Challenge Accepted is a podcast from Arctic Wolf that offers listeners informative and insightful discussions around the real-world challenges organizations face on their security journey.
Hosted by Arctic Wolf’s VP of Strategy Ian McShane and Chief Information Security Officer (CISO) Adam Marrè, the duo draw upon their years of security operations experience to share their thoughts and opinions on issues facing today’s security leaders.
In this episode, our two hosts once again talk to Jason Hoenich, Vice President of Service Delivery for Arctic Wolf Managed Security Awareness®. The trio explore ethics in phishing simulations and the best practices cybersecurity leaders should consider when implementing phishing programs within their organization.
Ian McShane 0:00
Adam Marrè 0:09
Yeah, it’s usually boring training and the IT team is trying to catch me. Those are the two things.
Theme song plays
Ian McShane 0:28
Hi, everyone, welcome to the latest Challenge Accepted podcast from us here at Arctic Wolf. My name is Ian McShane, our VP of MDR. And delighted as always to be joined by Adam. Hey, Adam, what’s going on?
Adam Marrè 0:40
Yeah, Adam Marrè here, CISO of Arctic Wolf, great to be here.
Ian McShane 0:43
It’s October, which means it is Cybersecurity Awareness Month, my favorite month of the year and judging by the comments on LinkedIn, and social media of your choice, either the favorite or least favorite time of year for security practitioners too.
Adam Marrè 0:56
Yeah, absolutely. And I’m really excited about today, because we’re going to talk about something that’s near and dear to my heart. Phishing, security, awareness, all of that. I think it’s really timely during Cybersecurity Awareness Month.
Ian McShane 1:08
Right. And I’m delighted again, to be joined by friend of the show, Jason Hoenich, one of our colleagues here at Arctic Wolf. He heads up the service delivery and strategy for security awareness and training.
Adam Marrè 1:19
So really excited to get into it today. And Jason, thanks again for coming back. As we get started to talk today, do you want to just give us a quick, updated introduction, current position, what you’re doing, and we’re really excited you’re here.
Jason Hoenich 1:35
Sure. Yeah. Jason Hoenich, currently VP of strategy for the managed awareness product, and longtime security awareness practitioner by trade and a former founder myself, with Habitu8.
Adam Marrè 1:47
Excellent, thank you. Yes. And we’re really lucky to have you here.
So today, as we were discussing the topic for today, we’re talking about security awareness. As we mentioned earlier, Cybersecurity Awareness Month, this is the time of year to talk about security awareness.
And, of course, that’s the thing you know deeply about, Jason, a topic that was brought up was phishing simulations. And I see a lot of hot takes out there. I’ve seen a lot of analysis going in all kinds of directions.
I, of course, have my own opinions, as I know Ian does, too. But why don’t we start out with just talking to us about your thoughts on phishing simulations? And kind of get us started there. And we can just jump into it?
Jason Hoenich 2:34
Yeah, so the phishing topic, as you said, Adam, it’s a hot topic constantly. I think that there’s a lot of contention. I think we’re at a phase of maturity in the industry, where we’re kind of like, ‘should we be doing these things in the way that we’re doing it?’
And I’ve seen a series of threads and conversations happening on different, you know, posts some of my own some of them responding to, and I’m seeing a really interesting concern coming up from the practitioners that I would look at and say, ‘oh, yeah, they’re doing the work, they’ve been doing the work for many years, they get it.’ And they’re kind of raising this concern of are phishing simulations doing good or doing bad, right?
I’m a huge believer in a security awareness program should work to build a positive culture of security at a company. I think the fastest way that you can get there is through trust, it’s also the fastest way you can absolutely destroy your program is through losing that trust. And there’s examples out there, I think, like GoDaddy was in the news last year recently, for a phishing simulation gone bad as a good example of one that really broke the trust of the employees and kind of started, I think, raising these questions. And I just find it fascinating.
