In this episode, special guest, serial entrepreneur, and writer Gabriel Friedla joins us to talk about Security Awareness and Training. After all, as this episode is released, we are right in the middle of Cybersecurity Awareness Month.
The discussion covers the importance of training, the different types of training available, how to communicate properly with others, and how to apply marketing methods to get people interested in learning more about security in the workplace.
We cover both marketing- and policy-based training, as well as how small and medium-sized businesses work and how you can work with them. End users are the biggest threat to an organization’s security, so it is important to create training that addresses phishing, compliance requirements, and poor security practices or behavior. Your technical staff also needs the proper skills-based training to perform their roles.
Kip Boyle:
Hi, this is Your Cyber Path. We’re the podcast that helps you get your dream cybersecurity job. I’m Kip Boyle. I’m here with Wes Shriner. We’ve got a guest today. I’ll tell you who that is in a moment, but we’re experienced hiring managers of cybersecurity professionals. And this episode is available as an audio-only recording in your favorite podcast app, but it’s also available as a video on our YouTube channel. So just go to YouTube and search for Your Cyber Path podcast, and then you can see all the visuals that we are offering you.
So this is the next episode in a series that’s designed to tell you all about the way a cybersecurity organization is typically put together. And the idea is to help you find your dream cybersecurity job. So today we’re going to talk about security awareness and training. That’s actually a service that a cybersecurity organization is going to offer. And in the service catalog that we’re using, it’s number 26. You’ll see that in a few moments. You’ll see it on the placemat slide that we’re going to share with you. And as I mentioned, we do have a guest today, and Wes, would you please introduce Gabriel?
Wes Shriner:
Oh, I’m glad to. Gabriel is joining us from … if you’ll jump slides here. Gabriel’s joining us from Massachusetts where he is a serial entrepreneur. He has founded several cybersecurity and IT corporation companies, and currently he’s working on Wizer Security. He’s committed this part of his life to security awareness and training as a hobby, as a business, as a passion. And so I’m really, really excited to have him here with us today. He also wrote the book, Insider Threat Program, Your 90-Day Plan. So Gabriel, tell us a little bit about you.
Gabriel Friedla:
So yeah, thank you very much, first of all, for inviting me. So originally I’m from Israel. That’s where I started my cybersecurity career. I’ve been an entrepreneur most of my life, I would say, since the age of 21, 22, except for about a year that I had to pay the debt of my first business that didn’t go well, about two years actually, so I had to pay that off. And then I went back again to building businesses. So the one that is relevant for this conversation, the two that are relevant, are Wizer and ObserveIT. ObserveIT I started about 14 years ago. So prior to ObserveIT, I was also a consultant, more actually in the IT space than security. And I was troubleshooting servers and issues that my customers had. I had a small consultancy company and one of the things that I used to ask them when they came in was, “Okay, who was the last one to touch that server and what did they do?”
And believe me, that’s such a simple question and that’s still today such a hard question to answer. So the idea back then was, and also I knew how to develop very well. I was a good developer. So at that point I said, “Okay, let’s just put a camera, a software, an agent on servers, and whenever somebody logs in it starts to take screen snapshots. So next time, if somebody’s asking me what happened, we just go pull the screenshots and see who checked what box.” That went really well. I started actually selling this as a product, but very quickly customers told me that they needed more for security and compliance than for troubleshooting because they had a lot of partners, remote vendors, connecting to their servers and they wanted to know what to do.
And especially there was this blame game. There were compliance requirements that required you to have an audit trail of exactly what happened. So the company shifted very quickly from an IT company to a security and compliance company. So when we were just doing troubleshooting, it was enough to just look at the videos and see who clicked what, but when it became security, we added analytics and we started to actually understand what people are doing so we can create alerts and then use the behavior. And we became this biggest insider threat company, which eventually we sold about a year and a half ago to Proofpoint.
We had a lot of customers prior to the sale. It became a really big company before it was acquired. So from a point where I was dealing with understanding human behavior inside the organization and figuring out and seeing what people are capable of doing … by the way, most of the time not maliciously, but still they were putting the business at risk. It doesn’t matter the intent. They were trying to be productive, but by doing so, they were just breaking things and overriding policies. So from preventing and monitoring, for me, it was natural to be like, “Okay, we need to educate you.” The biggest problem is education because it’s honest mistakes. Honestly every time we looked at something, yes, there were some bad actors, but I would say 90% of the time, it was just honest mistakes. And there’s this culture, right, of get the job done. Right? That’s the culture in the organization, get it done now.
So your concern, that’s the culture. So you want to make it happen no matter … don’t want to come with excuses, but that culture conflicts with the culture of do it right. And in most cases they didn’t have an open door. So what do I do? Who do I call? They don’t know. And it ends up being a problem where people just override, bypass the security controls just to get the job done. And then they explain their logic and it doesn’t help, right, after the fact.
Kip Boyle:
Yeah. I’ve seen statistics that suggest that up to 80% of all security incidents are a result of an insider either being manipulated into doing something they shouldn’t do, or they made an error, right. An error could just be a misjudgment or it could be they cut a corner. So culture, it’s really interesting. I’ve noticed that culture is such a massively important aspect of how secure an organization is, but cybersecurity people in general … in general, right, don’t want to have anything to do with culture. It’s messy. It’s really messy.
Gabriel Friedla:
You know, there is a saying that culture eats strategy for breakfast. And I believe that because when people care and we can talk, I can do a whole presentation about culture, but it’s such an important, I would say it’s a foundation of security.
Kip Boyle:
It is.
Gabriel Friedla:
Culture.
Kip Boyle:
I absolutely believe that without any doubt whatsoever. And in my consulting work, I really emphasize that by actually including top influencers in a company as part of our assessment process, because we want to know what they’re thinking. And then subtly, we’re also actually training them about what good cyber risk management actually looks like. So I’m totally on board.
Gabriel Friedla:
But it’s hard, right? The thing is you learn, and we’re going to talk about it as well. People think about cybersecurity as technical. So we get all those certifications and we become this technical person, and now somebody tells me to do culture and I’m like, “Yeah, yeah,” but we have to close and patch the service, which is also important, but culture is just underserved.
