Human Risk Management: Maturity Model webinar recap and recording

The journey to Human Risk Management can feel daunting: How do you evolve from check-the-box compliance awareness training to the ultimate goal of changing human behavior and proving the impact?

Enter the Human Risk Management Maturity Model. Living Security teamed with other providers to present this model, not only as a way to define the future of cybersecurity impact and metrics, but also to help organizations forge a path.

Watch this recorded webinar for a lively conversation about:

• Why Human Risk Management is the not-distant future of cybersecurity
• The path to a more modern, human-behavior-based cybersecurity model
• How CISOs are implementing Human Risk Management in their organizations

Here's the full transcript. 

Ashley Rose:

I am the Founder and CEO of Living Security. We're the ones hosting this webinar today, and I'm here with two of my favorite people to bring on a webinar/podcast experience. They both have tremendous amounts of experience to share from all types of backgrounds in cyber, but I'm going to let both of them, Matt Alderman and Allan Alford, both share their background before getting into it. Matt, can you say hello? Give us a brief background of who you are.

Matt Alderman:

Yes, hi. Hi everyone. I am the host of my own podcast, Business Security Weekly. I spent almost four years on the media side doing my podcast, which is out to the CISO senior leadership audience in cybersecurity. I am now also the Vice President of Product here at Living Security. I came over earlier this year. Have a lot of experience on the product side and on the practitioner side. I've been in the industry for over 26 years, so I've seen it all in some form or fashion, and I'm excited to be here.

Ashley Rose:

We're excited to have you. Thanks, Matt. Allan, could you give us a little background?

Allan Alford:

All right. Allan Alford here, president of Allan Alford Consulting. I'm a former CISO. I've been a CISO five times in four industries. In my current consulting practice I work with lots and lots of other companies as well, so I've had a lot of breadth and a lot of depth in the industry. My CISO career, interestingly enough, I've been on the vendor side of the fence twice. I've been a CISO at a cybersecurity vendor two different times, two different vendors. I've also been a CISO in the services sector in the past, which is also an interesting twist. I'm a big believer in this fundamental idea that practitioners, vendors, and services folks all need to come together to actually solve the problems jointly. And so I'm a big believer in working with Living Security on this stuff because it just a natural fit.

Ashley Rose:

Awesome. Yes. I've had the pleasure of knowing Allan for maybe the last four years, but definitely working a little bit closer with him through the last two years with the CISO Advisory Board, and really excited to be able to dig into the content today. We're going to cover where we are in terms of the evolution into human risk management from where we've been in more of a compliance focused training perspective the last few years. And then we're going to dig into our human risk management maturity model. We're going to walk through that. We're going to tell some stories.

I know Allan and Matt both have a lot to share. And then we'll give you guys a sneak peek into what's to come, what's the future of this industry. But ultimately, we're hopeful to provide somewhat of a roadmap to help you continue to improve and mature your program, especially as we're all probably deep in planning going into 2023.

But let me get just a little bit of background before we dig in. Allan, love what you said there. We have big problems in cybersecurity and things are constantly evolving, lots of fast moving iterations. It feels like by the time you get a certification or you're done studying for it, the problems and maybe even the solutions have changed. So I love what you said there that in order to solve these really big problems, it requires collaboration across the industry. Vendors, they're bringing innovation and solutions, oftentimes backed by additional capital, venture capital, private equity, growth capital. And then we have the practitioner side that continues to bring the innovation and the problem statements. They're in the day-to-day, they're seeing the change evolving on the frontline, and it's really only through bringing those two groups together that we can be the most effective in solving that.

So I love both of your backgrounds. Matt and Allan, both of you have kind of showcased this firsthand, sort of in and out of the practitioner to the vendor, back and forth experience, and as you mentioned, offer that wide array of views and perspectives. So definitely excited for the conversation.

As mentioned, we've been really lucky at Living Security to have some of the most influential CISOs on Living Security's Advisory Board to really co-tackle the programs and the opportunities around human risk management in the last couple of years. And so before we dig in, I wanted to share why Living Security decided to take a collaborative approach to the development of the maturity model. We looked at the development of a model as a problem to solve, and we said, of course, we have a lot of unique perspectives and ideas, but we really wanted to bring together the top vendor minds in the space.

We also opened up for public commentary from practitioners to give feedback and just to see how this played out in their day to day. We wanted to provide that collaboration opportunity. And really our goal is to publish a version of a roadmap to help those companies mature their programs and ultimately get the buy-in, the support and the budget from the organization to take next steps.

So a few stats to share. In a recent Gartner Innovation Report, 84% of cybersecurity leaders want to mitigate risk by managing employee behavior, but yet less than half, so 43% consistently track behavior and only deploy effective solutions. So there’s a big gap in what we're trying to get done and what we actually are getting done. And then we think about the vendor side of things, those core capabilities that have been offered by security awareness and training solutions and vendors to help us achieve regulatory and audit compliance really are failing to make the impact changes to human risk.

