Webinar Recording: The CISO Perspective on Why Human Risk Management is Superior to Security Awareness & Training

Posted by Living Security Team
May 23, 2022


On May 12th, 2022, Living Security CSO and co-founder Drew Rose was joined by Omar Khawaja, the CISO for Highmark Health, to discuss the declining state of Security Awareness & Training across the industry, and why Human Risk Management is a superior alternative.

It was a fun and engaging discussion from our speakers with insightful comments coming in from our attendees throughout the event. In the webinar, speakers Omar & Drew discussed how security awareness training, while still important, is in dire need of repair. They covered why Human Risk Management is different and changing the game, helping organizations:

📊 Filter down to the riskiest individuals, groups, or roles.
📊 Improve risk scores and up-level security awareness.
📊 Create tailored programs that respond to risk and address the issues at hand.
📊 Track increased vigilant behaviors, and decreased risky ones, over time.
📊 Demonstrate improvement across the organization quickly and easily.


We've included a full recording and transcript of the conversation below. If you'd like to learn more about how to apply a Human Risk Management framework to your organization's cybersecurity training program, you can download our free whitepaper.


Here is the full transcript of the webinar:

Drew Rose: Thank you so much. For those that have not been on one of these in the past, my name is Drew Rose. I'm one of the founders of Living Security. I'm definitely very excited about today's topic: why human risk management is superior to security awareness training. We are in such an interesting time in our space, the ones in the security awareness, human risk management space. It's a really exciting time. Really excited to bring in Omar into this conversation.

So, it's my pleasure to introduce you to Omar Khawaja. Omar has been developing and managing security solutions for startup service providers, consulting firms, and enterprises. He is currently the CSO of a company called Highmark Health. It's an $18 billion blended healthcare delivery and financing system. He serves over 35,000 employees and 50 million Americans. Prior to Highmark, he was at Verizon Enterprise Solutions, where he was responsible for a portfolio of security solutions with customers in 73 countries.

He serves on the boards of HITRUST, Leadership Pittsburgh, Action Housing, and FAIR Institute. And he's also on the governing body of Evanta, amongst others, as well as adjunct faculty for the CISO programs of Carnegie Mellon. Omar is what I call a transformational CISO. He is consistently pushing the bar of how we do things today, and how things should be done, and how we close that gap. He takes interesting and innovative approaches and is willing to take risks to help with some of those solutions, and he has some really great stances on what human risk management is and some tactical solutions of how we can close the gap between security awareness, training, and human risk management.

Omar, it's a pleasure to have you here today. Maybe you want to do a quick hi to the audience.

Omar Khawaja: Absolutely. It's a pleasure to be here. Thank you for hosting this webinar and inviting me, Drew. I appreciate it.

Drew Rose: Awesome. Yeah, it's a pleasure to have you here. We've had some of these conversations in the past. We'll start with the script, but I'm certain we will go off-script probably pretty shortly as interesting things come up on both sides. So, yeah, let's begin. Let's just start it foundationally. We have a lot of people here, and I recognize a lot of these names. When we say things like security awareness is broken, and it's been broken for a while now, I know that you wholeheartedly agree. We're not saying that it's not important. It is a critical part of human risk management. So, let's start at the basics. Why do you think that annual compliance training is simply not enough?

Omar Khawaja: Okay, for a few reasons. One is that it's only a point in time. What we do in the world that we live in, so much happens from day to day. And because I was given some messages, and they may have been the right messages, and they may have been concisely delivered, but if those messages were given to me six months ago, or nine months ago, 10 months ago, the odds that they actually stuck with me, I absorbed them, and that they're going to inform my behavior many, many months later are really, really low. So, one of the key reasons is that they're just not that effective.

Another reason is that people don't enjoy them. And if we're trying to motivate and encourage people to do certain things and to take on certain actions, we've got to do it in such a way that they want to do it. If they do it because they have to do it or because someone's forcing them to do it, the outcomes just aren't going to be nearly as good as if they feel inspired, motivated somewhat intrinsically to do the right thing.

Drew Rose: Yeah, I love to bring this part of the conversation to the mind, to the reptilian brain. The reptilian brain is our response mechanism that nature has given us: flight, fight, or freeze. We need food, shelter, and water. When we go out into the forest, we know not to leave a fire just burning in the woods. Why? Because we see things happening. Like these campfire fires right now in Southern California, we see the devastation. The reality of the negative consequences of that risk is so real to us. It's like, "Oh, if I start a fire and a fire happens in my house or this area that I'm at in the woods, that could kill me. That could hurt me or my family." Of course, rationally, I'm not going to do that.