Kip Boyle:
It is.
Gabriel Friedla:
There’s so much to do there and I think this is a big part of the roles in the future in cyber. That’s what’s probably needed the most because I think all the technology solutions to some degree, they even create a false sense of security, I would say, because it’s sort of like that get-rich-quick scheme where I’ll buy something, I’ll put it in and it will fix my problems, but it doesn’t happen like that in life in almost anything.
Kip Boyle:
So you’re telling me the Office Depot commercial with the easy button, you’re saying that was not true?
Gabriel Friedla:
You know, 100% privacy, 100% security, all the VPNs, and the average person buys that. They buy the VPN and then they feel comfortable that they’re not tracked. But have you heard about cookies? Forget about the VPN. Those that connect to free VPNs that are owned by criminals sometimes. That’s even worse.
Kip Boyle:
Yeah. I’ve got a whole rant on that.
Wes Shriner:
We’re having too much fun too early in the slide deck. So we’re going to get a chance to dive in a little further into some of this in a few slides.
Kip Boyle:
Okay, man. Want me to go?
Wes Shriner:
I do want to call out here at the bottom the WizerTraining.com and specifically related to that, there’s a security awareness and training program. It is six chapters long. The chapters are light, easy reading, and they will get you started in building your first security awareness and training program. If I were a young professional looking at one place I might consider going directly into a security organization, this might be the direction I might go in. And if I were going into an interview for anything security awareness and training related, and I hadn’t read the Wizer training manual, I would be unprepared. I say that because this is the definition for what success looks like in this space.
Kip Boyle:
And let me say Gabe is not a sponsor of this episode. Okay?
Wes Shriner:
Not at all.
Kip Boyle:
No, but we love what he’s doing so we want to make sure that we’re showing him how much we appreciate him.
Gabriel Friedla:
Thank you.
Wes Shriner:
So I’m going to tell you a story from the farm here, Kip, because it’s farm time, and farm time today is coming to you from Cancun, Mexico, Cancun, Mexico. Yes. There’s no farm in this picture. Today I am coming to you from the other side of the continent, right, from Seattle. We are here with my wife. We are here celebrating our 25-year wedding anniversary. And I know we talk a lot about the importance of work and we talk a lot about how valuable it is to be successful at what we do. I’m going to tell you there’s nothing more successful than being married to the love of your life for a long, long time and having her love you too. So let me just say today’s story from the farm is an anniversary trip from the shores of Cancun.
Kip Boyle:
That’s fantastic. Congratulations on your wedding anniversary.
Gabriel Friedla:
That’s amazing.
Wes Shriner:
Thank you. It’s a lot of fun, and I appreciate you timing this episode to allow us to continue the vacation and get it recorded. So this is fun.
Kip Boyle:
Well, listen, I just wanted to make sure. And I said this to you many, many times. I do not want to get into Mrs. Shriner’s … I don’t want to be on her crap list because I make Wes take valuable relationship building time to make a podcast. So anyway, I did my part.
Wes Shriner:
And let me turn that around and say she knows I’m here because I love it. And she knows I’m here because this is part of the fuel that burns my fire. So she was really supportive of taking the time to catch an episode here.
Kip Boyle:
That’s great.
Wes Shriner:
Let’s jump in and see what we got today.
Kip Boyle:
Okay, here we go.
Wes Shriner:
All right. So a reminder, this is the placemat of the security organization. There are 23 services of a common security service catalog. It breaks down into four parts of the organization. We’re focusing in today on the governance risk and compliance place on the left, Kip, and then you dive in deeper into the security and awareness and training service. That is number 26 there. Let’s go ahead and jump into security awareness and training. We’re going to be looking at four parts to this service today.
We’re going to look at Cybersecurity Awareness Month. That’s October. We’re going to look at the required trainings. We’re going to look at behavioral training. We’ll look at skills training. And we might catch a couple of fun posters along the way as well because there’s a lot of opportunity to push good posters out in Cybersecurity Awareness Month. I think one of my favorite catchphrases is passwords are like bubblegum. You wouldn’t use anyone else’s or something like that. Right? You wouldn’t share it with a friend. So passwords are like bubble gum. Don’t share it with a friend. All right. Let’s jump in and see what we’ve got for Cybersecurity Awareness Month.
Kip Boyle:
Yeah. Look at all that propaganda. Oh yeah.
Wes Shriner:
This is a busy slide. I’m not going to lie. I did catch a couple different resources along the way. You’ll see links there if I pulled them from the web so that you can go look them up on your own if you want to. One of the things I liked about this diagram on the left is it takes the month of October and breaks it down into, what is that, five specific areas that we want to emphasize and train on. And then one specific training point each day. I also call out the posters across the top, Think Before You Click. All of these are clever, they’re relevant and they’re done. The most effective trainings are memorable and they’re fast, right? If I can’t consume it quickly, I didn’t catch it. What would you guys add to this? How would you make that better?
Kip Boyle:
Well, I just love the poster with it all broken out by each day, because if you have this poster, you can create an email sequence that can go out to your entire workforce, one per day throughout the entire month. How effective is that? Marketing, branding, that’s what this really is. You want your message to stay front of mind and I just think that’d be a great way to do it. What do you think, Gabe?
Gabriel Friedla:
I think, yeah. I think we need to think like marketers and we have to understand that this is messaging and it has to resonate. How does it resonate with a person? So always involve the marketing department and that’s again those crossover skills that if somebody came from marketing and they can bring that ability to deliver a message that resonates with the employees like these ones, that’s great. So it’s not about just what you say, it’s about does it click?
Kip Boyle:
Yeah. And that’s what I did too when I became a CISO and I had to figure out what I was going to do for training and so forth, and we were always changing stuff. So I always had to let people know, “Hey, we’re going to change your work experience because we’re adding an additional log on,” or something like that. And I made the typical tech guy mistake where I sent one email, one very well-written email, send, okay, done, I’ve communicated. Right? No. So I went over to our marketing department and I just kind of humbled myself. And I said, “Please teach me how to communicate.” And they shared this entire toolbox with me and showed me how to do it and mentored me and walked me through it. I’m so much better for having done that. So Gabe, I’m so glad you mentioned that.