To solve these problems we need to rescope our awareness programs to focus on human risk outcomes, not just regulatory and audit compliance. And then in order to do that, we need to be able to position the business case to senior leadership for investment in human risk management to be able to combat those cybersecurity challenges that arise from a spectrum of secure behaviors.

In all of that, there's an assumption that by 2030, 80% of enterprises will have a formally defined and staffed human risk management programs, up from 20%. And that by 2030, we're actually looking at the possibility that compliance and control frameworks are mandating measurable behavior change in programs over just mandatory compliance metrics. So just to wrap us up, what does that tell us? And then we'll dive in with Allan and Matt here.

Today, 8 out of 10 enterprises don't have a defined and staffed human risk management program. So probably a majority of those on the webinar today, those of you listening in, you may or may not have a program, you may be thinking about standing it up, maybe you're still focused on compliance. Well, how do we get to that next step? We don't want to be the last of those 8 of 10 to be deploying this, and we certainly don't want to be out of compliance—whether it's 2030 or 2028—whenever the regulatory environment says you need to be measuring behavior change and impact, we don't want to be left behind.

And so our goal was building this model to ensure that you have the necessary information and to be planning your technology, your processes, and also preparing your culture to stay ahead of the curve. So that's what we'll dive into today. Let's start with the current state. Allan, when you hear that only 20% of programs have a defined human risk management program, does this align with the enterprises that you're working with?

Allan Alford:

Sadly, it does. And it's interesting to me because every good CISO you talk to will describe the entire landscape of what we're trying to do in terms of three things, people, process and technology, it's the three-legged stool. There's no such thing as the two-legged stool. You need three legs minimum to actually be able to sit down and stay on the thing. And people are one of the most vital and critical legs of that stool. Every CISO will tell you this.

Yet to your point when it comes to how do we actually manage and assess and address, well, everybody's got this big fat tech stack ranging from the firewalls on down to the endpoint solutions and CASB and SASB and all the latest buzzwords. But where's the progress on the people side? Everyone says it's the most important thing, and yet their technology isn't addressing at that level that it is the other two, what are they doing to address it?

So I see you're absolutely right, the 20%, for some reason that's the case, even though we've all recognized and acknowledged the importance of it. But I am starting to see that trend you're describing. As we head to 2030, I think we're going to see more and more human risk management and measurement and all of the above taking place. It's really straightforward that if humans are the most important piece, humans are the peace you need to be doubling down on and actually working with. I think everyone gets it. I think people have been struggling trying to find a way to get there.

Matt Alderman:

What intrigued me about Living Security when I joined, and will get into more of that in a little bit, is if it is the human that's creating the challenge in the initial entry point into these breaches, why haven't we addressed this sooner? Were we too wrapped around the technology and loving the technology and we forgot about the human element? Having sat in the chair, I'm just curious, why didn't we focus on the people side a little earlier?

Allan Alford:

I think because people are complex creatures, I really think it boils down to that. Everyone talks about checkbox security as no good. Every CISO will tell you, "Oh, we don't do checkbox security." And right now a lot of us have a requirement, a framework, a mandate, something that says, "Do you do security awareness training?" Check the box, right? That's it. Check the box. With technology, getting beyond box checking and getting into something more real and concrete was a relatively easy transition because tools that report and measure and monitor and dashboards and single panes of glass and all that. So until we have something like that, until we have a maturity model, until we have a framework for human risk, we're never going to get there.

Ashley Rose:

I want to throw out another idea around this, and curious about your perspective, but I think that we've become a little bit disillusioned with the opportunity to actually affect change. And that points back to the solutions that have been in place over the last 5, 10, 15 years that have been focused on the goal of compliance, yet made claims of risk reduction, but then not data to support that. So what's your perspective on that?

Allan Alford:

It's where we find ourselves all the time in this industry, and I wish I could say this is the first time we've been down this road. We talk about, "Oh, we've solved a problem," but how do we measure it? How do we tackle it? What's our objective measurement and maturity scale? We fell into these traps with the very first technology deployments. We fell into these traps with the very first process deployments. Of course, we're falling into these traps when it comes to people deployments. It's people, process and technology, and it's a maturity journey we have to, as an industry, get through.

Again, you get a maturity framework, you get a maturity model, you cross reference that to risk, you get a dashboard in front of people, you get something that's actually measurable, you get something that's actually actionable, and now you're doing the doing. And even on the technology side, not like every shop is fully there on the technology side today. I don't want to beat people up for feeling bad, like, "Gee, why haven't I tackled this human risk problem better than this up to this point?" It's a maturity journey we all go through and we've gone through it on the other two legs of the stool, so let's get moving on this leg.

Ashley Rose:

Agreed. Matt, you had a pretty concrete theory around where we are in the industry and why Living Security or just why human risk is the next frontier. So I would love you to dive into that a little bit.