I think we’re at a point now where we’re trying to maybe inject a lot of empathy at the beginning of our actions and our processes here with Security Awareness, and what are the actual outcomes of these not just getting click rates and response rates? But are we doing damage to the trust within our company? The security teams are the very first interface that most employees get with like, with the cybersecurity concept, it’s the training that you get, it’s the phishing simulations.
And so someone had brought up and was like, ‘should these programs be run by folks who aren’t trained with proper educational backgrounds on human behavior and human resources and the impact of those things?’ And I just found it wildly fascinating. And so I just wanted to pitch that out here to everyone to kind of talk through.
Ian McShane 4:44
I always find it fascinating that phishing simulations are the example of a stick being used to encourage behavior change, rather than a carrot being used to try and influence change.
Jason Hoenich 4:56
And it’s by choice.
Adam Marrè 4:58
Yeah, that’s an interesting question. Jason, I was wondering if you could sort of level set for this conversation, I would love to hear one, maybe even just describing that particular GoDaddy situation or another scenario of like, what’s an example of a phishing simulation program that’s guaranteed to deliver negative results so bad?
And then what would you think, a good or a solid, or an effective phishing program would look like that could bring good results? I’m just curious, I want to level set with those to continue discussing.
Jason Hoenich 5:38
Happy to talk through that. I think that there’s really approach right like, is the purpose of the phishing program to trick or to train, right? That’s kind of where I fall, if you’re trying to trick your employees, you’re probably not going to get a lot of positive results from that.
If you’re trying to train them through it, then you can use the same kind of tactics and the same kind of templates.
In this example, with GoDaddy, I’m just pulling from memory here, I think they had sent a phishing template that was sending to the employee saying, you’re getting a $650, or $700, or whatever was the Christmas bonus to click here to redeem it. And it’s a hard time a year people are struggling, and it was received poorly. People had posted about it, I think on like, Twitter, when it was still Twitter, and it just kind of blew up into the conversation. And I think it started a lot of this.
So that to me, would be an example of if you are intentionally tricking your employees, with an idea or concept that’s going to be emotional, it’s going to affect their personal lives in some way, or their mental well being. Like why? I think that you can do that, and get the same message across using safer tactics, right?
I think it’s all about creating a safe concept of safe space at work or safe training environments, where you can learn the same types of outcomes without feeling that broken trust, right?
Because you still have to come back into work every single day, right? You don’t want your employees to be mad every time they come in. And I think that we’re in right now is like people are kind of unhappy with phishing simulations.
Ian McShane 7:15
I remember that one from last year, I remember at the time thinking it was disgraceful. And okay, well, to us, I think it was really not well thought through. But on the other hand, from a security practitioner, what thinking like an adversary, that’s the kind of tactics I would use to get them to click on something. So this is one of the issues I have with a lot of phishing simulations is it’s not about whether or not you handed the credentials over, it actually took that step that endanger the company, is that you clicked on an email, or you clicked on a link.
And I think I mentioned this before. Last time, we had this kind of discussion a year ago or so that links were invented to be clicked, they’re not being abused. They’re not being misused, hyperlinks were invented to be clicked to be a shortcut to take you to information. And we’re trying to train users not to click on something based on their assessment of the current threat situational awareness. So that being said if that is a legitimate tactic that an adversary would use? How do you do it better?
I’m not saying that they were right to do it, I’m just saying that’s a really good way to try and engage clicks. And if the program had gone to the next step and accepted credentials, then they found people that have risky behavior. So I’m just trying to play the devil’s advocate and say, sounds like something that is a real world scenario, or could be, so what should have been done differently?
Jason Hoenich 8:37
It’s a great talking point, right? It’s a great question.
I often fall back to the statement, ‘just because we can, should we?’
And I think when your entire purpose of a program is to build a culture of security, a culture of trust, a positive culture in any way, should we do that? And you probably could do it, if you’re going to make it completely obvious that it’s a false one, right? To the point that maybe people are just like, ‘oh my gosh,’ and they’re laughing at it. But to go to depths and efforts to deceive and trick knowing that it’s going to work regardless.