Gabriel Friedla:
Look, it’s a multi-touch process. Like in marketing, we say you have to touch a person about five to seven times in order for them to remember you, even before listening to you. So they want to see you in different places. So again, we need to use those marketing methods because it’s our job not just to communicate, but to market it to the organization. We have to put on our marketing hat and understand that we have buyers and they don’t have to buy our shit. It’s up to them whether they want to listen or not. We have to do a good job. And again, and again, talk to them and do things and activities.
Kip Boyle:
Right. And my marketing hat was made out of a day-old newspaper, right. I didn’t know what the heck I was doing. So if you’re in the audience and you’re thinking, “Hey, I got into cybersecurity because I like computers and stuff. And if I wanted to do marketing, I just would’ve gone into marketing.” I understand that. I totally get it. But at the same time, we’re telling you the truth, okay, this is marketing. This is marketing.
Wes Shriner:
We need each other. We need each other, and this is how we work together. And so if you’re looking for the technical job, this is not that one. But if you have not spent a lot of time in the DOS prompt, then this might be the kind of security job that might be a great place to get started.
Kip Boyle:
And you’re going to learn a lot along the way. Then if you want to hop over to a technical job, you just may well be able to do that.
Gabriel Friedla:
And by the way, there’s no one bad-ass job versus the other, right. It’s a teamwork. It’s not like a red team is better than something else because sometimes people want to be that … they want to go to the red team. It doesn’t necessarily mean that it’s … nothing is better than the other. It’s a team effort.
Kip Boyle:
Well, the red team thinks they’re better than us. That’s the problem.
Wes Shriner:
Nah, nah, they’re good guys. They’re good folks, right? You have to leave the door closed. You slide the pizza under. You hope they come back out next week sometime-
Kip Boyle:
And never, never, never let them talk to customers.
Wes Shriner:
That’s red team life.
Gabriel Friedla:
Guys playing defense is harder. Playing defense is harder. Try to play defense and see if you can stop those people coming in. Let’s switch for a second. That’s way harder.
Wes Shriner:
Right. It is because the red team has to be right once and the blue team has to be right all the time. Let’s jump ahead and see what we’ve got.
Kip Boyle:
Here goes.
Wes Shriner:
I think the next one here is this policy-based training, right? This is that initial training everyone takes every time they join a new company. This is that same training that is repeated annually throughout the lifetime of your career at any company. And it’s delivered usually through the learning management system or LMS. This training is usually based on the acceptable use policy, the data classification handling standard. And sometimes actually always, I think, it ends in a signature or e-signature acceptance. I acknowledge that I promise to be a boy scout in all these ways, right? And that is really almost a CYA for your organization to ensure that you have accepted and read and consumed those policies so you can be held accountable to them. Right?
Often these are company-centric trainings. So they’re usually done by recognizable voices inside the company, right? It might have an introduction from your CIO and it might be narrated by your CISO. There are rarely changes from year to year. There are very few changes and those changes are going to be managed incrementally, right. And they might even be lumped into a two or three year cycle so that you’re not updating this annually. Right. And then lastly, it might be paired with your privacy annual training. So you may get both of those at the same time. We call this policy-based training, because it is based on those policies. And it’s really about the organizational protection. What else would you add to this?
Kip Boyle:
Gabe, what do you got?
Gabriel Friedla:
A lot, but okay.
Kip Boyle:
Moderate yourself, we only have an hour. [crosstalk].
Gabriel Friedla:
It’s about the goal. It’s about what’s your goal, right? If your goal is to check a box, and it is a goal, sometimes without checking a box, you won’t land a deal because you have to train your employees. So there’s different reasons, privacy, GDPR, and all of that. So we have to distinguish between compliance and security and actually wanting to change something. Okay? So it’s just two different worlds. If it’s compliance and you just want to check a box, which is unfortunately what most, I wouldn’t say most, but a lot of companies are still at, and smaller ones as well. They just need something fast and quick. Then sometimes they don’t really care too much. They just want to cover the topics and like you said, every year it’s the same thing.
People zoom out from this, click play, go drink water, come back. So basically nothing is really happening beside that box being checked. But if you want to do an act, if you want to bundle this with actual value and educate people, then it requires way, way more than that. Maybe that’s the next slide we’re going to hear about.
Wes Shriner:
It does. It can be paired with behavioral training and I think we can do that here in the next slide.
Kip Boyle:
But before I advance to the next slide, I want to say that a lot of small, medium sized businesses don’t have an LMS. They don’t have any infrastructure to do this. So that’s an inhibitor for them, right? I work with them all the time on this and I wish that there was an automated solution that was at a cost that they would think is good in terms of getting that acceptable use policy every year.
Gabriel Friedla:
Oh, that’s us.
Kip Boyle:
Yeah?
Gabriel Friedla:
We have a free LMS.
Kip Boyle:
Well, what I was going to say is all my SMB customers who need training, I enroll them in Wizer training.
Gabriel Friedla:
Oh, thank you.
Kip Boyle:
Yep. I do, I do.
Wes Shriner:
Look at that.
Kip Boyle:
But there’s other parts here that are still missing. Anyway, I just want to acknowledge that for SMB organizations, some of this stuff is a little awkward because you just don’t have the scale of a large enterprise, that’s all.
Wes Shriner:
SMB organizations, that’s small to medium business. Is that right, Kip?
Kip Boyle:
Yes, that’s right. Yep.
Wes Shriner:
That has nothing to do with joining a drive of any kind? All right.
Kip Boyle:
Standby.
Gabriel Friedla:
Well, I want to touch the SMB for a second because SMB serve large organizations. And what happens with compliance, going back to this compliance, just to explain to the audience how it would work sometimes, actually a lot of times. So the big company’s saying, “I’m going to work with you, small company, but I have to do my risk assessment. So we want to know that at the minimum your employees are trained.” So the small company is like, “But I want to close the deal now. We have almost a PO, but we have to answer this questionnaire.” So what they do is they just go and look for the cheapest, easiest solution to check the box.