Matt Alderman:

Yeah, and it starts with my background a little bit. From the practitioner side, my first product that I started was an early governance risk management and compliance solution called ControlPath. It was a spin out from Accuvant, and we saw the challenges with compliance and regulatory requirements and how it was feeding into the security budgets. This was back in the early 2000s, 2003, 2004. And we went to try to solve that problem and really try to get our arms around risk. In the early days, we didn't really have a way to measure risk. And so we built these systems to help us start to measure risk, right around the same time NIST came out with guidance, we started to see the different maturity models and we evolved those products. So my thesis was partially grounded in my early governance risk management and compliance background, having started a company and having built a risk algorithm.

The other part of that ties into the story is when I was running strategy for Tenable and I put together the five-year strategy plan, it was interesting. I did a lot of research into where the market was going to move, and I predicted at the time that we were going to move more and more systems into the cloud and that we would lose visibility and control around systems that we were used to controlling such as the network, the end point.

I thought at that time, "Well, if I lose control and visibility around those areas where I have a lot of investment and security solutions, what's next? As a CISO, what would I be able to control and manage?" The answer: Applications, users and data. And so I've had this kind of app-user-data area of focus over the past almost 10 years now of, how do we really get our arms around the data that our applications serve up to people? 

And so when you take the people element of that and tie it with risk management, where Living Security sits is in this really interesting intersection of human risk management, and it's something companies  don't measure. When you think about all the GRC platforms out there, how many are measuring risk at the human level? We're measuring it at the control level, at the system level. We're not doing it at the individual user or human level. That's the difference.

Allan Alford:

At the end of the day, you can take any one of those threads and call it the true model if you want to. In other words, you can say, I've got a completely data-centric model of cybersecurity, or I've got a people-centric model of cybersecurity. The reality is the apps and the systems to me are just delivery mechanisms. What we really care about is the intersection of people and data. Data can migrate around and do things in go places and be in the cloud and be on-prem and go out the door, et cetera. People are what you can never deploy to the cloud. People are the one thing you can truly keep a lasso around. So if we're not focused on the one thread we have the best focus on and the best capability to work with and manage, we're kind of doing it backwards.

Ashley Rose:

So that's an interesting point. How do you think that that has changed the CISO perspective now that we're all ... you say a little bit of a lasso, no one's in the office anymore, or it's a little bit of a hybrid solution. We've got companies that enable working from anywhere. So do we truly have a lasso today? How is that perspective changing on that post-COVID?

Allan Alford:

At the end of the day, a strong identity program is the core of all security going forward. To me, if you're going to look at tech stack, the most integral core piece of any tech stack is identity and access management in terms of you have to know who is who are and where they are and what they're supposed to do.

Once you have that, now you can do anything with the people you need to do to measure, to report, to manage, to process, to monitor. However far you care to go in your journey, managing and working with your people is at the core. So get your identity and access management game strong. Now you've got a handle on all your people and now you've got to handle on a full leg of the stool. Process is another area; we're still sort of stuck in checkbox mode on that leg of the stool sometimes too. But the people piece, I think we can get in hand. I think we can.

Matt Alderman:

Yeah, and Allan, right, there's been this big buzz around zero trust. Identity is a core of any zero trust principle, right?

Allan Alford:

Oh, absolutely.

Matt Alderman:

Along with other elements as well. And I think that's why the identity piece is so important in security programs going forward. It is one of those core components that has to be understood because if you don't understand your people and who has access to what, you're never going to affect change across a diverse environment.

Allan Alford:

Exactly.

Ashley Rose:

Interesting point around zero trust, when we think about the core premise of human risk management and maybe just why we're in business at all. We're in business to provide some sort of valuable product or service to a market, whether that's another business or a consumer. But at the end of the day, it all comes back to people and people need to get their jobs done. And I think as a good partner with the business, we need to be enabling that. And it can't always be about friction in many different situations.

And so I really like the term “adaptive trust'' quite a bit, especially when we think about the focus on people, how we are able to adapt the environment and how they get work done, and the tools that they're using to set them up for success. And that also includes the training and the policy and the process around it. But that's been sticking with me lately, the adaptive trust. So before we move into the model itself, because I think we need to have a “from” to get to the “to,” talk to me a little bit about what you're seeing as the current state of programs today. Maybe we get a little bit more tactical, kind of program driven. What are you seeing actually being executed within different customers that you're working with, Allan, or companies that you're advising or even some of your past programs?

Allan Alford:

Sure, so as we sum it all together, every place I've worked, every client I'm working with today, kind of lump it all together and say, let's look at it over the last even just five years. To Matt's point, the further back in time you go, the more ancient it is. And five years is ancient history by technology terms. The general trend seems to be that we always start with a checkbox. We eventually get past compliance, we eventually evolve into maturity and eventually we evolve into real measurement. That seems to be the journey, no matter which leg of the stool you're talking about. For example, GRC.

First, we started with just a checkbox: “I've got a policy that says this. I've got a policy that says that.” And then we get to a maturity model, there's a maturity overlay I'm seeing more and more shops adopting where you take a model like COBIT or ITIL or CMMI or as you'll see in a moment, the Human Risk Maturity Model is very similar as well.

