On March 23rd, 2022, our CEO Ashley Rose led a lively discussion with featured guests Brian Markham, CISO of EAB Global, and Shawnee Delaney, CEO of the Vaillance Group.Throughout the conversation, the panel covered a wide variety of topics associated with securing your "Human Firewall", including:
- Unique stories from Brian & Shawnee's career of empowering individuals to proactively protect their organizations from human risk
- What tools do we use to provide metrics on the effectiveness of human risk management and training?
- How do we determine when and how to more proactively address human risk?
- How do you get through to people that are experiencing "cybersecurity training fatigue"?
- If you had $100,000 to spend towards your "Human firewall", what would you spend it on?
Here is the full transcript of the webinar:
Ashley Rose: My name's Ashley Rose, I'm the CEO and Co-founder of Living Security. And I'm really excited about today's topic, The CISO Perspective: How Do We Secure The Human Firewall? With that, I'd like to introduce you to our amazing panel today. First, we have Shawnee Delaney. She is the Chief Executive Officer of Vaillance Group. Shawnee is an insider threat expert, cybersecurity consultant, and the CEO of Vaillance, bespoke insider threat consultancy and training organization. She's a decorated intelligence officer and licensed private investigator that's conducted thousands of public and private sector investigations.
Ms. Delaney spent the better part of a decade working with the Defense Intelligence Agency as an operations officer conducting human intelligence operations around the world. After the DIA, she worked alongside the Department of Homeland Security, where she coordinated and managed intelligence community relationships with the private sector. Ms. Delaney consults for fortune 500 companies, most notably in the energy, finance, pharma and tech sectors, as well as the public sector.
She's also the head of Uber's Insider Threat Program although everything that she shares today is representing herself, not the viewpoints of Uber. We also have Brian Markham, Chief Information Security Ofer at EAB Global. Brian is a cybersecurity executive with over 20 years of building and managing teams in complex organizations. Currently, he is the CISO for EAB global, a leading provider of education, technology, and services to the higher education market.
Previously, he left the security team at George Washington University and helped to build the compliance program at the University of Maryland. He also has experience as a consultant working in the homeland security and financial services sector. Brian is a two time grad of the University of Maryland and resides outside of Washington, DC. So welcome. Thank you both for joining us. We are going to get started. So first question, that's why we're all here, how do you create a human firewall? Right? How do we strengthen the team members to become a control inside of the threat? And I'll add a little bit of context there, right? We have a lot of people in our industry saying that people won't change, users are always going to be clicking on things, we need to invest in tech or lock them down. So how do you guys respond to that? Brian, why don't you go ahead and start?
Brian Markham: Yeah, sure. And first off, thanks Ashley and thanks for the Living Security team for having me here today. I'm stoked to be here. So yeah, when people say that why invest in security awareness and education, people are always going to click on stuff, you're always going to fail, I don't really buy into that. And I think it's mostly because it assumes that people can't learn. And we all know that people can learn and that most of the people in your organization are smart. And they're very good at the things that they do, their area of expertise. So I think an effective security awareness program effectively building the human firewall is about meeting them where they are and being thoughtful about the way that you engage them, the messaging that you give them, the channels in which you engage them.
I think if you do all of those things, have great content and make security accessible and easy to learn, that means cutting out the jargon, cutting out the things that they don't really need to know. They don't really need to know how ransomware works to understand how to respond to an email that could result in ransomware, right? So I think for me, it's about meeting people where they are, keeping the messages, framing the messages in a way that they can understand, and they can really relate it to the work that they do. And it's also really good for them and their home life as well. So if you can find a way to build that bridge, to keep the organization safe and to be able to protect them in their home lives, that's even better too.
Ashley Rose: Yeah. So Brian, I mean, you said something, I think that is really relevant here. You talked about, we don't need to talk about X, Y, and Z to people. And we know those industry experts that again, say we cannot fix the human, like why even try, do you think that there's a set of expectations that need to be changed? What are your thoughts on that?
Brian Markham: I mean, I think if you're expecting perfection, you're probably in the wrong business and perfection is pretty difficult in general. So I think you just have to set goals and look to achieve them. For example, things like do people show up for the events? What's the feedback that I get on those events? Do people report phishing emails? Do they report whether it's an external attacker or the campaigns that I run? Do they report those phishing emails, even if they click on the link or do the bad thing? So I think there are ways that you can actually measure how well you're engaging people and yeah, people are always going to click. They're always going to go to weird websites. They're going to download weird applications. We know that. That's why we have teams and budgets and we have detective controls and all of that.
But again, I go back to if you're just going to say, well, it's going to fail anyway, you're aiming for perfection and you're assuming that people can't learn. And I have seen people learn. I have seen people get better. I have seen an organizational security culture change for the better. I've seen the conversation change. So I know that it's possible. Is it hard work? Absolutely. Do you have to be thoughtful about it? Absolutely. But I believe that those are things that everyone on this webinar can do, because I don't believe that I'm of any greater intellect than anyone that's here and I've done it. My team has done it. And I feel really proud about what we've done. More work to do obviously but that allows me to believe that anyone can do it too if you've got a thoughtful approach around it.
Ashley Rose: I love that. Shawnee.
