Challenge Accepted is a podcast from Arctic Wolf that has informative and insightful discussions around the real-world challenges organizations face on their security journey.
Hosted by Arctic Wolf’s VP of Strategy Ian McShane and Chief Information Security Officer (CISO) Adam Marrè, the duodraw upon their years of security operations experience to share their thoughts and opinions on issues facing today’s security leaders.
In this episode, our two hosts talk to Jason Hoenich, a security awareness expert known for creating world-class training programs for companies like The Walt Disney Company, Sony Pictures, and Activision Blizzard. In this roundtable discussion, they talk about the value of Cybersecurity awareness month, share their perspectives on what it is like to manage a security awareness program, and explore the value phishing simulations (and pizza parties) play in educating a workforce.
Levelling Up Your Security Awareness Program Episode Transcript
Ian McShane 0:04
Hello, everyone. This is Ian McShane, I’m VP of strategy here at Arctic Wolf, this is the challenge accepted podcast, the official podcast of Arctic Wolf, I guess. And I’m here today with Adam Marrè . Say hello, Adam.
Adam Marrè: 0:17
How’s everybody doing?
Ian McShane: 0:19
Hey, great to have you here. Why don’t you introduce yourself? Adam, you don’t need me. I’m your personal assistant.
Adam Marrè 0:25
Yeah, I’m Adam Marrè, the Chief Information Security Officer of Arctic Wolf and happy to be here with Ian.
Ian McShane 0:30
Awesome. Awesome. This is gonna be one of my favorite discussions, right? Because we’re coming up to October, that spooky season. It is also approaching Cybersecurity Awareness Month.
Now I have a true love hate relationship with Cybersecurity Awareness Month. I love the intention. I hate the BS that goes with it. So when I was thinking about the podcast today and thinking about the guest that it’s gonna come on in a minute and chat to us, I was out for my daily walk. And this is gonna sound like a real setup. But I’ll promise you it’s not but I just finished up an audio book that I was reading or listening to for actually, for the second time, it’s called Atomic Habits, which maybe you’ve heard of it, maybe you haven’t, it’s by a guy called James Clear. Which I’m definitely not gonna do it justice in like three sentences here.
But basically, it talks about how small improvements to things can stack into big changes. And this is why it’s gonna sound like a real setup. But I think that that caught my attention. Because I was already thinking about the podcast today was that James was talking about creating good habits takes four things like making it obvious, making it attractive, making it easy, and making it satisfying.
And these four things really resonated with me when I’m thinking about how we get our staff, our colleagues, our employees, our friends, to really get into a security first mindset and thinking about some of the stuff that I’ve already seen Adam put in place here since he joined as CISO so you know, this is going to be a topic that’s near and dear to Adam’s heart as well as that of our guest’s. And so, today, I really do.
I’m delighted to be joined by Jason Hoenich, who is Vice President of Security Awareness and training here at Arctic Wolf. Hey, Jason, how’s it going?
Jason Hoenich 2:09
Hey, Ian, it’s going well, man, looking forward to getting in and getting into this. Back and forth convo and what’s good and bad and security awareness.
Ian McShane 2:16
I know, I can’t wait. There’s gonna be some fun, fun discussions. But how about first off, tell us a little bit about yourself? How did you get into security awareness in general, I guess.
Jason Hoenich 2:26
Sure. Happy to. So for me, before coming a vendor myself, I was a security awareness professional by career. And I got into that, obviously, because I graduated with a marketing degree. Right? Obviously, everyone gets into cybersecurity. No, it was looking back it was kind of like a mishmash of starting with IT help desk and support network admin and really working directly with like my coworkers. And at the time, my first job was at a real a real estate company. And so working with realtors, who God love them, they really are great at selling homes. But technology was really never their forte back then.
So I spent a lot of time explaining how they got the viruses on their laptops that they were paying me to clean off for them. And from there was a pivot basically into cybersecurity when I was working at a bank. And the CISO there at the time saw in me, I guess, an ability to take complex cybersecurity concepts and break them down in a way that people can understand, like, how do I not get the virus on my computer.
And then I was really fortunate enough to go and make a move to Los Angeles about 10 years ago, and I got to work with a lot of really fun companies, some being Activision Blizzard. And then I went to the Walt Disney Company for a couple years.
And then after the notorious hack of Sony Pictures in 2014, I went there and built their program for them there. And then, that was when I made my pivot into being a vendor and launching Habituate. And, you know, five years later, here I am.
Ian McShane 4:09
What was it that made you start Habituate, like when I think about security awareness training, maybe traditional security awareness training, it sucked, essentially, right? It was once a year, it was like a couple of hours long, it was always old and looked like it had been filmed on like, Betamax or something and it had cheesy acting, it was it was almost like a Saturday Night Live skit. Was that the kind of thing you were looking to address? Like, what did you think it was missing when you started Habituate?
