Security awareness and training programs are common across most enterprise organizations and many mid-sized and smaller companies. These programs aim to address the ‘human element’ that is so often at the center of the most public cyber attacks and data breaches. Security awareness usually consists of an annual training module employees must complete, occasional activities like phishing tests throughout the year, and of course some kind of special event in October, otherwise known as Cybersecurity Awareness Month.
Companies spend a considerable amount on security awareness. Some estimates say that the cybersecurity awareness training market will reach $10 billion annually by 2027. The question remains: are these programs effective?
This question was the topic of discussion for our first Security Leaders Debate webinar on March 14. The debate featured JupiterOne CISO Sounil Yu arguing the case for cybersecurity awareness programs, while the opposing view was argued by Juliet Okafor, Attorney, CEO and Founder of RevolutionCyber.
With analogies about school levels and ‘patching human behavior,’ the debate had some compelling arguments on both sides. Let’s take a look at some of the highlights.
Making the case for cybersecurity awareness
“Education and training and awareness is something that inherently works.”
With this opening statement, Sounil set the stage for his argument in favor of cybersecurity awareness programs. Reading into his comment a little, education is foundational and necessary for progress in general. Given that humans are a necessary part of business operations, and therefore also part of your organization’s attack surface, it follows that they must be educated on safer behavior to protect the company.
This is where the patching analogy came up.
“One of the things we do with our devices is we configure them to make sure that they’re configured properly and then we may scan them afterwards to see if there’s any vulnerabilities, and if there’s any vulnerabilities, we patch them,” Sounil said.
Relating the analogy to employees, he continued, “The configuration is usually orientation for the employee when they first come in…then we conduct a series of tests, and those tests could look like phishing simulations. And if we find that a person is susceptible to an exploit, i.e. ‘they’re vulnerable,’ then we patch them through security awareness training.”
The analogy helps visualize where cybersecurity awareness training fits into the overall employee security posture, but it also provided an opening for the counter-argument.
People can’t be patched
“That’s the biggest problem, is that people can’t be patched. People are not devices.”
Juliet’s response, while a bit tongue-in-cheek in reply to Sounil’s patching analogy, does address one of the biggest problems with many security awareness approaches: many companies apply a simple, direct fix to a problem that is far more complex in nature.
“Fundamentally, because security teams are leading this part of things, there is this idea that we can treat people like technology, and we can’t,” Juliet said. “And part of the reason why we haven’t solved for the problem is it is a complicated, multifaceted, cross-functional problem that we’re trying to solve.”
Cybersecurity is an ongoing need and concern, yet the users of technology often have many other pressing concerns. Project deadlines, quotas, meetings, and other immediate pressures often relegate cybersecurity concerns to the background for everyday users. This can lead to risky behaviors, shortcuts, and forgetting the lessons learned from annual training modules.
This leads to an inevitable question: what can organizations do to address the problem? Both Sounil and Juliet came back to the same theme: execution and design.
It can’t just be once a year
For many companies, cybersecurity awareness is a ‘checkbox’ exercise that’s performed out of necessity. This led to Juliet’s very apt comparison to Breast Cancer Awareness Month.
“With breast cancer awareness, there is a consistent beating of the drum throughout the year. It is pharma, doctors, hospitals, government researchers, alongside patients all working together for a common goal. Security awareness inside organizations, on average, one person is tied to that, and in smaller companies, it’s a half person role with a platform…delivering very boring training in my estimation.”
She continued, “It’s actually done without collaboration, and the fact that it doesn’t tie to direct threats means that security awareness will continue to fail.”
Sounil, despite arguing for these programs, seemed to agree with Juliet on this point. “We don’t calibrate it at the right level. I think we actually have a real ability to ensure that the training we provide matches the current level of skill…that’s another level of calibration we need to think through and make sure the training we provide is both at the right level of skill as well as the level of threat for that individual.”
Over the course of the debate, Sounil likened this matching of skill and threat to grade-level lessons. In summary, he used the example of putting a college student in a fifth-grade class and, conversely, a fifth-grade student in a college class. In both cases, the subject matter is mismatched to the audience, leading to unsatisfactory outcomes and wasted effort. The lesson, then, is that cybersecurity awareness efforts need to be calibrated to the level of the users and the threats they face, while also addressing the frequency and delivery of those messages.
Was the audience swayed?
As an Oxford-style debate, the conversation between Juliet and Sounil was meant to sway audience opinion to one side or the other. The webinar audience was polled to start the session, and then again at the debate's conclusion.
So who won? For that answer, along with the in-depth conversation and excellent questions from the audience, watch for yourself, and look for more Security Leaders Debate webinars in the future!