Lisa Kubicki took DocuSign beyond awareness to effective security behavior change and human risk management
Lisa Kubicki has steered the awareness, behavior change, and culture program at DocuSign for over 5 years, and Hoxhunt has helped her and her security team achieve award-winning results. With the rollout of Hoxhunt 2.0, the comprehensive Human Risk Management Platform, she joined Eliot Baker on the CISO Sandbox to discuss the value of going beyond awareness training to change behavior on a human risk management platform.
3:20 Do you think there is a difference between pure security awareness and security behavior change and, if so, what does that difference look like?
5:37 What are the key elements of a security behavior change program to elevate it above the infotainment quality of traditional compliance-based awareness training?
9:15 Could you talk about nudging?
11:25 Many don’t believe you can send and analyze the results of 3 phishing simulations a month to thousands of users. How do you automate that?
15:15 What is human risk and human risk management?
18:42 What is a risk-based approach?
20:14 Does simulated phishing reporting give visibility into org-wide risk?
23:36 People are the eyes and ears of the company. Can they be integrated into the security stack to enhance SOC threat detection?
25:48 Communication: How important is stakeholder buy-in for the awareness and behavior change program?
27:38 How do you communicate the value of a human risk management platform to the C-suite and board?
31:00 What is the difference between a compliance-based approach and a risk-based approach?
32:34 Do you have any final tips for anybody looking to go beyond awareness and into a human risk management platform and a risk-based approach?
Moving to human risk management is really explaining what the (behavior change training) role is trying to do. It's trying to manage the risk of the human element that is in the human OS in your company... It's to make sure that you're looking at what are the risks from the human element in the business that we should be addressing, and awareness is a part of that, but it is not the bigger picture.

It's identifying what are the risks across this particular organization, across this particular group... and adapting the security awareness program to react and respond to those risks with proactive and engaging material.
You need the security stack across the team, across IT as well, to know: where do we have our biggest risks? Who has the greatest amount of access that could cause the greatest amount of problems if they're compromised in some way? Who's making bad decisions on a regular basis? How can I alter communication for this group to be on this topic and modify it in a way that speaks to their "WIFM": What's In It For Me? Keep it super simple, and make sure that it addresses the risk that we need addressed.
That human element: they are your eyes and ears. The security team's tools and stack can only see so much and sort through so many logs and everything that's coming in via those tickets and all of that information. The humans: if you can stretch your team to be 10,000 people, suddenly look at how much more fortified you are as a company.

This is only reinforcing what your tools are going to do, because something is going to slip through. The bad guys got so much more sophisticated, and your tools are not yet aware of that new tactic and technique to break in, but your humans will spot it.
That risk-based approach is: I know where we have pockets of poor security decision making, and this is how we're going to counteract that and make sure those behaviors are the ones that we need them to be, and make sure that we're asking people to do things in a reasonable way instead of making it so complicated and overburdensome they can't get their day-to-day work done because we're just interfering. That risk-based approach is much more responsive to what are our challenges to our people, and how do we counteract that?