Jason Hoenich 4:36
I think you kind of nailed it there as a buyer in the space for several years. And it really started with Activision Blizzard and having to work with a really unique set of developers, right. These are the guys that are designing Call of Duty and those games and so it’s an elite, tech user really and what I was running into was, I was realizing that they didn’t really need to hear from me in their opinion, but I still had to engage with them in some way.
And I had a lot of luck using a really funny 30 second video that I had found on YouTube. That just got them laughing. And as soon as they were laughing, I had their attention for at least, you know, five or 10 minutes before they decided I was boring at that point. But I had that experience. And when I went to Disney was when I really started to push that concept of like, I want to use funny videos, and they have to be well done videos, not stuff that looks like we filmed it in the back office with a couple of the IT guys but like, Disney was and is the greatest entertainment company that we know right now. And if I was going to have a few minutes with all of my 140,000, employee coworkers, it better be really good. And it better be what they’re expecting from something from Disney. And it just wasn’t there at the time.
And so as in the vendor space, I should say there wasn’t vendors that included that. So we started just producing them internally at Disney. And I would take those funny videos that I was really proud of. And I would show them to my peers in the space at the different conferences that I would go to and get a really great feedback from them. And that’s when I started to realize, oh, there’s an opportunity here to provide value to my peers, and also have a lot of fun doing it.
Ian McShane 6:23
So yeah, it’s just going back to that book, it sounds like that. Making it attractive, making it easy is what we’re driving out here. Just it’s much nicer and easier to watch something that’s been made through, with high quality with high production value. And it’s something that’s just cobbled together the week before, right?
Jason Hoenich 6:39
Yeah, yeah, exactly. And it’s one of those concepts that are just like, generally not very interesting to people. And so, that was my challenge. And it was my interest is like, how can I make this interesting? And so we always went with humor.
Ian McShane 6:53
And then Adam, over to you for a second, as the CISO of a large organization, like Arctic what’s what’s it like to oversee, or be responsible for that security awareness program at a security vendor nonetheless?
Adam Marrè 7:08
Yeah, I mean, it’s a huge responsibility, because anybody in this space knows that you can do all the technical things, you want to try to lock it down as much. But as long as we have humans involved in the process, they’re going to have the ability to do things that are maybe ill advised or outright stupid, that are gonna allow attackers to gain access. And it’s just a fact of life, we have to accept that.
And so, as a leader, what you want to do is make sure you’re securing, you know, that part of your infrastructure as much as possible. You’re trying to make all those wonderful human beings as aware as they possibly be, to try to resist and detect those attacks. So it’s a big deal. And it’s something that is, like you said earlier is near and dear to my heart, I’m very passionate about it.
And I came to it through kind of an interesting process, because, as we’ve talked previously, in the podcast, I was an agent with the FBI for quite a while. And it was during that time that I began to give a lot of briefings to companies, because, we were trying to get a foot in the door so we could get to know, business leaders, so they would trust us and report to us when, you know, bad things happen, and they got breached. And one of the ways we did that was offering these free presentations. They’re often aimed at employees doing general security awareness training type presentations.
And what I found is I would go into these organizations give these presentations, and people would be kind of blown away at a lot of them. And what I realized that wasn’t that we were saying anything that anybody else wasn’t saying, and it wasn’t that we were the greatest presenters on Earth. It was just they hadn’t been getting quality training at all. And a lot of what we did was storytelling, right?
Because we would just tell the stories that we lived, the breaches that we’ve been involved in and go back to the way that the attackers got a foothold and was often through some sort of, social engineering or interaction with a human being. And people were just captivated by that. And that it really, it really spoke to me much like what Jason’s saying is that there was a real big need here. And so that’s how I really got excited about this. And it became a big part of what I tried to do now, to your actual question. At a big enterprise and a security vendor. Nonetheless, it becomes extremely important for us to get this right. And there’s a lot of things to navigate there. When we’re talking about people who work at a cybersecurity company, we can get a masters.
Ian McShane 9:40
Smartasses like me that think they know better than everyone else. Right?
Adam Marrè 9:45
Well, so we could get into that. But that’s one of the things a lot of people like these developers, Jason was talking about, really smart people. They think they know. They think they understand. They think they’re smarter than the attackers and you know what, maybe they are but the thing is, we all need to be humble, I’m pointing the finger at myself too.
We all have to be humble and realize that we are all, we all have the ability to be tricked, we all have the ability to be tired to be moving too fast to make mistakes. And if you have that humility, you realize that I need to listen to this, I need to stop pause, listen to these trainings, remind myself of the things to do. And I think sometimes when we’re in certain spaces, like we’re highly skilled technologists or developers, or we work at a cybersecurity company, there’s a temptation to think we’ve got it all figured out. And as soon as you get into that territory, you’re in the danger zone.
Ian McShane 10:37
Let me tell you this right, a couple of weeks ago, so I placed an online order with Dick’s Sporting Goods, right. I guess it was a Monday, like right after work been down to collect my click and collect order, came back home looking at email. And there was this email saying, here’s your reward from Dick’s Sporting Goods, I’m like, Cool. I clicked on that. And it’s like, you’ve won a Yeti cooler.