The risk of cybercrime and breaches and incidents is not felt as intrinsically as something that could hurt you physically. And so, it makes a lot of sense why touching on something one time a year is never going to change risky behavior to vigilant. So, what's step one? Let's say we'll kind of chart a path for some of the people on this call. If you're doing annual training right now, and you want to take one step up from compliance to human risk management, what are some other areas that we can start focusing on to get that message to really stick?

Omar Khawaja: Yeah. And I'll start by maybe calling myself out. When I take training, whether it's security awareness training or some other training, at the end of the training, I pat myself on the back, and I say, "Omar, you are really awesome. You did not need any of these messages because you already know all of these things to do, and these are so obvious for you. But I hope everyone else in the enterprise is really paying attention because they don't know what compliance really is, or they don't know what it means to be secure, or they don't know what it means to create an inclusive environment and be respectful of our colleagues." And that's really what my conclusion is at the end of almost every training that I take, the corporate training that I take. And my guess is that's true for many of my colleagues out there as well.

And so, when that's the conclusion someone taking training draws, there's not much value that comes out of the training because what we're trying to get people like me and others when we take training is to have our minds open up for us to have the willingness and openness, and ... dare I say it ... the humility to say, "You know what? Maybe I can be a little bit better." And so, one of the easiest ways to convey to the Omars of the world that maybe you're not that good is to replace people's own conclusions and their own opinion with some data.

So, if you can give Omar some kind of a score, some kind of an indicator to say, "This is a measurement of you, of your behavior," then it becomes somewhat unequivocal, and I can't argue with that. So, if someone gives me feedback and says, "Omar, the way that you are treating certain underrepresented groups in the organization isn't very effective, and they're feeling like they're not feeling very comfortable when you're in conversations with them." Okay, well, now that I have that feedback, it's really difficult for me to assume I must be doing a good job because it's no longer me coming up with my own opinion, but someone is replacing my opinion with some data, with some facts, and with actual perceptions on how other people are feeling.

So, Drew, I'd say the best thing that we could do is, can we get some measurement, can we get some metric. It doesn't have to be perfect. It doesn't have to be complex to convey to our users how they're actually doing and, therefore, how they should actually feel about their own level of cyber riskiness.

Drew Rose: Okay, so I'm going off-script. Can you see my whiteboard?

Omar Khawaja: Which is what you promised you would do.

Drew Rose: Can you see my whiteboard, Omar?

Omar Khawaja: I can. I like it, the sad face with the checkbox.

Drew Rose: Yeah. I mean, it's so interesting. We always say, "Oh, man, checkbox compliance is bad because compliance does not equal security." But the point you just made is really interesting. It's like your goal going into compliance training is like, "I just need the check box, and I did a good job." So, not only are we not seeing risk reduction from this annual training from an overall broad perspective, individually, you have that same perception that the executive team might have like, "Oh, we have 99% compliance. If 99% of the boxes are checked, we're good. We must be in a good place."

And then, from a personal perspective, "Oh, I did it and completed it. I have a check box. I am good. I'm ready to go," versus what you were trying to explain is there needs to be some sort of mechanism to give that feedback to say, "You're doing good. Here are some areas you can do better. Here are some areas we can focus on," in terms of the risks that they're bringing to their organization. So, I've never done a whiteboard before. I'm not super great at it, but I think that picture conveys a message.

Omar Khawaja: Those are pretty decent sketching skills.

Drew Rose: Thank you. I appreciate that. How do I get rid of them? I don't even know.

Omar Khawaja: We are going to stare at the smiley face for the next 45 minutes.

Drew Rose: Forever.

Omar Khawaja: Forever. It will never end. I wonder if you can go to share screen and change it?

Drew Rose: Maybe. Maybe somebody on my team can do it. We'll start with a new one. Maybe we'll have more stuff on the whiteboard. Okay, so we've been talking about this human risk management course for a while, this train of thought. What is human risk management? How is that different? What is your perspective, your definition of human risk management?

Omar Khawaja: Drew, I think to some extent, it's a very descriptive name, which is why I like it. It is the practice of managing risk that is associated with humans. And here, we're talking about risk in the cyber-context, so that means being able to identify the risk. That means trying to determine what the appropriate treatment of that risk is, mitigating that risk, communicating that risk. So, all of those things would fall under the umbrella of human risk management. Maybe to stake it and take it a little bit further and not to define the term using the term itself, it would be what are the set of behaviors, the set of actions that introduce risk that we want to avoid, and what are the set of behaviors and actions that erode and decrease risk associated with humans, and we want to encourage and invite into our respective organizations.