You take this maturity overlay and you put it on top of your GRC and you say, it's not just “Do I or don't I have the fill-in-the-blank, CMDB, do I have a hardware asset inventory? Yes or no? What is my maturity on my journey of a hardware asset inventory?” Because the odds are you have something, you might have a horrible little collection of sloppy spreadsheets scattered across three people's desks, but you've got something, it's more than a zero, it's not a full five yet. But this idea that you do a maturity overlay, so GRC goes from compliance to sort of maturity overlay, and then you get into automation, you start looking at all the tools that are starting to automate GRC. That's kind of the evolution.

You look at the tech stack, it's the same thing originally, do I have an endpoint protection? Yes or no? Okay, great. I got an antivirus. Well, let's evolve. Now we have EDR. EDR is no longer a check-the-box to say I have definition updates. EDR is now a real-time definition update. In fact, there's no such thing as a definition anymore. It's just always on, always working and always has the latest. We've gone from, “Do I or don't I have it?” to automation. It's the same story there. So we see it for GRC, we see it for technology.

Now for people it's the same story. “Do I or don’t I have security awareness training?” Check the box, right? Let's do a maturity overlay, we're about to get into that. And then we can talk about how once we have that maturity overlay, we can get into automation. Because if the intersection of people and data is where we really care to be, if the intersection of people and systems and applications, and it's always the intersection of people in something that we care about, that adaptive piece, to your point, Ashley, there are so many things that can be done.

We can look at things like, what department are you in? What systems do you have access to? Are you a habitual clicker on stupid things? There's a-million-and-one ways you can slice and dice and start to trend human behavior and then adapt according to those trends. A high-risk user might be somebody who exhibits high-risk behavior, but it could just as easily be somebody who exhibits high-risk access. In other words, their behavior's great, but they happen to have access to the crown jewels on a daily basis. That's a higher-risk user regardless of their behavior. And so you have to start sliding those levers and adapting there.

Ashley Rose:

I could not agree more. All right, before I jump into the model itself, I'm going to take a quick trip down memory lane. So this actually goes back all the way to 2017 when we actually first entered the industry as a vendor. From a maturity standpoint, we had a very strong vision about where the space needed to go. And this is slide five of my first ever pitch deck: We're looking at behavioral data, we're looking at some security logs, and then we want to provide some sort of an individual risk index in training nudges that would essentially train some sort of model and be able to visualize exactly what you're describing.

So back in 2017, we knew we needed to get here. We didn't come to the market with this initially. We knew that in 2017 we still had to go through all of those other stages. And so from a maturity perspective, and I'm talking about market and industry maturity. Now we've been able to partner with some fantastic enterprises in the space that have actually walked through those different steps and they've sort of paved this initial path to get to a point where we are applying automation, where we are applying data and behavioral intelligence and we're able to describe or visualize someone's risk state based on what they do and also what their access level looks like, inclusive of some additional modifiers that we have in our product.

So it's been a journey, and I think what's really important, what's really key as we dig into the model itself is reminding everybody on this webinar, everybody who watches it after that this is going to be a journey for you and for your company also. There should be no other expectation, and great if we can get to innovating and one swoop. Probably not going to happen. But much like, as Allan mentioned, the other areas of our enterprise risk or our cybersecurity program, what's actually important is that we're making progress in the right direction, right? Progress, not perfection, I guess I'll say.

And so having this roadmap or having a journey or having a framework built out, not only lights a path as a program owner or someone who's trying to build this but is a really great resource to then go up to your executive leadership and talk about where our focus is for the next quarter, in the next 12 months or 24 months, giving them that vision, which can then get more funding and more support. So I’m really excited to dig into the model here.

I'd love to start at the bottom. Let's start a little bit out of order because this is really where the leveling takes form. Matt, why was it important for us to label the stages in this way?

Matt Alderman:

Yeah, I mean they map to other maturity models that are in the market, COBIT and ITIL the Carnegie Mellon CMMI is there's an evolution of phases. There's one that's not on here, which is non-existent, and some models actually support the non-existent stage. We started at the initial stage, what does the process look like? What's that phase of initial moving into an HRM program look like?

And as you can tell, when you look at this column, it's going to be a lot of things that are kind of manual, ad hoc, not very super defined, not automated at all. And then as you move through the different maturity levels, what you're seeing is across each of the columns, you're going to see improvement around integration and automation components that are driving desired outcomes. It's really an outcome-based model at the end of the day. How do I take all this data and do something with it? I used to say this when I was at Archer running strategy over at the Archer team in the GRC side, we're decision support systems. We're there to take the data and help leadership make the right decisions or make a decision that drives an outcome. And this maturity model kind of walks you through those different phases of how you become more of a decision support outcome based solution.

Ashley Rose:

Absolutely. Allan, you've been working on your own risk framework, so talk to us a little bit about how the leveling and then just the model itself fits into that and how Human Risk Management fits in.

