Headquarters: Chicago, Illinois
Business: World’s leading software review site
The dilemma facing Garrett Cook and Michael Barone, the security architects of G2, came down to punitive vs. positive.
The cybersecurity threat landscape, including phishing attacks, was constantly changing; security risk was rising. But phishing awareness solutions—and their results—remained flat. Incumbent vendors were doubling down on the same old consequence-based training methodologies: tedious orientations followed by dry content, with stiff punishments for phishing simulation failures. Cybersecurity training had been enshrined as a negative experience.
The IT veterans saw an opportunity for a fresh approach. They had needed to stay nimble and work fast to build G2's security systems during its rapid growth into the top software review platform on the planet, serving millions of people and businesses. But in 2020, with the core security tools and systems installed and integrated, a lightbulb turned on for Garrett and Michael.
Cybersecurity shouldn't have to be a bad experience. Being at G2, where positive experience is in the corporate DNA, couldn’t they turn their own company’s values and software selection wizardry around on themselves to find something different and more effective?
Cybersecurity is an IT problem, but its solution, they realized, should be more expansive. The biggest security risks weren't hardware or software breaches, but people's inboxes. So people must participate in the solution. Wouldn't an engaging experience let people learn more effectively? And wouldn't they report and remove more threats in the process?
Garrett Cook: “With the previous tools that we used, it was always a struggle to get folks to actually participate. If it was cumbersome, or if they didn't like doing it, they just weren't going to do it, and it put a lot of burden on us because we wanted folks to learn, but it was pretty evident to us that (those prior tools) were just not the right way."
Indeed, punitive security training clashed philosophically with the cultural values of G2.
Michael Barone: "We try to stick to what we call our PEAK values, which are based on: performance, entrepreneurial spirit, authenticity, and kindness. We kind of extend that out into everything that we do, and that includes the software purchasing process: how does the product align with those values that we hold for ourselves?”
GC: "We've taken that classic traditional methodology of doing security training--where it can be very punitive, and we're punishing the users for messing up or breaking the rules--and I would say we've seen the light. We've seen what's possible if you make the experience for the user engaging and interesting, and make them a participant and not just a recipient. That really helps with engagement, and it drives trust in the security team, which I think is very important."
MB: "Personally, I think it's created a more positive view of the entire process regarding security training, and phishing training. We get a lot more positive feedback. We didn't necessarily get complaints about the old tool, but nobody cared about the old tool, either. It was just kind of there, doing what it did. Now we get people coming forward and saying, 'Hey, this is great, we're engaged, we really enjoy interacting with the tool that you guys are using.' And it just elevates (and) makes us a little bit more important and it gets more eyes on the importance of information security as a whole."
After reading vendor reviews on their own site, the G2 infosec team zeroes in on half a dozen solutions that fit their criteria. During the demo process, they cut through the marketing smoke and find out whether the solution works as advertised and whether it fits in with their existing suite of tools. In this case, Hoxhunt offered the positive psychology approach they were seeking and, crucially, it integrated well with their suite of tools while providing high-value, actionable data.
Michael said that with previous solutions, users’ threat reports would go to the nebulous Google cloud and often vanish. With Hoxhunt, his team could receive and respond immediately to threat reports, so users knew whether they’d just encountered an attack or a simulation, and the infosec team could remove and gain insight into new threats. The new level of engagement stimulated awareness while removing threats from the system.
MB: "With the way that the emails come in, and the reports, now I’ve got a full copy of whatever they reported that I can open in a safe sandbox and check, instead of it just floating off to Google and disappearing. I'm at least getting a copy of what was reported without having to go out of my way and request that they forward it to me and hope they did not perpetuate an email, or hope they haven't deleted it yet, or any of those situations. It actually gives me context around the reports beyond just the simulated ones."
Hoxhunt, they said, was a game changer for users, and for the infosec team's standing in the company.
GC: "We've received some pretty resoundingly positive feedback… It’s kind of the new way of doing things. I would say that it has both raised the trust level of our info security team, and it's kind of raised our profile."
MB: "Yeah, whereas the tools we had in place previously, I don't think we got a lot of complaints about them, but nobody was excited about them either. It was just a thing that existed and nobody was enthusiastic about it. And that's completely different with Hoxhunt."
GC: "I've had some folks reach out to me organically to say, 'Oh, man, I love this. This is so fun! I'm glad that we've got this.' Or, otherwise, we've reached out to folks that are high up on the leaderboard, and they said the same thing: 'This is great! Like, I didn't know that this could be a thing.'"
Information security carries a heavy burden. Data breaches can be catastrophic, and the buck stops at the security team. The risk of a data breach is highest at the people layer, with 93% of breaches occurring via email, when someone clicked or downloaded something malicious. Hence the scare-'em-straight and punish-'em-good approach to security training. Was G2 nervous about doing things differently?
GC: "We haven't identified any risks of shifting the way we do things (to the Hoxhunt approach). Frankly, I only see it as pure upside. It really encourages the users to participate, and we've seen really strong engagement. Because, frankly, my opinion is there's no bigger disincentive to participation than if that threat of punishment is always looming over your head. No one's like… 'Okay, well, you failed three trainings in the past year and now you're fired.' I think that's just the wrong mindset to have about these sorts of things."
But is there anything they would do differently if they could go back to the beginning of the security infrastructure journey?
GC: "I think the only thing that I wish we would have done differently is that we would have done this (Hoxhunt) sooner. You know, I wish we wouldn't have had to come to this realization. I wish we would have had that data that allowed us to make this decision sooner so Hoxhunt was just the very first thing that we did."
Garrett and Michael have seen a remarkable new level of enthusiasm for embracing information security as a cultural touchstone. For instance, new hires go through a security awareness training that they say is informed by the Hoxhunt thought process: fun, engaging, concise.
And ongoing engagement is even rewarded beyond the gamification of the Hoxhunt phishing awareness simulations. At G2 now, if you show up on the Hoxhunt dashboard as a quarterly leader, you get rewarded with more than stars. They give out gift cards to the top three Hoxhunters every quarter. People, Michael and Garrett said, love it when the incentives extend beyond the game.
Cybersecurity is, after all, a life skill. By learning how to defend the organization from attack, people are also learning cyber self-defense.
GC: "When you work in security, you hear all the time that your users are your weakest link. But (as an infosec leader), if you can make what you do more engaging, more fun, more interesting, they're more likely to trust us. They're more likely to respect the requirements… Users are more willing to reach out, ask questions, report suspicious things. Because, frankly, if they're afraid of you, or they don't trust you, they're not gonna say anything. And our eyes are not everywhere. We can't predict… we can't protect… everything. But we do our best."