You just need to fill this stuff in. I’m like, cool. filled, my name is like went next. And it’s like, Oh, you just need to pay shipping. And like, I thought, hold on what? Like, I’m just gonna double check this. Do you know what? It wasn’t? Oh, I almost swore there, it definitely wasn’t Dick’s Sporting Goods. Let me tell you that. But it was just like, right place, right time. I’m not embarrassed to tell anyone because like, I know what to look for. And I almost fell for the easiest one in the book there.
Jason Hoenich 11:26
I know that one. I got that one, too. It’s easy to just kind of be like, ‘oh, yeah, okay, cool.’
Ian McShane 11:33
It was just weird. Because, like, they had YETI Coolers right by the store the door. And I remember looking at it on the way through going ‘oh, yeah, that’d be nice.’ But I’m not paying 300 bucks for a piece of plastic. Yeah, so anyone can get caught. So Jason, as you built the security tools and the videos for these programs, how have you seen that evolve over time over I guess, five years or so?
Jason Hoenich 11:54
Oh, that’s a great question. You know, when I was when I was at Disney and Activision. I don’t think security awareness was really like a thing yet. Right? I mean, I think it was, but like, it probably didn’t have a proper title role until Disney. And I think back then it was all about content. Right.
And because that was a struggle, we had something that we all expected, and it was going to be boring, and long and drawn out and PowerPoint-ish or death by 1000 clicks. And so when I started doing, I was excited. And I think the industry was excited to see the approach with humor, or just higher production quality or just highlighters or something like that. Right. And I think now, the impact of that in the last couple of years, I think is that that’s now what everyone expects, right?
I think it also goes along with what we’re seeing in our daily lives on social media, whether it’s YouTube, or Instagram, or Tiktok. It’s pretty high-quality stuff, right. And so if we’re not being presented content like that, we instantly disconnect. And so I think over the last couple years, I’ve just seen a much higher level of quality of content, overall, to the point now where I think that’s just accepted and expected now, it’s like, well, what is the next thing?
Ian McShane 13:16
Yeah, yeah. I mean, it’s an industry. I think, maybe I’ve mentioned this before in, in the podcast, but I think that the cybersecurity industry in general has a real hard time communicating, not even complex things to non-technical folks just standard technical things to non-technical folks.
So being able to see how we can deliver that in a way that’s engaging and more down to earth maybe more entertaining, ultimately, it’s been a real breath of fresh air. And I think I said to Adam before, and when I first joined Arctic Wolf, my first day you have like the onboarding, training, and then go off and do your security awareness training. I rolled my eyes immediately. Becaus I was expecting something. No, no, it wasn’t even that I knew everything. It’s just like, Oh, great. It’s just gonna be terrible. And, you know, I’m gonna have to, basically click the mouse button a million times to get past this to get through this, it’s going to be a mouse clicking challenge, and I was blown away by how different and how good it was.
And so if we, if we’re thinking about the content there, Adam, how do you align content in the security programs with not only the security requirements, but also the culture of the company that you’re working for?
Adam Marrè 14:25
Yeah, that’s a big part of it.
Actually, I want to definitely want to get Jason’s opinion on this. Because, you know, I’ve approached this as a leader who understands the importance of it, but it’s something really difficult I think, to get right.
I always try to start with the why, the most important thing I’m trying to get out is the why is this important to you? As a person and I almost feel and you know, push back on me if you think I’m not right on this, but I’ve always felt it’s almost like more important than even the production quality is this like using a story or just something that grabs people and says, ‘This is why this is important to you as a person,’ like whatever we can do humor to get them to get their attention for just a second, and then grab them with the ‘this is the why’ so that it starts to infuse itself into their person into their being like, ‘Oh, I realized this is part of what I have to do.’
Because of all these reasons, I don’t know, Jason, what’s your experience with trying to get to that, why and get it into people’s brains and not just have like a funny video or something.
Jason Hoenich 15:37
You’re speaking to my heart right now, I’m a huge behavioral science nerd. And I read a ton of those books. And one of the ones I actually really liked one of the key takeaways, I think it was called Captiveology. But the concept was like violating expectations, right. And so, like I mentioned before, like the training industry has a certain expectation that we all are expecting, right, and it’s like, so we can go in and you can make them laugh within the first couple seconds.
There’s also behavioral science that shows that once you violated expectation, you’ve got like 10 seconds where that person is hyper focused on whatever data you’re throwing at them. Right?
And so that’s what we would do with Habituate was like, we would start with something funny to get someone laughing, and then say, here’s why, at least give the intro of like, here’s why this is important. And a lot of times, it’s maybe just connecting with what we do in our daily lives and something that’s like, meaningful and say, ‘Okay, I’m listening,’ and then slowly push that over to them through storytelling, and, and humans, stuff like that.