Drew Rose: Yeah, and I think that's key. I think it's like when you say something like training. You are already saying, "This is something that needs to be done," versus risk management. This is a continuous process that we need to be aware of or concerned about because of X, Y, and Z, because of these reasons. You work for a very large organization. I find that sometimes when the message from the very top comes broadly, that sometimes gets, again, either lost in translation or is not relatable. How do you craft a message that all of these different job titles, roles, these different business units, how do you get that message to stick? Do you have any thoughts or strategies on communication of risk all the way down the employee chain?

Omar Khawaja: Yeah, I mean, Drew, a lot of it is explaining the why and explaining the why in a manner that's actually specific to the audience, so it resonates with them. So, Drew, we were talking about your daughter. I think she wants to play tennis. And if I said to you, "Drew, you should start playing tennis," your immediate response would be, "Well, why should I start playing tennis? I don't like tennis. I like volleyball." But if I said, "Well, your daughter likes tennis, and it'd be a great way for you to spend time together," all of a sudden, you're like, "Hmm, maybe playing tennis is not as bad of an idea as I thought."

And similarly, here, if we just focus on take the training, we just focus on don't click the phishing button, we just focus on have strong password hygiene, and we're just telling people what to do, and we're not providing context, we're not explaining to them why they should want to do it in a way that they care about in terms that is meaningful and impactful and resonates with them, then we're not doing a good job. So, every message that we send to our colleagues about human risk management, we always start the message with a why.

And so, we'll say things like 85% of cyber incidents occur because of human involvement. We know that the average cyber data breach in healthcare costs $9 million. We know that 37% of organizations claim to have at least one ransomware attack. We know that for about 30% of organizations that get hit by a malware attack, it takes them a week to come back from business. What would happen for your department, for your area, the impact on your customers if that happened as a result of some behavior that you engaged in? So, we try to make it really personal, so I feel like I have a role to play versus some department somewhere in the company on some top floor who will go take care of this for me.

Drew Rose: Yeah. Yeah, you touched on it, the personal aspect. I was in the military, and as a military 18 to 21-years-old enlisted soldier, I will follow my sergeant wherever. It doesn't matter what the big goals are. My sergeant, that's my guy. That's who I have a relationship with. That's who I've spent time with, that I have experiences with, somebody that I've been through, maybe things that are difficult together. We have that bond.

The general coming down, the 300, 400, 500 troops that he might, maybe thousands, again, it's very impersonal. But my sergeant says, "We're charging that hill," I got your back because you have my back. So, my perspective ... and I think you did a good job at implementing this ... is how do we get the business leaders, the VPs, and directors? How do we empower them to be that person to say, "Okay, you are my group of BDRs. You are my group of client support people. I know your job. We've been in this together. We've done all these great things. And if you screw up and you make a mistake, this is how it's going to impact not just the greater company, but me, and our team, and our access, and our environment, and our customers that we interact with every day."

I like to say the pendulum has swung, and this is why we named it Breaking Security Awareness because we went from this part in our life ... and anyone that's been in this industry more than 10 years can relate ... where cybersecurity used to be a cybersecurity's job. IT, cybersecurity, you handled everything. You stood up the tech. You did the investigations. That's cybersecurity's job. I don't care about that. But five years ago, the pendulum swung to, "Okay, clearly, this isn't working." And the end users are the weakest link, which I hate saying that, but that's where we were five years ago.

So, the pendulum swung from cybersecurity is cybersecurity's job to cybersecurity is everyone's job. And I do think that we put too much onus and responsibility on every end user to be understanding the risk that they bring to the organization. Some are just out of college. Some are phasing out in their career. Some of them aren't just going to care to invest and figure out what does cybersecurity's everyone's responsibility really mean? And so, we're coming back to this place, and you came back here. This is why I call you transformational because you came back to this place years ago when you started allowing your managers and directors insight into the risk.

Cybersecurity is a business risk problem. That means the leaders of these organizations need to understand the risk their teams bring to the company so that they can manage the risk. How do you empower those business leaders, managers, directors, VPs to be able to understand that and have those conversations?

Omar Khawaja: So, Drew, good question. One, what you shared with your story in the military and where your sergeant would ask you to do it, you would do it, it turns out, that that's actually backed by the change management science as well in non-military organizations as well. We look to our direct boss for sponsorship more than anyone else. So, if the CEO stands up and says, "All of you should do X," we may or may not do it. But if my boss comes to me and says, "You need to do X," it is a much higher likelihood that I'll do it. And leveraging that relationship to drive change, particularly when the scale at which we're trying to do it is we're trying to drive that culture change across a large organization, that relationship is absolutely critical in terms of how you drive change.

