This episode is a replay of Episode 40, “Security Awareness Training”.
In this episode, special guest, serial entrepreneur, and writer Gabriel Friedla joins us to talk about Security Awareness and Training. After all, as this episode is released, we are right in the middle of Cybersecurity Awareness Month.
The discussion covers the importance of training, the different types of training available, how to communicate properly to others, and how to apply marketing methods to get people interested in learning more about security in the workplace.
We cover both marketing and policy-based training, as well as how small and medium sized businesses work, and how you can work with them. End users are the biggest threat to an organization’s security, so it is important to create training to address phishing, compliance requirements, and poor security practices or behavior. Additionally, your technical staff also needs the proper skills-based training to perform their roles.
Kip Boyle:
Hi, this is Your Cyber Path, we’re the podcast that helps you get your dream cybersecurity job. I’m Kip Boyle, I’m here with Wes Shriner. We’ve got a guest today, I’ll tell you who that is in a moment, but we are experienced hiring managers of cybersecurity professionals. And this episode is available as an audio only recording in your favorite podcast app, but it’s also available as a video on our YouTube channel. So just go to YouTube and search for Your Cyber Path podcast, and then you can see all the visuals that we are offering you.
So this is the next episode in a series that’s designed to tell you all about the way a cybersecurity organization is typically put together. And the idea is to help you find your dream cybersecurity job. So today we’re going to talk about security awareness and training. That’s actually a service that a cybersecurity organization is going to offer. And in the service catalog that we are using it’s number 26, you’ll see that in a few moments. You’ll see it on the placemat slide that we’re going to share with you. And as I mentioned, we do have a guest today and, Wes, would you please introduce Gabriel?
Wes Shriner:
Oh, I’m glad to. Gabriel is joining us from, if you’ll jump slides here. Gabriel’s joining us from Massachusetts where he is a serial entrepreneur. He has founded several cybersecurity and IT companies, and currently he’s working on Wizer Security. He’s committed this part of his life to security awareness and training as a hobby, as a business, as a passion. And so I’m really, really excited to have him here with us today. He also wrote the book Insider Threat Program: Your 90-Day Plan. And so, Gabriel, tell us a little bit about you?
Gabriel Friedla:
So yeah, thank you very much first of all, for inviting me. Originally I’m from Israel, that’s where I started my cyber security career. I’ve been an entrepreneur most of my life, I would say, since the age of 21, 22, except for about a year that I had to pay the debt of my first business that didn’t go well, about two, exactly. So I had to pay that off. And then I went back again to building businesses. So the one that is relevant for this conversation, the two that are relevant, is Wizer and ObserveIT. ObserveIT I started about 14 years ago. So prior to ObserveIT I was also a consultant, more actually in the IT space than security. And I was troubleshooting servers and issues that my customers had.
I had a small consultancy company. And one of the things that I used to ask them when I came in was, “Okay, who was the last one to touch that server, and what did they do?” And believe me, that’s such a simple question and that’s still today such a hard question to answer. So the idea back then was, and I also knew how to develop very well. I was a good developer. So at that point I said, “Okay, let’s just put a camera, a software, an agent on servers. And whenever somebody logs in it starts to take screen snapshots. So next time, if somebody’s asking me what happened, we just go pull the screenshots and see who checked what box.” And that went really well, I started actually selling this as a product, but very quickly customers told me that they needed more for security and compliance than for troubleshooting, because they had a lot of partners, remote vendors connecting to their servers, and they wanted to know what to do.
And especially there was this blame game. And there were compliance requirements that required them to figure out, to have an audit trail of exactly what happened. So the company shifted very quickly from an IT company to a security and compliance company. So when we were just doing troubleshooting, it was enough to just look at the videos and see who clicked what. But when it became security, we added analytics and we started to actually understand what people are doing so we can create alerts and then use the behavior. And we became this biggest insider threat company, which eventually we sold about a year and a half ago to Proofpoint. We had a lot of customers prior to the sale. It became a really big company before it was acquired.
So from a point where I was dealing with understanding human behavior inside the organization and figuring out and seeing what people are capable of doing, by the way, most of the time not maliciously, but still they were putting the business at risk. It doesn’t matter the intent, they were trying to be productive, but by doing so they were just breaking things and breaking and overriding policies.
So from preventing and monitoring, for me, it was natural to be like, “Okay, we need to educate.” The biggest problem is education because it’s honest mistakes. Honestly, every time we looked at something, yes, there were some bad actors, but I would say 90% of the time it was just honest mistakes. And there is this culture of, get the job done. That’s the culture in the organization, get it done now. So you’re concerned, that’s the culture. So you want to make it happen, no matter, you don’t want to come with excuses, but that culture conflicts with the culture of do it right. And in most cases they didn’t have an open door. So what do I do? Who do I call? They don’t know. And it ends up being a problem where people just override and bypass the security control just to get the job done. And then they explain their logic and it doesn’t help after the fact.
Wes Shriner:
Right.
Kip Boyle:
I’ve seen statistics that suggest that up to 80% of all security incidents are a result of an insider either being manipulated to doing something they shouldn’t do, or they made an error. An error could just be a misjudgment or it could be, they cut a corner. So culture, it’s really interesting. I’ve noticed that culture is such an important, such a massively important aspect of how secure an organization is, but cybersecurity people in general, in general, don’t want to do anything with culture. It’s messy. It’s really messy.
Gabriel Friedla:
There is a saying that, “Culture eats strategy for breakfast.” And I believe that, because when we have the right … When people care, and we can talk, I can do a whole presentation about culture, but it’s such an important, I would say it’s a foundation of security.
Kip Boyle:
It is.
Gabriel Friedla:
Culture.
Kip Boyle:
I absolutely believe that without any doubt whatsoever. And in my consulting work, I really emphasize that by actually including top influencers in a company as part of our assessment process, because we want to know what they’re thinking. And then subtly we’re also actually training them about what good cyber risk management actually looks like. So I’m totally on board.
Gabriel Friedla:
But it’s hard, right? The thing is, you learn, and we’re going to talk about it as well. We turn up, we talk, people think about cybersecurity technical. So we get all those certifications and we become this technical person that now somebody tells me to do culture and I’m like, “Yeah, yeah.” But we have to close and pass the service, which is also important, but culture is just underserved.
Kip Boyle:
It is.
