Ira Winkler, CISSP, is the Chief Security Architect for Walmart and author of the books You Can Stop Stupid and Security Awareness for Dummies. He is considered one of the world's most influential security professionals and was named "The Awareness Crusader" by CSO magazine in receiving their CSO COMPASS Award. Most recently, he was named 2021 Top Cybersecurity Leader by Security Magazine. He has designed, implemented and supported security awareness programs at organizations of all sizes, in all industries, around the world. Ira began his career at the National Security Agency, where he served in various roles as an Intelligence and Computer Systems Analyst. He has since served in other positions supporting the cybersecurity programs of organizations of all sizes.
Eliot: You have written a book called, "You CAN stop stupid," and now you've written for the iconic series, "Security Awareness for Dummies." I've got to ask, if we take the titles literally, who are the dummies this is for?
Ira: So here's the thing. Let me talk about "You can stop stupid." It's my belief that behind every stupid user is a stupider security professional who allows this stupidity to create harm in theory. That's not to say there aren't stupid users. There are many really stupid users. Let's acknowledge that. But a user can only cause harm to the extent you provide the ability to cause harm.
Eliot: You spoke of gamification and phishing simulations. How do you implement those effectively in a security awareness program?
Ira: First off, the term "gamification" is one of my pet peeves, where everybody thinks gamification is a game. Gamification is not a game. Gamification is actually a very specific business principle that says, "We are taking game principles and applying them to solve a business problem." The game principles essentially involve creating a reward structure that says, "If you do the behaviors we want, we reward you and therefore provide positive reinforcement for the behavior." Let's say you make a fun game on how to learn good cybersecurity. You take a quiz and you say, "Here's a quiz, take this quiz, this is fun." Maybe they'll get an 80 and you'll give them a reward and say, "Here's a reward." Well, you're basically rewarding somebody for learning. That's providing them with information. That's not providing them with demonstrating (awareness); catching the behavior in the act and rewarding the behavior in the act. If you reward them by catching the behavior in the act, such as someone reports a phishing message and you congratulate them for the reporting of a phishing message or whatever the case is, that's gamification. On the other hand, telling people, "Here's a game! I will give you a reward if you play the game." That's not gamification. So implementing gamification requires determining the rewards, determining the program structure, what behavior you want to reward, how you catch them, how you track it, and so on. So that's gamification.
Phishing simulations: that's a plethora (laughing)... of topics such as, which phishing tool do you run? What type of phishing lures are you going to use? How frequently do you do it? Again, I appreciate what Hoxhunt does. Hoxhunt sends out the phishing messages appropriate to the level of knowledge of the person. If you don't have a tool like that, you need to figure out, "How am I going to structure phishing messages that are going across the entire range of potential phishing knowledge?"