And so, your question about how you empower those individual leaders to take charge and to be able to provide guidance and feedback to their respective direct reports, that becomes absolutely paramount. The way that we do that is we quantify the human risk score associated with each individual within the organization. And it's something that we call a cyber score, and we then guide the enterprise to just go to cyberscore.highmark.com so they can measure their own. They can see their own measure of cyber riskiness. And if I happen to have multiple people reporting to me, I'll also see the measure of cyber riskiness for my entire team and for each of my direct reports. It'll be sorted from highest to lowest.

So, now when we say things like cybersecurity's everyone's job, I hear that. And I'm like, "Okay, I hope someone's paying attention. I don't think they meant me when they meant everybody. I think they meant those guys over there." Well, now, if I go look at my cyber score and I see that it's not high, I don't get to make that judgment anymore because now I have data to say either I'm part of the solution or I'm not part of the solution, and it tells me exactly what I can do to become even more a part of the solution.

Drew Rose: Yeah, maybe you should take those shoulder pats away once you-

Omar Khawaja: Yes.

Drew Rose: ... [inaudible] that score.

Omar Khawaja: Absolutely, absolutely. Unless I've got a score of 100 and I really deserve it, I don't want to just give it to myself because I can.

Drew Rose: Yeah. Yeah, I absolutely agree. So, I mean, there's some interesting conversations happening in the chat and a question I want to get to. Well, I just made this analogy an hour ago. When you are tasked with eating a whale, you start one bite at a time. When you're talking about culture, it can seem like a massive task. I have 20,000 people in my organization. How the heck am I supposed to change culture?

And so, you start small. My perspective is you start with engagement. You start with positivity. You start with the relationships, then you build ambassadors, and you try to get a network effect going on, and you try to have consistent messaging around cybersecurity from the leadership, from the top down. And it doesn't happen overnight, and it's not easy, and it takes persistence to do such. But we definitely have a lot of recommendations from a culture perspective and in our community, as well as other members that we can help you on.

Omar Khawaja: Drew, you're right on. Going back to your metaphor of eating a whale, if you were to ask me how do I eat a whale, or how do I ... Maybe an easier example would be, how do I butcher a cow? How do I skin it, and how do I take the meat and cut it up, and debone what I need to debone, and preserve what I need to preserve, and do it all? That feels really, really daunting to me, but I bet there's a few thousand butchers out there that would say, "It's actually not that hard. Here's the six steps that you follow." Well, if I try to go do it by myself and figure it out, it will always feel daunting. And maybe in five years, I'll say, "I think I know how to do this because now I'm a butcher."

Or I can just go to the butcher and say, "Can you tell me what the process is? Demystify it." And I always say this to my team. When you're working on something hard, go find someone that says it's easy. And the same thing with this is if you don't know the process, if you don't have the recipe, it sounds impossible. It sounds like you're trying to eat a whale. But if you actually know the process, all of a sudden, you're like, "Wait, it's actually not that hard, and I don't have to make so many mistakes because all these other people, they made so many of these mistakes. And I can actually take advantage of that, and I can start with version 10 instead of version one," which is a lot of what Living Security and the communities you've put together are all about, collecting the best practices from the organizations that, quite honestly, have made the most mistakes. That's why they're also the most mature.

Drew Rose: Yeah, if I was more of an artist, I would've drawn a picture of the whale on the whiteboard. I 100% agree. Yeah, there's lots of people that have been through these same situations, where they walked into a large company post-breach, saying, "We need to do something. Everyone is terrified of the cybersecurity team. Everyone's afraid to report an incident. Everyone's clicking on phishing emails, and our simulation stinks. What do we do?" And there's procedural step-by-step stuff that a lot of people in this community, which I am proud to be of, will be willing to dive in and help you with.

Omar Khawaja: Maybe I'll give just one pointer and one of the things that we learned among the sea of mistakes that we made. See, I'm trying to keep your whale analogy going a little bit. One of the things that we've learned is if we use the right pronouns, and we go to the leaders, and we don't say this is security's risk, we say ... kind of like, Drew, you were implying ... "This is the risk for your part of the business. We looked, and we did the analysis on the 500 people in your division, and this is what it looks like. This is your risk. Let us know if you want our help there."

And to gamify it, we just break it down by each of their direct reports and their scores. So, invariably, what happens is the direct report of that leader with the lowest score does one of these face plants. And that is as tangible as it gets, being able to see change, culture change actually happen in real life. That person, when they come back for air, typically ends up looking at the security person and says, "Can you please help me make my numbers look good because I don't want to be at the bottom of this list when you come back in six months?" And our response is, "We are very happy to help you improve your numbers if that's what you want."

So, you get the pronouns right. You get the motivation right, and now, security is seen as someone that's supporting and helping the business versus someone that's getting in the way of the business or saying no to the business. We're a problem solver.

