June 05, 2024

00:46:26

Episode 260 Deep Dive: Christina Arcane | Guiding Your Cyber Champions with Cyber Risk Education

KBKAST


Show Notes

In this episode, Christina Arcane, Director from Inspire Cyber, sits down with us to discuss the crucial topic of cybersecurity awareness and training. She discusses the importance of aligning training with an organization’s brand and culture, distinguishing between cyber risk and awareness, and the challenges in effectively engaging employees in training. The conversation covers a wide range of issues, such as the need for comprehensive, personalized training, the impact of poorly executed online modules, and the critical role of engaging and effective delivery in cybersecurity training. Tune in to gain valuable insights into cybersecurity training strategies and the importance of driving behavioral change across organizations.

For her entire cyber security career, Christina has been translating cyber security concepts and providing high quality awareness and training to all roles, from the company graduates right up to the board.

With a wide range of experience across the financial services and technology industries, working with startups, SMBs and large multinational organisations, Christina has built a career at the intersection of cyber threats, risk and business objectives. In 2016 she co-founded the cyber security SaaS startup BreachAware, leading its operations right through to its acquisition in 2020. Recently she dived back into the world of entrepreneurship to reimagine security awareness offerings and provide her expertise through her new company, Inspire Cyber.


Episode Transcript

[00:00:00] Speaker A: The cybersecurity awareness and training function needs an element of marketing. We need to appeal to our audiences, have a bit of a brand that fits in with the organization's brand, have that culture and that buy-in, and not just take advantage of the fact that people have to listen to us. Like you're trying to sell to them, that they should listen to us like, you know, you're a sexy new brand and you're trying to get new customers.

[00:00:43] Speaker B: Joining me today is Christina Arcane, director from Inspire Cyber. And today we're discussing the difference between cyber risk and organization-wide cyber awareness. So, Christina, thanks for joining and welcome.

[00:00:55] Speaker A: Thank you so much for having me, KB.

[00:00:57] Speaker B: So let's start with the difference between the two, because again, I think people interchange terms out there. Sometimes people actually know what the terms mean. So I'm keen to get your thoughts on it first. That way we're all sort of, you know, singing from the same hymn book.

[00:01:11] Speaker A: Yeah, absolutely. The difference between the two, when we look at cyber risk and organization-wide cyber awareness, is really what's going to reduce incidents or the impact of incidents in the organization, and what is it? And that's because awareness is the one-way communications: hey, we exist, the topic's here, here are some tips, have a lovely day. Really lightweight, really light touch. But cyber risk is what we actually do, those habits that we have. So there's no shortage of awareness, in my opinion. Most organizations will have an awareness function. There are data breach incidents that are reported in the media with lots of top tips for families.
And, you know, you do talk about it in your families or organizations, heaps of training on it, or, sorry, I should say awareness on it. And most of us would know about phishing and scams. But why are they still the leading point of entry of cyber attacks? Why are they still so darn effective? That to me is the clear difference between when you have just received awareness versus when you actually know what cyber risk is and the things that you do to prevent it from happening.

[00:02:14] Speaker B: All right, so let's use an example on that note. So, for example, in Australia, the sun burns a lot and we get sunburnt. So the awareness is when you go out, you know, when you're a kid, it was like "no hat, no play", from memory, when I was in primary school. But it's having the knowledge then of when you do get burned, well, what do you do? Right. So that's the way I was drawing the parallels from what you were saying.

[00:02:34] Speaker A: Yeah, absolutely. And it's like, how is that sunscreen there? Like, why? How did it get into your bag? Who put it into your bag? You know, have that forethought, especially in projects. I love this message in projects because there's a lot of security embedded in projects that we don't think about before it happens. And the equivalent is, before you leave for the day to go out into the sun, you've actively thought about what's the risk, and you put the sunscreen in your bag or applied the first layer before you've left the house, and then you have it to reapply again. And in projects, this can convert to things like penetration testing. The cyber team knows penetration testing is needed. The project team might know that there are security risks as such, but everything's happening, there's lots of people involved, and at the 11th hour they're like, oh, let's talk to the cyber team. And the cyber team say, hey, there's a penetration test that's needed.
And that could be a two-week turnaround, six weeks if you look at it from discovery all the way to the mitigation techniques. And at that point, the project's success, whether it's on time and under budget, is severely at risk. So they're kind of faced with a decision there between ticking off the security boxes and putting the project at risk. And if we can identify that this was going to be a problem, that the cyber risk was going to be there at the beginning, we could have put the sunscreen in the bag earlier and not forget it at the point in which we need it. So it's things like that. I think that's actually a really good analogy, KB. I might use that again in the future.

