Human Risk Management, Episode 321 on September 25, 2023, featured Jake Wilson, Security Awareness Evangelist at Western Governors University. The conversation touched on the importance of security awareness programs, the role of engagement and fun in these programs, and the movement away from a compliance-focused approach to one that emphasizes behavior change over time and uses data to demonstrate effectiveness.
An engaging and consistent security awareness program is essential
Jake emphasized the importance of a robust, engaging, and consistent security awareness program. He pointed out that often organizations focus on compliance checks, but there is immense value in creating a program that actively engages and educates employees.
“I feel like there's starting to be this shift... I think there's a lot more to information security than just the online courses and ad hoc kind of communications or alerts about risks or things that are happening at the time,” he said. “The biggest change we made was focusing on making things fun, making them engaging. Then we started to see more buy-in and people got excited about security.”
When discussing the structure of security awareness programs, Jake stressed the importance of moving away from long, tedious courses to shorter, more frequent ones. He believes that this approach increases learning and retention among employees while also being more considerate of their time.
"One of the pieces of feedback we get is, 'Oh my gosh, thank you so much for making this course only five minutes or ten minutes,'" he said, "because it gets them back to their main focus, which is whatever their department or whatever their role is."
Having the right people leading security is important, too. "I think if you have somebody dedicated to security awareness, somebody that obviously cares about the organization and helping individuals at work and at home, it does wonders," he said.
Cybersecurity awareness training should not be one-size-fits-all
"We don't want to roll out these training courses for every single person," he said. "We have people that are maybe the most secure person in the university and they create the best passwords, but maybe there are individuals that need additional help."
Wilson shared how Western Governors University's program included monthly scorecards sent to individuals, showing them what they're good at and what they could improve on.
Jake uses Unify, the human risk management platform from Living Security, which enables him to see all risky users so he can prioritize delivering training or policies to those who need it most. When he sees a person or group that is exhibiting risky behaviors, he can create action plans to mitigate their risk.
Metrics are crucial in evaluating the effectiveness of a security awareness program
Jake noted that metrics should go beyond basics like phishing click rates to include data on behavior change over time. He said he uses, and plans to expand his use of, the Human Risk Index scores provided by the Unify human risk management platform.
What's more, he can show that the "organization as a whole went from risky to vigilant; the needle moved to the right," he said. This approach gives a more holistic view of the organization's security posture and helps identify areas for improvement.
"I think it tells a really cool story to leadership, and it's something that I think it's easy to understand," Jake said. "It's not technical. It's just behavior change."
"Fast forward in a year, we'd want to focus on maybe the top risks that we could address and then take a proactive approach with the individuals that need help the most… the goal is to show that needle moved within [Unify from Living Security]," he explained.
Key Insights from This Podcast
Security awareness programs are essential for managing human risk in cybersecurity, but they're not a one-and-done exercise.
Making these programs fun and engaging can increase their effectiveness.
Short, frequent courses are more beneficial than long, infrequent ones.
Customizing courses to fit the needs of the organization can improve their relevance.
The use of a human risk management platform such as Unify can provide valuable insights and data.
Metrics such as behavior change over time can be used to measure the effectiveness of these programs.
Dedicated, passionate security team members like Jake can significantly enhance the effectiveness of security awareness programs.