Drew Rose: Yes. I mean, a couple things to that subject around as a security org, we have to be receptive. Our arms kind of, "Come. I'm here for you." The moment we use the weakest link terminology or the big, heavy size or the big ... If they don't feel like they have an open door with you, they're not going to open it. And you just can't open the door and sit in your chair. You have to be at your door, welcoming people in. Hey! Hey, Sharon, looks like you have a question. I don't care what it is. Come over and ask me. Know that I'm here for you.

One of my last roles, my goal was to build a relationship with as many end users as possible, where they knew that I wanted to help them answer questions, whether it was both about their work life, and their devices, and their jobs, and access, as well as what they're doing at home or what their kids are doing. I want them to buy in to raising their hand and saying, "I'm not an expert here. I have a question, and I don't feel dumb about it." And then, I do my best to not make them feel dumb about asking those questions.

Omar Khawaja: So, Drew, what you just described and that approach to end users and really our colleagues versus calling them insider threats or calling them the weakest link, my view is I don't want to call someone something behind their back that I'm not willing to call them in front of their face. And I don't feel comfortable calling any of my colleagues an insider threat or the weakest link. So, in our program, we don't call them that because that doesn't feel like the culture that we're trying to create.

One of the things that I've found is that security people have a set of skills that make them really, really good. But when it comes to how we interact with our users, and our colleagues, and how we change culture, some of our best intentions end up sabotaging those programs. And so, one of the recommendations I have for those of you that are either running these programs or have someone on your team that's running these programs, I'd say bring in expertise that has nothing to do with security. If you dissect a lot of what Drew is talking about, he's talking about marketing. He's talking about change management. He's talking about the reptilian brain, which is psychology.

So, to run human risk management effectively, you don't really need to understand IDS and IPS and IOCs and SIEMs and EDRs and DLP. Throw all of those three-letter acronyms away. They're not going to be serving as assets as we build our human risk management program effectively in our organizations. But if we replace that with change management, we replace that with some positive psychology specifically, we replace that with things like marketing. Now, all of a sudden, we're creating intrinsic motivation. We're creating desire.

It's the reason I'm wearing this shirt because I wanted to. Well, I guess my wife made me, but maybe that's a bad example. We want people to do things because they want to do them, not because someone else wants them to do it.

Drew Rose: Yeah, that's awesome. We don't want to stop at culture. We want to do the things that maybe create engagement and get people excited. And we do believe that culture can change behavior and reduce risk, but it's very hard to prove. It's very hard to take that and say, "Hey, a good positive culture equates to a reduction in the impact of phishing failures." So, we want to start with the end goal in mind, which is how are the activities and the performance metrics impacting the business? What are the things that we need to be measuring? What's the data we're trying to capture?

And I think this is where we start. We need to start at the end, which is around what are we measuring and how that's reducing risk. Is that saving us money and time, or is it increasing our rev? Is it increasing our revenue or decreasing our loss? That's how we need to start. And so, culture, engagement exercises, campaign, these are all the things on the way, and there's a lot of performance metrics to get there. So, if we're starting with the end goal of mine, which is human risk management, reducing risk is reducing potential for loss, both in time and dollars and reputation and revenue, how do we close that gap? Let's get from culture to data so we can really start bringing the picture of human risk management together.

Omar, what are some recommendations for some of the participants on a call that maybe they have access to data, but they don't know what to do and they don't know how to make sense of it?

Omar Khawaja: Yeah. I'll give you a short answer, and then the long answer would be to read a book called How to Measure Anything by Hubbard. And I think he has a follow-up book called How to Measure Anything in Cybersecurity. So, I was skeptical that everything can be measured easily, and it's hard to measure things, and we don't have enough data, and it's imperfect data. After reading that book and drinking three-quarters of the jug of Kool-Aid that came with it, I've transformed. I actually no longer believe that we don't have enough data. And, in particular, there's a method that the book talks about called the Fermi Decomposition Method or the Fermi Method, and it tells you how you can take very little data and sometimes even no data and estimate answers that, if you go through a calibration exercise, that end up actually being fairly accurate. They don't have to be precise, but accuracy's kind of important.

So, in our program, we took some of those similar principles, and we said, "We don't need precision. We need accuracy. We need enough information, and the resolution of the information needs to be enough such that it can guide the right decisions and guide each of us as individuals to take the appropriate behaviors and to inspire us to do so." And so, we ended up picking eight measures, and we've changed them a little bit over the years here and there. And we don't measure anything that I think is all that novel. We just stuck it all into a simple algorithm, and it produces a score between zero and 100.

So, we look at things, of course, like; did someone click on a phishing email, did someone report a phishing email, does someone have access to high-risk internal databases, does someone have access to high-risk external websites, does someone have the ability to transmit confidential data outside the organization, is the individual leveraging a wallet for password hygiene? So, those are some of the eight measures that we use that make up our quantification of human risk management in our enterprise.

