the message of security so much more because this organization had never done it before and now it security is the one trying it out and doing it for the first time it just right it it puts your role out there and it really positions push it positions here sorry as a business enabler the other thing we find is having a brand is always great because branding obviously helps with things standing out as you can see there on the right hand side we have a couple of
little uh digital assets that we created that have the little uh squirrels and and that was obviously for uh forestry company so there's ways to do it having a resource site as i mentioned in sharepoint today sharepoint is is very user friendly if you have sharepoint online um it makes it look great and then perhaps having an online community if you use yammer if you use microsoft or you know even facebook whichever systems you're using try to think of outside the box because you won't be able to connect with your users always through email right so how do we combine their efforts so that you can um touch to your touch your users in different ways
so to recap and leave you with my uh my few tips here one again remember tie your program to your organizational goals it'll resonate with your leadership and it'll it'll make them feel like you're really listening to what's a strategy in the organization and how you can tie to that define your goals and define your your success criteria and then measure against that have a plan uh of attack right and you can update your plan every six months or so engage with the right people so you always want to have the the leadership support if you can tailor your training and make it meaningful stop just talking about password security just just not great uh it's okay it's not great
and then of course phish your users develop action plans for the repeated offenders and think outside the box thank you very much everyone and now off to your questions if you have any uh again super thankful of the opportunity to be in here
brodie says here um our orgasistic method due to recent events and i'm trying to encourage rewards for positive phish reports etc any tips when bringing this up to senior leadership um i'm not sure what you mean uh brody if you can help me i'm trying to encourage rewards for positive phish reports what do you mean by uh by that rewards for positive phish reports are you trying to encourage people to uh or leaders to see that the what you've done in the phishing space is improved people's recognition or
oh great basically i want to change the culture where users are scared to click on emails to being active and excited to help the organization succeed yeah i think that brodie um as i was saying you know for me it all starts with talking to a few groups in the organization starting to develop your personas right and understanding what is it that they need right so you could go to them and say you know maybe some friendlies start with some friendlies and you can say tell me a little bit about your uh you know your day-to-day work how do you work they'll say you know and perhaps you can you can make it more specific to
where do you store your data how do you share files uh where do you uh normally work from you know all those questions that will give you indications of what their pain points are and then once you know those you'll be able to to tell what you can educate them on or what kind of things what kind of tips and tricks you can give them uh and then even develop some training perhaps to help the rest of their teams so i find that creating those business relationships will give you a lot of insights that you can then use for you for your program and there's other there's some groups that are better than others like for instance hr is a great
group because they'll give you the um they know the feeling in the organization and what works right so i would try to partner with those groups that uh that are not just you know in it but but beyond it to see if they can help i think i think that's what i would say but i hope that helps the other thing i would suggest is that uh any program any activities that you do to create awareness that they always have a positive slant to it right so rather than saying this is not working or say for instance the security uh or the latest stats in our phishing campaign show that we uh we continue to be
x or we we did this many clicks i would say is hey you know out of x amount of people only nine percent clicked and so it's you know it's painting the truth in a slightly different way um so work with your communications team perhaps you know to help you with that as well i think it's just about positioning the message there jody says i really like this talk there seems to that there could be a lot more positive overlap between security and user experience yeah 100 i feel like there's um there's a lot of things that we should work with other groups i feel like um security oftentimes is working in isolation from other groups even in it
and it's just a shame right because there's so much that we could integrate uh in the message so definitely an opportunity for that i feel
uh there's a company that does personality profiles to identify the type of risk taker a person is sounds a bit like your persona approach i'm trying to find their name does it ring a bell uh or anyone here good question i actually don't know i what do you think of social profiling um to your point though trent i i would say the persona approach is a little bit more i'll just go back to that slide it's a little bit less about um you know um looking at a personality profile because i'm not trying to uh analyze you know the psychological sort of underpinnings of those people but it's a bit more about how those people work right so i don't
i'm not making an assumption as to whether they're risk takers or not what i'm saying is they have just more uh because of the virtue of the work that they do they will be more affected by phishing for instance because they're let's say leaders and we know hackers go after them or because they are mobile all the time there are some things they need to know that uh you know someone that is sitting in front of a desk all day doesn't have to do or or because it's a partner vendor of sorts they they may need some special onboarding on our organization's uh best practices because they they're not so so that's the approach it's not so
much a psychological approach as it is more of a you know groups of people based on uh how they work uh and their trades um but i appreciate that comment and that's uh i'll see if i can find who who that company is uh we have here karen says what do you think of social proofing example you are four more times to engage with malware than your peers take these trainings to um to level up um i guess i'm wondering um i actually never heard the term social proofing i mean i'll look it up how would we know that that person is um more four times more prone to be affected by malware um i guess that's uh that's what i'm
wondering but sounds interesting um yeah i think guys the uh the whole persona thing is something that uh honestly it's not to be overthought too much i i believe that we all know who our personas are in the organization right and all it takes is perhaps a conversation with a few users that represent those personas to get a bit more uh specific about what those are and then when you have them you'll know you know i usually ask you know what do you do on a day-to-day basis for work what are your key uh pain points right and they'll say well i i'm constantly trying to access files through the vpn and you know what are the key points and
then what are the opportunities right um well i wish i had a password manager it would help me so much right and then um that's just giving you the instill help that group with whatever they need so those are the three questions that i normally ask and then you'll you'll find the personas very quickly social proof is a psychological phenomenon where people conform to the actions of others under the assumption that those actions are reflective of correct behavior oh yeah milgram yes yes i know this you know um i think this could be actually a good uh psychological theme to use with executives that say uh that they don't have time to um to invest in the security awareness program
you can tell them that all their peers have a security awareness program and everyone else is doing it in their industry and that's a way to make them conform and and go ahead with it i i don't necessarily feel like telling people that you know that i don't know if this is going to work so much for for creating awareness but who knows thank you karen for for that one
well with that uh oh i see another trent found it cyber i uh cybercon iq it's the company name great not a customer but the founder dr james snorri gave an interesting presentation to that local great job during last june i'll look them up that's a good um that's a good tip thank you
super folks thank you so much for your time i'm glad this was of interest to you and uh like i said it is a pleasure to be here uh talking to security professionals and i look forward to continuing with our b-sides calgary have a great day everyone