That’s the thing, phishing simulations are always going to work. Our goal isn’t to trick. It’s to help people think differently. And Adam, I think you say that sometime, when you get into your inbox you want people to kind of just be like, ‘Okay, I’m in not a risky kind of space right now,’ or, and just kind of have that like mentality like, ‘I can’t really trust everything.’ So, I don’t know how I would have done it differently. I don’t know that I would have done it.
You could do trainings on it. You can show examples of someone else having a ton, right? Right now we are using GoDaddy as the example to not do it. Right. That’s a learning moment for all practitioners right now.
Ian McShane 10:07
Yeah, I just felt like that’s the floor and phishing simulations is the good ones are done from a place where you shouldn’t do it in the first place. So what value can you derive from phishing simulations?
Adam Marrè 10:17
I think in that particular case, I think it was the cruelty involved, which is raising expectations of employees that they’re going to get some sort of bonus during a hard time. And then making it a trick. I think you can have just as effective of tests that still might be controversial, but that don’t do that.
In other words, say you’re changing HR systems, you know that as an IT professional, and then you send out a phishing thing that kind of takes advantage of that knowledge that’s around the company, that would be one that would be really tricky, but it’s not like raising expectations of a bonus or something. So it doesn’t have that level of cruelty. I think is a difference there.
But you brought something up, Jason, and this is kind of goes to your devil’s advocate point Ian that is when I’ve had conversations with employees or people, just people in general, not people who work here, that work elsewhere and talk about phishing simulations, I do frequently hear people who are upset or angry or just don’t trust the security team.
And typically, when I have those conversations it boils down to, they don’t want to be bothered in their inbox, they don’t want to have the stress of having to be in their email inbox, and always be on the lookout for getting tricked by their team that’s going to catch them.
The problem I have with that is that’s one of the exact behaviors we’re trying to train, not necessarily don’t want them to be stressed out and overly stressed out about it. But yes, we are trying to inculcate in them a sense of concern that anyone could come trick them, and certainly people who don’t have any ethics about fake bonuses, or anything are gonna come in their inbox. So when your friendly neighborhood security team does it, yeah, it’s annoying. It can feel like you don’t trust these guys. But what’s really in there currently can be some really bad stuff.
So yes, I understand that they’re frustrated and angry. But how well are you communicating that to them? When I asked them, it seems like the very thing they’re upset about is the very thing that you’re trying to create is a sense of, this isn’t a safe place and I need to be really careful in here.
Ian McShane 12:36
Yeah, yeah, these things aren’t easy. So I think something you mentioned, Jason, about building that culture of security, how do you measure for that? And what are some good indicators?
One thing I noticed, I will say, after we started taking the phishing simulation seriously here is that I would notice in Slack channels, when people have noticed there’s a phishing simulation email, and like, points out to their colleagues say, ‘there’s a phishing simulation email, don’t click it,’ which is great.
In my opinion, I saw some people going ‘well, you’re ruining the spirit of the simulation. We don’t know who’s clicked on it.’ I’m like, that’s not the point dudes, we’re talking about the phishing simulation, and people were thinking about what they’re clicking.
Jason Hoenich 13:13
Yeah, there’s sort of two points there. Adam, you had mentioned, how do you address that to a user who’s frustrated with it? And I always come back to well, how is the program being communicated to the employees, right? Is it super transparently like, ‘Hey, we are going to try and trick you, you’re not going to be in trouble. But we’re going to do some stuff.’
And if you can consistently bring that conversation up and keep it around, people don’t respond as negatively because they’re like, ‘Oh, right. Yeah, this is part of the thing.’
And then to your point Ian, that is a great measure. And it’s hard to measure, unless you’re tracking how many comments are on Slack or whatever. And I think that’s where as an industry, we’re going to always kind of struggle to prove efficacy. But people talk about it, when a great video goes out, people talk about it, or you’ll get emails, Slack is great.