Drew Rose: That's really helpful. And now, there's clear ways to do this. They take some time and some initiative, but let's talk about you're a new CSO, new organization. Let's cast a vision, Omar. You have a team. They come up to you and say, "Hey, Omar." They run your security awareness program or your human risk management program, and then they want more resources. They want more budget. They want swag. They want to do these speakers and these cool sessions. What's your response?

Omar Khawaja: I'd say if it makes people happy, if it improves the branding for security, do it. Those are good reasons to do it. If you truly think that's going to move the needle on human risk management, measure it. And if doing those things in your organization and your culture, and given the savvy of your colleagues in your organization, if that causes the needle to move when it comes to how you're measuring human risk management, the proof's in the pudding. That was awesome.

If, on the other hand, you say one of your objectives is we want more people to do a better job with credential and password hygiene, and so you say, "We want to see how many people sign up for a password wallet," and at the end of those weeks of activities, you have a thousand people sign up, that could be awesome. Or if 50 people sign up, you may say, "You know what? We invested 50 hours into this, and we only got 50 people to sign up. Maybe that wasn't successful."

So, I'd say, identify some measures, identify some outcomes and then take your activities and align them to that. So, in our case, for instance, this morning, I did a session that one of my team members hosted. It's called Java With What, and every month I get together. And we typically have somewhere between 50 or 100 people show up from the enterprise, and they just ask me whatever's on their mind, or they share their frustrations, and we talk about stuff. The only thing I care about at the end of that is that my cyber score needs to go up by some number of points.

Now, it's an hour of my time invested, so I don't need it to go up for 100 people. But if 10 people's cyber scores go up as a result of that session, it's worth my time. So, if you were in that session ... It was a 50-minute session this morning ... We must have mentioned cybescore.highmark.com no less than eight times because that's the call to action. Go there. So, I'm not going to tell you you should get a password wallet. I'm not going to tell you you have too much access because I don't know your particular situation, but I know that you can go to this website, be empowered, and then you will drive to action on your own.

Drew Rose: Yeah, start with the end goal. Start with what you're trying to achieve, which is going to be some sort of increase in vigilant behavior or decrease in risk behavior. It's something that's measurable. We can talk OKRs. There's many books there, and then craft a strategy to get there and test and iterate on the way. I mean, as simple as Omar put ...

Imagine you want to increase password manager adoption. That's a very simple thing that you can easily measure. So, I have an idea. I'm going to send these chocolate bars out. I'm going to mail a chocolate bar, and it's going to look like a password manager. I don't know, just something like that. It's going to have a wrapper on it. It's a password manager chocolate bar or something like that, and I have a little message. It says, "Download me. Go here. Fun from your team," so on and so forth. And you say, "Okay, I'm going to-

Omar Khawaja: And, Drew, what you just described is a marketing campaign, and you're talking like a marketeer, which, I think, is exactly what we need to do when it comes to human risk management.

Drew Rose: Yep. And so, we start small. We start with a test. I'm going to send it to 100 people. It's going to cost me $200, $300 to get the chocolate bars, maybe five hours of time to wrap them, to ship them out. If I want 20 of them, I want 20% to sign up for password managers, that's effective. You send it out. You measure results. If you got 20%, now you can go to Omar and say, "Omar, I want to send 5,000 chocolate bars out because I'm going to increase password management adoption by 20%." I think Omar's way more willing to open up his checkbook and find a line item for you in his budget than saying, "Hey, this is an idea that I think people are going to like."

Omar Khawaja: Yeah, and throw in a little bit of targeted messaging and targeting and segmenting your market. So, if you send it to 1,000 people in 300 departments, now there isn't going to be as much of a peer effect. But if you look at all the people in your organization and say, "These three departments have the lowest proliferation of password managers. I'm going to target these three departments," and instead of just sending it, sending the message to them from Omar, I'm going to go to the VP of that area and say, "Hey, do you want to be a sponsor here? We're going to send your team chocolate, so they're going to be happy." And the VP's likely going to say, "Yes, you're going to do all the work, and you just want me to sign my name and get credit for sending my team chocolate?" Yep. That's all we want.

Okay, now the VP's engaged. You've got his sponsorship. Now, you've got other people saying, "I got my chocolate. Did you get your chocolate?" Now, you're starting to really make your driving change.

Drew Rose: That's awesome. All right, well, we're running out of time. We do have at least one question, and I want to open up the floor to anybody else that might have a question. Feel free to drop it in the chat, or put it in the question and answer form. This question is from James. Any tips on ways to drive home the point on why employees should care about cyber risks? For example, when speaking to the importance of passwords, we recently made it relevant internally by letting people know that last year's gas shortage on the East Coast was caused by a compromised password at Colonial Pipeline. Is that enough?