But I think you were asking, how do you approach that from a culture aspect? And it really is, I think you can almost make content agnostic at the beginning of your program, until you understand the culture and the whys and how to communicate those to the employees and to your coworkers and things like that.
Ian McShane 17:02
Makes sense? I think it’s also important to that, especially in the modern world that got us out, like the modern world today. Like where everything is digital, right? It’s not necessarily just about protecting the business, you can get people really invested in cybersecurity by explaining how much this benefits that personal life as well, because the good habits that we want them to form at work, are good habits that you want them to have at home, and vice versa, right?
Jason Hoenich 17:29
Yeah. Well, I think Adam will echo this, I don’t wanna speak for him. But that was a lot of the success that I had initially, doing, like live trainings, and departmental trainings was like really delivering it from a personal aspect.
And what it means to them, because I think if we’re being honest, as security awareness practitioners, we really have to start our jobs every day with assuming that no one cares about this stuff, right? Doesn’t matter, the company doesn’t matter, the clearance level doesn’t matter, the CEO level, if we assume that they don’t care, then we approach it with the concept of like, we’re being respectful for them to their interests, and then building a like, a trust level there with like, ‘Okay, now I’m listening a little bit.’
But if we assume that people want to know this stuff, that I always found that was kind of like a misstep that I would take.
Adam Marrè 18:19
Yeah, I totally, I totally agree with that. They’re there too. And, and I agree with, you know, your, your earlier point as well, but I just wanted to jump on this. Like, there’s two big problems I see with people talking about them, not caring about this one, is they have this concept of, well, no one would ever attack me. Right?
And so that goes to the first point of the personal life. Again, people will say, no one’s going to attack me in my personal life. And we always try to say, there’s no difference to the attacker, personal or business, it’s all the same to them. So that’s one thing that’s, that’s challenging to overcome.
And the other one is, I have found that there’s a resistance when it’s letting the perfect be the enemy of the good. So in other words, if you have some sort of thing you’re asking them to do, but they can think of some scenario where it wouldn’t work, well, then they don’t ever want to do it, because it’s not gonna work all the time. So I’m wondering, you know, what are some of your experiences with trying to get people over that idea of like, no one would ever attack me. I’m just some low-level employee. And the idea of if what you’re asking me to do is not perfect, then we might as well not do it
Jason Hoenich 19:36
Gosh these are two I think, I could probably go off for several minutes on each one of those points.
I think for me when it comes to the I’m just a nobody type of approach response is, right, you’re a nobody in your mind, but you have family members and you have perhaps children or aunts and uncles and those people are all connected online now.
And one of the ways I got the most people to respond was the idea of utilizing Facebook’s friends of friends default feature, so that friends of friends can see your posts, right and maybe you cover some of the stuff in your discussions. But like, first day school around here, it’s first day of school, everyone’s posting pictures of their kiddos and what grade they’re in what school they’re going to. And if you if you don’t have your default set, your settings changed to only allow friends to see that. And you have 100 friends and those friends all have 100 friends, it’s like 10,000 people that can see a picture of your kid, right and had information of what school they go to where you live?
And then how easy is it to send an email saying from the PTA association of your elementary school, I’m going to be good parent, I’m going to sign up, I’m sure I’m going to click on that Excel document. And it was just in those moments, people are just like, o’h, my gosh, I never considered that.’ Right.
And even if they go back to putting on the nobody, it’s like, yeah, but you work at a company, right? And there’s value there doesn’t necessarily mean that maybe the information that you hold personally may not be valuable to them, but your access to things maybe. And so that was one way that I kind of always tried to get over that. Yeah, but not me kind of thing.
And what was the other voice? The second, the second portion of that?
Adam Marrè 21:15
Well, I was gonna echo that and say I totally agree. I think it’s really painting scenarios for people on why they’re valuable. And getting them to realize that I even have stories where I’m like, ‘Well, if an attacker sends an email to an executive or someone in the finance department, they could probably detect that.’ But what if it came from you?
I don’t mean you sent it, someone took over your account, and they send an email through your, and then the wheels start to turn like, ‘Oh, they’re not attacking me, I am now a vector for other things.’ And so I think that’s the stepping stone. And you know, it could be for other family members.
And also, we could talk about how cryptocurrency has basically made attacking individuals much more valuable than it’s ever been. And so that’s sort of a personal why me. But the other point was the perfect being the enemy of the good. And I fight this battle with a lot of people, even very experienced security professionals, who want me to sit, who want to debate the edge cases of some sort of solution, or even if it’s like a 40% solution, or a 50% solution.
Ian McShane 22:25
So my twelve-year old is going through that phase right now, where I find one reason not to do something like one far-fetched reason.
Jason Hoenich 22:31
Yeah, yeah, I’ll definitely say, early in my career. It was like I said, death by 1000 clicks, it was probably death by 1000 yeah, buts, right.
