DocuSign overhauled their security awareness training program beginning with the non-traditional hire of Lisa Kubicki, who now serves as Director, Trust & Security Training & Awareness at DocuSign. Kubicki came to DocuSign with little security or tech experience after 20 years of delivering leadership development and change management at universities such as Stanford and Cornell.
Uniting her expertise in human behavior/human change management with security awareness, she and the DocuSign Trust & Security team innovated a new phishing training approach to drive a more engaged and secure corporate culture founded upon employee behavior that reduces risk of the human element.
Senior Content Marketing Manager, Eliot Baker caught up with Lisa in the CISO Sandbox. They talked about the behavioral psychology principles behind obstacles to learning, and how to hack through that neural circuitry with training that helps people learn and actually make cybersecurity behavior a habit.
Key takeaways
Bottom line is we need short bursts of content to make learning sticky
06:05 – 06:49
Bad brain elements: use or lose it, because we lose memory constantly
06:50 – 07:28
Things you want to do is reinforce and reward:
07:28 – 08:55
BJ Fogg’s behavior model is to make things easy
08:56 – 09:16
Osterman 15minutes per month of training to feed the brain
09:17 – 10:24
Why does DocuSign use Hoxhunt? 3 primary reasons: 1. Emphasis on positive experience and rewarding success. 2: Frequency. 3: Adaptive learning model matches difficulty level to skill level
10:50 – 13:13
Simplicity affects behavior change: One button that lets people easily know what to do, and which works even after migration from MS to Gmail.
13:18 – 13:33
Focusing on failure in training is a failed approach. Buttons and rewards rule!
13:36 – 15:33
Hoxhunt leaderboard is like a Peloton leaderboard
15:48 – 17:04
What’s the secret of your and DocuSign’s success? A dedicated awareness director role builtaround a people-oriented background
17:20 – 20:47
A design thinking approach: Going from SOC-team oriented awareness to user-friendlyawareness and threat reporting
24:01 - 27
Negative reactions to phishing failure – why we chose Hoxhunt. DocuSign wanted to makesure training wasn’t all about penalization for clicking simulations, but rathera reinforcement for doing the right thing.
30:05 – 32:36
30:05- 30:20:One of the things I was looking for when I was looking at all of the different security training vendors was I wanted to make sure that penalization for clicking wasn’t what reinforced the learning, but reinforcement of doing the right thing.
30:55 – 31:06:
The point of Hoxhunt’s program is to increase reporting and because of that increased reporting you’ll see a decrease in clicking. And so the reporting is 100% the focus and 100% of what we talk about.
31:07 – 31:46:
When I walked in, there were very negative reactions and feelings bout the infosec team that it was a finger wagging don’t’ you dare … and we’ve turned that around. Because it’s become a much more collaborative model of, “please ask us any questions please come to us and let’s see if we can work together to find a solution.
32:00 – 32:13:
It’s positive reinforcement and that’s what people are putting on slack and on the intranet and talking about. “Hey, I just got this shield!” and “Hey I just got this achievement!” and that’s what people are hearing about.
Leaderboards and recognition: a hand-written note that gives recognition from our leader that you did a great job. Challenge coins
33:02
Working with other departments and reaching out to them for help with internal comms,not competing with them: I would say it’s taken 4 years to get Trust and Security to really be something that we can claim as part of our DNA…
37:04-38:00
How long ittakes to see progress and get results in a security awareness program?
38:36 – 40:32
One of the deciding factors on security training vendors for me was the frequency. You guys at Hoxhunt are 3 times a month, every 10 days. When I pull my monthly stats, part of what I’m pulling is how many simulations went to just our active employees and it’s always over 10,000 and that’s a shocking number. If I was managing my own program and I was going to send out 10,000 simulations to our employees, holy moly, that would overwhelm me. And it’s 10,000 in one month?
40:37 – 42:46
Read more expert interviews
- George Finney: Nine steps to meaningful security awareness
- Dan Lohrmann: Cyber Mayday and leadership & incident response
- Barak Engel: From Virtual CISO To The Security Hippie
- Interview: Virtual CISO, Barak Engel, Part II
- Webinar With Garrett Cook and Michael Barone From G2
- Mastering the Management of Cybersecurity Risk, with David X Martin
- CISO: From Business Blocker Nerd To Rockstar Enabler
- Key Takeaways From Hoxhunt Webinar with Dr. Rebecca Wynn
- Key Takeaways: The Security Leader's Communication Playbook
- Women in Cybersecurity: It’s time to get more diverse
- Webinar with Kevin DeLange, CISO at IGT
- Ten key learnings from the webinar with IGT CISO Kevin DeLange
- Prof. Shoemaker: Integrating Cybersecurity & The C-Suite
- Prof. Dr. Andreas Heinemann: The Corporate Phishing Threat
Check out the Behavioral Cybersecurity Statistics Report
