A cybersecurity consultant, a vendor, and a CISO walk into a room... Sounds like the setup for an IT joke, right? Well, in this case it was the setting for an outstanding webinar on cybersecurity awareness.On Tuesday, October 19, Marianne Lindroth from Nixu Cybersecurity Consulting invited Alice Ågren and Eliot Baker from Hoxhunt to help host a webinar featuring Henri Heinon, CISO of Aktia Bank, on how to make cybersecurity awareness a proactive part of your organization. The main topics that came up were culture building, effective styles of motivation for employee awareness, risk/progress metrics, and communication strategies. Watch it here or click the image below!The expert panel gave the audience a three dimensional view of the journey most CISOs take with vendors and consultants in cybersecurity awareness programs. If you've ever wondered why world class CISOs work with external partners--and how they choose the right ones--this webinar is for you!True to form for all involved parties, the discussion was fun and engaging, and laid out clear steps for designing, implementing, and tracking the progress of successful, results-driven awareness programs.
Below is a selection of questions and answers from the expert panel. Some quotes have been slightly edited to read better in print.
Henri Heinon, CISO, Aktia:There are 2 key points with awareness programs and cybersecurity awareness. First, everybody must understand their role with cybersecurity… It is not just something that belongs to the CISO or IT information security people. It’s something that belongs to everyone, from top management and the board, to the people actually doing the work…The second point is that everyone must have the required capabilities to act in that role. That means different things for different people, for example for the IT guys or for the customer service people in customer interfaces.Alice Ågren, Hoxhunt:… There’s a trust aspect as well. You need to be able to trust the person that is leading it: the CISO. So, you if you do not have that trust how are you going to be able to ask questions and approach them?Henri:Cybersecurity might be a quite scary thing. It’s something you see in the movies or on TV series. IT guys might know the reality but then we have people who are not working in IT or security and for those people, bringing it down to the Earth and making them see that it’s just about the choices you make on a daily basis. It’s not scary stuff. We all should have the basic skills and basic knowledge and then of course there are role-based things that you have to build on. But there should be some kind of baseline that covers the whole organization so that everyone knows what to do.Marianne Lindroth, Nixu:I agree with everything Henri said… At Nixu, we use the slogan that ‘Cybersecurity is everybody’s responsibility…’Alice:… I also think it’s not just about the organization and protecting the organization; it’s actually for the people. So the employees can take that cybersecurity awareness home and protect their families. It kind of goes hand in hand as to if they know what they’re supposed to be doing in certain situations… they can bring that home and protect their family and their extended family.Henri:Yes, this was one of our key points in cybersecurity awareness month in Aktia. The first point was bringing those points you learned at Aktia to your family… We have been learning how to recognize all these phishing emails and other types of social engineering with Hoxhunt, and we encourage people to talk about these things with their family and making sure that things like multifactor authentication is taken into use by the individuals for personal use, but also within the family, with their kids and their spouses and then perhaps even the grandparents. So in that sense it’s like Alice said, it’s not just what happens in the organizations but how do you push that good information onwards so that the whole society is more aware of cyberthreats and have the necessary skills.
Henri:It’s important to have fresh ideas. Consultants and vendors see a lot of different customers and organizations. They see what kinds of tricks work in what kinds of organizations. If we would be looking just from inside our own organization, we wouldn’t get any new fresh ideas or thoughts. We would be living inside our own little bubble and thinking we are doing only great work. And this doesn’t just cover awareness programs or cybersecurity. Of course you always want to have the best expertise in the beginning when you are planning something and also later when you are executing things. My team is quite small and I have only two hands so in that sense, also, I do need people executing the awareness program. But of course there are companies that have more people internally but here also, I do think vendors and consultants bring something new to the table when you are planning stuff because they do see different implementations.Alice:I have a great story. I was talking to a CISO and he needed to learn how to code html because he needed to create a landing page for his simulations that he was sending out once a month. He spent a week preparing this and at the end of the week it didn’t’ work. So he’d wasted that entire week! He actually sent it out to the users, but it didn’t work once he sent it out. That goes really well with, “You only have two hands” as Henri said, and you can’t do it all. In these kinds of topics, where we have tested the best practices, there’s nothing wrong with having help. .. I think relying on other people who you can trust to do a good job is quite critical as well to bringing it all together.Henri:Yeah, and I’m kind of a do-it-yourself man so it’s sometimes it’s hard to let go. But it’s also sometimes about making active choices about what are the battles I can fight and what is something that I can give out, and usually it helps out a lot in that sense if--even though you are renaissance man and you do it all from scratch and you think everything you do is going to be the best in the industry--it isn’t necessarily true… Use experts! They have all of the knowledge and the know-how for how to make things work. So don’t make your life miserable, fellow CISOs!Marianne:When CISOs have small teams they can use us like sparring partners… it doesn’t have to be that we design everything
Henri:The awareness program is just a tool. What we are trying to achieve is a security culture… Information security shouldn’t be like the Spanish Inquisition. Everybody makes mistakes. I make mistakes. At that point there should be this culture so that people are empowered so that they can raise their hand and say hey, CISO, I made a mistake can you help us? And we will go there and we will help them and we will not like punish them or shame them or anything like that because we are in this together. So the culture needs to be open. It should be encouraging people to be involved.Alice:… The old way of thinking was learning by failure. We are trying to move away from that. The CISOs I am talking to want to do it differently. They want to do learning by doing: hands-on, make it more fun, engaging, so people actually want to participate... So whether you have failed, missed, or succeeded on a simulation, you can still build on top of what you’ve already been taught and become more advanced so you will be more equipped for when more sophisticated attacks come into the organization… If you have a more fun or engaging or inclusive training that also prompts the user to feel they can talk to their CISO and ask questions, therefore they will start reporting more. But they do need to trust their CISO for that to happen.Marianne:My experience is that this positive enhancement and hands-on training, and approaching things positively—not just saying, ‘No, don’t do that, that’s not OK!’--that works better. Changing human behavior is really slow. It’s a good idea to proceed step by step and create some long-term plan or roadmap on how to grow security awareness gradually and Hoxhunt is a good tool to do that.