Shawnee Delaney: Yeah. I think Brian makes really good points and it's not just can people change. People are assuming that people don't want to change, right? And I think to piggyback on Brian's point, when you're educating people, not just, hey, you need to do this for the company, you need to protect our IP, when you're teaching them, hey, these are tools that you can share with your friends and your family, we want to help you protect you and your family, your friends, then I think they have more of a vested interest in following it. And they will want to change. When they understand that their actions or inactions could cause their company harm or their family's harm, I think there is going to be a desire to change and people will ultimately try to do the right thing. Humans are human though and people make mistakes. People take shortcuts. So there's always that as well, which is handy to the bad guys really.
Ashley Rose: Yeah, absolutely. So part of the question was like, how do we create this firewall and something that we've seen to be really successful at Living Security and within some of our customers organizations is doing it through storytelling, putting them in either the mindset of the attacker or just even sharing personal stories. So I know that you have a lot of fantastic stories to share from your time. In leveraging social engineering on the other side, are there any stories that you shared or you found that really resonate with the audience that maybe some of us here could take those and sort of tell to our team members or employees?
Shawnee Delaney: Yeah, for sure. I mean, as you know, I used to be a spy. I mean, we don't say spy, technically the other countries would call me a spy. I was a spy handler, but from every nation state, we all use social media, right? When I would target people, I would go on LinkedIn. Let's say there was a case where I was looking for a very specific nuclear technology and believe it or not, there were people on LinkedIn who said in their profile they worked on this technology. So it's really easy to sort through that data and find out the targets. And then it sounds so silly, but legitimately spies and social engineers leverage the exact same tactics. I looked at someone's picture, I looked at their CV and I would make an assessment just based on that information if I think that they would be a willing participant willing to meet with me. And I was successful.
That operation where I was trying to find that very, very sensitive technology, I convinced somebody from a third world country to meet with me in another country. He had no idea who I was aside from what I told him on LinkedIn, but people believe it. And so we're talking about the human firewall, I think training and awareness really is the solid foundation for anything we do. If you don't educate your employees, they all could become targets. No one's going to report anything or recognize when it's happening. Also, a lot of people don't realize that spies or even social engineers, we're not going after the CEO or the vice president. We might be going after the admin or the janitor. You don't have to be high level.
And it's not always just the placement and access that they have at the time, a lot of times we're assessing if they're going to have future placement and access. So we're trying to build that relationship and establish that rapport. So when they do get promoted and when they do have what we want, we get that information.
Ashley Rose: So this is a little side note, but every night at dinner with my kids, we play three truths and a lie. And one of my things that I put up yesterday was I spoke to a spy yesterday. And everyone thought it was a lie but I was like, no. And then just shout out to International Women's month, one of my daughters said, "Well, what did he talk about?" And I was like, "Oh, no. Not a he, a she." So Shawnee, you are a badass and absolutely love that you're there and you're able to be a role model and inspiration for young women who want to get into the industry. So shout out to you.
Shawnee Delaney: Thank you. Thank you.
Ashley Rose: Awesome. So one thing I think that's really cool that we have on the webinar right now is we have two people from very different size organizations and you guys can share kind of individually like kind of size and scope of your employee population, but you talked about the attacker is looking for probably one way in. Maybe we're trying a few written things, but we only need to find one way. So on the flip side, if we're trying to secure our human firewall, it probably isn't going to work out really well to take a spray and pray one size fits all approach. So when you're talking about tens or hundred thousand users, one thing that we talk about is how do we scale that, right? How do we scale this very human focused approach to a large number of people?
So what would you say? So first I'd love for you to share the sort of size of population, size of user base that you are responsible for and then what's the role of data and automation in terms of building a security culture and culture change in your organization. Brian, if you want to start.
Brian Markham: Yeah, I can start. So my organization's about 1700 full-time employees, add another 200 contractors. So it's small enough that I feel like I've got a pretty good handle on who the players are, who the teams are, generally where they sit. Obviously I'm not going to be on a first name basis with 1700 people. That's very difficult, but I hope that people are on a first name basis with me, that anyone in the company feels comfortable sending me an email, sending me a Slack message. So I think how I make that a little bit smaller and more manageable, and I'm really eager to hear how Shawnee is going to talk about this in some of the larger orgs that she's been in, but what I try and do is rather than figure out, okay, I got to touch everybody that's in sales or everyone that's in marketing, or everyone that's an engineering.
That can be really time consuming. So when I talk about meeting people where they are, talk to the leadership, talk to the head of sales and say, "Hey, how do I get in front of everyone on your team at the same time? Where do I meet them? Where do they go? Is there a weekly meeting, biweekly meeting? Is there a forum that I can come and speak to? What are the types of things that they're seeing? What are the types of things that resonate with them?" If you have those conversations, you really just need to know, instead of touching 1,700 people, you have to touch probably just around 10 people and you get their buy-in, their engagement, their support, and then you can go and you can give those messages to those people. And you can even tailor those messages for the types of threats that they might see, or the types of attacks that might be most meaningful to them.