Gabriel Friedla:
And there is so much to do there. And I think this is a big part of the roles in the future, in the cyber, that’s what’s probably needed the most because I think all the technology solutions to some degree, they even create a false sense of security I would say. Because it’s sort of like that get rich quick scheme where I’ll buy something, I’ll put it. And I get, and it will fix my problems, but it doesn’t happen like that in life in almost nothing-
Kip Boyle:
So you’re telling me the Office Depot commercial with the easy button, you’re saying that was not true?
Gabriel Friedla:
You know, 100% privacy, 100% security, all the VPNs, and the average person buys that. They buy the VPN and then they feel comfortable.
Kip Boyle:
Yeah, yeah. They think that.
Gabriel Friedla:
That they’re not tracked, but have you heard about cookies? It’s like, forget about the VPN, you know? And those that connect to free VPNs that are owned by criminals sometimes, that’s even worse.
Kip Boyle:
Yeah, I’ve got a whole rant on that.
Wes Shriner:
So, we’re having too much fun too early in the slide deck. So we’re going to get a chance to dive in a little further in some of this in a few slides.
Kip Boyle:
Okay, man. Want me to go?
Wes Shriner:
I do want to show out here at the bottom, the wizer-training.com, and specifically related to that, there’s a security awareness and training program. It is six chapters long. The chapters are light, easy reading and they will get you started in building your first security awareness and training program. If I were a young professional looking at one place I might consider going directly into a security organization, this might be the direction I might go in. And if I were going into an interview for anything security awareness and training related, and I hadn’t read the Wizer Training Manual, I would be unprepared. I say that because this is the definition for what success looks like in this space, so-
Kip Boyle:
And let me say, let me say, Gabe is not a sponsor of this episode, okay?
Wes Shriner:
Not at all.
Kip Boyle:
No, but we love what he’s doing. So we want to make sure that we’re showing him how much we appreciate him.
Gabriel Friedla:
Thank you.
Wes Shriner:
Indeed. So I’m going to tell you a story from the farm here, Kip, because it’s farm time.
Kip Boyle:
Yeah.
Wes Shriner:
And farm time today is coming to you from Cancun, Mexico, Cancun, Mexico. Yes. There’s no farm in this picture. Today I am coming to you from the other side of the continent, from Seattle. We are here with my wife. We are celebrating our 25-year wedding anniversary. And I know we talk a lot about the importance of work and we talk a lot about how valuable it is to be successful at what we do. I’m going to tell you there’s nothing more successful than being married to the love of your life for a long, long time, and having her love you too. So let me just say, today’s story from the farm is an anniversary trip from the shores of Cancun.
Kip Boyle:
That’s fantastic.
Wes Shriner:
That’s my-
Kip Boyle:
Congratulations on your wedding anniversary.
Gabriel Friedla:
That’s amazing.
Wes Shriner:
Thank you, it’s a lot of fun. And I appreciate you timing this episode to allow us to continue the vacation, and get it recorded. So this is fun.
Kip Boyle:
Well, listen, I just wanted to make sure, and I said this to you many, many times. I do not want to get into Mrs. Shriner’s, I don’t want to be on her crap list, because I made Wes take valuable relationship building time to make a podcast. So anyway, I did my part.
Wes Shriner:
And let me turn that around and say, she knows I’m here because I love it. And she knows I’m here because this is part of the fuel that burns my fire. So she was really supportive of taking a time to catch an episode here.
Kip Boyle:
That’s great.
Wes Shriner:
Let’s jump in. Let’s do what we got today.
Kip Boyle:
Okay. Here we go. Thanks, man.
Wes Shriner:
So a reminder, this is the placemat of the security organization. There are 23 services of a common security service catalog. It breaks down into four parts of the organization. We’re focusing in today on the governance, risk and compliance space on the left, Kip. And then you dive in deeper into the security awareness and training service. That is number 26 there.
Let’s go ahead and jump into security awareness and training. We’re going to be looking at four parts to this service today. We’re going to look at Cybersecurity Awareness Month, that’s October. We’re going to look at the required trainings. We’re going to look at behavioral training. We’ll look at skills training. And we might catch a couple fun posters along the way as well, because there’s a lot of opportunity to push good posters out in Cybersecurity Awareness Month. I think one of my favorite catchphrases is, “Passwords are like bubblegum. You wouldn’t use anyone else’s,” or something like that. You wouldn’t share it with a friend. So password’s like bubble gum, don’t share it with a friend. All right, let’s jump in and see what we’ve got for Cybersecurity Awareness Month.
Kip Boyle:
Yeah, look at all that propaganda. Oh yeah.
Wes Shriner:
This is a busy slide, I’m not going to lie. I did catch a couple different resources along the way, you’ll see links there, if I pulled them from the web, so that you can go look them up on your own if you want to. One of the things I liked about this diagram on the left is, it takes the month of October and breaks it down into what is that, five specific areas that we want to emphasize and train on, and then one specific training point each day. I also call out the posters across the top, “Think before you click.” All of these are clever, they’re relevant and they’re done. The most effective trainings are memorable and they’re fast, right? If I can’t consume it quickly, I didn’t catch it. What would you guys add to this? How would you make that better?
Kip Boyle:
Well, I just love the poster with it all broken out by each day, because I could, if you have this poster, you can create an email sequence that can go out to your entire workforce one per day throughout the entire month. And how effective is that? I mean, marketing, branding, that’s what this really is. You want your message to stay front of mind, and I just think that’d be a great way to do it. What do you think, Gabe?
Gabriel Friedla:
I think, yeah. I think we need to think like marketers and we have to understand that this is messaging and it has to resonate. It’s, how does it resonate with the person? So always involve the marketing department and that’s again, those crossover skills that if somebody came from marketing, and can bring that ability to deliver a message that resonates with the employees, like these ones, that’s great. So it’s not about just what you say, it’s about, does it click?
Kip Boyle:
Yeah. And that’s what I did too. When I became a CISO and I had to figure out what I was going to do for training and so forth. And we were always changing stuff, so I always had to let people know, “Hey, we’re going to change your work experience, because we’re adding an additional logon or something like that.” And I made the typical techie mistake where I would just like, I sent one email, one very well-written email, send, okay, done, I’ve communicated. No. So I went over to our marketing department and I just kind of humbled myself and I said, “Please teach me how to communicate.” And they shared this entire toolbox with me and showed me how to do it and mentored me and walked me through it. I’m so much better for having done that. So Gabe, I’m so glad you mentioned that.