[00:04:02] Speaker B: But why do you think people don't think about the risk? Because you're right. There's a lot of awareness, a lot of documentation that we've had in companies, a lot of these posters, a lot of stuff online. But obviously it's not getting to the point where it's sinking in around, well, I've got to actively do something about it. Why do you think that's the case?

[00:04:16] Speaker A: I think there is a disconnect between awareness and training. We do a lot of awareness, but we need to be doing more training. So awareness should be, it needs to be there, but it should be a small part of the piece, the five, what I would say, of an FTE maximum. Right. It's the training piece, the actual practice of those habits. Because cyber security is applied in so many different ways in each one of our roles. How could you possibly account for that? Unless the person is well trained in knowing how to identify, well, what is the cyber threat? Or what is it that I'm doing that's opening up a vulnerability? Did I make a mistake that could lead to a security risk? Am I creating automations that might have loopholes because of the way they're set up? You can't put that in a one-hour webinar that's designed for the whole company.
So this is where that emphasis on training needs to come in, so that we can mitigate at that point and get that practice. Do those workshops, pre-think of these things, to actually reduce the cyber risk outcomes that we're seeing everywhere and often. I think I saw the number this morning: 9,748 data breaches in 2024 globally have been reported. I don't know the specifics of how they gathered that, but already that's a huge number. Right? So we're not talking about something that's going to be really minimal impact to the organization. We're talking about training that had a huge impact and the cost that comes with it.

[00:05:41] Speaker B: Okay. I do want to get into the training side of it. However, I want to get back to the awareness for a moment, because, I mean, I've been in this space probably about a decade, and I remember, and this is part of the reason why I got into what I was doing from a different sort of perspective, is you go to all these conferences and people back then were saying, like, you know, what do you think was wrong with cyber? What's missing? It's just awareness. We need more awareness. We need awareness. Then you're sort of saying we need less awareness and more training. So, following on from the awareness side of it, why have people been so heavy about the awareness, to the point where it's like, awareness is one thing, and taking the action and de-risking yourself is another? So why have people historically been so fixated on all this awareness stuff?

[00:06:23] Speaker A: Yeah, look, it's a really good question, and I do wonder why the awareness has got the most, and maybe it's the most presentable. It's the most... You see it more than you see everything else. So, like, when you put up to the board or to an audit committee, what are you guys doing in terms of awareness and training for cybersecurity? It's very easy to say, hey, look at the twelve articles we put on the intranet.
Look at our mandatory training module that everyone has to do, the one-hour, really easy, top-level one. Look how many people filled out this optional quiz because we offered AirPods. Really tangible numbers. And what you find actually, so I've done this before, and these numbers, whilst they're great in the scheme of getting engagement from your employees, so let's say 60 employees signed up to a webinar, great, you know, 250 filled out the quiz, maybe 1,200 read the intranet article. As far as engagement goes though, the second you have, say, a 5,000-seat organization, and using that 1,200 number because that's the highest, that's 25%. So is it good enough, when our objective is to reduce cyber risk, which is based on actions, to be measuring our effort in awareness campaigns that reach such a small subset of where our problems actually stem? So when everyone's kind of looking at, oh, we can really present the awareness, I think we actually have to go undercover and start looking at how we get training, proper training, across the business and how we measure proper training across the business, which is quite hard. But then going back to a point before, the phishing emails, right, we all know about them. That's a point of entry into an organization, and awareness really only covers that point of entry most of the time, because it has to be high level, has to be suitable for everyone. But it only scratches the surface. We need to start thinking about how a cyber attack, you know, TTPs, there's multiple stages to an attack, how are we educating on those stages and how different roles can actually have an impact in those stages and not just the point of entry. So if a successful cyber attack happens, we're actually not equipping the hacker with everything that they need to get the job done. We're reducing their impact when they actually enter the organization. And this can't be done with just awareness. This has to be done with training.
And I'd love to see more emphasis on quality training in this space.