I know that that's hard work, but we want to be able to build this human firewall, right? We know that it's going to be hard work, but again, like I said before, you can do this. So how do we do this with automation and data? I mean, I like to lead with a very kind of hands on manual approach. I think that people don't build affinity for robots or automated emails. They build affinity for people. In fact, I just had someone say last week that they liked our sessions, our monthly lunch and learn sessions so much that we literally presented anything and they would show up. And we do those ourselves. We create all of our own content and tell stories that we think will resonate with people. So I like to start with that kind of hands on approach, where you make security really accessible and you can kind of put your own stamp, your own brand on it and then you can do things like here's some automated training based on a trigger, based on an alert.
And they won't be surprised because we've already told them that that can happen. And then obviously a lot of the alerts that we get in the background are all automated. I don't need to tell any of our systems to send me an automated email when something happens, I get those and I can then respond. And some of the responses will be, I hit a button and a thing happens or sometimes a thing happens in general and I don't have to hit a button at all. Or sometimes I follow up personally and say, "Hey Mary, I saw this happen. Do you have a couple minutes to talk about it?" So I think for me, that's kind of how I've been able to make a semi large organization, feel a little bit smaller and get ourselves out in front of them. Sorry for the long answer but hope that's useful.
Ashley Rose: No, I think that's great. So yeah, I love the hands-on approach. We're people, so we're very relational creatures. And obviously with the size of your organization, you have probably a better chance of getting upfront. Are there any outside of leadership? And so actually, we talk a lot about how do we enable the business? How do we partner with the business, empower leadership? Outside of leadership, are there other groups or particular individuals that you find yourself spending more time with?
Brian Markham: Well, we have affinity groups within the firm. So we have a women's affinity group and an LGBTQ affinity group and so on and so forth. And it's really good to kind of cozy up to those leaders and talk about what they're doing from a programming perspective and how you share messages with those folks. And again, you're storytelling. So you're bringing them things that are meaningful to them. For example, for Valentine's day, we had lunch and learn about romance scams. And yes, anyone can benefit from learning about romance scams, but there are some very specific things that I wanted the women at my company to know about romance scams, specifically women of a certain age and how they might be targeted by a romance scam, because we know some of the demographics of people that romance scammers tend to go after.
So I think it's just about knowing your people, knowing your groups. And within any org, if you're paying attention and I hope all of you are, you'll know that there are some people that are not in positions of leadership that are in positions of influence and who identify those influencers and talk to them, build a relationship with them. They could be the most chatty person in the engineering channel, the most chatty person in the pets channel, but you know who those people are. And if you build a relationship with them, they will have insights on how you can reach certain portions of the population that you might not get if you're just talking to leadership because leadership doesn't know at all, right?
Ashley Rose: Yeah. That was what stuck out to me through your talk. So influence and it sounds like also like vulnerability, finding the vulnerable groups. You mentioned, okay, who is most likely to fall for X, Y, and Z, and spend some time there. There's another role that's opening up in the cybersecurity space right now, where there's talk around like this BISO role, the business information security officer, and these are people that are put in charge of really partnering, connecting security with the business. And we're seeing these at some larger organizations. Shawnee, I don't know if you're seeing something similar, but love to turn it over to you and love to hear how you reach an organization with 100,000 people or close to 100,000 people and what role does data and automation play in driving cultural change in that type of organization?
Shawnee Delaney: Yeah. So Brian, I have to say you would be a really good spy because the way that you're doing this is the right way to do it. Even if the organization has 100,000 people versus 1700, you have to do it that way. Like I said earlier, we're all humans and everything that we're doing, all of these program buildings, it's trust, it's building trust, right? And so being able to reach out to the stakeholders, to the heads of different lines of business is critical, but just like Brian said, reaching out and touching the individuals is really, really critical. When he talked about storytelling also, I found really, really good success with case studies. So we have a working group and every month we share a case study from the company internal. It's good because it opens people's eyes to wow, this really happens and it happens to us. It's not an industry metric or a standard. It's not somebody far away on the news. It's in-house.
I also have a really brilliant colleague who came up with an idea for what she calls the risk register. And what we did again, because you're trying to eat this elephant one bite at a time, going down and sitting down and conducting one-on-one interviews with everybody that might have some information about the business to get the ground truth. So when you're talking about data, we want this to be a data driven organization, a data driven program. I'm talking about insider threat specifically, but what you're looking at the metrics is how many investigations and what type and things like that. You don't know what you don't know. You only know what is reported. And when we're talking about all these different risks, the vast majority are not reported or known about. And so when you're talking to the business owners and finding out what that ground truth is, that gives you a really good sense of where to start and where to focus.
Another thing I liked of what Brian said is you're focusing on the high risk users. I think you used the word vulnerable, right? And probably in that vulnerable dating female population which is frightening, but it's high risk to me. And so taking, identifying those organizations or those populations, and then spending one on one time with them and giving them specific training, I think is brilliant. Another thing is IP inventory. So you would be shocked at how many organizations have no idea where their intellectual property or trade secret sits, who has access, should they have access and what it's worth. And when you try to do an investigation into a potential IP theft, the business is like, I can't tell you what it's worth. So you're losing that. So being able to pull that data is really critical.