Gabriel Friedla:
Yeah, look, it’s a multi-touch process. In marketing we say you have to touch a person about five to seven times in order for them to remember you, even before even listening to you. So they want to see you in different places. So again, we need to use those marketing methods because it’s our job, not just to communicate, but to market it to the organization. We have to put on our marketing hat and understand that we have buyers and they don’t have to buy our shit. It’s up to them whether they want to listen or not. And we have to do a good job and again, and again, talk to them and do things and activities.
Kip Boyle:
Right. And my marketing hat was made out of a day old newspaper. I didn’t know what the heck I was doing. So, if you’re in the audience and you’re thinking, “Hey, I got into cybersecurity, because I like computers and stuff. And if I wanted to do marketing, I just would have went into marketing.” I understand that. I totally get it. But at the same time we’re telling you the truth, okay? This is-
Wes Shriner:
We need each other.
Kip Boyle:
This is marketing.
Wes Shriner:
We need each other and this is how we work together. And so, if you’re looking for the technical job, this is not that one. But if you have not spent a lot of time in the DOS prompt, then this might be the kind of security job that might be a great place to get started.
Kip Boyle:
And you’re going to learn a lot along the way. And then if you want to hop over to a technical job, you just may well be able to do that [crosstalk].
Gabriel Friedla:
And by the way, there’s no one badass job versus the other. It’s a teamwork. It’s not like a red team is better than something else, because sometimes people want to be that, they want to go to the red team. It doesn’t necessarily mean that it’s … Nothing is better than the other. It’s a team effort.
Kip Boyle:
Well, the red team thinks they’re better than us. That’s the problem.
Wes Shriner:
Nah, nah, they’re good guys, they’re good folks, right? You just, you have to leave the door closed. You slide the pizza under. You hope they come back out next week sometime. That’s kind of red team like.
Kip Boyle:
And never, never, never let them talk to customers.
Gabriel Friedla:
Guys, playing defense is harder. Playing defense is harder. We have to get-
Kip Boyle:
It’s way harder.
Gabriel Friedla:
Try to play defense and see if you can stop those people coming in. Let’s switch for a second, that’s way harder.
Wes Shriner:
Right. It is, because the red team has to be right once and the blue team has to be right all the time. Let’s jump ahead and see what we’ve got.
Gabriel Friedla:
Here goes.
Wes Shriner:
I think the next one here is this policy-based training. This is that initial training everyone takes every time they join a new company. This is that same training that is repeated annually throughout the lifetime of your career at any company. And it’s delivered usually through the learning management system or LMS. This training is usually based on the acceptable use policy, the data classification handling standard. And sometimes, actually always I think, it ends in a signature or e-signature acceptance. I acknowledge and I promise to be a boy scout in all these ways. And that is really almost a CYA for your organization to ensure that you have accepted and read and consumed those policies so you can be held accountable to them.
Often these are company-centric voices inside, company-centric trainings. So they’re usually done by recognizable voices inside the company, right? It might have an introduction from your CIO and it might be narrated by your CISO. There are rarely changes from year to year, there are very few changes and those changes are going to be managed incrementally. And they might even be lumped into a two or three year cycle so that you’re not updating this annually. And then lastly, it might be paired with your privacy annual training, so you may get both of those at the same time. We call this policy-based training because it is based on those policies and it is really about the organizational protection. What else would you add to this?
Kip Boyle:
Gabe, what do you got?
Gabriel Friedla:
A lot, but okay, so.
Kip Boyle:
Moderate yourself. We only have an hour [crosstalk].
Gabriel Friedla:
It’s about the goal. It’s about, what’s your goal. If your goal is to check a box, and it is a goal, sometimes without checking a box you won’t land a deal because you haven’t trained your employees or, so there’s different reasons, privacy, GDPR, and all of that. So we have to distinguish between compliance and security and actually wanting to change something. So it’s just two different worlds.
Wes Shriner:
It is.
Gabriel Friedla:
If it’s compliance and you just want to check a box, which is unfortunately what most … A lot, I wouldn’t say most, but a lot of companies are still at and smaller ones as well. They just need something fast and quick. Then sometimes they don’t really care too much. They just want to cover the topics. And like you said, every year it’s the same thing. People zoom out from this, click play, go drink water, come back. So basically nothing is really happening beside that box being checked.
Kip Boyle:
Yeah.
Gabriel Friedla:
But if you want to do an act, if you want to bundle this with actual value and educate people, then it requires way, way more than that. Maybe that’s the next slide that we’re going to-
Wes Shriner:
It does.
Gabriel Friedla:
hear, but it’s-
Wes Shriner:
It does. It can be paired with behavioral training. And I think we can do that here in the next slide.
Kip Boyle:
But before I advance to the next slide, I want to say that a lot of small, medium sized businesses don’t have an LMS. They don’t have any infrastructure to do this. And so that’s an inhibitor for them. And I work with them all the time on this. And I wish that there was an automated solution that was at a cost that they would think is good in terms of getting that acceptable use policy every year.
Gabriel Friedla:
Well, that’s us.
Kip Boyle:
Yeah?
Gabriel Friedla:
We have a free LMS.
Kip Boyle:
Well, what I was going to say is, all my SMB customers who need training, I enroll them in Wizer training.
Gabriel Friedla:
Oh, thank you.
Kip Boyle:
Yep. I do. I do.
Wes Shriner:
Put your bet.
Kip Boyle:
But there’s other parts here that are still missing. So anyway, I just want to acknowledge that for SMB organizations, some of this stuff is a little awkward and because you just don’t have the scale of a large enterprise, that’s all.
Wes Shriner:
SMB organizations. That’s small to medium business, is that right, Kip?
Kip Boyle:
Yes, that’s right. Yep.
Wes Shriner:
That has nothing to do with joining a drive of any kind? All right.
Kip Boyle:
Samba.
Gabriel Friedla:
I want to touch the SMB for a second, because SMBs serve large organizations. So, and what happens with compliance, going back to this compliance, just to explain to the audience how it works sometimes, actually a lot of times. So the big company is saying, “I’m going to work with you, small company, but I have to do my risk assessment. So we want to know that at the minimum your employees are trained.” So the small company is like, “But I want to close the deal now.” We have almost a PO, but we have to answer this questionnaire. So what they do is they just go and look for the cheapest, easiest solution to check the box. Everybody has to sign off and then they get the deal. But we haven’t actually eliminated or even reduced the risk, because the big companies eventually are being sometimes attacked through those small companies.