Everybody has to like sign off and then they get the deal. But we haven’t actually eliminated or even reduced the risk because the big companies eventually are being sometimes attacked through those small companies. So if I’m an attacker, I go to the small company and this is the easier way in because they are not trained. Maybe the big company did training and they’re resilient, but the small company just checked the box. They are now this gateway and this big company trusts the small company. So it’s all about trust. So this is how we just get in. And that happens on a daily basis where attackers get into the bigger organizations through the smaller one. So again, it’s a pity that the compliance is usually a result of an intent, but we’re not actually delivering on the promise.
Kip Boyle:
I work with SMBs all the time. And I encounter that entire situation that you’re describing. Yep. What about behavior training, if you’re ready?
Wes Shriner:
I think that’s the answer, right? Is once we get past the compliance-based training and move into behavioral training, we start looking at how can we actually change behaviors inside our organization? These trainings may be educational, or they may be live practice. They may be job specific. They may be e-learning. If the policy-based training is delivered to every staff everywhere, the behavioral training is targeted towards sometimes specific groups of staff and sometimes the whole staff organization. It’s going to create and teach behaviors that we want to see become part of our culture. We heard culture trumps strategy. Well, I think that’s going to be true here, right? We’re designing culture when we’re designing behavioral-based training. And some of the examples of behavioral-based training might be some password complexity training, or how do we handle our two-factor authentication?
Where do we hide the post-it notes with our passwords? And if your dog passes away, what’s your new password going to be? Right? Sorry. That was supposed to be funny. It’s kind of sad. Now I feel like a bad guy. We lost two of our 17 listeners because the dog thoughts there, and now all right. Sometimes we’re going to do anti-phishing in this behavioral-based training, and that’s the one I want to highlight in greater detail today. This phishing training is often done as a live test done in your inbox that may be scheduled, maybe not, maybe informed, maybe not, where maybe once a month or maybe once a quarter, a percentage or all of your staff get an email requesting you to click on the link and enter your credentials.
And for those who click on the link and enter their credentials, that’s the group of people that didn’t pass the test this time. Right?
Kip Boyle:
Busted. Busted.
Wes Shriner:
Well, let’s think about that busted, right? Is it busted because Bob clicked on the link or is it busted because we as an organization aren’t talking about phishing and talking about the phishing threat and we haven’t built it into our culture that we have a plan for how we’re going to avoid it. Right.
Kip Boyle:
I can tell you the word on the floor is busted.
Wes Shriner:
It is, it is.
Kip Boyle:
It’s a competition, right? Most employees see this as a friendly competition, right? Who’s going to get caught in the phishing net.
Wes Shriner:
And the live practice is a great way to teach, but it can cost relationships if it’s done poorly.
Kip Boyle:
That’s absolutely correct. Absolutely correct. It’s funny, I hear people arguing both sides of this, right? The security purists, for example, who are saying, “You could never tell people that you’re going to test them because then it’s going to bias the results or it’s going to spoil the whole exercise and so on and so forth.” And these are people that are trying to catch people doing stuff wrong. All I can tell you is that you’re never going to be able to build working relationships that way.
Gabriel Friedla:
It goes back to culture. Guys, if done wrong, it can hurt culture and it can have the negative effect. You want as a security team to have an open door for people. People need to feel comfortable to come to you. If you’re going to try every day to not only trick people, but also punish them, then people won’t come to you. Right?
Kip Boyle:
No.
Gabriel Friedla:
And people will be afraid. And if you do too much, by the way, people will be numb to a point that they will … even legit emails they won’t open because they will be terrified. So that’s to the extreme, but some people are like, “We’re going to trick you all the time.” And then people are going crazy and they’re just afraid. They’re delivering customer emails. Maybe it’s, I don’t know, I’m not going to open it.
Kip Boyle:
Yeah. That’s a bad scene. It can get terrible.
Gabriel Friedla:
So it’s really a question of what do you do first, phishing or training? For me, that’s again, a personal approach. You train first because otherwise you’re just wasting your time. Of course, they will click. We tell them to click, right. We send them stuff to click all day long. That’s what people in the company do, they click. We have them open the document. They send you a link. That’s our daily job.
Kip Boyle:
Yeah. Well, think about people in HR that are getting resumes emailed to them as attached emails all the time. Think about people on your accounting team that are getting legitimate invoices attached to emails all the time. Sales, salespeople are constantly getting emails with purchase orders attached to it all the time. These people, I believe, are operating in a hazardous duty zone because they have to open this stuff up. And so my challenge to cybersecurity people is what are you doing to give them extra protection?
Gabriel Friedla:
Yeah. And also think about it. So you know what? Some people are looking at percentage because 100% nobody clicks is just unrealistic. It’s wishful thinking and it’s like saying we’re going to get to a point where people never make mistakes. It’s crazy to expect zero clicks.
Kip Boyle:
There’s a whole category of insurance out there called errors and omissions insurance policies. That’s not going away anytime soon.
Gabriel Friedla:
No. It’s not. So think about it. Let’s say you have 1,000 employees and only 4% click. Okay? Not a lot, 4% click. That’s 40 open doors for a criminal. Okay? So did we solve the problem? No, we haven’t actually solved. We only reduced the risk, which risk is always a sliding scale. So A, we reduce the risk. The question is, it’s about resilience. How fast did we respond to somebody clicking on a phishing email? Did anybody else report? How many people reported? So there’s a lot of things going on when we think about phishing simulation and in my opinion it’s more about resilience to check the resilience of the organization to a phishing simulation versus the amount of clicks because 4% of people with no access almost to data, okay, versus let’s say the other way around … 4% of managers with high access that clicked versus 10% of people with low access.
What’s better? The 4% is more risky because they have a lot of access. So it’s not only about how many people clicked. It’s also who clicked.
Kip Boyle:
Yeah, which ones.
