Pioneering the development of e-signature technology, DocuSign (DOCU NASDAQ)helps organizations connect and automate how they prepare, sign, act on, and manage agreements. As part of the DocuSign Agreement Cloud, DocuSign offers eSignature: the world's #1 way to sign electronically on practically any device, from almost anywhere, at any time.
Headquarters: San Francisco, California
Founded: 2003 in Seattle, Washington
“Hoxhunt gives someone a button and makes it so easy to report a threat that it becomes ingrained as an instinctive behavior. The button is key to behavior change, and that’s what I was looking for: something that would actually get people to participate frequently enough that the lessons would stick and their behavior would change.” -- Lisa Kubicki, Director, Trust & Security Training & Awareness at DocuSign
DocuSign overhauled their security awareness training program beginning with the non-traditional hire of Lisa Kubicki, who now serves as Director, Trust & Security Training & Awareness at DocuSign. Kubicki came to DocuSign with little security or tech experience after 20 years of delivering leadership development and change management at universities such as Stanford and Cornell.
Uniting her expertise in human behavior/human change management with security awareness, she and the DocuSign Trust & Security team innovated a new phishing training approach to drive a more engaged and secure corporate culture founded upon employee behavior that reduces risk of the human element. The governing philosophy was laid out as thus:
“What we need to advance the Trust Culture, the individual commitment and responsibility that each DocuSign employee feels and puts into maintaining the highest level of security and trust possible, is to have employees engage with trust much more frequently than they currently do. They need to see it, read it, play with it, hear it, and do it daily. This won’t require a huge time commitment by them, but it will require that we have some of their time, short little bites of time on a regular basis. To get them to commit to that time, it must be fun, rewarding, and meaningful. It must connect to what’s important to them and how they are evaluated on their performance. It must overcome elements of how the brain works so that we get a more secure, more trusted, and more committed trust culture. We must both acknowledge and encourage the desired behaviors.”
Her psychology-grounded approach to behavior change training includes what she calls Bad brain / Feed the brain elements.
The good news, her report continues, is that we also know how to feed the brain the dopamine hits that reward it and make it want to do it again, and again, and again.
“I had to make sure we came at people in a carrot-not-a-stick way for security awareness training. We needed to get people incentivized to want to do it. When I came in, security had that Big Brother reputation of being the “No” team. We needed to turn that around so people understood that we are here to help them do their work successfully and securely. Now, as a whole, the security team is seen as great partners and people you can go to with any weird, random questions.” – Lisa Kubicki
The first phishing platform they selected got the program started. But it was overly manual and lacked sufficient depth in its templates and functionality for long-term growth of the program.
Once DocuSign’s security posture matured, Hoxhunt was chosen from a group of 17 options. It checked all the learning-and-behavior-change boxes for DocuSign’s Trust and Security team. An as an automated platform, it would deliver sustainable results with individualized training content sent on an ongoing basis, and in a way that fosters trust and positive reinforcement. The smart algorithm, which adjusts training content to user needs and skill level, was also a significant plus.
The Chief Trust and Security Officer supported Kubicki’s behavior change model and her selection of Hoxhunt based on its positive reinforcement approach, culture-building potential, increased frequency and, perhaps most importantly, the reporting button functionality.
“It’s important that Hoxhunt rewards people for successful reports with a follow-up screen that says, ‘Hey you did the right thing. Great job! Here’s a gold star and the next shield, and now you’re further up on the leader board…’ I love the shield rankings. They motivate positive influencers to build a secure culture in the spirit of healthy competition. And for those not as interested in the gamified aspects, Hoxhunt is easy to use and readily available on desktops and mobile devices alike."
Kubicki oversees what she calls the Trust ABCs: Awareness, Behavior, and Culture, all of which have improved with Hoxhunt. Introducing a new email awareness initiative with Hoxhunt at its center was challenging for the Trust team as it coincided with a major migration of corporate systems. Even so, Hoxhunt has been well-received by leadership and employees alike. The Trust & Security team have been impressed with how the adaptive learning model matches simulation difficulty levels with employees’ progressive skill levels; it gives them real confidence in where their people and the organization stands in terms of strengths & weaknesses and social engineering risk.
Ultimately, Kubicki has built and run a CSO50 2021 award-winning security training and awareness program, in which Hoxhunt plays a significant role. In spite of—or perhaps because of--not having a technical background herself, Kubicki says that senior leadership and her colleagues alike are comfortable coming to her with security-related questions. Security culture and trust has been elevated, internal communications have been streamlined to support issues and concerns, and the security team’s profile has moved from the Department of NoNoNo! to the Team of Let’s Do It Securely with Excellence.