So if I’m an attacker, I go to the small company, and this is the easier ways in, because they’re not trained. Maybe the big company did training and they’re resilient, but the small company just checked the box. They are now this gateway, and this big company trusts the small company. So it’s all about trust. So this is how we just get in. And that happens on a daily basis where attackers get into the bigger organizations through the smaller ones. So again, it’s a pity that there’s, the compliance is usually a result of an intent, but we’re not actually delivering on the promise.
Kip Boyle:
I work with SMBs all the time and I encounter that entire situation that you’re describing.
Gabriel Friedla:
Yeah.
Kip Boyle:
Yep. What about behavior training?
Wes Shriner:
I think that’s the answer, right? Is once we get past the compliance-based training and move into behavioral training, we start looking at how can we actually change behaviors inside our organization? These trainings may be educational, or they may be live practice. They may be job-specific. They may be e-learning. If the policy-based training is delivered to every staff everywhere, the behavioral training is targeted towards sometimes specific groups of staff and sometimes the whole staff organization. And it’s going to create and teach behaviors that we want to see become part of our culture. We heard culture trumps strategy, well, I think that’s going to be true here. We’re designing culture when we’re designing behavioral-based training.
Kip Boyle:
Yeah.
Wes Shriner:
And some of the examples of behavioral-based training might be some password complexity training, or how do we handle our two factor authentication? Where do we hide the Post-it notes with our passwords? And if your dog passes away, what’s your new password going to be? Sorry, that was supposed to be funny. It’s kind of sad. Now I feel like a bad guy. We lost two of our 17 listeners because the dog thoughts there and now they’ll [inaudible].
Sometimes we’re going to do anti-phishing in this behavioral-based training. And that’s the one I want to highlight in greater detail today. This phishing training is often done as a live test done in your inbox that may be scheduled, maybe not, maybe informed, maybe not, where maybe once a month or maybe once a quarter, a percentage or all of your staff get an email requesting you to click on the link and enter your credentials. And for those who click on the link and enter their credentials, that’s the group of people that didn’t pass the test this time.
Kip Boyle:
Busted, busted.
Wes Shriner:
Well, but let’s think about that busted, right? Is it busted because Bob clicked on the link, or is it busted because we as an organization aren’t talking about phishing and talking about the phishing threat, and we haven’t built it into our culture that we have a plan for how we’re going to avoid it?
Kip Boyle:
I can tell you the word on the floor is busted.
Wes Shriner:
It is. It is.
Kip Boyle:
I mean, it’s a competition, right? Most employees see this as a friendly competition, right? Who’s going to get caught in the phishing net, so.
Wes Shriner:
And the live practice is a great way to teach, but it can cost relationships if it’s done poorly.
Kip Boyle:
Absolutely correct. Absolutely correct. And it’s funny, I hear people arguing both sides of this. The security purists, for example are saying like, “You could never tell people that you’re going to test them, because then it’s going to bias the results, or it’s going to spoil the whole exercise and so on and so forth.” And these are people that are trying to catch people doing stuff wrong. And well, all I can tell you is, is that you’re never going to be able to build working relationships that way.
Gabriel Friedla:
It goes back to culture guys, like if done wrong, it can hurt culture, and it can have the negative effect. You want as a security team to have an open door for people. People need to feel comfortable to come to you. If you are going to try every day to not only trick people, but also punish them, then people won’t come to you. And people will be afraid. And if you do it too much, by the way, people will be numb to a point that they will, even legit emails they won’t open because they will be terrified. So that’s to the extreme, you know? But some people are like, “We’re going to trick you all the time.” And then people are going crazy and they’re just afraid, they’re dealing with customer emails. Maybe it’s, “I don’t know. I’m not going to open it.”
Kip Boyle:
Yeah, it’s a bad scene. It can get terrible.
Gabriel Friedla:
So it’s really a question of, what do you do first, phishing or training? For me, that’s again a personal approach. You train first, because otherwise you’re just wasting your time. Of course, they will click. We tell them to click. We send them stuff to click all day long. That’s what people in the company do, they click. We ask them, “Open the document.” They send you a link. That’s our daily job.
Kip Boyle:
Yeah. Well, think about people in HR that are getting resumes attached to emails all the time. Think about people on your accounting team that are getting legitimate invoices attached to emails all the time. Sales, sales people are constantly getting emails with purchase orders attached to them all the time. These people I believe are operating in a hazardous duty zone, because they have to open this stuff up. And so my challenge to cybersecurity people is, what are you doing to give them extra protection?
Gabriel Friedla:
Yeah. And also think about it. You know what? Some people are looking at percentage, because 100% nobody clicks, it’s just unrealistic. It’s like, it’s just, it’s wishful thinking. And it’s like saying, “We’re going to get to a point where people never make mistakes.” It’s crazy to expect zero clicks, but-
Kip Boyle:
There’s a whole category of insurance out there called errors and omissions insurance policies. That’s not going away anytime soon.
Gabriel Friedla:
No, it’s not. So think about it. Let’s say you have 1,000 employees and only 4% click, okay? Not a lot, 4% click. That’s 40 open doors for a criminal, okay? So did we solve the problem? No, we haven’t actually solved it. We only reduced the risk, which is always, risk is always a sliding scale. So A, we reduce the risk. The question is, it’s about resilience. How fast did we respond to somebody clicking on a phishing email? Did anybody else report? How many people reported? So there’s a lot of things going on when we think about phishing simulation and it’s, in my opinion it’s more about resilience, to check the resilience of the organization to a phishing simulation, versus the amount of clicks. Because 4% of people with almost no access to data, versus … Let’s say the other way around. 4% of managers with high access that clicked versus 10% of people with low access, what’s better? The 4% is more risky because they have a lot of access. So it’s not only about how many people clicked, it’s also who clicked.
Kip Boyle:
Yeah, which ones?