[00:08:39] Speaker B: Okay, I want to get into that, but again, I want to press on this a little bit more. So you raise a great point on the intranet, 25%. You know, and I know people are going to say, you know, security is everyone's problem. Yep, okay, totally understand that. But then equally you could say, well, you know, from a finance perspective, it's equally everyone's job to reduce costs or make money, right? But here's me, I'm not going on the intranet to look up how do I reduce costs and make more money for the business, because I'm just, you know, I'm just the cyber person. So how do you get it to the stage where you're sort of engendering that this is a thing that people should care about at the end of the day? Because the way I see it, sometimes, if you're not from a security background or tech, you're just, you know, Helen in finance, you know, paying everyone's salaries every fortnight or whatever it is. Why should I care that much?

[00:09:23] Speaker A: Yeah, absolutely. All the examples that we see, it's that whole, when it gets close to home, people take it more seriously. What's difficult about that is you also don't want to fear-monger people into caring about security. And I think we actually have to just understand that some people simply aren't going to care. That's the nature of an organization and all the different roles. Like, you're right, you don't care about finance. I've never been in finance. Finance numbers scare me. I really don't like numbers sometimes. I don't really care about numbers. And that's okay. It's okay not to care. Where we want them to care is then when we do deliver training to them and we have them in the room, and this is something we can definitely jump into a bit more, which is, you know, what does really good quality training look like? When they're in that room, they care. In that room, they're working on ways to understand how it applies to them.
So when they do come across that instance, because they understand it, they're naturally going to care that bit more to help rectify it. And that's something we see often: when you properly understand something, when you're good at something, you're more passionate about it. So we just want to take down the barriers. And I think there's still too many barriers to people understanding security because of the way we communicate it. So if we can take down that barrier, put them in a room, and I mean that in a classroom, that could be virtual as well, not necessarily in the room, but put them in a room, get them to understand truly what the concept is about, they're naturally going to start caring about it more. And that, I think, is the extent to how you get that across. And you see that with lots of different, I guess, initiatives of the business. When you're trying to get an improvement in culture in many different facets, it's when people start participating, getting their own passion for it, that you see the best results. So mirroring that sort of strategy, I would say.

[00:11:10] Speaker B: So getting back to the caring side of it. Again, now, this is important because not many people will talk about this sometimes. And again, I'm just looking at all of this objectively, is it can come across like double standards. So what I mean by that is, as an industry, we want Helen from finance to care about what we do, but we don't really care about what Helen does. So how is that fair when you look at it from a holistic perspective? Because it's like, well, we want everyone to care about asking about security. Hey, I'm all for it. I'm in cybersecurity as well. But then it's like, yeah, but I don't really care what any other department does or what's important to them. So how does that then work from a, you know, a dynamic perspective?
[00:11:46] Speaker A: Yeah, I think it's just down to teamwork, and what you've highlighted there could be the difference between when you have a very effective professional, a business professional, doesn't matter what role they're in, versus an ineffective one, which is: how are you influencing the people around you and getting their buy-in? So, of course, there's always going to be competing priorities. And I think if we have a really good risk framework and we understand what these key risks are. Now, this isn't just across security risks, this is across any kind of risk. Fraud is a risk, privacy is a risk, workplace health and safety. And if we look at all of these different things, pull them together, prioritize the impact they're all having, and tackle it from a holistic point of view. So what I mean by that is have a front door to all the risks that a business can have and educate accordingly. Each of those topics I just mentioned, usually there's a separate module when you sign up to a business, or, sorry, when you're a new employee, you'll have a different module that you have to complete in the first 45 days of starting at the company, to be educated on each of these topics. And usually the content is drafted independent of one another. And then you're like, well, privacy wants you to care about this, work health and safety wants you to care about this. But if we can bring them all together, and there's a front door to the business that's prioritized accordingly, and we as a team share the communications that we need and the content and collaborate better, then we can actually start reaching our audiences more effectively across all of them. Because I am quite a bit of an advocate, not just for security, but also for all the different topics. Fraud, I know, in many capacities in which I've worked, most cyber incidents had a fraud component, so we had to work together anyway.
So extending that relationship: when finance has a problem, help them out and they're going to help you in return. So really managing those relationships across the business to build culture as a team. I guess the bottom line there is teamwork, right? Just how we would expect it to work. A lot harder when you have large organizations, but not impossible either. It's just the way you manage it.