And you bring up another interesting topic that is covered, controversial sometimes is, when we don’t want people talking about the simulations, but that’s what you’re training them to do is to talk about a risk yet, right? Who cares? Drop the click rate. No one cares about the click rate, right? That’s not what you’re going after, you’re going after that culture of people talking about it and sharing it.
The biggest compliment I got at Habitu8 was when somebody watched one of our videos, and they’re like, ‘Can I share this with my friends and family? How can I share it?’ And I started putting stuff on YouTube and like, people should have access to this. Right like you. That’s the response you want, like people to engage with it.
Adam Marrè 14:42
Yeah, absolutely. I figure people who don’t want people to talk to them, what are you doing? That’s part of the immune system of the company. You want the immune system to work and so you want this cross chatter, you want to see what people are saying about it and how they’re communicating. ‘Hey, this is a phishing simulation.’
But Jason, I really like your point. I do think it’s both before you do a phishing simulation and after, or as you frame the phishing simulation for the company, and then after, so say we’re trying to trick you, but we’re on your side, we’re trying to prepare you. We’re trying to make this something that to give you the tools that you need to safely navigate email, and text and all these things.
And then after, after you do personal training with these folks or if you send them videos, none of that is sort of this wagging your finger shame on you. How dumb are you? None, none of that. It’s all just like, ‘hey, let me point out the things that could have helped you here.’
And also, one thing that I don’t think we think about enough, when I’ve seen the retraining is do you ask the person ‘what was your mindset when you’re doing this? Were you in a hurry? Were you just trying to go through your feedbacks, but email inbox’, so trying to see where they’re at. When they do I think that’s really positive. If they see it as trying to help them build the skills instead of just ‘Shame on you, you should never do this’ as sort of a Scared Straight program.
Jason Hoenich 16:08
Yeah, I think that there’s a lot of room for improvement on I always call them like the education component of that, like what happens after the click.
And I believe that you can provide as much information as you want in training. But the learning has happened the moment that that screen pops up, they’ve realized, ‘Oh, I’ve clicked on something,’ right.
And there’s all kinds of behavioral studies that show in that moment, when you’re shocked by something, your brain starts intake information at a higher rate, and you have like 10 or 15 seconds, for people to process whatever’s going in whatever you’re giving to them.
So if you’re giving them a three minute video, or if you’re giving them something that they have to click into, and click multiple times to get through, you’ve lost them at that point. And something that I did, I think, rather effectively when I was at, I won’t say the company, large entertainment company, was I created the education page, so that you could read it in 15 seconds. And this was just a training, you’re not in trouble, respond this way, right, like report to this or hit the button. And that was it. And people really love that.
And I think you can do those really hard things. There’s potentially evil things, right. But if you do it, and you announce it literally the day before, and you say, ‘we are going to phish everyone this week with something really evil, right? And we’re gonna do it in the next couple of days.’ People still are going to forget and they’re still gonna look at and they’re going to have that responsibility. ‘Oh, right.’ And then it’s fun. Then it’s like camaraderie at that point.
I think it all comes down to how we manage and having the right skill set. I think this goes back to the original point that I was bringing up from the threads. I was saying was, how are we managing it? How are the people that are running it, communicating it? And are they qualified to understand the impact of what they’re choosing to do and stuff like that?
Ian McShane 18:02
The reason this is hard for many organizations, aside from the fact that you know, is enabled, the vendor landscape enables it to be done in a more nefarious way than we would probably want. But it’s easy to measure clicks.
And so you can track a trend, for a second suspend reality, and pretend that those click numbers are real and useful. But you can start to monitor trends. And so when when the budget holder or your boss or whoever you’ve had to convince to spend the money in the first place comes to you and said, ‘You need to articulate the value.’ If you’ve got a metric and a trend, it’s easy to do.
If we’re doing things nicely, and we’re saying, ‘Don’t worry about it. We’re building a culture,’ and they say, ‘Well, okay, but how do I measure that in a PowerPoint?’ Like, what do we do?