Gabriel Friedla:
Who clicked? That person had a lot of access. That’s bad. That’s a spear phishing. That’s horrible. So there is a lot to talk about phishing simulation. It can be a great tool if done right. Again, just like policies. Sometimes it’s looked at, it’s not, going back to this culture thing, like I said, everything is built on culture. So if not done right, then you sort of make it like those policies, but even worse, because policies are just annoying if you do them for compliance, but phishing done wrong can hurt culture and even get to a point where you’re worse than you started.
Kip Boyle:
Anybody think we could do a whole episode on that? We’re not going to.
Wes Shriner:
I think it’d be great. That sounds like a lot of fun. If you don’t mind going back, I want to highlight two things, right? One is, if you do a phishing mail in February and you do catch five to 10% of your audience, how instructional, how powerful would it be to follow up with that a week after the phishing campaign with a here are the three to five things circled in the email that would give you a clue that that was a phishing mail so that you can use it as a learning teachable moment, rather than as just a treachery trickery, you missed it, game. Oftentimes, organizations that do phishing campaigns who don’t do this follow up, people never know that they were in a phishing campaign because they never clicked on anything. Or, and so we don’t reward the right behavior and we aren’t training the wrong behavior, so.
Gabriel Friedla:
Totally. Reward the right behavior.
Kip Boyle:
Yeah.
Wes Shriner:
Yeah. And then the other thing I want to call out is, any of these small and medium business companies, you talked about high risk jobs. They’re going to use SaaS providers for just about every outsourced function in the organization. And none of those are going to be domain-branded domains that they’re going to be sending emails from. So we as an organization, as a security team, need to figure out how we can tag those incoming domains as friendly in some way in our Exchange server, so that when we present that email, it is from a known friend or at least a known friendly domain. If there’s some way to do that, that might be an effective tool in our arsenal.
Gabriel Friedla:
And there’s also some rules that better not be broken. You don’t want to send phishing emails from the IRS or stuff like that because you’re going to get in trouble. And the thing is that criminals have no problem doing it. And they actually do it all day long. So there are lines that as company we cannot cross, first of all, legally, and second, remember that some people have issues and you don’t want to damage them. You can be really nasty. Some criminals are really nasty. Something happened to your kid. They can, sextortion, there’s no lines they are afraid to cross. And as companies, we, there are some lines that we say, “Okay, we don’t cross that line. That’s just too much.” And it’s sometimes just illegal, purely illegal.
Wes Shriner:
True. All right, let’s jump ahead to the next type of training. This is skills-based training and this is, we don’t have a lot to cover on this topic, so I’m going to move pretty quickly. This is specifically designed for a group inside the company that maybe needs a specific skill to be trained on. How do I code securely, or maybe how do we handle our own coding libraries? Or maybe it’s as simple as we’re trying to change how the organization manages APIs and we’re going to teach a new behavior to everyone about mutual authentication encryption of our APIs. This is how we will do it as standard in the future. You can often find these trainings available through a SANS type organization as well. So if you’re a small and medium business, don’t be sad. There is all sorts of skills-based training out there and available to you in the security arena as well.
Kip Boyle:
Yeah. So Udemy, for example, is a website that has a lot of training on it. Pluralsight is another one. SANS training. So that’s, it used to stand for systems, administrators and network security. I don’t think they’ve used that. I don’t think they’ve expanded their acronym in a million years, but that’s probably one of the best training organizations in our entire industry. It’s a much greater price tag than Udemy, but it’s great if you can go.
Wes Shriner:
I think you can get what you’re looking for from Udemy for the most part, but there’s lots of other great training options out there. Once you get involved and get connected, you’re going to start to see a lot more options.
Gabriel Friedla:
Yeah. And I think it’s important to make that distinction between awareness and behavior changes, and then skill. It’s very, people mix things up. So skill, usually you choose. In most cases like Udemy, you go, you choose something and you actually want to learn. With awareness, in many cases, the company’s forcing you to do that. It’s not your choice and everyone has to do that. So there are different challenges with those two things. One, you picked your own training, you want to develop in that thing and you learn it. And the other one, you’re sort of forced to do that. So that’s harder, because many people don’t have the passion for it and they still have to do it anyways. So how do we overcome that? That’s a huge challenge.
Wes Shriner:
It is. Let’s see where we go from here. Oh, this one’s going to be tough. How have we trained behavioral changes in our world in the past? And I think about when I was a young boy, my brother and I would ride in the back of the Ford Club Wagon van. And we would wrestle while my parents traveled down the road at 60, 70 miles an hour in that Ford Club Wagon van. And we were just wrestling because my parents had pulled the seats out and made it a big open space for us to, I mean, to goof off. And somewhere along the way we had learned as young people that if the car were in an accident and if it were to roll over, we didn’t want to be in that vehicle. We’d rather be ejected out the window than to stay inside the vehicle.
This was the thinking of seven-year-old Wes. And it’s my understanding that was the cultural thinking in that time as well, in the early ’80s. But we began to see a shift in first the availability of seatbelts and then the explanation of their benefit. And then we saw influencers recommend it. And we saw a marketing campaign from our federal government. And then we saw penalties start to step in, when seatbelts weren’t in use and you were pulled over for something else, then you would get penalized for the seatbelt wearing also. And then it became a primary offense and you could now pull someone over if the seatbelt’s hanging out the door.
And so the progression of teaching seatbelt behavior is such that today seatbelt behavior is not really a conversation that happens anymore. For the most part, people are putting their seatbelts on. And it took a generation to get there, but we’re there. And nobody wants to be thrown from the car window when the car rolls over anymore. Now we’d rather be strapped securely to the cushiony chair as it rolls, and-
Kip Boyle:
We’ve got data showing.
Wes Shriner:
and it makes a lot more sense.
Kip Boyle:
And we’ve got data showing that this is a better way.
Wes Shriner:
It’s a better way. And we saw that with our 55 Saves Lives campaign that came out. I still remember the general standing with the baton against the American flag, 55 Saves Lives. And we saw more recently Oprah start the No Phone Zone, right? To be safe, don’t be distracted when you’re driving. And we’re seeing the early part of that campaign. Maybe we’re in the middle of that now where we certainly have penalties if you are caught with distracted driving.
Kip Boyle:
This is an amazingly good example, Wes, because I mean, look what’s going on here. We’re seeing an orchestration of different approaches to sending the message and reinforcing the message. You’ve got marketing. You’ve got these campaigns, these memorable campaigns to get the message out, but then you also have penalties, right? So it’s like, “Hey, we’re going to give you the carrot. But then if that doesn’t work, we’re going to give you the stick.” And all this stuff has to come together. So in cyber security you’re going to do a good awareness and training.