I think the one big example I have was, was trying to introduce the concept of a passphrase for passwords. And this was at Activision, I think, and I was working at this concept. And I think it still holds up to this day. But it was the idea of thinking of two or three things that you love. And then a year that’s meaningful for you and combining them and then adding something for whatever site you’re on.
And it was always, well, yeah, but if they get that, and they see what the site is, and they know the pattern, and they do all these things. And I was just like, ‘Yeah, but it’s better than what you’re doing right now.’
If that password is being hacked, you have bigger issues, yyou have other things you should be doing in your career and in your life to protect yourself. But for the average person, it’s like I can get into the debate on people harping on the past SMS MFA. Like the password manager books that they’re sold online, that’s actually not a bad resource for folks at home who are given less of a chance of getting burgled than you do getting hacked, right. So I would tell my dad or my older family members, write them down and keep them in your drawer you’re not going to get broken into.
Ian McShane 23:49
I used to use this as an example. Tell you what, like this time of year is great for figuring out which people you don’t want to hire in InfoSec. It’s like look on LinkedIn, in cybersecurity month and you’ll see people ripping the really mocking end users like, left, right and center and I saw one this week, I kid you not, I was speaking to someone else about this today, a VP from another security companies as someone that should frickin know better, was ripping on a passwords book. Right?
But that’s not even it note, this password book. On the first page, it had a guide to creating a passphrase is like pick a memorable sentence or pick three memorable things like this is how you create passphrase I’m like, ‘That’s literally the best password book I’ve ever seen.’ And all you can think about is taking making fun of people that you know can’t use technology.
Jason Hoenich 24:36
It’s that narrow minded like we know better mentality I think that exists in the IT space. And that’s what as security awareness practitioners, we’re constantly up against, right because we try and bring like a right brain approach to like, ‘Okay, I’m gonna use funny videos. I’m gonna break this down into simple statements that someone can understand.’ And it’s like, well, yeah, but all this stuff and it’s not one thing is going to answer everything. But if you apply the Pareto Principle and 80% of your workforce is using an eight character password, and you can have them all or a good portion of them go to a 12 character 16 By using passphrase. Great, you know, you’ve reduced risk at that point.
Adam Marrè 25:12
Yeah, this is another one of those failures to contextualize. And I also think failures to teach a concept. Because what you’re trying to teach with, in my mind was security awareness, there’s a couple levels, you could teach the level of, ‘hey, just do this thing.’ Like you don’t even think about it, just do this, trust me.
But there’s the other level where you’re teaching people the concept, so that they take it into themselves. And then they can apply the concepts to many different contexts. Because, like with a password book, you obviously wouldn’t want a password book sitting on your desk at work with a lot of people.
It’s essentially a public space and a lot of ways someone could get to that. But at your home, it’s a totally different context. And having that password book there, very few people are going to see that only the people that get your home, and even if somebody does burgle your house, what are the chances they’re gonna steal your password book and then log into your, you know, Yahoo account or whatever.
Jason Hoenich 26:02
Your AOL account?
Adam Marrè 26:05
Exactly. Pretty low. So yeah, I think if we could really get to that conceptual phase, that conceptual level, where we’re saying, ‘This is why we’re telling you to use a password manager or something like that,’ instead of, ‘I just use a password manager, instead of creating a Tom batons that you create people that really think for themselves,’ then I think we can get past some of these things. And even they might be able to call BS on some somebody trying to be smarty pants on, you know, social media, but telling people possibly the wrong thing.
Jason Hoenich 26:34
I was just gonna add to what Adam was saying, in that I think that there’s this mentality of perfect. I forget who it was, it might have been one of my business partners before or something. But it was this idea of, we’re not trying to teach you how to do surgery. But we are trying to teach you how to do CPR. Right.
And I think from the IT space, sometimes the expectation is we need to do everything perfect. And you do know how to do surgery, but the average person just needs to know how to minimize damage, right? And if we can just teach you the high-level concept of here’s a password manager, here’s why it’s great. And just start by using your bank information, right? Just plug that in, and then just let it right. You don’t have to do this whole big thing. Just start with one. Just how it is.
Ian McShane 27:25
Yeah, that perfect being the enemy of good. I see it all the time. I’ve spoken to so many organizations and we’ve got too many people, we can’t roll out MFA like, ‘What about the privileged accounts? How about your IT admins, they can definitely use it. So how about rolling out just to them?’
The other famous discussion is, MFA is pointless if you’re using SMS because you can clone someone’s SIM card. That’s my second favorite threat model and everything else.
All right, so Adam, tell me this, like, I’m a jackass. And I think I know everything. And I think phishing, simulations suck, I genuinely think they suck. And so I’m looking to you as the CISO, to explain to me why they’re useful. And I’m gonna tell you why I think they suck. I think they suck because it’s a way for us to trick employees into clicking something and to try and train them away from doing something that a hyperlink was designed to do. So tell me why I’m wrong.
Adam Marrè 28:18
I really think this is not an either or question. Because I think there’s so many nuances to how you roll out a program like this. And I’m not saying I do it perfectly, but I can tell you sort of some of the concepts where I think this can be a useful tool in your arsenal, to try to fight against phishing.