Jason Hoenich 18:50
Yeah, it’s hard. I’ve had a very similar experience where I was building an awareness program at a company as an employee, when I was working there, starting my own company, coming in to other companies and helping people is a lot of times, you need awareness for the awareness program.
And so that is talking to the IT support team and then giving them ideas and understanding how they should be responding, talking to leadership and asking for approval to do them, finding out who holds the budget, and getting them to understand that like, ‘Well, how do I put the ROI on this?’ It’s a little hard. And that’s what we struggled with for many years.
I think we’re getting closer to being able to have a more solid story for budgeting every breach that happens is, we don’t really need to justify it these days. But I see your point.
Ian McShane 19:39
I stumped the expert. *laughs*
Adam Marrè 19:44
Just one more question Ian on that. And that is, so we’re talking about ROI. We’re talking about training and employees, and employees’ perceptions, feelings, things like that, all important. I always start thinking about the actual attacks. And are you actually preparing your employees to defend against them?
Because those of us who’ve actually done a lot of incident response, we know when you show up, you’re gonna find a phishing email, nine times out of 10 that was involved in the incident, and I’ll tell you, people who never get upset at phishing tests are people who’ve been phished before and had a negative consequence. They’re always like, ‘Yeah, we should always do phishing tests.’ That’s terrifying.
So I have a family member that was at a business. They clicked on a real phishing email. Now, four other employees at the company did, too, and it’s actually one of the other employees that the attack came from, and the breach was successful. But my relative also clicked on it, and realized that they had done this. And they are like, forever now, ‘phishing tests are awesome, we should do everything. Everyone should do that’ just because of that fear that was in their belly for a number of days until all the reports on the incident came out.
So for people who really live this, really gone through a breach, they understand how important it is, like, how do we get that kind of mindset in everyone else? Who is probably to some levels of just sort of nonchalant about this and like, ‘oh, it’s overblown, and why that was bugging me in my inbox, let me just do my job. I’m just trying to sell with digits or whatever.’
Jason Hoenich 21:27
I mean, the answer is right there, right, until they’ve totally experienced that breach. I went into Sony Pictures a couple months after they had theirs to help build the program. And everybody was just like, ‘do everything, whatever you want. We’ve got all this stuff. Let’s do all like, how crazy can you get with the program,’ and it was really funny to a lot of fun things.
But, you know, then you go to other companies, and they’re like, ‘Well, you know, I don’t wanna be bothered’ and all this stuff. And it’s like insurance and stuff like that. It’s like you don’t get the big coverage until you’ve experienced it. And you’ve had the impact. Unfortunately, I don’t know.
Adam Marrè 22:02
Yeah that does. It’s a really challenging question. And one that’s fun to work on, as we all know, those of us that like security awareness, but Ian you had something you were gonna ask?
Ian McShane 22:11
Well, I was just gonna say if things in the phishing simulation landscape don’t necessarily translate well to good security outcomes all the time, what are the other things that organizations can think about? Like, obviously, there’s the video, kind of phishing training, security awareness training, more often than not, it tends to be outdated stuff that’s done once a year and takes 90 minutes to two hours of enforced no window jumping, no skipping forwards? Like, again, punishment training more than anything.
Jason Hoenich 22:41
Adam, do you want to put any comment in on your viewpoint as a CISO? And what you’ve seen?
Adam Marrè 22:55
Yeah, things that are effective? Absolutely. So I really like ongoing training. Because one of the things you’re trying to do is have security be at least somewhere top of mind of the employees at all times. So it just becomes something that they do. I think a lot of factories, manufacturing facilities, do this with safety, right?
Their safety stuff everywhere, you are in safety equipment all the time, and no one questions that they need to be safe. Some of it’s annoying, but everybody gets it right. And I think we need to get to where security is the same thing. So it’s top of mind, something people just think about, obviously, at a security company like Arctic Wolf, it’s easier to have that but a lot of companies, it’s really difficult to get security to be up there. It’s something people think about, and so I really like things, training, programs that have frequent training and frequent reminders. And there’s lots of different examples of this.