But if people are resistant to that, not just making errors, but are actively not interested in cooperating. Well, you’ve got to be willing to go to the human resources department and talk to them about where in the progressive disciplinary system these people enter. Is it a first time verbal warning? Is it a first time written warning? Because if they catch you stealing something valuable, you’re just immediately fired. So you can enter that system at any level, depending on the severity of your offense. All I’m saying is that I hope you go and have a conversation so that when somebody deliberately doesn’t pay attention to what’s going on here, when you need them to cooperate, you have a way to enforce.
Gabriel Friedla:
I would add to that, that just, behavior is eventually about acquiring good habits, right? It’s more about habits and those habits need to be in our everyday life. I look left and right when I cross the road, even if there’s no cars, it’s just automatically. And it’s so hard to acquire new habits, it’s just so hard. So first of all, I’m a big advocate of starting at kids’ age, school, family, I hope to, online safety right now, I think it’s a major topic and it has to be addressed at school level.
But for our older guys, it’s very hard to change our habits. Therefore, I think companies have to choose one or two things because it’s hard to tell them, “You have to change. You have to change all your habits, everything that is in this policy, 30 page documents, because. And we’re going to tell you to read this again and again every year or twice a month, or whatever,” just impossible. So choose one, two things, think before you click, and just emphasize it, you know? Emphasize it-
Kip Boyle:
A year is not too long.
Gabriel Friedla:
Deliver it. Yeah, have this delivered everywhere. By the CEO when he talks in a town hall, by the managers, by having an ambassador program. Just push the most important thing to you and make that behavior change. Because one thing leads to the other. Telling people, “We need you to change totally altogether in one training, because we said so,” is just, again, unrealistic.
Kip Boyle:
It’s not going to work.
Wes Shriner:
And with that, I love the idea of don’t dilute your message. Let’s keep it focused and stay on message. I believe we started this episode with, you’ve got to present it five to seven times in order for someone to hear it. I think we’re staying on message with that today.
Gabriel Friedla:
In culture, all of this behavior change, it’s culture, it’s about your parents. It’s about the society that you lived in, whether they’re embracing the seatbelt or not. If everybody’s embracing it, you’ll just put it on automatically. If nobody’s embracing it, you’ll be like, “I don’t care.”
Wes Shriner:
Right. Okay. Let’s see where we go from here. This is a fun slide. I hope you can follow me on this one. I think this one’s going to be actually pretty helpful when we get there. We’re going to start at the 10 o’clock position on the clock over on the top left corner there, and the suppliers. This is our SIPOC: suppliers, inputs, processes, outputs, and customers. And we’re going to work our way around the clock, just like the SIPOC. So on the top left, our suppliers for this are going to be our policies and standards. They’re going to be our current outstanding risk and they’re going to be our compliance customers. The folks who want to know that we did check the box.
We’re going to take inputs for that. Those inputs could be new regulations. They could be environmental changes or policy changes. There could be new attack techniques. We can even filter in previous campaign results because we can learn from our previous campaigns and we can get better. And of course, risk drives what we want to focus our training on. We’re going to use our training to, our processes are going to be course creation. We’re going to evaluate completion rate as well as real-world results on those courses. Maybe that’s the phishing testing, right?
And then our outputs will be the training courses, the posters, the phishing campaigns, the October Awareness event. And I think the most important outcome is the new discussions at the water cooler. I realize we’re in a COVID world where there is no water cooler anymore. So maybe it’s on the Zoom side chat. Let’s call it the new discussions on the Zoom side chat, right?
And if we keep going around the clock there, the customers who are receiving these are going to be our compliance partners who require this kind of training. It’s going to be our knowledge workers, because if we’re hiring knowledge workers to come in and contribute to the organizational knowledge, then teaching those knowledge workers a way to think and a way to behave is going to be a big step in driving a secure culture in our organization. And lastly, I think the customer that’s going to benefit the most is actually our real customers. Because when we build a culture of security, our customers are going to be better protected.
Kip Boyle:
Yep, I dig it.
Gabriel Friedla:
I love, yeah, the cooler. And at the end of the day compliance measures, like you said, it’s completion rates, but the real value from my point of view is, for example, how many employees came to you about a new project they’re working on and they care about security? How many people came to you and asked if you have anything for the family, just because they care about it and they want to train their kids? The inbound is more important. How many people are coming to you, that’s a good indication that things are starting to change, that people care. And that goes back to just the time culture.
Wes Shriner:
I’m going to pick up on that for just a second. I think one of the most effective behavioral training campaigns that we can do is to have a security training on how to secure my home wireless router. That has [crosstalk] nothing to do with work.
Gabriel Friedla:
We haven’t talked about it, but the biggest driver for security awareness for me is making it personal, because here is the thing. People relate to things that are personal to them, right? And the advantage we have in security awareness is that the threat actors phish a person the same way they phish companies. It’s the same threat vector, right? So if I can show you how you can avoid getting scammed in your personal life, you change that behavior because now you care, you don’t want your WhatsApp to be hacked or your text message or your phone or your AT&T or whatever that is. And you’re like, “Oh wow, this can happen.” Because some people don’t realize this can happen. And then you’re like, “What can I do?” And then you teach them, they apply the same behavior. They take the same behavior that they apply at home, they apply it at work. So it’s just much more efficient to just show them how to be safe at home, because they will apply the same thing at work. That’s one thing.
Second thing-
Kip Boyle:
Agreed.
Gabriel Friedla:
is, deliver it in the same way they consume content today. Mobile, one minute videos. That’s what we do, one minute videos. People don’t have an attention span, even over 30 seconds. So having them sit down and watch a 45 minute video training is like, it’s just, even if they can, even if they-
Wes Shriner:
That’s what we’re doing.
Gabriel Friedla:
they will be zoning out. So deliver the content on mobile, let them flip quickly, let them watch it, flip, go back, control their pace and make it relevant to them. These are crucial things to make. Even the policy training that we spoke about, something that people will actually want to consume.
Wes Shriner:
That makes sense. I like that. That’s a very thoughtful way to do it. One other thing I want to highlight is, making it personal. Gabriel, you recently posted, or I think reposted the contract that you might have as a father with your children.