When it comes to automation, what I see is really, there's a push towards automation and there's a push towards tools in the industry. And I think everybody here probably sees that as well. But what I do see is that not everybody can afford that. As we all know, security and the ROI for security is really hard to prove, unless you're talking about maybe fraud, where you actually can get hard numbers. So trying to sell to your C-suite that, hey, we need this tool so we can automate, so we can see when people are doing malicious acts is a very, very tough pill to swallow in a lot of cases. So that's why, again, what Brian is saying is making sure that you're having those touch points with the actual humans that know where the vulnerabilities are, is really just so critical.
Ashley Rose: That's great. That's a great segue actually into our next question where you're talking about ROI in effectiveness, right? We know security budgets are oftentimes limited, maybe not at all companies, but in a lot of companies. And we hear a lot that the CISO is struggling to be able to go and get the buy-in from their CEO, from their board to get more budget to implement the new tool or technology or whatever type of process they're trying to roll out. So can we go a little bit deeper into things like what tools are you currently using to provide improved effectiveness metrics on the effectiveness of human risk management, what data tools and processes maybe that do you wish you had to make your job easier?
Brian Markham: Well, I think Ashley, in full disclosure EAB is a design partner with Living Security on their unified platform. So I'll talk a little bit about that, but what we really want is the ability to bring data together and to correlate it. I think some people might refer to that as XDR, but I'm not really looking for things so that I can do incident response. I'm looking to understand behavior and I have the signal from everywhere, but it's all in disparate places. So we're really excited about the promise that Unify has and allowing us to bring all that data together correlated in the one place so I can see this is the group that I want to talk to. This is the manager that I need to talk to. This is the employee individual that I need to talk to and here's why. So I'm super excited for that.
With respect to ROI, obviously for me and all the CISOs on the webinar, this is really complicated and difficult. I think Shawnee said it really well with respect to fraud. Unfortunately for me not being at a financial institution, fraud is not really something that is top of mind for me from a threat perspective, but there are certainly other things that we can use to express value in dollars. And so I'll talk a little bit about how we do that. It takes a certain amount of time for us to respond to an incident, whether it's potential credential theft or phishing or malware, and we can count the things that... We obviously want to log and record all the things that we work on. So we've got a record of it. So we can count those things that we work on based on the reports that we get, the incidents that we log ourselves and how long it takes for us to actually resolve those issues.
And what we've been able to do is by taking those number of hours and assigning a dollar amount to that we can show over the past year, over the past month, we've spent this much responding to these incidents. So then it allows you to be able to put a dollar amount on something. For example, a real easy one would be how much money did you spend in the last year outsourcing incident response to an outside firm for things you could have done in-house. So for example if you built out a forensic lab versus asking a third party to do it for $600 an hour, how much money could you save? That's actually a calculation that's pretty easy to do. And we used a very similar argument to actually build out our own forensics lab because we found we were outsourcing things that we really didn't need to outsource.
We could have done them in-house if we had the right equipment. So yeah, I mean, obviously there's a lot of other data sources as well that we look at, logins, emails. I try to take in as much data as possible just to get good situational awareness around what's going on in my environment. I had my last former president at George Washington that I just worked for said to me once, he said, "How many attacks do you see per day?" And I thought to myself, first of all, I didn't know the answer to that. And then I thought, well, what if I just said 200,000? What does that mean to him? Like, is that a lot? Is that a little? What if it's a million the next day or what if it was 50 the day before?
And so the numbers alone aren't enough. You've got to have a context for those numbers and you have to be able to establish a baseline. And so that's the stuff that we try and do so that we can detect anomalies better, so we can understand again, what normal looks like. And then when you see certain behaviors, when you see how much time you spend reacting to those behaviors, you can put a dollar amount on it and use that information as a way to get up more investment, or to be able to do some things that you weren't necessarily able to do or not necessarily to get support around before.
Ashley Rose: Awesome. Thanks Brian. Shawnee.
Shawnee Delaney: Yeah, again, he's right on point. I think in addition to external spending, you have to look at outside council. That's another big one to clean up investigations and litigations, especially we're talking about human risks. So when you have an insider threat case where someone conducted espionage or IP theft or sabotage, or whatever it was, some malicious act, usually you're going to have to have outside counsel to help you with that as well as digital forensics like Brian said, if you don't have that in-house. But I think ultimately to prove this ROI, you have to take baby steps. I want to do everything yesterday, so that's personally very frustrating for me. But being able to look at the pieces that you think that you can accomplish and do them very slowly, for example, with insider threat or having any sort of insider threat or insider risk program, that's a lot of change.
And you're training people to shift their culture, which really kind of rocks the world of some people. And so I feel like you have to be kind of delicate about it because you're changing people's patterns, you're changing how people do their daily jobs, but being able to pull the metrics like we were talking about before, things that people might not think about exit interviews, for example, why are people leaving? You can identify real risky areas for your humans, for your people when you see that there are trends, maybe there's poor communication or leaders need more training, also onboarding and recruitment, talent acquisition. Are you seeking out people that are a good cultural fit or are you just trying to check the box that they can do the job check, well, hire them?
That increases the chances you're going to have human risk or insider threat in the future. And so looking at those metrics, how many people have you onboarded? Did they leave within three months or did they turn down the offer? Those are other metrics you can look at. Ultimately, I think this whole thing is very manual. It kind of has to be. Again, it's a human problem. You have to have humans looking at it and examining it. No amount of automation or tools are going to be able to tell you what that ground truth is.