So newsletters, things that appear on the screens around the office, what we do with our article product, where you have training that just comes automatically in our managed awareness product, like every two weeks is the way we have it set up where people are just getting this training all the time.
Also, studies have shown, and you know way more about this than I do, Jason, but that also people retain the information more, if they’re reminded of it frequently. I think it’s also just sort of logically true for people. So that’s one thing that I think is effective. And that I like is when you’re trying to create that culture of security, keeping things top of mind. So that’s one thing that I think I’ve seen, that’s really effective.
Ian McShane 24:41
One thing for me from the consumer, the side of the consumer, watching those things every couple of weeks, the things that stuck to me, the way that there are characters that persist through those different things. I can remember their names like Rudy, for example, was one of the ones on ours, and I know exactly what he’s talking about.
Like working like remotely and all the things that you can do to protect yourself. Those are just things that have done so well that latched me on to. It’s almost like a TV show where I can remember the storylines going through it over a number of seasons.
Jason Hoenich 25:13
Well, yeah, I mean, I think you both hit on key components, in my mind is if you’re gonna do content, it needs to be pretty consistent, at least monthly. There’s the Ebbinghaus curve, the forgetting curve, and all that stuff. And then there’s the content, the content portion, which I think the industry is inundated with content creators right now, for security awareness.
And again, it comes into question of me of like, ‘Yeah, but what’s the quality of it,’ because if we’re used to watching really great high production on our phones, on Instagram, and Tiktok, and all this stuff, like, if you’re not coming to me with that same quality of writing and production, like, of course, it’s not gonna work, right.
I don’t want to keep boasting, you know how great we are. But we’ve got a production team that produces content, almost 24/7, just constantly running. And that’s great. It’s always fresh, and you can always, never have to worry about having to reuse content, which is always an issue for a lot of companies.
And then, for me, things that I’ve seen as a practitioner, is trying to get out from behind that administrative task of managing phishing simulations, because that can be time consuming. I used to spend 30 hours a month on a campaign at Disney in Saudi, right, like managing it the whole time. It’s one quarter my month, imagine that in hours of salary, like how much when you’re investing into a product additionally, and the same thing with content, you still have to spend time going through it. But once you can get out of that you can do more fun things. I would do live events, people loved live events.
And Adam, I don’t know if you ever did this, but we would always have like a local FBI agent come in and tell stories from the local chapter. And they’re always free, always supportive of it. Even hosting our own, I would call them cybersecurity 101 sessions where a department can request a training. I would just go and talk for an hour, just kind of like this, about personal safety, how to stay safe online, and how to protect your family.
Again, those are all activities that help feed and plant seeds in that culture of security that’s positive and stuff like that. There was a time where everybody would do where they called, like, the fairs like the vendor fair would come in, and all the vendors would come in and give away free tchotchkes and, I look back at it now I laugh. I’m like, what a silly thing for us to assume people wanted. But they love social currency, things that they can’t have access to, like an FBI, inside stories of things that they’ve worked on stuff like that.
So I’m a big fan of those things, when you can do it when you have the ability to get out from behind the desk and do it, those are the next opponents. Ambassador programs are fun, and things like that.
Adam Marrè 28:05
I did those FBI presentations on both sides, I brought people in, and I also, back when I was in, I provided those, and I really do think the ones that are effective, because also, bring an FBI agent in, and don’t know what you’re gonna get as far as the presentation. I think the effective ones are what you just said, Jason, are storytelling.
Because I think stories, obviously, we’re humans, stories are built into our DNA. And I think those stories really, really help people. And when it’s something real, and it’s from the real world, I think it really helps people to engage and understand like, ‘Oh, this is a big deal.’ And it’s someone outside your organization. Right.
And so there’s also that credibility coming from another organization. I think all those things really help underscore the program and make it effective.
Jason Hoenich 28:58
I want to go back, if I can to a question you were bringing up Adam, which is, how do we keep it top of mind for employees?