Gabriel Friedla:
Yeah.
Wes Shriner:
Who are, or mother, father or mother. But I guess we’re all dads on this podcast, with your children, that would be, “Here’s how we’re going to behave online. This is what it means to be a citizen in the internet community, and these are the things we will and will not do.” I love that posting. And I think you’ve got it available on your site and as a download?
Gabriel Friedla:
Yep. Again, maybe they won’t follow it, it cannot be enforced, but again, we’re telling our kids our expectations, we’re setting them. In this contract there’s not only the kid part, there’s also the parent part. So we made it, what does it mean, privacy? I will learn about it as well, so I won’t be talking about stuff that I don’t understand. So I’ll educate myself. So there are parts that the parent is also signing, because it’s mutual.
Wes Shriner:
Yeah. And it’s a really powerful tool, because either you don’t need it now and you introduce it as a family and have the conversation, or you need it now and it’s too late.
Gabriel Friedla:
Yeah.
Wes Shriner:
So, that’s my wisdom on that one. I would say, go download that one right away if you’re listening still with us. But we know 45 minute podcasts are a thing of the past. We learned that just now too. What do we got for the next slide, Kip?
Kip Boyle:
You know, it’s mistitled.
Wes Shriner:
All right, we’ve got-
Kip Boyle:
I just noticed that.
Wes Shriner:
Sorry about that.
Kip Boyle:
Forgive us, everybody. Forgive us, everybody. We got ahead of ourselves.
Wes Shriner:
All 17 listeners who are still with us.
Kip Boyle:
There’s only 15. You scared away two before.
Wes Shriner:
We lost them with the dogs comment. I’m down here.
Gabriel Friedla:
They’re all staying with us. We’re very good, you know? It’s-
Wes Shriner:
Well, they’re just running us in double speed so they can get through it faster. This is the people of security awareness and training. And this is specifically, there are roles as maybe a training lead or as a content creator, or as the phishing administrator. Those are, none of those … Those could be full-time roles, but more likely all three of those might be a single role. The skills that might come into this role might be content creation. It might be still content or video content, and the skills are all about, how do people learn and how do we teach?
Gabriel Friedla:
I think people have-
Wes Shriner:
The tools-
Gabriel Friedla:
Okay, sorry, go ahead. Because I’m excited.
Wes Shriner:
Go ahead, please. Jump in.
Gabriel Friedla:
I’m saying, don’t look for the role. Let’s say you work in a company in a position and you are in marketing or you know how to create content or you like to draw at home, or you think you’re good at messaging. Go to the security team, because they’re, I’m telling you they’re lacking the skills today. They’re lacking them. So go there and tell them, “I can be of help.” And make that role, because you’re not going to be competing with all the very, very technical guys on one spot. Here you have something that is evolving and it’s just a huge opportunity for you to put your foot in the door. And if you later want to evolve to a tech position, then pivot. But at least now you’re in security.
Wes Shriner:
Yeah. And even more so, this is the probably most underrated, most important role you can possibly have in a security organization. Think about it. What other role is going to influence the culture and the people and the families of the people who are working at your company?
Gabriel Friedla:
Yeah, this is amazing. You’re communicating with everyone. You’re going to be talking to C-levels.
Wes Shriner:
That’s huge power.
Gabriel Friedla:
Yeah, this is an amazing role that I think, just security teams sometimes don’t realize they need to hire this. So just go there, suggest yourself if you’re working. Even in the call center or wherever you are, and you have those skills say, “Hey, I had customer calls. I talked about this. I think I can really create awesome content.” And, you know-
Wes Shriner:
You should.
Gabriel Friedla:
People in the security team will be like, “Wow yeah, can you do that?” And you do it once, you do twice, and suddenly you’re there.
Kip Boyle:
Yeah, they don’t want to market. Remember we said that earlier? They don’t want to market. Go to them and tell them you’ll market for them. They’ll love you.
Gabriel Friedla:
Exactly.
Kip Boyle:
Bring pizza.
Gabriel Friedla:
So just make it, you do it yourself. I don’t know, I’m an entrepreneur. I’m always, this is my line of thought always. You make it for your own. You don’t go and ask for it, you just do it. So this is just one, a void-
Wes Shriner:
Outstanding.
Gabriel Friedla:
that exists that you can fill.
Kip Boyle:
I want to mention one more thing, which is that if you’re interested in security awareness and training, there are other jobs that you can pursue that are not baked into a larger cybersecurity organization. Look at Gabe. He is running a standalone training company. There are other standalone training companies that you could join and be able to produce great content. So you could teach in another kind of learning organization, a university, or I’m sure I could start listing off all the different places that do training, but I think you get my point.
Wes Shriner:
And the point was well made, Kip.
Kip Boyle:
Well, guest-
Wes Shriner:
What do we get next?
Kip Boyle:
The guest gets the last word.
Gabriel Friedla:
Ah, what have been the keys to your success? Okay.
Wes Shriner:
I think we surprised him with this slide. We should probably give him a heads up or something.
Gabriel Friedla:
No, this is a great question. So look, it depends, first of all, on how you define success, you know?
Kip Boyle:
Well, you can do that, you have the last word. What is success to you?
Gabriel Friedla:
So look, before I’m a security guy I’m actually an entrepreneur. So I started very young. I’ve been optimistic and naive, which allowed me to move fast forward, because I wasn’t thinking too much all the time about what if and what if. And for me it’s like, “If somebody else can do it, why can’t I do it?” Because-
Wes Shriner:
Yes.
Gabriel Friedla:
why not? If I want to, honestly, if I want to own a bank, why can that person own a bank and I can’t? It’s just a matter of, do it and don’t undervalue yourself, especially for the young folks that still don’t have a lot of, I hope they don’t have yet a lot of mortgage or ties and then they can get out there and really just, it’s simpler said than done, but that’s, being a little bit naive helps, I can do that. And don’t look, I don’t like … So here, I’m giving advice on the one hand, but remember that every person has their own path. I cannot even repeat my own path.
What I’m doing right now with Wizer is completely different. The path that I’m taking with Wizer is completely different than the path that I took with ObserveIT. And that’s true for everyone, you know? So listen to people, but listen to your inner self what makes sense, and experiment. Don’t just follow, I mean, this is a certificate. I don’t have a degree by the way. And I’m not advocating against it. I’m just saying in general just follow your dreams. It sounds like so-
Wes Shriner:
I feel like Mary Poppins should start playing in the background.