[00:13:50] Speaker B: Okay, I want to move over now into the training side of it. You mentioned it, but what I want to get into before that is, don't people hate training, though? Because I've been in training before and it's like, oh, three days of training, you're falling asleep, I don't care, the person that's talking is boring. You know, the guy beside me is on his phone. Like, that just is what makes me... it triggers me when I think about training.

[00:14:13] Speaker A: Absolutely. And I think you pretty much nailed it when you say it's dry and it's boring, and I want to correct this statement, too. People hate poorly delivered training, and we're seeing this more often. Training is very accessible, and that's not necessarily bad. It's not often presented by someone who is naturally, or trained to be, a really good presenter and facilitator. And that makes the difference between training that is boring, that people hate, and training that is actually engaging. And I'll give you a quick example. I was in an environment once where there was a change management lead. They had to do a rollout of a new product and they did a training presentation. It was about half an hour, and I had a slide in it because they did the right thing. They came to security and they said, you know, can you help me out? Is there a secure component? Yes, absolutely. Thanks for contacting me. Let me put something in there. And for the rest of the call, I'll be there as a support. So I'll answer any questions. Just call me if you need it.
My mindset was so clocked out of that presentation, even though I was a part of it, for the section that I wasn't presenting, that when I was called upon, I was like a deer in headlights, because all I heard was my name, and it was evident. I was really embarrassed because I had to be that person who said, I'm sorry, could you repeat the question? And I put that down to the fact that this person wasn't an inherent trainer. They're like, how hard can it be? I'll put together a presentation. I'll deliver it across the business. Everyone's going to see this presentation. But it wasn't delivered to the quality. And I'm talking back-to-basics quality: how are you actually teaching concepts? Can you teach them from the back of the room so that people can get the concepts themselves? How can you actually deliver something with that interactive element so that the training is the best quality, and then people won't hate it so much? Like, I remember the training courses I've done that I've actually enjoyed. Like, I liked the trainer. The content may have been dry, but they delivered it in an engaging way. And I remember it, right? I don't remember the ones that were really bad because they just sort of disappear in the background. So I'd like to change that narrative and get people liking training again by delivering good training and not underselling the skill set that's required to deliver good training.

[00:16:19] Speaker B: Look, I agree wholeheartedly. Now, I want to sort of go into that example a little bit more. What would you say would define someone as not a great trainer, just from your own experience and things that you've observed? Because perhaps people aren't aware that they're not a very good trainer.

[00:16:33] Speaker A: Yeah, exactly. It's like, we undersell the training skill set, so they aren't aware. They do think, how hard can it be to put it together? And to some degree it's not hard.
But what is hard is you kind of have to think about what actors and actresses go through. You know, when they're in a character, each character speaks differently, they have different tones in their voice, they have different pitches. Sometimes they do dramatic pauses. Right. This has taken me back to drama in high school, actually. But it really is implementing those sorts of techniques into a presentation so that you're communicating those concepts correctly. We've all heard of storytelling, right? We need to use storytelling more so that there's something for the audience to connect to. But that doesn't just mean having a story. It means being able to tell the story in a way that's engaging, too. So I think, whenever there's a presentation to be done, if there was a central unit, and sometimes, like, the learning and development team can help you train the trainer, but not just on the content, on the actual delivery of the training. Do a check-in, do a practice, give them tips, tell them how to present. And if you have sort of a central control unit that helps with that, then you're going to get the message out more effectively because your training is more effective.