Allan Alford:

Yeah, so like I said before, I've always been a big believer that even a "checkbox" compliant framework should have a maturity overlay, that there should be no yes/no answers in cybersecurity. It should all be on a scale of maturity. I don't care what you're facing or what you're looking at, if it didn't natively come with that, craft one and overlay it or just grab one off the shelf. Like Matt said, COBIT, ITIL, CMMI, there's a bunch of choices there. 

The whole idea to me is zero through five. You should always acknowledge the zero is totally absent, that there's just something that just doesn't exist. Okay, sometimes you're going to be that bad off and then you migrate your way from ad hoc all the way up to world class.

And so one of the things I'm always doing, I'm always trying to give free tools to the community and I'm always cranking away on silly little projects on the weekends and cranking out spreadsheets. I've got a business impact light calculator that I have had on my website for a while, but I'm now working on a risk calculator and I've already done the impact access. Next comes likelihood and then comes combining it all together.

When I combine it all together, two things are going to happen. Number one, we're going to see the maturity overlay. And number two, we're going to see a very strong human component in the risk analysis. So the idea is first of all, it should be human language. You should just be able to ask basic human questions of the business. You shouldn't come to them with, "Do you have a technology that blocks the such and such attack vector of the such and such known ransomware?" That's not how it works. You ask human questions of the business, you get back human answers. And behind the scenes you're starting to calculate technical cyber risk or human cyber risk or whatever kind of cyber risk it might be.

Once I get this model built, I'm going to be doing an open call to the community to say, "Hey, let's humanize this even further. Let's take this to the next level." And actually I'm going to be leaning hard on your team when we get to that phase because I know you guys have tackled the human side really well. But stay tuned, and stay tuned on AllanAlford.com. If you want to go look at the risk impact calculator, it's already there. Likelihood is coming, the full framework is coming and we're going to have human risk all throughout that model.

Ashley Rose:

Awesome. Yeah, I'm really excited to be involved with that, Allan. I love the vision behind it. So excited to be working on that with you. 

Well we actually just had a great question come in and I think it's a good transition to our first category, which is culture. So Terry asked that, assuming the maturity model is a mixed bag in terms of various pieces, is culture typically the last to follow? And so I think I'll take a step back first and then we'll get into answering the question.

First, the way that we've defined the model and the way that we're using it with clients, you're not going to be at one stage across the board within all categories. And so you could be well ahead in one stage, to even the innovating category and maybe you're still kind of further back in the model with another category. So let's talk about culture first and then answer that question because I think it's important for us to actually define culture and what security culture looks like.

I brought this in from Lance Hayden's book People Centric Security. I like this description. So security culture would be your workforce’s shared attitudes, perceptions and beliefs towards cybersecurity. I'm going to give some examples of some common indicators of a strong security culture and then we're going to go back to the model and I can share how that was incorporated. 

A few indicators of a strong security culture: 

• People feel safe in reporting an incident even if they caused it
• People including security as part of their job description, outside of the security team
• Employees correct and help their coworkers to be more secure
• A shared belief that security plays a strong role in your organization's success
• People feel comfortable asking the security team questions
• Frequent requests for training or briefings on security
• Ask security to become involved in projects early on.

Allan Alford:

I want to work there.

Ashley Rose:

I'm going to tell a quick side note, a quick side story about why we actually founded the company and it'll all connect here. Prior to Living Security, Drew (Rose, co-founder of Living Security) and I worked at a publicly traded large company, and he was building out their security program and that included the awareness training and education side. Drew, my co-founder, said his goal was all these things. He looked at the current program that was in place from an awareness and training perspective—and again, he was doing networking, he did the whole shebang, but training was a small part of it at the time. He looked at the awareness component and said, "We're getting the check box, but it's not helping me to build a strong security culture. I want people to feel comfortable asking me questions or coming and bringing an incident to me."

This was five and a half years ago. So there wasn't technology, there wasn't a Human Risk Management platform, there wasn't anything else out there like that. So what actually started happening was he started building games. The escape room was one of the first things that came out of that. There were board games and card games. Some of you in the audience or the attendees may have gotten Security Fluxx, which was one of the first card games that Living Security deployed. But all of this was an effort to just start building a brand around security and putting a face to the name, breaking down that barrier of being the “No!” team, the scary people within the organization.

For me, the time that it all clicked, I was in a meeting with some executives and we were looking at a new potential platform and a new vendor to bring on. One of my coworkers at the time raised their hand and said, "Do you think security should be a part of this conversation?" And never before, never again years and years ago. So that was definitely a full sort of outcome, or from a culture perspective or an indicator of what was actually being built there. And that was my aha moment that we don't need to be okay with the status quo. There is a way to positively impact people and positively impact culture.

And so to answer the question from the panelists, in that scenario, culture was actually moving forward ahead of technology. And I think from an automation perspective, there was absolutely some sort of program or product deployment, the games that we talked about. But on the maturity model, it was not anywhere near where we'd look at the right side of the screen. And there was not a ton of process there. We were still doing once-a-year training, we just made it fun and interactive.

How have you guys seen this play out? Have you seen culture lead in terms of maturity or is it typically the other way around?