Gabriel Friedla:
That person had a lot of access. That’s bad. That’s spear phishing. That’s horrible. So there’s a lot to talk about phishing simulation. It can be a great tool if done right. Again, just like policy, sometimes it’s looked at … going back to this culture thing. Like I said, everything is built on culture. So if not done right, then you make it like those policies, but even worse because policies are just annoying if you do them for compliance, but phishing done wrong can hurt culture and even get to a point where you’re worse than you started.
Kip Boyle:
Anybody think we could do a whole episode on that? We’re not going to.
Wes Shriner:
I think it’d be great. That sounds like a lot of fun. Kip, if you don’t mind going back, I want to highlight two things, right?
Kip Boyle:
Sure.
Wes Shriner:
One is, if you do a phishing mail in February and you do catch five to 10% of your audience, how instructional, how powerful would it be to follow up with that a week after the phishing campaign with the here are the three to five things circled in the email that would give you a clue that that was a phishing mail, so that you can use it as a learning teachable moment, rather than this just a treachery trickery you missed it game? Oftentimes organizations that do phishing campaigns who don’t do this follow-up, people never know that they were in a phishing campaign because they never clicked on anything. So we don’t reward the right behavior and we aren’t training the wrong behavior.
Gabriel Friedla:
Totally. Reward the right behavior.
Wes Shriner:
Yeah. And then the other thing I want to call out is any of these small, medium business companies, right? You talked about high-risk jobs. They’re going to use SaaS providers for just about every outsourced function in the organization. And none of those are going to be domain branded domains that they’re going to be sending emails from. So we as an organization, as a security team, need to figure out how can we tag those incoming domains as friendly in some way in our exchange server so that when we present that email, it is from a known friend, or at least a known friendly domain, right? If there’s some way to do that, that might be an effective tool in our arsenal.
Gabriel Friedla:
And there are also some rules that had better not be broken. You don’t want to send phishing emails from the IRS or stuff like that, because you’re going to get in trouble. And the thing is that criminals have no problem doing it, and they actually do it all day long. So there are lines that as a company we cannot cross, first of all legally, and second, remember that some people have issues and you don’t want to damage them. You can be really nasty. Some criminals are really nasty. Something happened to your kid, extortion. There are no lines they are afraid to cross. And as companies, there are some lines where we say, “Okay, we don’t cross that line. That’s just too much.” And it’s sometimes just illegal, purely illegal.
Wes Shriner:
True. All right, let’s jump ahead to the next type of training. This is skills-based training, and we don’t have a lot to cover on this topic, so I’m going to move pretty quickly. This is specifically designed for a group inside the company that maybe needs to be trained on a specific skill. Right? How do I code securely, or maybe how do we handle our own coding libraries? Or maybe it’s as simple as we’re trying to change how the organization manages APIs, and we’re going to teach a new behavior to everyone about mutual authentication and encryption of our APIs, right? This is how we will do it as standard in the future.
You can often find these trainings available through a SANS-type organization as well. So if you’re a small or medium business, don’t be sad, there’s all sorts of skills-based training out there and available to you in the security arena as well.
Kip Boyle:
Yeah. So Udemy, for example, is a website that has a lot of training on it. Pluralsight is another, SANS training. So that used to stand for Systems Administrators and Network Security. I don’t think they’ve used that. I don’t think they’ve exploded their acronym in a million years, but that’s probably one of the best training organizations in our entire industry. There’s a much greater price tag than Udemy, but it’s great if you can go.
Wes Shriner:
I think you can get what you’re looking for from Udemy for the most part, but there are lots of other great training options out there. Once you get involved and get connected, you’re going to start to see a lot more options.
Gabriel Friedla:
Yeah. I think it’s important to make that distinction between awareness and behavior change and skill. People mix things up. So skill, usually you choose, in most cases, like Udemy. You go, you choose something and you actually want to learn, right. With awareness, in many cases, the company is forcing you to do that. It’s not your choice and everyone has to do that. So there are different challenges with those two things. One, you picked your own training. You want to develop in that thing and you learn it. And the other one, you’re forced to do that. So that’s harder, because many people don’t have the passion for it and they still have to do it anyway. So how do we overcome that? That’s a huge challenge.
Wes Shriner:
It is. Let’s see where we go from here. Oh, this one’s going to be tough. How have we trained behavioral changes in our world in the past? And I think about when I was a young boy, my brother and I would ride in the back of the Ford Club Wagon van and we would wrestle while my parents traveled down the road at 60, 70 miles an hour in that Ford Club Wagon van. And we were just wrestling because my parents had pulled the seats out and made it a big open space for us to goof off. And somewhere along the way we had learned as young people that if the car were in an accident and if it were to roll over, we didn’t want to be in that vehicle. We’d rather be ejected out the window than stay inside the vehicle.
This was the thinking of seven-year-old Wes. And it’s my understanding that was the cultural thinking at that time as well, in the early eighties. But we began to see a shift, first in the availability of seatbelts, and then the explanation of why they’re beneficial. And then we saw influencers recommend it. Then we saw a marketing campaign from our federal government. And then we saw penalties start to step in: when seatbelts weren’t in use and you were pulled over for something else, then you would get penalized for the seatbelt also. And then it became a primary offense and you could now pull someone over if the seatbelt’s hanging out the door.
So the progression of teaching seatbelt behavior is such that today seatbelt behavior is not really a conversation that happens anymore. For the most part, people are putting their seatbelts on, right? And it took a generation to get there, but we’re there, and nobody wants to be thrown from the car window when the car rolls over anymore. Now we’d rather be strapped securely to the cushiony chair as it rolls.
Kip Boyle:
And we’ve got data showing that this is a better way.
Wes Shriner:
It’s a better way. And we saw that with our 55 Saves Lives campaign that came out. I still remember the general standing with the baton against the American flag, 55 Saves Lives. And we saw more recently Oprah start the No Phone Zone, right? Be safe, don’t be distracted when you’re driving. And we’re seeing the early part of that campaign. And maybe we’re in the middle of that now, where we certainly have penalties if you’re caught distracted driving.