Omar Khawaja: I think that's a really good example. This is where the art part of marketing comes in in human risk management. You have to figure out what drives your audience. So, in our case, Highmark Health is a very mission-driven organization. Our mission is to create remarkable health experiences, freeing people to be their best. And so, if we can connect it to how what we do is going to positively impact the mission, or if we don't do it is somehow going to erode our ability to deliver on that mission, that seems to resonate with a lot of people in the organization.

If there's some parts of the organization that are more driven by growing the organization, then we may talk about how this will impact their reputation and impede their ability to grow and bring in more customers. If there's another part of the organization that is very, very customer-centric, and they really want their customers to love them, then you can say, "How would your customers feel if dot, dot, dot."

And so, I'd say spend a little bit of time with that part of the business, or tune in to one of their all-hands meetings, or read their strategy document. At some point, they're defining what's important to them, and hone in on some part of the message that's important to them, and make it about that. So, for instance, on the insurance side of our organization, we're very big on reputation within our markets and within the country. And so, that really matters. However, when I go to the hospital side, they kind of care about their reputation, but not a whole lot because most people go to the hospital that's close by. They don't really pay attention to whether their reputation is good or bad.

But it turns out, at the hospitals, what they really care about is their ability to deliver care to the patient. So, every message at the hospitals is about impacting or not impacting the ability to deliver care to the patients. But on the insurance side, we'll make it more about reputation. Some cultures are a lot about integrity and just doing the right thing. If you've got core behaviors or guiding principles in your organization, you can tie it to them. Use that. If you've got numbers and data and maybe a story or two like the Colonial Pipeline example, make it about that.

Maybe the last thing I'll say is I think it was Aristotle that says there's three ways of persuasion. There's ethos, there's pathos, and there's logos. Ethos says do this because it's coming from me. I don't think that works very well in most cases unless you happen to be the Pope. Logos is all about driving on logic. So, anytime you're using numbers and data, that logos works. And then pathos is about stories and tugging at people's emotions. I find that combination of ethos and pathos is a very, very strong combination.

Drew Rose: Yeah, that's a great, great answer. And there's some great comments in the chat. Got a couple more questions, and then we'll jump out. So, I have a tail for you.

Omar Khawaja: Okay.

Drew Rose: Tail, you get it, like a whale's tail?

Omar Khawaja: A whale's tail. Very nice, nice.

Drew Rose: I was trying. I was trying. Look, I got all the whales.

Omar Khawaja: Nice. I was thinking T-A-L-E. I just misspelled it in my head.

Drew Rose: Same. So, Anna asked, "Is it better to start with end users or take a top-down approach improving culture?" I think you have to do both. I had a competition once where I asked all of the employee base to craft a phishing email that they wanted to target one of the senior leaders. I got approval from my team to allow me to do this, and so I was going to send a fake simulated phishing email that they crafted to one of the senior leaders. One of the people, she ended up picking somebody that had already gotten picked. And I challenged them, "Why don't you craft a phish for the CEO?" And she was like, "Yes, I'm going to do that. This is great."

Now, this is kind of a burn on my part, but I'm fine throwing myself under the bus. So, she crafted this great email. I worked for a student housing development firm. She crafted this great email that was about a new deal, and he wanted the CEO to contact him and click on this link, and so on and so forth. I didn't do my background, so don't make my mistake. She actually used a real competitor and that person's real name and email, so it came from the CEO of a competitor. And instead of clicking on the link, the CEO forwarded it to his chief investment officer, who immediately got on the phone with the competitor.

So, number one, I thought I was about to lose my job. I was like, "Oh, my gosh, this is all blown up." But I think the culture of the company really came out and actually helped my case tremendously when he would show up in company-wide meetings, talking about this experience and how even he was duped by the email with all the red flags that were there and that it's something that everybody ... She went, "Yeah, he was such a tremendous sport about it." I kept my job, and that kind of sent waves down to the team of like, "Oh, man, even the senior execs are falling for these types of things. That's a big deal."

And so, that was a way of tackling both the people at the bottom kind of wider and the people at the top because everyone at the top talks. And so, as they're getting impacted and influenced by different types of cybersecurity experiences in their lives, whether at home or at work, they're talking to each other, and then it's coming back down.

Let's answer one more question. Not that one. Okay, this is a very tactical question from Tyler. What do you see to be the minimum full-time employee time to drive culture change of an org that has 5,000-plus associates across the globe?