Allan Alford:

Yeah, I guess I'll start if you don't mind, Matt. Of all the places I've worked, the place I was at the longest is the place that had the best security culture and there's a reason for that. It's not done overnight. I spent a solid 10 years building a product security program at a telecommunications manufacturing company. And all of those hallmarks you described, by the time that 10 years was over, we were there. Engineers would come to me proactively and say, "Hey, I was about to go do X and Y, but it occurred to me there might be a security implication." So they would come to me proactively and ask for something.

I had folks that would flag others down and say, "Hey, before you proceed further, you should go talk to the security team." I had folks that embraced security, asked for help, asked what they could do to become champions within their department and their organization. It takes time to build these things. It's not something easily done overnight, but it is something that is most definitely achievable. I have actually worked there before.

Matt Alderman:

We see our best success stories where it is coming from the top, the culture is very positive from the top of the organization down. Where we see groups struggling is where there hasn't been buy-in at the leadership level yet the department may want to do it, but if they don't have buy-in from the CISO or the rest of the leadership team, it's an uphill battle to get what they need. Where we've seen success culture is leading technology and process, which is positive because it means they're going to get the funding and the budgets they need to finish the technology and the process pieces.

Ashley Rose:

What are some of the challenges that are being encountered or you have encountered building culture, building alignment, getting that buy-in and that support? Where are the pushbacks?

Allan Alford:

I think to the question of is culture the leading or the trailing behavior? I think culture has to be leading. You can make a lot of success in technology and progress within the confines of your shop, within the confines of the security apparatus. But until you have solved the culture problem, you're not making those changes across the entire organization. So what are the big challenges that I've run into and seen there? A lot of folks start in the position that security is something that happens outside of their daily lives and that security is something that the security team manages. And getting that perception overcome is one of the biggest challenges up front.

Helping figure out every time you deploy technology, how to align it to their existing business organization, effort, structure, et cetera. The idea is you can't just go blindly and willy-nilly throwing security stuff around the shop. You're going to be negatively impacting people's daily lives. And if your life is being impacted negatively, you are not going to be part of a positive security culture. You're going to be very much against the security culture, because it's a sloppy security culture being built.

So it's imperative that consultation with the business take place. That explanation of the why's behind the decision takes place, giving people lots of warning before the transitions occur. And most importantly, every time you make a move as a security practitioner, really try to align with what their daily business life is like. If you are trying to make somebody carry 100 pound rocks up a hill, when you know that what they do all day is walk up and down a hill, aren't you better off giving them wheels instead of giving them boulders to carry? Figure out a way to give them security wheels.

Matt Alderman:

Security training wheels. There you go.

Ashley Rose:

I might throw out a word: “Empathy.” As a security professional, we need to tap into our empathy to be able to understand what are our business counterparts and our end users facing, going through, what are their pain points and also opportunities to help there? I think tapping into empathy is absolutely critical. 

There is no silver bullet for this, right? How can we actually fix this if we're encountering pushback, if there's friction trying to build out a program or we're facing budget issues? What have you seen help the cause?

Matt Alderman:

It really comes down to understanding the business and working closely with the business. And this has to be a business discussion. I think the challenge that security teams and CISOs have had over the years is that they are viewed as the department of “No,” how do they actually transform into understanding business requirements and working closely with the business to drive outcomes for the business in a secure manner. I think that is the biggest challenge that the security teams have to get through, and part of its culture, but it is the attitude and the empathy of the security leadership to really want to work closely with the business to create the right outcomes for the business overall. And I think that's the biggest challenge most organizations still face a little bit, Allan.

Allan Alford:

Yeah, I'd fully agree with that. I've got two phrases I use. The first one is: Meet people where they live. If you're going to implement security, implement it where they work, how they work, with what they work. You can't just go saying, "Here's the new security," drop it on their desk. It's got to be, "Hey, show me how you sit at your desk. Show me what you're doing at your desk. Show me what you do all day. Here's security that fits in with that." Meet them where they live.

The second one is whenever and wherever possible as a security practitioner: Be the Teflon and not the frying pan.” The idea is you should be adding speed and velocity to what they're already doing. It's not enough to say, "I meet you where you live." You want to be able to ideally say, "I'm actually accelerating some of what you do. I'm speeding up your processes. I'm not just adding security, I'm actually making you better at what you do, not just having to deal with me in a way that's less annoying, I'm actually making you better."

And an example of that might be, and this is always one of my favorite ones to do in the early stages of a shop, is if you've got a bunch of rogue IT going on around your organization, SSO, SSO with MFA, and the MFA could be something as simple as a fingerprint swipe. Imagine people that instead of thinking, "Oh no, the CISO's going to find out that my department signed up for a new SaaS app and he's going to shut us down." Instead the CISO comes in and says, "How often do you use that app? You're logging in 20 times a day? Come here, let me show you how to swipe your finger once and get into it all day long." You're adding security by doing SSO with MFA, but you're also speeding up their lives. You try to find those moments as a practitioner where you can not just non negatively deploy security but actually positively deploy security.