Kip Boyle:
Yeah. I think this is an amazingly good example, Wes, because, I mean, look what’s going on here. We’re seeing an orchestration of different approaches to sending the message and reinforcing the message. You’ve got marketing, right. You’ve got these campaigns, these memorable campaigns, to get the message out, but then you also have penalties, right? So it’s like, “Hey, we’re going to give you the carrot. But then if that doesn’t work, we’re going to give you the stick.” And all of this stuff has to come together, right? So in cybersecurity, you know you’re going to do good awareness and training, but if people are resistant to that, not just making errors, but actively not interested in cooperating, well, you’ve got to be willing to go to the human resources department and talk to them about where in the progressive disciplinary system these people enter.
Is it a first-time verbal warning? Is it a first-time written warning? Because if they catch you stealing something valuable, you’re just immediately fired. Right? So you can enter that system at any level, depending on the severity of your offense. All I’m saying is that I hope you go and have a conversation, so that when somebody deliberately doesn’t pay attention to what’s going on here, when you need them to cooperate, you have a way to enforce.
Gabriel Friedla:
Yeah. I would add to that that behavior is eventually about acquiring good habits, right? It’s more about habits, and those habits need to be in our everyday life. I look left and right when I cross the road, even if there are no cars. It’s just automatic, and it’s so hard to acquire new habits, it’s just so hard. So first of all, I’m a big advocate of starting at kids’ age, school, family. Online safety right now, I think it’s a major topic and it has to be addressed at the school level. But for our older guys, it’s very hard to change our habits. Therefore, I think companies have to choose one or two things, because it’s hard to tell them you have to change. You have to change all your habits, everything that is in this policy, a 30-page document.
We’re going to tell you to read this again and again every year or twice a month, just impossible. So choose one, two [inaudible], think before you click, and just emphasize it. Emphasize it.
Kip Boyle:
A year is not too long.
Gabriel Friedla:
Yeah, have this delivered everywhere, by the CEO when he talks in a town hall, by the managers, by having an ambassador program. Just push the most important thing to you and make that behavior change, because one thing leads to the other. Telling people we need to change totally, altogether, in one training, because we said so, is just, again, unrealistic.
Kip Boyle:
It’s not going to work.
Wes Shriner:
And with that, I love the idea of don’t dilute your message. Let’s keep it focused and stay on message. I believe we started this episode with, you’ve got to present it five to seven times in order for someone to hear it. I think we’re staying on message with that today.
Gabriel Friedla:
And culture, all of this behavior change, it’s culture. It’s about your parents. It’s about the society that you live in, where they’re embracing the seatbelt or not. If everybody’s embracing it, you’ll just put it on automatically. If nobody’s embracing it, you’ll be like, “I don’t care.”
Wes Shriner:
Okay. Let’s see where we go from here. This is a fun slide. I hope you can follow me on this one. I think this one’s going to be actually pretty helpful when we get there. We’re going to start at the 10 o’clock position on the clock, over on the top left corner there in the suppliers. This is our SIPOC: suppliers, inputs, processes, outputs, and customers. And we’re going to work our way around the clock just like the SIPOC. So in the top left, our suppliers for this are going to be our policies and standards. They’re going to be our current outstanding risks, and they’re going to be our compliance customers, right, the folks who want to know that we did check the box, right?
We’re going to take inputs for that. Those inputs could be new regulations. It could be environmental changes or policy changes. There could be new attack techniques. We can even filter in previous campaign results, because we can learn from our previous campaigns and we can get better. And of course, risk drives what we want to focus our training on. We’re going to use our training. Our processes are going to be course creation. We’re going to evaluate completion rate as well as real-world results on those courses, right? Maybe that’s the phishing testing, right? And then our outputs will be the training courses, the posters, the phishing campaigns, the October awareness event. And I think the most important outcome is the new discussions at the water cooler. I realize we’re in a COVID world where there is no water cooler anymore. So maybe it’s on the Zoom side chat, right? Let’s call it the new discussions on the Zoom side chat, right?
And if we keep going around the clock there, the customers who are receiving these are going to be our compliance partners, who require this kind of training. It’s going to be our knowledge workers, because if we’re hiring knowledge workers to come in and contribute to the organizational knowledge, then teaching those knowledge workers a way to think and a way to behave is going to be a big step in driving a secure culture in our organization. And lastly, I think the customer that’s going to benefit the most is actually our real customers. Because when we build a culture of security, our customers are going to be better protected.
Gabriel Friedla:
Yep.
Kip Boyle:
That’s very good.
Gabriel Friedla:
I love the water cooler. At the end of the day, compliance measures, like you said, it’s completion rates, but the real value from my point of view is, for example, how many employees came to you about a new project they’re working on because they care about security? How many people came to you and asked if you have anything for the family, just because they care about it and they want to train their kids? The inbound is more important. How many people are coming to you? That’s a good indication that things are changing, that people care. And that goes back to [crosstalk] culture.
Wes Shriner:
I’m going to pick up on that for just a second. I think one of the most effective behavioral training campaigns that we can do is to have a security training on how to secure my home wireless router. It has nothing to do with work.
Gabriel Friedla:
You know, we haven’t talked about it, but the biggest driver for security awareness for me is making it personal, because here is the thing. People relate to things that are personal to them, right? And the advantage we have in security awareness is that the threat actors phish a person the same way they phish companies. It’s the same threat vector. Right? So if I can show you how you can avoid getting scammed in your personal life, you change that behavior, because now you care. You don’t want your WhatsApp to be hacked, or your text messages or your phone or your AT&T or whatever that is. And you’re like, “Oh wow, this can happen,” because some people don’t realize this can happen. And then you’re like, “What can I do?” And then you teach them. They apply the same behavior. They take the same behavior that they apply at home, and they apply it at work.
So it’s just much more efficient to just show them how to be safe at home, because they will apply the same thing at work. That’s one thing. Second thing-
Kip Boyle:
Agreed.
Gabriel Friedla:
is deliver it in the same way they consume content today. Mobile, one-minute videos. That’s what we do, one-minute videos. People don’t even have an attention span of over 30 seconds. So having them sit down and watch a 45-minute video training, it’s just … even if they can, even if they [crosstalk], they will be zoning out. So deliver the content on mobile, let them flip quickly, let them watch it, flip, go back, let them control the pace, and make it relevant to them. These are crucial things to make even the policy training that we spoke about something that people will actually want to consume.