Ashley Rose: Yeah. I think you brought up a really good point where humans do not isolate themselves to cyber, right? We talked about tenure and culture and there's all this other kind of external context that we need to split around what's going on from a behavioral and cyber security potential incident perspective, but there's all these other parts of it. So I think right now, obviously, that I just heard it was returned. We had the great resignation now to the great renegotiation, but maybe I'll throw this around on you guys. Like what impact or what potential impact are you thinking about from a human risk perspective with what's going on probably both geopolitically, but also from just the trending post COVID of people leaving the workforce?
Brian Markham: Shawnee, you want to go ahead.
Shawnee Delaney: If I can unmute. Yeah, for me personally, I think probably two main areas, and that would be theft of intellectual property and trade secrets. When COVID hit and everybody started losing their jobs and just having general job insecurity, I saw a dramatic rise, and you can look at the metrics. I think like 82% of people are more likely nowadays, according to Code 42, if I'm right, to take something before leaving a job than they were pre COVID. So I really do worry about that. A lot of people are going to competitors. A lot of competitors are playing dirty where they're offering really inflated salaries or titles to lower level employees.
Again, remember, like I said earlier, we don't always go after the high level people. It's oftentimes the lower level people. And they're encouraging people to bring IP with them or trade secrets with them business intelligence in general and then they're firing them shortly thereafter. I also worry about what's going on in Ukraine, what's going on in the world. I really worry about forced recruitment or forced cooperation with external actors. So there are a lot of malicious actors out there, be them organized criminal groups or nation states, whatever you want, there are a lot of people who have vulnerabilities. Again, we're all human and spies like me or nefarious groups will use and leverage your motivations and vulnerabilities to get information from you.
There are tricks, there are tools that they use. It can be pure elicitation. Sometimes you don't even know that you're providing intelligence information. So I think again, I will harp on the training and awareness as being so important for people to understand how they can give up the keys to the kingdom without realizing it. And again, even if they don't have the keys to the kingdom, as an intelligence officer, all I have to do is talk to Ashley and Brian and Brandon and get a piece from everybody and then the analysts back home put that together. So I think just having people understand that we are all vulnerable and we are all recruitable at some point in our life, especially with external factors like COVID and wars and things like that.
Ashley Rose: Before we go to Brian, we just got a question in the chat and it was Shawnee, what's the biggest motivator you've found to give up the keys to the kingdom. So you see, you mentioned forced, but how does that actually happen?
Shawnee Delaney: How does forced happen or the biggest motivator or I could do both.
Ashley Rose: Let's do both. Yes.
Shawnee Delaney: Okay. So I think the biggest motivator from my experience, so I say money, but it's not that people want money, it's what are they going to do with the money, right? So many people that I recruited, obviously they needed money, but they needed it for a sick family member to get treatment for example.. There was one where he needed it to put his kids through school, because that was the most important thing to him. So every time I tried to slip this guy money (there's actually a podcast out, hit me up if you want to hear it), he would refuse. And he was like, "No, I'm not going to work for money." And I was like, "But you're providing me the secret information, I need to compensate you for your time."
And it took me a long time to figure out that instead I could caveat that and say, here, I'm slipping you this envelope, this is not for you, this money is for your kids' education. Go open up a bank account and I want you to send them to college with that money. And he was like, "Thank you, I'll take that now." So I would say financial issues are a big, probably the primary motivating factor. Revenge is probably the second one. There was someone I had who works for a very hard target country if you know what that is. And he was part of the government. And I met with him for a while. And his motivation was that his wife had died of an illness. And he felt like the government was responsible for protecting her and they did not try to help. They could have done lifesaving surgery or whatever. So he wanted revenge. He wanted to stick it to his government. So everybody's different and every case is different, but those are very common. And what was the second question? Sorry.
Ashley Rose: Yeah, that was... So well, first we said, what's the biggest motivator and then how does somebody force somebody to work with them?
Shawnee Delaney: Yeah. So that comes down to people's vulnerabilities. So again, I'll use COVID and war as an example. We're living in a global pandemic, it's going away then not going away, then going away, then not going away. We don't know if we're going to have our job tomorrow. We don't know if we're going to be alive tomorrow. So there's a lot of external pressure on people. And then when you throw in just horrible world events, a lot of people are so vulnerable because they want to provide for their family and they want to take care of their responsibilities. And so forcing someone, basically, you're not giving them an out, you're like, look, you're going to do this for me and I'll give you money and you have no other choice. It's these malicious groups who are figuring out what will make that person work for them.
And they don't always have a choice. In Latin America actually, for example, I've seen a lot of people recruiting insiders who are very low paid, oftentimes they're contractors, several companies, and they're just leveraging that. Like, you don't make a lot of money. You don't have that loyalty to the company. You're probably not going to have your job very long. You're not highly educated. So what else can you do? Here for 50 bucks a week, you're going to give us this information from that database.
Ashley Rose: Yeah. That we said both involve personal motivations. Family, that's just a consistent theme that we're seeing because at the end of the day, we're all humans and that's really where our hearts are. So I think it makes a lot of sense. Brian, so back to kind of the initial question, and I know we went a couple different directions, so we'll see where this completes us, but what's keeping you up at night right now with your human population?
