Lisa Kubicki has steered the awareness, behavior change, and culture program at DocuSign for over 5 years, and Hoxhunt has helped her and her security team achieve award-winning results. With the rollout of Hoxhunt 2.0: The comprehensive Human Risk Management Platform, she joined Eliot Baker on the CISO Sandbox to discuss the transformative value of going beyond awareness training to change behavior on a human risk management platform.
How is human risk management different, and more effective, than just awareness?
Moving to human risk management is really explaining what the (behavior change training) role is trying to do to manage the risk of the human element that is in the human OS in your company... It’s to make sure that you’re looking at what are the risks from the human element to the business that we should be addressing. Awareness is a part of that but it is not the whole picture.
It’s identifying what are the risks across this particular organization, across this particular group… and adapting the security awareness program to react and respond to those risks with proactive and engaging material.
How does a behavior change program provide greater threat visibility for human risk management?
You need the security stack across the team, across IT as well, to know: where do we have our biggest risks? Who has the greatest amount of access that could cause the greatest amount of problems if they’re compromised in some way? Who’s making bad decisions on a regular basis? How can I alter communication for this group to be on this topic and modify it in a way that speaks to their “WIFM”: What’s In It For Me? Keep it super simple, and make sure that it addresses the risk that we need addressed.
What is the value of human threat detection to enhancing response and reducing risk?
That human element: they are your eyes and ears. The security team’s tools and stack can only see so much and sort through so many logs and everything that’s coming in via those tickets and all of that information. The humans: if you can stretch your team to be 10,000 people, suddenly look at how much more fortified you are as a company. This is only reinforcing what your tools are going to do, because something is going to slip through: the bad guys have gotten so much more sophisticated and your tools are not yet aware of that new tactic and technique to break in, but your humans will spot it.
What is a risk-based approach?
That risk-based approach is: I know where we have pockets of poor security decision making, and this is how we’re going to counteract that and make sure those behaviors are the ones that we need them to be, and make sure that we’re asking people to do things in a reasonable way instead of making it so complicated and overburdensome they can’t get their day-to-day work done because we’re just interfering. That risk-based approach is much more responsive to: what are our challenges to our people, and how do we counteract that?
3:20 Do you think there is a difference between pure security awareness and security behavior change and, if so, what does that difference look like?
5:37 What are the key elements of a security behavior change program to elevate it above the infotainment quality of traditional compliance-based awareness training?
9:15 Could you talk about nudging?
11:25 Many don’t believe you can send and analyze the results of 3 phishing simulations a month to thousands of users. How do you automate that?
15:15 What is human risk and human risk management?
18:42 What is a risk-based approach?
20:14 Does simulated phishing reporting give visibility into org-wide risk?
23:36 People are the eyes and ears of the company. Can they be integrated into the security stack to enhance SOC threat detection?
25:48 Communication: How important is stakeholder buy-in for the awareness and behavior change program?
27:38 How do you communicate the value of a human risk management platform to the C-suite and board?
31:00 What is the difference between a compliance-based approach and a risk-based approach?
32:34 Do you have any final tips for anybody looking to go beyond awareness and into a human risk management platform and a risk-based approach?
The changing of the guard from old-school awareness training software to security behavior change and Human Risk Management Platforms is officially happening. Gartner reports that legacy awareness training solutions “do not meet current CISO needs” and predicts that “by 2030, 80% of enterprises will have a formally defined and staffed human risk management program, up from 20% in 2022.”
The industry is moving beyond awareness.
Hoxhunt is leading that change. With the official rollout of three new product packages—Comply, Change, and Respond—the reinvented Hoxhunt Human Risk Management Platform comprehensively builds compliance, security behavior change, and enhanced threat detection and response capabilities. It’s about increasing resilience and risk mitigation capabilities without adding resources.