Wes Shriner:
That makes sense. I like that. That’s a very thoughtful way to do it. One other thing I want to highlight is making it personal. Gabriel, you recently posted, or I think reposted, the contract that you might have as a father with your children, or as a mother, right, father or mother. But I guess we’re all dads on this podcast. With your children, that would be, “Here’s how we’re going to behave online. This is what it means to be a citizen in the internet community. And these are the things we will and will not do.” I love that posting, and I think you’ve got it available on your site as a download.
Gabriel Friedla:
Yep. Again, maybe they won’t follow it. It cannot be enforced, but again, we’re telling our kids our expectations. We’re sending them, in this contract, there’s not only the kid part, there’s also the parent part. Right? So we made it, what does privacy mean? I will learn about it as well, so I won’t be talking about stuff that I don’t understand. So I’ll educate myself. So there are parts the parents are also signing, because it’s mutual.
Wes Shriner:
And it’s a really powerful tool because either you don’t need it now and you introduce it as a family and have the conversation, or you need it now and it’s too late.
Gabriel Friedla:
Yep.
Wes Shriner:
So that’s my wisdom on that one, I would say. Go download that one right away if you’re still listening with us, but we know 45-minute podcasts are a thing of the past. We learned that just now, too. What do we got for the next slide, Kip?
Kip Boyle:
You know, it’s mistitled. I just noticed that. Forgive us, everybody. We got ahead of ourselves.
Wes Shriner:
All 17 listeners who are still with us-
Kip Boyle:
There’s only 15. You scared away two before.
Wes Shriner:
We lost them with the dogs comment. I’m downhill.
Gabriel Friedla:
They’re all staying with us. We’re very good.
Wes Shriner:
Well, they’re just running us at double speed so they can get through it faster. This is the people of security awareness and training. And this is specifically, there are roles as maybe a training lead, or a content creator, or a phishing administrator, right? Those could be full-time roles, but more likely all three of those might be a single role. The skills that might come into this role might be content creation. It might be still content or video content, and the skills are all about how people learn and how we teach.
Gabriel Friedla:
I think people have it. Okay, sorry, go ahead, because I’m excited [crosstalk].
Wes Shriner:
Go ahead, please. Jump in.
Gabriel Friedla:
I’m saying don’t look for the role. Okay. Let’s say you work in a company in a position and you’re in marketing, or you know how to create content, or you like to drive it home, or you think you’re good at messaging. Go to the security team, because I’m telling you, they’re lacking the skills today. They’re lacking them. So go there and tell them, “I can be of help,” and make that role, because you’re not going to be competing with all the very, very technical guys for one spot. Here, you have something that is evolving, and it’s just a huge opportunity for you to put your foot in the door. And if you later want to evolve to a tech position, then pivot, but at least now you’re in security.
Wes Shriner:
Yeah. And even more so, this is probably the most underrated, most important role you can possibly have in a security organization. Think about it. What other role is going to influence the culture and the people and the families of the people who are working at your company?
Gabriel Friedla:
Yeah. This is amazing. You’re communicating with everyone. You’re going to be talking to C levels.
Wes Shriner:
That’s huge power.
Gabriel Friedla:
Yeah, this is an amazing role that I think security teams sometimes just don’t realize they need to hire for. So just go there, suggest yourself if you’re working, even in the call center or wherever you are, and you have those skills, say, “Hey, I had customer calls, they talked about this. I think I can really create awesome content.”
Wes Shriner:
You should.
Gabriel Friedla:
People in security will be like, “Wow. Yeah, can you do that?” You do it once, you do it twice, suddenly you’re there.
Kip Boyle:
Yeah. They don’t want to market. Remember we said that earlier? They don’t want to market. Go to them and tell them you’ll market for them. They’ll love you.
Gabriel Friedla:
Exactly.
Kip Boyle:
Bring pizza.
Gabriel Friedla:
Just make it. Do it yourself. I don’t know. I’m an entrepreneur. This is my line of thought always. You make it for your own. You don’t go and ask for it. You just do it. So this is just one void [crosstalk] that you can fill.
Wes Shriner:
Outstanding.
Kip Boyle:
I want to mention one more thing, which is that if you’re interested in security awareness and training, there are other jobs that you can pursue that are not baked into a larger cybersecurity organization. Look at Gabe. He is running a standalone training company. There are other standalone training companies that you could join and be able to produce great content. So you could teach in another kind of learning organization, a university, or I’m sure I could start listing off all the different places that do training, but I think you get my point.
Wes Shriner:
And the point was well made, Kip. What do we got next?
Kip Boyle:
Well, the guest gets the last word.
Gabriel Friedla:
Oh, what have been the keys to your success? Okay.
Wes Shriner:
I think we surprised him with this slide. We should probably give him a heads up or something.
Gabriel Friedla:
No, this is a great question. So look, first of all define success.
Kip Boyle:
Well, you can do that. You have the last word. What is success to you?
Gabriel Friedla:
So look, before I’m a security guy, I’m actually an entrepreneur, right? So I started very young. I’ve been optimistic and naive, which allowed me to move fast forward, because I wasn’t thinking too much all the time about what if and what if, and for me, it’s like, if somebody else can do it, why can’t I do it, right? Why not? Honestly, if I want to own a bank, why can that person own a bank and I can’t? It’s just a matter of doing it and not undervaluing yourself, especially for the young folks that still don’t have a lot of … I hope they don’t yet have a lot of mortgage or ties, and then they can get out there and really just, it’s simpler said than done, but being a little bit naïve helps. I can do that.
So here I’m giving advice on the one hand, but remember that every person has their own path. I cannot even repeat my own path. What I’m doing right now with Wizer is completely different. The path that I’m taking with Wizer is completely different from the path that I took with ObserveIT, and that’s true for everyone. So listen to people, but listen to your inner self, what makes sense, and experiment. Don’t just follow … this is certificate. I don’t have a degree, by the way, and I’m not advocating against it. I’m just saying in general, just follow your dreams. It sounds like so …
Wes Shriner:
I feel like Mary Poppins should start playing in the background.