Ashley Rose:

I love that. And that's a great transition into our next category of technology. Matt, as our head of product, would love for you to walk through the technology and maybe we can focus on where we see most customers today. And then you already touched on this a little bit, but which customers do we find the most ready to move forward into a more mature human risk management program?

Matt Alderman:

Yeah, the technology evolution is very similar to the GRC technology evolution that's happened over the past 15, 20 years. It starts with a spreadsheet, typically it's Excel. It's pulling some metrics out of my training platform and or my phishing platform and I'm pulling it together and I'm trying to understand engagement rates, click rates, report rates, very kind of manual excel based. And quickly organizations start to realize, well that doesn't scale very well. That, yeah I have the data, but is it really the right data? Is it really helping me identify where things are?

And so you start to see this journey of connecting systems together, different systems through APIs and starting to connect them. Where do you connect them? Maybe I started connecting them in the wrong place. There's some really interesting technologies out there like your SIM to look at activities. The challenge with some of those technologies is they're really meant for incident response. So they're to the right of boom, right—the incident's already happened, I'm collecting data, I'm doing the forensics, I'm trying to figure out how to mitigate that.

There haven't been a lot of systems on the left of boom that give me the insights into activities that are happening where we can identify pockets of risk in order to get ahead of them proactively instead of waiting for the event to happen. And that's kind of where we are right now in the cycle. We're starting to see technology solutions come to the market like Living Security where I can bring in signal data that is starting to predict behaviors and activities that look risky and giving me the ability to then do something about it. As those technologies evolve, where we're naturally going to see how to automate some of these components.

The insights to drive actions and then the need to automate those actions not only from this system but from existing other systems. So for example, maybe it's shifting a policy in my email security side or shifting a policy on my endpoint detection response system. That's where I can see the evolution of automation and these API integrations being very powerful in the technology stack. 

So where are people today? Moving off the spreadsheet I think is where we're seeing some good traction right now, getting into a system that can actually do risk analytics and starting to take the scale and the volume of the data to start to create these really interesting insights on where pockets of risk are in the organization, whether it's by segment or by certain behaviors that people can start making decisions from.

And the organizations that are succeeding in that space right now are the ones that have a very positive security culture. Culture is a big driver for this. It's typically coming from the top down, because the challenge is getting the integrations of this data into a system like this instead of manually pulling the data out, how do I get that real time integration of the data? So this is real time updates of risk, not once a month, once a quarter risk calculations. That's where we're starting to see it. And if you don't have that cultural buy-in at the top, it's hard to get those data integrations done to create that kind of real time risk reporting that these platforms provide.

Ashley Rose:

I think you did an incredible job, and probably for the sake of time we'll move into the process area of the maturity model. For many of you, many of the attendees here and people watching, this is probably the most familiar to you in terms of it really encompasses the functional structure of our teams, our awareness, our human risk teams, and ultimately the program we're running and then the metrics which we measure success by. 

I want to share a few more stats before digging into this one. There was a survey done by Gartner, 43% of the respondents, and this is focused on their awareness program, said that their metrics measure employee behavior. So I'm going to throw something out. I think if we took out phishing simulation clicks as the often sort of lone wolf or the lone behavior metric, I would argue the stat is significantly lower. We can have a conversation about that.

And then in terms of team or functional structure, 56% of cybersecurity teams have less than one dedicated FTE on awareness or human risk, and 81% have one or less for their entire organization. So we're often under-resourced, we don't have the people, we don't have the support. And so without the top level support, the funding or the tools, it's really challenging then to mature on the process side of the program. 

I think that's where we kind of get into this dichotomy where although 84% state the primary objective of human risk or awareness programs are to provide measurable behavior change and risk reduction, we see programs on all across the spectrum, from compliance to more of a calendar-driven delivery of training teams with metrics that are somewhere around completion or eyeballs or engagement.

And I certainly don't want to provide the perspective that these things are bad, because they're absolutely not. We talked about this earlier, they are the starting point. Living Security provides a lot of tools and support to help programs mature beyond that checkbox. The engagement ultimately and oftentimes feeds a lot of that culture. And so I think if your program has already taken these steps and you're adding the engagement and you're seeing sort of eyeballs increase and you're having champions programs, you're probably building that foundation of culture that just like Matt said, actually has prepared you for the last two years to be ready for the next steps in some of the technology in the process.

I think that's exciting. I think it's exciting that we've been able to partner with hundreds of companies in the cybersecurity space to help build that foundation over the years and ultimately help them take that next step forward. So Allan, as a CISO, how have you thought about the Human Risk Management program at past companies? What kind of budget relative to other initiatives was it given?

Allan Alford:

Historically, just like I said before about, you can see it's heading in the right direction, but historically it's not been there. The same story with the budgets. Historically, it's been a low-cost item. Somebody will throw down for a cheap LMS and have their own people do crappy content that nobody wants to watch. Or maybe the next level up they'll throw down for a security awareness training product that's at least better than that, but still lowball bidder wins the prize. Of all the spaces you see lowball bidding win the day, that seems to be one of the ones that historically has gotten there.