I think if you really use it in what feels like a partnership with your employees, where you say, ‘Hey, we’re gonna send you out these phishing simulations.’ You know, don’t call it a test. We’re not trying to trick anybody. And I also don’t really believe in punishments for this. But you roll it out in a way where you say, ‘Hey, we’re going to show you what some of these look like. Now, this will give us and by the way, don’t click on it. Please report it, if you see it.’
Because we want to see what number of people are going to click on this but as a way for us all together to understand this better, and to give you a chance to see these on a regular basis. So you’ll know that they’ll be coming in it just it increases your awareness. And I think if you can get to more of a feeling like that, where it feels like a partnership, they’re helping, like you as an employee feel like ‘oh, my security team is helping me recognize phishing, helping me understand it. And yeah, when I click on it, I’m gonna feel dumb, but they’re not gonna get mad at me. They’re gonna come and they’re gonna say, Hey, tell us what was effective about this. Tell us what was going on.’
I’ve had some great conversations where I learned some key insights about phishing, one of which is one of the things I think people are doing is they’re moving way too fast to their email, and they’re just not processing it. But I learned that because we’d send out phishing emails and I would have these great discussions with people and I’ll tell you this, the first thing I do when I sit down with them personally, and the first thing I do is say, I’m not mad. We’re just sitting down, I just I want you to tell me what was going through your head. Because what we can do is we can take these lessons learned, we’ve given everybody, and then all of a sudden they become a partner. So I think phishing tests can really be useful that way.
But yes, I agree with you. If they’re sent out and they feel punitive, and they feel scary. You’re gonna become an antagonistic relationship. And that is absolutely the last thing you want with your security team and your employees is to have that antagonistic. We gotcha style of relationships. So anyway, there’s a few of my thoughts.
Ian McShane 30:41
tThat’s great. I didn’t feel wholly comfortable asking my CISO why I thought phishing simulations were terrible. Jason, how about you? Has that been part of your security awareness practices before?
Jason Hoenich 30:56
Yeah, I sympathize. And I aligned in with your statement a lot, right? I think that it’s a necessary evil. And that’s as being a practitioner. And I want to I want to back my answer up just a little bit. And say that when I started using phishing simulations, there was two, maybe three vendors in the space.
Though, at the time, the analysts were really using to define what security awareness and training was, and they were fishing simulation vendors. They’ve all since changed names or gone been acquired and stuff like that. But this is kind of the gripe that I have as a practitioner is that that’s what everyone now thinks of security awareness and training is that it’s all phishing simulation. Right? And phishing simulation is important and training.
But to me, it’s a one of four or five keystone, elements of a robust security awareness program. But I think I come from a different viewpoint, in that, for me, it’s really about vocabulary. And like what Adam was saying, it’s not about tricking. So I always highlight with my peers and say, you’re not testing them. This is a phishing training, they’re responding to a training that shouldn’t be offensive. So they’re not a repeat offender. They’re just a repeat responder, right.
And when you start to use positive language versus negative language, when you can instill that within your IT team and your InfoSec teams, you start to subconsciously, tear down that users of the weakest link mentality. And I think I am in a completely anti-punitive program, advocate. But I do realize that there’s some industries and some companies specifics where like, that could literally bring down the country in some way. Right. And so maybe it is applicable. And I still think it’s all about strategy, and how you’re managing that program and having a good program plan for how you’re rolling out your fishing simulations, right. And so I don’t like them, but I think they serve a purpose, for sure. And I think that they’re valuable. But it really comes down to like Adam was saying, you have to do it in the right way.
And I’ve had similar experiences where I had one person who was like an executive assistant to a marketing VP and another studio that I was working at. And this person clicked literally on every phishing simulation I had sent out that year. And like Adam said, I’m just going to reach out. So I started my repeat responder program, and my top 10% of responders I would go to and just, I’d sit down with them. And this person told me, she’s like, ‘I work for the VP of Marketing. My job is to open up every email because we could miss an opportunity.’
And I was like, ‘Oh, that is great information to know.’ And at the time, this was still kind of like when you could hover over a link and see that it was coming up something different. And I asked her if she was aware of it. And she said, ‘No.’ And I showed her how to do it.
This was like a seven minute conversation at her desk, right? Like I went to meet her. And after that point, she never clicked on a phishing simulation email. And I would follow up with her and be like, ‘Hey, we’ve done six, you haven’t clicked on any’ and she would be super stoked about it. She’s like, ‘Yeah, I use that all the time now,’ and may not be as effective now that tip, but it really is about being transparent, being open about what the goal is of the training program, that you’re not in trouble. Depending on the company and the corporation, you’re not going to lose your job that this is just to better the program. Right? Yeah. That’s the trouble. Yeah, then you can be valuable in that way.
Ian McShane 34:22
I think there’s a history of security being the punishment stack, right. Where you hear from the security team is because you screwed something up you stupid end user.