Henri:… (In addition to it being an awareness tool) we are also using the hoxhunt report button to report the actual phishing emails. Last year, we (revealed) like 5 phishing emails targeted to our organization. So those alone paid all the hoxhunt fees back to us because we were able to react immediately. So that is something you should also consider. It’s not just learning and playing but also having reports of the actual phishing emails that your organization will have.Marianne:It’s good to have realistic goals when you start an awareness program. What is measured must be communicated. So it’s important to measure the general level of awareness before starting. Once this baseline is measured the development of awareness can be monitored by repeating these surveys… measurements can be monitored by whether behavior is changing. For instance, if your goal is to update equipment, monitor the update numbers after a training and see if awareness has had an effect. We had a webinar about the dangers of not updating your phone, and after the webinar we could see the rise in updated phones so we could see that it actually worked.*Editor’s note: if you only read one part of this piece, read Henri’s section below on how to create and communicate meaningful risk metrics and performance KPIs…Henri:You should pick up measurements or key performance indicators that suit your circumstances and your environment and those should be reviewed regularly so if there’s a change in your business strategy or IP strategy or some other changes in the internal environment, then you should adapt your goals. And if your goals are changing then you should change your measurements as well.And also, try to keep those KPIs and measurements as simple as possible. Don’t try to over-engineer it. So, it might something as simple as measuring how many security incidents or security event reports you receive. If earlier you didn’t receive any, it doesn’t mean that your company is safe and there are no cybersecurity risks. It means that there is no culture for reporting these kinds of things. So when the awareness program is going on and people are getting more aware, probably you will see a rise in those numbers of threat reports and that is actually something that you need to communicate to the top management and the board level also. They might be scared, saying, “Oh my god, now we have incidents! What are you doing? You are doing everything wrong!” No. We are making a culture where we notice these kinds of things and then we report them so that we can react and we know what is happening in the organization. It might be as simple as that.And usually with an awareness program they are quite soft measurements. As Marianne said, I think the employee surveys is one of the key things. Of course you need the baseline, so you need to have that before you do any activities… and then do it every six months and every year. And you need to plan your questions on those surveys so that you don’t need to change those.When we are watching (our progress and metrics) through what Hoxhunt offers, there is the activity rate (and the fail rate). So, how many employees are using it (and how many are failing the simulations). And it’s up to your communication and tone of communication how you engage people into that. I think active users in Aktia is quite high, something like 75%, so that is really good and that’s because it’s part of our overall awareness program and we really try to make the communication fun. This is a serious matter but it doesn’t mean that we couldn’t have fun around it. So we are trying to engage people. So there is the active members of the organization and there is the fail rate. That is something you should be following. And I don’t want to brag here, but I think that other than the evil spear phishing simulations that we are together planning with Hoxhunt (a customized high-difficulty-level simulated attack for the most serious users), but like the basic training, I think our fail rate is something like 2-4% and I think that is one of the top organizations in Europe.Marianne:My advice when creating and communicating an awareness program is that plan really well at first and then proceed step by step and then comunicate your results and interact with stakeholders and then repeat so that it is not just one tyime thing but you have to plan again and develop the program as it goes forward.Henri:From my point of view, when we were selecting partners for our awareness program, we didn’t want to take just cybersecurity experts with us, we wanted communication and marketing experts, and to involve our internal communications and marketing. They are busy with their own activities (but with them we could) seek the boundaries of the communication and marketing framework, and we were able to work quite freely within that framework with the selected partner. Cybersecurity subject matter experts are able to fill in the gaps, but I think it’s really important that the one planning and running the activities really has a strong background in marketing and communication, or presumably both, because that way you are able to figure out your main messages and what are the means to deliver those to the audience, and also how to make the message relevant to different types of audiences, like the key stakeholders that you have.