And something I saw on LinkedIn that I think I’m a fan of, but I don’t know. And I want to talk through here with everybody is, I asked the question, I was like, we’re asking our co workers and our family members and our employees to do all of this cyber work, right? Like, oh, the human firewall, hate it, hate that terminology, whatever.
We’re not software, we can’t be patched. But we’re basically asking us to do a lot of additional workload but yet, there’s nothing I haven’t seen many companies that actually ascribe that into job responsibilities. And is that something that we need to consider taking the conversation to from the HR and legal standpoint is because contractors have a lot of those requirements and to their contracts of you have to take the training if you do these things you’re expected to do this stuff.
Do we have to start adding in responsibility, sub bullets for job descriptions that says also, help to build a culture of security or like participate in trainings. My devil’s advocate is that’s really the only way that we can kind of hold people responsible. And to keep it top of mind is to say, ‘well, this is part of your job description.’ And is that a different approach? And is it negative or positive? I’m just like, ‘oh, that’s a rat’s nest there too.’ But there’s potentially think,
Ian McShane 30:31
How different is that to the acceptable use policies, though, that come in, when you’re on your first day? It’s like, ‘here’s what you can do with your laptop. And here’s what you can’t do?’
Jason Hoenich 30:41
And do you remember what it says? So policy highlights, I think a great component, too. But it’s a start, at least we can go back and people didn’t say, all right, like this should be top of mind, because we’ve all accepted this as part of our job descriptions that we’re all participating in this, right? Because then people want to take it back to you.
Well, if you take it back to department level and underperformance, then you can start doing budgeting for that. And inflict, not on the employees but on the managers, like maybe you don’t get as much budget for something if you’re not taking it seriously.
Ian McShane 31:18
And the only thing I would say, it reminds me of having that kind of addition to a job description, reminds me of the EULA you click when you install software. Have you ever read a EULA from top to bottom? You’re just gonna go to your next job and go ‘Yeah, I’ve seen that before,’ click next, whatever.
Adam Marrè 31:34
I don’t necessarily think it would be negative, maybe. But I do think most organizations, certainly mature ones, already have an AUP or other ways to hold people accountable for not doing security things; people know they can get fired for that. What I would like to see, if we’re going to do that, if we’re going to actually add bullet points in someone’s job description of maintaining security, is that they would be rewarded for it.
In other words, does this come into their regular employee performance reviews?
And you say, ‘hey, you haven’t looked at the report, you haven’t clicked on a phishing link in six months, and you participate in the security ambassador or the security champions program, and I liked your post in the security Slack channel, whatever.’ Would that be rewarded by a manager?
I think that is where it would actually start having meaning. Because the punitive side is already something that people know about. Yeah, we could write it in there. Sure. And make it more explicit, but I don’t think people necessarily need more stick there. I think they need more carrot, that’s just my reaction to what you’re saying.
Jason Hoenich 32:46
I love that. And I think that’s kind of where I think, you say Ambassador programs, that’s how they’re affected, right? Is having a message come from someone trustworthy, that they know, an executive assistant administrator, something like that?
I’m a firm believer that people just want to be recognized for their efforts. And I don’t see many programs that actually work towards that. I think we tried some with like, the badging and the gamification. I think, for me, that’s failed miserably.
But I think people love an email from their manager saying, ‘hey, great job completing that,’ or ‘you reported a phishing email that we didn’t know about, that’s great.’ And I think that there’s avenues there that can be explored to really be beneficial. And in that same thought, yeah, maybe we have department budgets for positive security behavior, spot bonuses, or something like that. And it’s literally just use it or lose it, right, and if they don’t have it…I’m not the payroll person or the finance person. But I think there’s ways that you can start bringing it locally and empower people to participate and earn things in a fun way.
Adam Marrè 33:59
I do think we need to build up toward that. Going back to the question of what makes a program successful, I think one of the biggest things is top-level, all the way up to CEO-level, buy-in to security in general and the security awareness program specifically, so that that person becomes an example to the rest of the company. And they can do so many things to keep it top of mind.