Jason Hoenich 34:29
Yeah. You have the idiot mentality and all that stuff. And so I think that’s been like a personal passion of mine is trying to reverse that. That mentality and also help bridge better relationships between the security team and end users.
Ian McShane 34:45
Yeah, and honestly, go ahead.
Adam Marrè 34:47
I was gonna say I do want to add you can’t avoid the conversation about the seriousness of phishing and how prevalent it is and how successful it is, and how it’s pretty insane. I’m just gonna say it. It’s insane in the modern world that we’ve decided to continue to use email, for really important functional business. And we essentially set it up in a way where we say, all right, all employees at my company, you’re all at the gates, you’re guarding the house. Good luck. Yeah, don’t do anything dumb and then we come down on, I’m like, ‘Oh, my gosh, how did you not detect this?’ It’s a little bit crazy.
And so in that environment, we have limited tools. One of them is to try to get an idea of how good our employees are at this, because we have asked them implicitly, I wish I could make a different decision. You’ve asked them to do this. And because of how I cannot tell you how many series investigations I’ve done, that started with phishing, and we’ve all heard the stories, you know, it’s like all of them.
Ian McShane 35:56
It’s all it’s either credential reuse or phishing, right?
Adam Marrè 36:00
Yeah, exactly. And so I just have to underscore this conversation. Phishing tests aren’t the best, but phishing is super scary, super successful, or super effective for attackers. And we don’t have great ways to defend against it. I mean, we got lots of whiz bang tools out there. But once again, as long as we’re telling our humans, ‘you’re the ones that got to detect this.’ It’s really hard. And as Jason pointed out, there are some no fault situations out there that people are in where you can not be the one to do that.
Ian McShane 36:34
And the irony is not lost on me that I said phishing tests are terrible. And then I admitted not five minutes ago that I almost gave my credit card company details to phishing.
Jason Hoenich 36:45
To circle back to the earlier conversation with my time at Activision. I think phishing simulations are really great for elite users, because it does kind of show that humility of like, I can still get you, right? Like, you don’t know everything. And it doesn’t have to be like an aha, gotcha moment, it could just be like, hey, we’re here, you’re gonna listen a little bit now. Or at least llet me let me just take that chip off your shoulder, I was preparing to get ready to put it back on.
Ian McShane 37:12
You know what I’ve after you after this conversation, I’m thinking that phishing, phishing testing could be the best way to take people down a peg or two that you know, think they know better. I love it.
Jason Hoenich 37:20
It’s a humility exercise.
Ian McShane 37:24
Yeah, I could show us a dose of that myself, I’m sure. So thinking about we’ve already talked about not letting the not letting good be the enemy of not letting perfect be the enemy of good, good God. A company has limited resources. That’s a known thing. So when they can’t do everything, where should they start, and there are still hundreds of thousands, if not millions of organizations, they’re not doing any of this stuff, right?
There’s people that don’t have any security acumen or employees dedicated to it whatsoever. So if they have limited resources, and nothing to do, what can they do? What should they do? Well, what can they do? Jason, let’s start with you.
Jason Hoenich 38:05
So I’ve been that resource that had zero budget, zero everything but had to do something, right. And what I found is you can still be very effective. I think, a majority of a successful security awareness program is relationship building and trust building. And so there’s plenty of open-source tools that can run phishing simulations. And I think with enough coaching and guidance, you can establish an advisory board within your company, depending what size it is, and get those key stakeholders on board and just say, here’s what I’m proposing is important to us.
Do we all agree and getting that buy in so that you can take that and begin doing some of those initiatives that are that important? And it’s really just understanding what’s your biggest risk? And how do you how do you clear out most of that, in the first effort, and understanding cultural differences within the company and things like that. So I think it’s really just most practitioners could spend six to nine months of their first year running a program, understanding the company and the nuances and the relationships there before being effective, and that’s one thing I always kind of offer to new programs is like, you need to communicate with your leadership team, they’re not going to see an overnight and over month return of investment on this.
This is an annual thing that you’re gonna start showing reduction of risk, and it takes a lot of time and effort to engage program and be effective.
Ian McShane 39:38
Yeah, what about what about you, Adam? And just thinking back to the first podcast where I learned a very important lesson about asking the FBI for help.
Adam Marrè 39:45
Yeah, I was gonna say it just goes back to that concept, do something. Just because something is better than nothing. And also one of the most effective things that you can do. In security awareness training is have the top level leaders be involved and passionate about it. So if you lead an organization and you’ve got 10 employees, you’re the CEO, you do it, do something, you know, it could even be just you doing an hour of research one evening, and then having a 20 minute discussion with your company, ‘hey, this is what I think we should be doing.’