Brian Markham: I think for me and Shawnee kind of touched on this as the world is a complicated place right now, more so than usual. We are in the midst of a global pandemic. We have a war in Europe. People are distracted. People are concerned. People have mental health issues that they need to worry about. The last thing that I want to do with my security program is stressing out more, right? So for me, it's kind of recalibrating the way that work gets done now that things do seem to be opening up a little bit, at least for some time before, hopefully we don't, but before things get bad again. People are starting to travel more for leisure and for business. People are coming to the office again. I haven't had to have a conversation with anyone about tailgating for two years.
Now all of a sudden I have to remind everyone, hey, if you see someone that you don't recognize, ask them if you can help them, "Hey, can I help you find something?" I have to get them to remember that these are all things that we used to do in the before times that we now have to start doing again, because a physical threat is real. Someone can find their way into our office and they can walk around and pretend they work there. And there's been a lot of hires in the last two years and not everyone knows each other. So it requires vigilance.
So that's one of the things that is challenging me right now, because I'm trying to figure out a way on how to do this without stressing people out more or making them feel like, oh, if I go back to the office, it's a police state because that's obviously not what we want. We want people to be safe at work. We want the work that we do to be successful. We want our clients to be successful. And the best way to do that is to make sure that there is trust across that entire landscape. So I'd say that in addition to all the other crazy things that are going on online, the wiper malware, ransomware, just your internet facing assets, that's probably the thing that I've been thinking about the most.
Ashley Rose: Yeah. You brought up such an interesting topic and there's a couple of questions in the chat I want to make sure I get to. But I really want to touch on this one because when everyone had to move home, we were sort of all thinking, okay, well, how do we train, educate our people to work securely at home? And you just brought up now, you're thinking about how we retrain, right? How are people going to have to relearn how to work securely in the office setting?
And probably a lot of us have gotten into some bad habits. Like, are we locking our laptop when we get up from our home office to run to the kitchen to get a snack, right? How do we remember? Have we retrained to do that? Tailing has always been a really challenging one because as people, you want to be helpful, you touched on this, right? We want to let people open the door and we want to trust you. And we don't want to have to question because that could be really awkward. I'm going to put you on the spot really quick, but how are you thinking about doing that? Do you have tactics or advice that you can provide to our audience today?
Brian Markham: I mean, we talked about storytelling, right? Shawnee, you can raise your hand if you have, but I'll expose myself. How many people here have broken into a building before with permission of course? People love to hear stories about this stuff. We get to do things in cybersecurity that as a kid, when I saw the movie Sneakers (I'm dating myself, I'm sorry), I was like, I want to do that. But I didn't know that was an actual profession, but now here I am 30 plus years later and that's a thing that I was actually able to pursue and I'm super passionate about it. So I want to go and talk about it. I want to go and tell those stories. So I think that's how you do it. You don't show them a policy. You don't make them click through a training and then click a box that says, yes, I'd have read this PDF.
The way that you gain trust is that you build relationships with people. You get in a room and you tell those stories, those amazing stories about things that you've done. And they can relate that to things that they've seen and experiences that they've had. And that sticks with them. Regardless of what you think of him, I remember that I saw Frank Abagnale, the Catch Me If You Can guy speak 15 years ago. And what he talked about stuck with me 15 years later because he told stories and they were memorable stories. And so you can do those same things in your environment. You tell those stories and you can get people to think about the way that they behave and hopefully to change their behavior to become more of that human firewall. I hope that answered your question actually.
Ashley Rose: Yeah. I love that, storytelling. So I know we have so many questions coming but Shawnee, I wanted you to answer this one really quick. Do you have any kind of tactical advice that you'd give to the audience today on retraining or relearning some of the things that we're going to have to do after coming back from working from home the last couple of years?
Shawnee Delaney: Yeah. I think it's important to have kind of a two prong approach if you will. So I think there should be enterprise wide where everybody gets the same training, this is how you can be a threat. These are the risks to you as a person. This is what you do if you overcome them. Here are some examples to touch on Brian's. Here are some case studies from our company in the past. So it's real, it happens here. And then have something targeted to HR and managers and people at that level. It's not that managers or HR sees everybody every day. It's actually the colleagues that see people more often. However, when you have someone's change in a pattern or behavior, when you start seeing those red flag indicators, a lot of managers and HR VPs that I have worked with in my career, they don't know what to do.
So making sure that they understand what their responsibilities are and how they can direct other employees and good advice is really, really helpful. I think having working groups, having tabletop exercises, having all of that with the stakeholders and asking them to push that information down, also having groups. At Uber, for example, there are groups who are called New Security Heroes. It's a heroes program where you can join the group, you get cool swag, everybody loves swag and then you're a champion. So you go do a physical security walkthrough, for example, and you identify where people are leaving vulnerabilities. There are a lot of different steps I think you can take to just keep this front of mind for people, especially after moving back into the office.