Gabriel Friedla:
But it is, just people are so much looking for the answers and for somebody to guide them and they’re not listening to their inner self about, and just start doing something, you’ll probably get it wrong, that’s fine. And you’ll improve, it’s about progress. What matters is progress.
Kip Boyle:
Well, yeah, I mean, you were very transparent with us about the fact that your first entrepreneurial venture didn’t work out the way you thought it would.
Gabriel Friedla:
Oh, I had a few that didn’t work out, guys, not just one. And I was depressed and, but again, you get up and the question is, “Did you learn anything from this?” If you learned something from this, then you’re a winner, because you’re taking that as a stepping stone for your future. If you’re just going to cry about it and like, “How I wasn’t accepted or how it didn’t work, and why you are a victim,” then you’re a victim. You just became a victim because you defined yourself as a victim. So it’s really a point of mindset. So-
Wes Shriner:
It is.
Kip Boyle:
Sorry.
Wes Shriner:
I would add to that a statement that, “Things worth doing are worth doing poorly and awkwardly.” Because they’re still worth doing.
Gabriel Friedla:
Zigzag. My entire career was zigzag. There’s no straight line, that’s just, it’s a rollercoaster. And it was zigzagging. And I was fortunate enough, but I think part of my being fortunate is going that path. Because when you’re zigzagging some, you need to hit it once and then you have this base to continue and build.
Wes Shriner:
So, Gabriel, if you were talking to someone who is in school currently, dreaming of being a cybersecurity professional, what would you tell them to focus on? What would you recommend for them in their studies?
Gabriel Friedla:
So, first of all, within, what we spoke about today, within this … And by the way my kid likes, maybe because of me, but he actually really, really loves it, you know? And I told him, and before that he loved music and I always told him, “Do whatever you want. You don’t have to be security, do music, whatever you want.” But I guess from the things that I told him he got excited about it. But he found his own path. He is more into specific things in security.
So learn what you like in cybersecurity, and don’t make it about money. It’s not about, “Oh, this is a hot topic.” Learn, experiment before you decide to hone in on one thing, and just practice, just do a few things. There’s a lot of, just don’t rely on the certificate only. Don’t just try to prove to people that you have a certificate. A certificate helps, but it’s not enough.
So, work with the community. There’s a lot of help in the community that people are willing to help. So collaborate with people, talk to them, help others. That’s an amazing tip, help others. As you learn something, find people to help them. Because when you’re starting to help other people, you become better. It’s just like that. And you’re building appreciations and people start to recommend you and talk to you and you become the center of attention because … And that’s, by the way, how leaders become, they serve others and they become leaders. You don’t accept the leadership. Nobody puts the leader on you. The more people you serve, the better leader you are.
So start small, teach people, like what you guys are doing right now. You’re helping other people. You’re not asking for anything in return. And that’s how it works. So doesn’t matter if you’re day one, you just learn something, blog about it, write about it, comment about it, ask a question, help other people, because there’s always people that are learning what you, learning now what you learned yesterday, you can help them. So-
Wes Shriner:
Indeed.
Gabriel Friedla:
that’s a huge one helping others, honestly.
Wes Shriner:
So now that, you’ve learned it a day before they did. So now, what do you wish you knew? Or what do you know now that you wish you knew then?
Gabriel Friedla:
First of all, I’m happy. Like going back to being naive. I’m happy that I didn’t know then what I know now, because I would have not taken that. The risks are so big, at least in my, because I’ve been an entrepreneur most of my life. So knowing now the amount of risk I took probably means that I wouldn’t have done it. I would have known how hard, that’s why sometimes I don’t like talking to young folks and telling them, they ask advice and I’m afraid to tell them what to do, because I’ll just shed light on all the difficulties. And sometimes I don’t like doing that. So I’m like, “Yeah, try that.” Even though I know they’ll fail, because failing is part of the journey. So I would say, again, I’m just happy that I didn’t know then what I know now, honestly.
Wes Shriner:
Outstanding.
Gabriel Friedla:
Honestly.
Wes Shriner:
Very good. So, Kip. What are our key takeaways for today? I think they are that security training is often overlooked. It’s actually a life skill and it has huge opportunity to impact the company and the families that are supported by that company. It’s a great area of opportunity for non-technical people to move into a security space. And I hope we saw as well that this is, awareness and training is an outcome of what we did last week in our policy, right? And once we have our policy set, we have trained our organization on that. Next week we’re going to look at architecture and see how we apply that in our technical spaces, in our plans for the future. Over to you.
Kip Boyle:
Excellent. Excellent. All right, hey, everybody. I sure hope you liked the episode today and the things that we shared with you, Wes and Gabe and myself. If you do like our podcast, definitely go back and check out previous episodes. And I think you should also consider grabbing a free guide that we made for you, the person who’s trying to break into cybersecurity. It’s called Play to Win: Getting Your Dream Cybersecurity Job.
And what we did is we took the whole idea of capture the flag. And we said, “If you can capture the flag as part of your training, then you certainly can take those skills and apply them to your job hunt.” And so that’s what this 20-page visual guide actually does for you, it teaches you how to do that. And you can see on the slide here a little excerpt, this is pages six and seven. There are four blockers we talk about, and we talk about how to overcome each one of those blockers. If you want it, it’s yours. Just go to YourCyberPath.com/pdf. That’s YourCyberPath.com/pdf. Grab it. If you love it, I’d love to hear from you. If you hate it, I’d love to hear from you, because that means I have to make it better. And I want to make it better. I want it to be something you guys are going to get a lot of use from. So remember, you’re just one path away from your dream cybersecurity job. Thanks for being here, and we’ll see you next time.
Wes Shriner:
Thanks all.
Gabriel Friedla:
Thank you.
YOUR HOST:
Kip Boyle serves as virtual chief information security officer for many customers, including a professional sports team and fast-growing FinTech and AdTech companies. Over the years, Kip has built teams by interviewing hundreds of cybersecurity professionals. And now, he’s sharing his insider’s perspective with you!
YOUR CO-HOST:
Jason Dion is the lead instructor at Dion Training Solutions. Jason has been the Director of a Network and Security Operations Center and an Information Systems Officer for large organizations around the globe. He is an experienced hiring manager in the government and defense sectors.