Gabriel Friedla:
People are looking so much for the answers and for somebody to guide them, and they’re not listening to their inner self about just starting to do something. You’ll probably get it wrong, that’s fine, and you’ll improve. It’s about progress. What matters is progress.
Kip Boyle:
Well yeah, I mean, you were very transparent with us about the fact that your first entrepreneurial venture didn’t work out the way you thought it was going to.
Gabriel Friedla:
Oh, I had a few that didn’t work out, guys, not just one. I was depressed, but again, you get up, and the question is, did you learn anything from this? If you learned something from this, then you’re a winner, because you’re taking that as a stepping stone for your future. If you’re just going to cry about it, and how you weren’t accepted or how it didn’t work and why you’re a victim, then you’re a victim. You just became a victim because you defined yourself as a victim. So it’s really a point of mindset.
Wes Shriner:
I would add to that a statement that things worth doing are worth doing poorly and awkwardly, right? Because they’re still worth doing.
Gabriel Friedla:
Exactly. My entire career was zigzag. There’s no straight line. It’s a roller coaster and it was zigzagging, and I was fortunate enough, but I think part of my being fortunate is going that path, because when you’re zigzagging, you need to hit something once and then you have this base to continue and build.
Wes Shriner:
So, Gabriel, if you were talking to someone who is in school currently, dreaming of being a cybersecurity professional, what would you tell them to focus on? What would you recommend for them in their study?
Gabriel Friedla:
So, first of all, within what we spoke about today, and by the way, my kid [inaudible], yeah, maybe because of me, but he actually really, really loves it. Before that he loved music, and I always told him, do whatever you want. You don’t have to be in security, do music, whatever you want. But I guess from the things that I told him, he got excited about it, but he found his own path. He’s more into specific things in security. So learn what you like in cybersecurity and don’t make it about money. It’s not about, “Oh, this is a hot topic.” Learn, experiment before you decide to hone in on one thing, and just practice, just do a few things. Don’t rely on the certificate only.
Don’t just try to prove to people that you have a certificate. That certificate helps, but it’s not enough. So work with the community. There’s a lot of help in the community, people are willing to help. So collaborate with people, talk to them, help others. That’s an amazing tip, help others. As you learn something, find people to help, because when you start to help other people, you become better. It’s just like that. And you’re building appreciation, and people start to recommend you and talk to you, and you become the center of attention, and that’s, by the way, how leaders become leaders. They serve others and they become leaders. You don’t accept the leadership. Nobody puts the leader on you.
The more people you serve, the better leader you are. So start small, teach people, like what you guys are doing right now. You’re helping other people. You’re not asking for anything in return, and that’s how it works. So it doesn’t matter if you’re day one, you just learned something, blog about it, write about it, comment about it, ask a question, help other people, because there are always people that are learning now what you learned yesterday. You can help them. So that’s a huge one, helping others, honestly.
Wes Shriner:
So now that you know, you’ve learned it a day before they did. So now, what do you wish you knew? Or what do you know now that you wish you knew then?
Gabriel Friedla:
First of all, I’m happy. I’m going back to being naive. I’m happy that I didn’t know then what I know now, because I would not have taken that … the risks are so big, at least in my case, because I’ve been an entrepreneur most of my life. So knowing now the amount of risk I took, that probably means that I wouldn’t have done it. I would have known how hard it is. That’s why sometimes I don’t like talking to young folks and telling them. They ask for advice and I’m afraid to tell them what to do, because I’ll just shed light on all the difficulties. And sometimes I don’t like doing that. So I’m like, “Yeah, try that,” even though I know they will fail, because failing is part of the journey. So I would say again, I’m just happy that I didn’t know then what I know now, honestly.
Wes Shriner:
Outstanding.
Gabriel Friedla:
Honestly.
Wes Shriner:
Very good. So Kip, what are our key takeaways for today? I think they are that security training is often overlooked. It’s actually a life skill, and it has a huge opportunity to impact the company and the families that are supported by that company. Right? This is a great area of opportunity for non-technical people to move into a security space. Hopefully you saw as well that this awareness and training is an outcome of what we did last week in our policy, right? And once we have our policy set, we have trained our organization on that. Next week we’re going to look at strategy and architecture and see how we apply that in our technical spaces in our plans for the future. Over to you.
Kip Boyle:
Excellent. Excellent. All right. Hey, everybody, I sure hope you liked the episode today and the things that we shared with you, Wes, Gabe and myself. If you do like our podcast, definitely go back and check out previous episodes. I think you should also consider grabbing a free guide that we made for you, the person who’s trying to break into cybersecurity. It’s called Play To Win: Getting Your Dream Cybersecurity Job. And what we did is we took the whole idea of capture the flag. And we said, if you can capture the flag as part of your training, then you certainly can take those skills and apply them to your job hunt. And so that’s what this 20-page visual guide actually does for you: it teaches you how to do that. And you can see on the slide here a little excerpt, this is pages six and seven.
There are four blockers that we talk about. We talk about how to overcome each one of those blockers. If you want it, it’s yours. Just go to yourcyberpath.com/pdf. That’s yourcyberpath.com/pdf. Grab it. If you love it, I’d love to hear from you. If you hate it, I’d love to hear from you, because that means I have to make it better. And I want to make it better. I want it to be something you guys are going to get a lot of use from. So remember, you’re just one path away from your dream cybersecurity job. Thanks for being here and we’ll see you next time.
Wes Shriner:
Thanks, all.
Kip Boyle:
Thank you.
YOUR HOST:
Kip Boyle serves as virtual chief information security officer for many customers, including a professional sports team and fast-growing FinTech and AdTech companies. Over the years, Kip has built teams by interviewing hundreds of cybersecurity professionals. And now, he’s sharing his insider’s perspective with you!
YOUR CO-HOST:
Jason Dion is the lead instructor at Dion Training Solutions. Jason has been the Director of a Network and Security Operations Center and an Information Systems Officer for large organizations around the globe. He is an experienced hiring manager in the government and defense sectors.