Ashley Rose: Well, that's awesome. So I'm going to transition to a couple of questions from the audience. I like this one a lot and we talked about people being at risk, being recruited away, it's happening, I mean, up very, very obviously in the technology field specifically with our engineers and I would say probably our cyber security personnel, right? We have a very large work force gap right now. So the question was around sometimes I feel like technologists aren't priorities in security wise training programs. I'd actually maybe append that to say, it's not that they're not prioritized, but maybe they're not paying attention or they feel like they're above it. And there's more of a focus on the business. So how do we help to train the people that are literally configuring our firewalls to be our human firewall? Like, what are your takes on that?
Shawnee Delaney: If I just real quick jump in on that one, what I've seen is that the people configuring the firewalls are heavy on the tech side, and this is not everybody, but a good chunk of them believe that the risk is a cyber risk or vulnerability. And so I think educating them that this is actually a human risk, it is the skin behind the keyboard as Don Freecss says that is actually doing that act. It takes a person to click on a malicious link. It takes a person to set it up and send it. They are using cyber technology to enable whatever they're trying to do. So making sure that the watchers, if you will, and the people working on the tools and the automation and the rules understand that component of it because I think there's a lot of misunderstanding about human risk there. Sorry, that was my soapbox.
Ashley Rose: Brian.
Brian Markham: I think that's an excellent point, Shawnee and your soapbox is awesome. So I mean, I think it's about making it a team sport. Like a lot of the heavy tech people at my company and my former employer, they were interested in security from a hobbyist perspective. They loved those stories. They were sending me articles on things that I hadn't seen before. So it's again, meeting them where they are, figuring out what are going to be the things that appeal to them and help engage them. If you can dive in deep on a specific topic... I mean, like if you look at what's been going on in the last couple days with Okta, there are some lessons to be learned from that. Are you talking to your IT staff about that, about those lessons?
And so those are opportunities to have those conversations. And again, if you're really good at storytelling and you bring all the facts to the table, you can have really great conversations with people. And many of these people, again, if you know who the influencers are, you know who to get on your side. Shawnee talked about that heroes program. We've also seen it called Security Champions. You really get those evangelists that are passionate about security, but their full-time job is not security. It can be UX. It can be DevOps. They can be a software engineer. They might not even work in IT at all. We have some of our best members of the human firewall in finance. Like just try and get them to click on something, they won't. I shouldn't say that publicly, but the goal is to create these communities and engage these communities at their level where they are.
And if you're doing a good job of that, I think you'll get the kind of feedback that you want. And I think also we worry so much about, well, people don't listen to me. People don't read my newsletter. People don't show up for my things. First of all, someone reads your newsletter. Someone shows up for the things, right? So don't get upset because you didn't engage everybody. You're never going to engage everybody. You're not supposed to. If you engaged everyone in your company on your monthly webinar or your quarterly webinar, you would run out of Zoom licenses and they wouldn't even let you. It would top out like 300 or something. So you can't even do that. The point is that you need to be on multiple channels. You need to have multiple messages for multiple groups. So don't look at it as a failure if you don't get a 100% buy-in. You're only going to get partial buy-in and you should be satisfied with that.
Now, you definitely want your numbers to go up over time, but what you really want to be doing is listening. We care so much about, are they listening to us, but are we listening to them? Are we going where they are? Are we having conversations? Do we ask them things like what are you worried about? Is there something about the newsletter that interests you? Like, what would you like to see more of? And we ask people those questions because we don't know it all. And what we hear is actually really insightful for how we build out our awareness programming over the course of the year. So I would encourage all of you to think a lot about that. Think about how you're listening rather than worrying about like, are people listening to me because I can guarantee you some percent of the population is absolutely listening to you.
Ashley Rose: Those are great ideas. Do you have something to add, Shawnee?
Shawnee Delaney: Yeah. Sorry. Brian just made me think when we're talking about training and retraining and keeping it fresh, someone made a comment, I took this two years, making it interesting, changing it, making it different and we keep talking about telling stories. Oddly, there are funny and entertaining stories about this kind of stuff. Like, did you all ever hear the one about the nun who committed massive fraud? She was an insider threat. So you can tell things that really fascinate people, like a woman who took a vow of poverty and stole almost $900,000. Like that's fascinating. So if you're telling the right stories to illustrate whatever point you're trying to make, people will be engaged and people want to know more. And when you're talking about cybersecurity or human risk or insider threat or any of this stuff, this is sexy stuff. If you tell it right, you're going to get a lot of interest.
Brian Markham: Absolutely.
Ashley Rose: Awesome. I was going to put that question up. So I think that's great answering Jennifer's question around, how do we keep people engaged when we're retraining? So this is a lot of really good qualitative human focused responses and ideas. And I'm going to push us a little bit harder to go back to some of the quantitative stuff here at the end of the hour. So doing all these things, doing these webinars, telling stories, getting people on a Zoom meeting, knowing that some people of the population come and some don't, how do we actually, and what kind of return on investment does that establish for the security program? How are you proving this?
Brian Markham: So for me, Ashley, again, it's a difficult problem to try and prove it quantitatively. So what I try and look at is I look at how we're engaging the community and how it results in actual things happening. So for example, if a message comes in, how many people are hitting that report phish button versus how many people are sending me a DM in Slack, sending me an email, sending it to the help desk. We tell people during orientation, we touch every single person on orientation and we tell people exactly what to do. How many people do a different thing versus the thing that they're supposed to do? And we keep track of all of that because we want to be constantly refining our messaging and going back to people and saying, hey, we've noticed that this is happening. Let's talk about this.