Omar Khawaja: You know my answer is going to start with it depends. I think everyone knows that. I'd say it could be as little as a half a person. It could be as many as maybe two people, and what it depends on is where you are versus where you need to be. It's kind of like saying how much should a kitchen renovation cost? Well, it depends. How bad is your kitchen, and how much better do you want it to be? So, you could do a kitchen reno for 1,000 bucks, and you could do a kitchen reno for 100,000 bucks. So, that's what it would depend on.

But here's what I would say. And this is the guidance I give my team is, don't create content because the content you need to create is already out there. It's already been created. And even if you end up with three people doing this, the quality of the content you're going to create is not going to match the quality of the content that an organization whose mission is to do this, their quality of content is going to be way better all day long. So, I'd say don't build the content yourself. Go get the content from somewhere else. The quality will be better, and it'll end up costing you way less. And they'll keep it up to date, and you're not going to have to worry about the person that used to do it left, and now, you're not sure what to do.

Rely on an organization to go do that work for you. I'd say focus on the things that you really have to do yourselves. As Drew was talking about, build those business relationships, understand what the leaders need, build those bridges, those connections, put things into the context of the organization, but don't go out there and build a campaign for how to reduce phishing or how to do a phishing test. Go buy that off the shelf. And the benefit of that is also that it de-risks it, so there's less of a chance you're going to make a mistake because you're working with an organization that does this professionally and does this for hundreds of other clients. So, I'd say anywhere from half an employee to maybe up to two or three employees.

Drew Rose: Yeah, that's very helpful. And that's a great question also for our community page because you'll get answers from hundreds of members and their experience at their company. This is my last question. This comes from one of my favorite people, Kitty Barra. We go way back. Any suggestions on how to get leadership buy-in for more fun and engaging awareness?

Omar Khawaja: Yeah, for a few years, we hosted Security Feud, and I think we actually got the content from Living Security for that because the content was awesome. There's no way. It would've taken us six months to put the game and the content together, so we got the content from Living Security, and then I just reached out, and my team reached out to some of the leaders that we thought would be really good to play the game. And the key is, keep the security people off the stage.

So, I could have hosted. I didn't host. There's a senior vice president that I thought would be an awesome host. We had them host. The next year, we had an executive vice president host, and we'll bring in leaders from across the enterprise to play the game. And it's a lot of fun. During Cybersecurity Awareness Month and, for that matter, for other activities, it used to be that I'd get up on stage. I enjoy speaking, as you guys can tell, and I would deliver messages. And then, I realized after a while, Omar was delivering messages about the importance of security, hmm. Yeah, what else is he going to talk about? Of course, he's going to say security's important.

When I self-assess that, I was like, "I need to deliver as few messages as possible. But when the chief operating officer, or the chief legal officer, or the chief financial officer, or the head of diversity and inclusion, or someone else is out there talking about security, not only am I getting them up the commitment curve on security, but their teams are listening and saying, 'My boss's boss cares about this. This just isn't someone else that cares about this.'"

One year, I was like, "Who do I want to kick off Cybersecurity Awareness Month?" And I was very nervous because I didn't think anyone else would do it justice because no one else has been thinking about cyber for 20 years. And I was like, "Who could possibly do this better than me?" I'm like, "No one, so I'm going to do it." And I was like, "Nope." I just set a target. I said, "I'm not going to do it. I need to find someone that's going to be better than me." And I said, "Who is the best person in our entire enterprise at telling stories?"

Typically, in most organizations, that person has the title of CMO, the chief marketing officer. So, I went to our chief marketing officer, and I asked her if she would. I asked Cindy if she would be willing to do it. And I talked to her about it, and I said, "Cindy, you can bring all the creativity to this that you want. I will support you. My team will support you. We want this to be done the Cindy way." And she made up games, and she got the senior leaders together. We even brought the CEO in, and she hosted it, and it was awesome. And I just sat in the first row and enjoyed the show.

Drew Rose: That's awesome, Omar. That's great. Again, it becomes leaders understanding risk is on them, and everybody's seeing that happen in real-time. That's awesome. Omar, thank you so much for joining me today. This is always such a pleasant conversation.

Omar Khawaja: My pleasure. This was a lot of fun. I enjoyed this, and I feel like I'm going to be thinking about whales at least until the weekend.

Drew Rose: Yes, for sure. Thank you, everybody else, for joining. Again, this will be sent out tomorrow. If you don't know Living Security personally, feel free to reach out. We are spearheading human risk management, bringing data solutions into this area of human risk that we've been focused on for the last five years. We'd love to have a conversation with you on what human risk management is to us and how we help organizations execute it with different types of content, applications, material, integrations, and data. We want you to be the superhero. We want to be your superpower, and we're here to partner with you for life.

Thank you, everybody. I hope you all have a wonderful afternoon and evening, and look forward to seeing you on the next one. Take it easy.