But directly related to this, if you got an attaboy from, you know, senior executives, or they’re asking about it regularly, in performance reviews, or when they talk about someone getting promoted they highlight some of the security things they did, I think that kind of thing would go a long way to making security actually part of the culture, because people see ‘oh, if I do security things, then I get rewarded for it and it helps my career’.
Otherwise, it’s always going to be seen as a cost rather than, you know, a benefit.
Jason Hoenich 34:55
And you opened up a next layer there, at least when you said it, it doesn’t necessarily have to just be a sub-bullet in a job description or role responsibilities, but it can be, and it can also escalate through leadership, right? Where those expectations are also for senior executives and for people managers and stuff like that.
I’m just trying to expand like an ambassador type program thought into, ‘how can we at least attempt this,’ it probably won’t work, it’ll probably fail, because again, it comes down to management and expectations and skill sets on how to do this stuff, right. And I think that’s what got us to where we are right now in the first place.
Adam Marrè 35:39
And this is way beyond the scope of this conversation. But there’s a collective, universal denial of reality, when it comes to how dangerous or risky things are online.
People just don’t want to accept that the online world is not a safe place, and that there are constantly people out trying to trick you, whether it’s through fraud or through phishing, or vishing, or all this. And it just stupefies me sometimes when I talk to people, and they just act like, ‘well, it shouldn’t be this way.’ And I agree with them 100%. It should not be this way. But it is.
I’m so sorry, this is the world we all live in: you can be phished in your home email box, your work email box, all the time. Anyone in the world can get your email address, guess what? They can come trick you. Nothing you can do about that.
Ian McShane 36:33
I guess one last thing before we wrap up here. And characteristically, I’m going to try and put a positive spin on things. We’ve been talking doom and gloom a little bit here about how things are used in nefarious ways. But honestly, I think security awareness at the upper levels of business has improved exponentially in the past 10/15 years. Like where, to your point, Adam, from the CEO down, they are embracing things like security awareness, or at least the bones of a security awareness training. Is that what you see, Adam, as well, like you’re comparing when you were in the FBI to today? And what about you, Jason?
Adam Marrè 37:09
For me, I do think it has improved somewhat. I think it really depends on the organization. But I would say there are more organizations who are engaged in this, engaged on it. More senior executives that are taking it seriously, many of them have been through breaches. So yes, I think it has improved. So trying to stay glass half full? Yes. There’s obviously a half empty side of that, too. But I’ll leave that for now.
Ian McShane 37:37
And how about you, Jason, like, you must have seen some pretty incredible behavioral changes in your time at the other companies you worked at?
Jason Hoenich 37:44
I mean, I will say glass half full. I mean, there’s definitely an uptick in acceptance and visibility. And I think it’s because of all the bad things that we’re seeing in the news, or CISOs are a tight knit network sometimes, and you have friends that experienced it, or you can just start imagining yourself having to deal with it, like, the budgets start to begin to open up a little bit.
Then there’s the compliance requirements. And if you have a well-educated board of directors that is worried about that stuff, it’s all helping, slowly. I still think we have tons and tons of space to make up, and until we can move away from practitioners with just a toolkit to practitioners who understand how the programs should work and run, like, it’s gonna take some time.
Ian McShane 38:33
Well, thanks, Jason, for being a friend of the show and coming back again. Would you like to plug anything, or is there a way folks can get ahold of you on LinkedIn? You’ve mentioned it a couple of times today.
Jason Hoenich 38:40
Yeah, I love connecting on LinkedIn. It’s just Jason Hoenich. I think I’m confidently titled myself the security awareness provocateur, or something like that. So just look for my idiot face and connect with me there.
Ian McShane 38:57
Well, perfect. Thanks for joining us today. And Adam, thanks, as well. Everyone, be sure to like and maybe subscribe if you enjoyed this episode and share it with your friends if you want to.
Adam Marrè 39:09
It’s a fun topic. Really enjoyed the time you spent with us, Jason. Yeah. Thanks, everybody, for listening.