What you just said caused me to ... I'm crafting a new model as I go, so forgive me if I stumble for a moment, but picture this. As we talk about the breakdown of culture, technology and process. And I'm going back to Terry's question about, is culture the driver and the leader or not? Think about the fact that in almost every shop, historically, technology is always the strongest of the three legs on the stool. And my new hypothesis is that technology is the least dependent on culture.

If we're going to take the hypothesis that culture is the driver, process relies a little bit less on culture than technology does, or a little more rather, and people rely even more on culture than does process. So by definition, if culture is the problem area, technology should be strongest, people should be weakest, and process should be somewhere in the middle. So the hypothesis seems to hold valid there. But what we're talking about doing with this model and what we're talking about doing with human risk management in general is actually closing the loop that connects people to culture in the first place.

In other words, the actions and behaviors of people become the culture that dictate the actions and behavior of the people, which becomes the culture. It goes in a circle. So if we can close that loop, if we can focus on altering human behavior in positive ways that don't make them resentful and don't make them angry and don't make them paranoid and looking over their shoulders, human risk management can actually shape the culture, which in turn is going to force-feed all three legs of the stool to strengthen. That's my new model.

Ashley Rose:

Well, I was going to say we already have a term for this internally, Matt. We call it the feedback loop. And what's really important to us is that, and I've heard from countless end users over the years, that people say, "Hey, my team says security is important, but I hear from them once a year, they give me this training and then they never talk to me about it again." So when we think about that driver, and it is really that chicken before the egg, can technology drive culture? I would actually argue yes, by technology creating a feedback loop, by giving managers a way to leverage data to actually start building that culture. What things are we doing well at? Where do we need to improve? If you can have business conversations led by data that can oftentimes start sparking that culture in the right direction.

So I don't think that it's hopeless for companies that may say, "Hey, I've not done a lot of work on the culture side," but I do think that it could go in the other direction. I just think it's often easier to start with the cultural foundation. So yeah, that's good stuff. 

Matt, we often work with teams, and you actually talked about it earlier about the spreadsheet, who have either built or attempted to build something internally for this. So maybe talk a little bit about what we have seen in terms of homegrown solutions. What is your perspective on how they differ and what are they missing maybe that an off-the-shelf platform can provide?

Matt Alderman:

When you build your own product or technology stack here to try to do this, there are a couple challenges. One, data integrations, specifically around changing data integrations. We've heard from some that have attempted to build their own solutions that every time they change their security technology vendor, it breaks the entire model. So there's this upkeep of making sure that the integrations and the data are flowing together well. So that's one challenge.

The second one is risk analytics. It is very hard to build very robust risk analytics engines on your own. You need some data scientists, you need the expertise, you've had to do it or have done it before because some of the risk metrics that some of these systems are pulling are pretty basic. And the challenge, is it really surfacing the right data, the things you should be taking action on? So I see a combination of immaturity on the risk model, but then also just the maintenance of the integrations and keeping the data flowing into the systems are really tough. 

People who have built it see the value in what we build here at Living Security because they don't have to manage any of that. They don't have to manage the model and they don't have to manage the integration. And that's a huge benefit.

Ashley Rose:

Allan, I know from some of the groups that you're in that there are a lot of builders in the security community. I think there's a lot of innovators and these are certainly the people that I surround myself with. But what is your recommendation to them when it comes to maturing their program and thinking about that build versus buy question?

Allan Alford:

Yeah, so I'm running a lot of circles with a lot of CISOs. I'm in a lot of Slack groups, I'm in a lot of LinkedIn groups. I'm all over the place. I go to lots of conferences. I meet and greet and I'm a very extroverted and very connected CISO as a result. You mentioned this earlier that you feel like the practitioners are really where the problem statements get creatively addressed and then solve the solution side on the vendor side.

I agree with that model, but I want to emphasize that the problem statement is a lot trickier than people think. It's not as easy as, “This thing isn't working.” That's not the real problem statement. So what Matt was just saying about the data, you have to really roll up your sleeves to figure out what's the actual problem. When you've stubbed your toe on a thing on the floor, what is the real problem? Is it the presence of the thing on the floor? Is it the design of the entire house? Is it the work paths? You have to really think through the problem statement, and then try to solve that on your own as a practitioner. This is when it's time to bring in your vendor buddies because the practitioners are going to struggle with trying to solve these things on their own unless they're just going to be using spreadsheets, and that's a yucky mess.

Ashley Rose:

This is such a great conversation. I just want to give everybody the next steps on the maturity model. It was open for public comment through November. We're actually now working with a handful of industry experts to finalize the first publication, which should happen sometime in January 2023. This is really exciting for us. But in the meantime, if you have any thoughts or ideas around the model going forward, please don't hesitate to send us a note. Email Events@LivingSecurity. 

We appreciate your time spending here with us. Allan, Matt, thank you so much for your time and your wisdom and your insights. It's certainly been a productive conversation. Have a great afternoon.

See how your organization can benefit from Living Security.