And the other thing is, if you’re a company like that, there’s no security practitioners at all. You’re just trying to do business. Again, it starts at the top. But there’s almost always somebody in the company that’s passionate about this, or at least interested. That’s what I found, when I would give presentations to companies, there’s always somebody that would come up to me at the end, say, ‘Oh, I detected this thing.’ There’s always that person that’s excited, find out who that is. Assign them, and say, ‘Hey, can you give us you know, a 20 minute 30 minute Q&A, discussion, briefing, whatever it is, next week on phishing or whatever, just start with something.’ And especially if you’re leading it from the top, if you’re the CEO, CFO, whatever it is, you will start to build that security culture.
And if they see you walking around, not letting people tailgate after the door, you’re wearing your badge as a leader, your employees will follow. So I think there’s something every organization could do. Now, if you’re not a leader, and you’re at a small organization with limited resources, you could take it on yourself to start doing this, offer it up, talk to your leaders and say, ‘Hey, I think we really need to get serious about this. ‘There’s, there’s so much that can be done.’ TThat’s better than nothing.
And like you mentioned, Ian one of those things is a lot of places, the FBI or other organizations, would be happy to come over and give a presentation. If you reach out. I gave presentations to some pretty small realtor like title companies, because I remember back then they were getting hammered pretty hard with a lot of these business, email compromise and kind of man in the middle email attacks. And so I gave a lot of presentations to smaller companies, again, just trying to give back to the community and get involved. And so I wouldn’t think ‘We’re too small, they’re not interested in us reach out.’
Also, there are tons of resources online. tons of free stuff. Now is all of it the same high quality stuff Jason’s talking about No, but it’s something.
Ian McShane 42:19
Something is better than nothing, much better than nothing.
Jason Hoenich 42:22
And I really want to underline or underscore the FBI reaching out to the FBI or something. Every single year as a professional, I had FBI come in and present sometimes multiple times because it was such a hit. And people felt like they were getting access to something that no one else is getting and getting this inside story and they love it. And it’s free. Right? Like, just bring them in and do it and then mimic, create a deck after that and mimic like the similar stories and talking about people love that stuff.
Ian McShane 42:51
Honestly, since Adam blew my mind by saying you can just ask the FBI for help. I have in turn blown many people’s minds by saying have you ever thought about contacting the FBI? They’re like, ‘why would I do that? I’ve done anything wrong.’ I’m like, ‘No, hold on.’ Like, it’s incredible. So really, really golden piece of advice. So we’re coming to the end of the time here. So Cybersecurity Awareness Month.
How about Adam, what do you want people to be aware of in cybersecurity this month? What’s the one thing one piece of advice you’d want someone to take away? Right now.
Adam Marrè 43:21
I always, like I said, I always start with the why. So I think there are really good campaigns out there. I think what CISA the United States is going to do is really good. I’ve seen some of their materials. But the biggest thing I want people to know is that they are responsible for their own security, just like you’re responsible for your own safety.
And the other thing is to feel empowered, that you can do it. You can get in your car, and you could put your safety belt on and you could drive the speed limit. Same thing. Security online does not have to be something that you immediately turn your brain off, I don’t understand it, I can’t do it. You can. You can do it. There are simple things that you can do each day, just learn what they are. Start small build from there, but it is your responsibility.
You’ve got to protect yourself, for your privacy, and the security of your information and those you love. And wherever you work, you’ve got to take responsibility for it. It’s, you know, I want it to be an empowering message. I want people to feel like they can do it, but it is your responsibility. I think that’s the biggest thing. You can’t expect the latest advent of technology, or some other tool to come along and protect you like your phone isn’t going to do that. You’ve got to take responsibility for it.
Ian McShane 44:31
Jason, what about you?
Jason Hoenich 44:34
I’ll probably speak more to my peers and the practitioners that are trying to prep for that month. And I just want to give a shout out the reason why the month exists is because of the NCSA and it stay safe online. Really just building campaigns every year and getting bigger and bigger under Daniel Elliot I know let it my friend now. Lisa Meyers. She’s running a great program there.
There’s resources out there. They put really great resources together so staysafe.online.org is the site you can you can sign up to be. I forget what they call an advocate or something. Champion. And if you’re feeling overwhelmed, check those out first. And just try and talk to people about how it’s relevant to their personal lives and how they can protect their families, their friends, their parents, and stuff like that. And just be creative and have fun.
Ian McShane 45:25
I love it. That’s a great takeaway. Thanks, Jason, so much for your time. It’s great to have you not only at Arctic Wolf with all the great content and great work you do, but it’s great to spend some time with you today, man. Appreciate it.
Jason Hoenich 45:36
Yeah, happy to join. Appreciate it.
Ian McShane 45:37
Adam same to you, man. Thanks so much for being here. So everyone, be sure to like, share, and subscribe. I feel like an idiot saying that out loud. Like, share and subscribe to this podcast on you know, whatever platform of choice whether that’s Apple, Spotify, where else the cool kids listen to things like button. Smash that bell ding ding ding. This is the challenge accepted podcast from Arctic Wolf. Well, thanks so much for joining us today and catch you next time.
Transcribed by https://otter.ai