Let's talk about what happens when you do things the right way. So we keep track of all that. We do phishing campaigns every month. We like to call it phishing with empathy. We don't punish people or call people out, or we don't have a wall of sheep at the company. But what we like to do is we like to measure how many people are reporting, how many people are doing the thing and then reporting anyway. It's how we measure how comfortable people are with us, if they make a mistake and then they're willing to come to us and say, I made a mistake.
And we track those numbers every month and we report that to leadership to show how we're doing. So those are just a couple of ways. Again, I pay attention to the number of emails, number of email threats, pickup blocked, false positive rates, things like that, incidents that we see both reported and initiated through our various alert programs. So we are keeping an eye on all of that. But unfortunately, it goes into this blender up here, if you can see where I'm pointing in my head, and sometimes you get a qualitative answer, which I think is just indicative of how difficult it is even with really great tools to be able to stick a number on something and say, "Look, I did a good security thing."
Ashley Rose: Shawnee.
Shawnee Delaney: Yes, yes. Everything he said. I think what's hard also for a lot of companies, especially if you're just starting programs to measure and track human risk and insider threat, you have to start from somewhere. So for example, if you can beg, borrow and steal from internal audit, ER, HR, global investigations, anyone who's doing investigations and start putting the pieces together, you have to start from scratch. So that's something. The metrics and the ROI is something that's really hard to prove in the beginning especially. That's something over time that you'll be able to when like Brian is saying, like you have that increase reporting.
So you do your training, you see an increase in reporting because people now know they should report and who to report to. And then hopefully as you continue the training or you're doing micro-learning or whatever you're doing to keep it fresh, you see a decrease in incidents or investigations because people are not doing it. For that vast majority of human risk, it's unintentional, it's negligence. And so hopefully that can be trained away. And then you can focus on the higher risk malicious acts and things like that.
Brian Markham: If I can add something, Ashley, a good example that came up in the last couple days is stolen and lost laptops. People on my team are like I can't believe people are losing laptops or bringing them to all these crazy places, leaving them in cabs, bringing them to foreign countries and getting them stolen. And look at the numbers, four in the last year. How many times is a laptop lost? Four. How much money is lost in a given year due to a lost laptop? Four. Four times the cost to replace the laptop, right? Is that something that we want to invest in? Is that really the thing that we're worried about or need to get wound up about? Being able to demonstrate that you actually understand these numbers and talk to your team about those numbers and talk to the org about those numbers can really help you not get wrapped around the axle about the thing that seems bad when in reality there are most definitely worse things that your org that you're either A, not looking at or B, not measuring.
So that's just one thing that has come up in the last couple days that I was like, I'm so glad I found this number because we can stop really getting wound up about the lost laptops. Yes, it's frustrating and annoying and we don't like it, but four, four.
Shawnee Delaney: I'm jealous.
Ashley Rose: Oh yeah, I'm sure there's lots of people leaving laptops in their cars or their Uber transportation with you Shawnee but what I heard there was part of the ROI can be, are we prioritizing our resources to the things that are the greatest risk for our organization? We can't try to combat everything. We don't have unlimited people. We don't have unlimited time, but unlimited resources is another thing... So that is one ROI, it's like, let's get the biggest bang for our buck. So if we know where that is, where our greatest pocket of risk is, we can address that head on and that's going to make a much bigger impact for the organization than trying to train or put some sort of policy in place around lost laptops when there's four of them. Makes sense. So I love this question. We only have two more minutes so I'm going to wrap us up with this. Let's imagine you were given a preset of $100,000 but you had to use it to strengthen your human firewall. What is the best way to spend it?
Shawnee Delaney: Data analyst. I would hire a data analyst, a really solid data analyst because just like we're talking about proving the ROI, having those metrics and being able to quantify as much as you can for the business, as well as using that data analyst for targeting those high risk areas and helping manage the program I think would be amazing. That would be a huge win.
Brian Markham: Shawnee, that's a great idea. I might offer a little bit of a different take on it. And that is what I would really want is I would want my tentacles closer to each group. So I would try and recruit with money, with swag, with prizes. I would try to recruit as part of a formal program that certain people across the org are going to do their jobs, but every so often they're going to come in and they're going to report. And they're going to tell me what they're seeing. They're going to tell me what their teammates are saying. And it is going to increase my situational awareness so I know what's going on across the org, I know what risks people are taking, I know what things in the environment are problematic for them that they have created workarounds, which make us more secure or insecure or blunt the effectiveness of the controls. So I would probably use it to recruit an army across my org to feed some data into what we're already doing to learn about the organization.
Ashley Rose: Both are great answers. Well, we're here at time. Thank you Brian, thank you Shawnee for spending your time with us and sharing your knowledge and expertise. I know there were more questions that were not answered, so we will likely follow up with you and post some of this in a blog that is attached to the webinar. Thank you to our attendees today for spending an hour with us. And we hope that you were able to get some really tangible takeaways that could help level up your program and your human person. Thanks so much.
Brian Markham: Thank you.
Shawnee Delaney: Thank you.