[00:17:56] Speaker B: Do you have anything that would sort of indicate as well, like, oh, this person's not the best, in terms of, maybe they don't know the content enough, maybe they haven't practiced enough, maybe they seem nervous, maybe they are hungover that day, so it's not coming across great? I've seen all of these things, and you're right, in terms of, you know, when I'm doing these MC things, when I'm often saying to companies and clients, it's like, yeah, okay, you could just get Helen from accounts up there, but does she really know the art and the craft of doing this to get people excited, to know, you know, when something bad happens and someone falls off the stage, how to manage that?
You need to have experience to do that properly and to keep people engaged, which is hard. And I think the same sort of work in terms of the mindset is similar to what you're sort of saying on the training front. I can't really remember when I had a great experience with training. I just found it very banal.

[00:18:51] Speaker A: Yeah, I've got a good example here, actually, because one of the, I guess, arguments to this is, well, we've got to give people a chance, right? People need to present. How are they going to get better if they're not practicing? And I attended an industry day, I guess, conference day, where they had a bunch of speakers on stage and everyone did about half an hour each. And we got a lot of topics in. And it was a cyber security industry day. At the very beginning, it was vendor-backed, so the vendor managed the whole day. They had said that they have a program internally where they're improving the training and presentation of their people so that they have the opportunity to broaden their skill sets. Awesome. They didn't just put their people up on stage there, though. They went through weeks of building their presentation and working with experts so that the presentation was at the level that they wanted it to be in order to deliver on that opportunity. And I think there is sort of the key to doing this: you can give opportunity to people to present, but still ensure that the quality is there so you're not compromising the messages that you're trying to deliver. And it comes with effort. Right. If you're passionate and you want to put in the effort, you know, you're certainly passionate, maybe I'm passionate about what I do, and you wouldn't get us in front of people not trying to deliver our very best, because this is what we do.
So if we could help others do the same, or recognize any time there's a presentation that person might need a little bit of assistance to deliver, like, let's do it, let's give them that opportunity, let's train them. And this industry day really sort of brought that to my attention. I'm like, hey, this is a really great way to do it, because I don't want to leave people behind. There is so much room in this space. We need more training. I'm an advocate for more training, but for more training you need more trainers. And this is how you get more trainers. You help them, you teach them, train the trainer, but in a good way.

[00:20:37] Speaker B: So Christina, you talk a lot about going back to basics to overcome common IT obstacles. So maybe give me an example, talk me through this. Now, I ask this question because I remember, this was probably going back about, I don't know, seven years ago, and I was in the room with the CIO of a company, and he was like, you know what, KB, I'll do these trainings. But the part that gets me the most about the training is they don't say why we shouldn't do it. Just don't pick up, you know, this was back then, don't pick up a USB and plug it in. But there was no why behind it. So I'm really keen to see what you think about this and inject some of your thoughts into this, because again, everyone talks about the basics and don't do this, don't click on that link. But maybe it's still not resonating with people.

[00:21:20] Speaker A: Yeah, absolutely. And it isn't resonating when the concepts, the IT reason behind why, is missing. An example is domain names. Right. I have done workshops at a high level. So this is if you're phishing, MFA, your passwords type of situation. So that's the top level. I actually think of it like a pyramid when it comes to training on cybersecurity. So like a triangle, the bottom layer is your cybersecurity professionals.
So the technical layer. The middle layer is what I think business professionals need to understand, which is more in depth but not as deep as what cyber professionals need. And the top little triangle is literally every single citizen from the second you use a computer at, well, I was going to say twelve, but I'm going to say that kids access the Internet much earlier than that these days, all the way up to my grandfather, who's 85 and also uses a computer for his email. That's the top triangle. And in that top triangle, which is where your awareness comes in, that's your lightweight training most organizations do. A lot of people actually still don't understand how what comes after the at symbol is what determines a real email address that's legitimate from a fake one. And when I do communicate this concept and I break that down, that kind of goes hand in hand with, well, if they did click the link and they land on a webpage, how do they know that that URL at the top is the real Microsoft.com, for example, compared to something that's not Microsoft.com but looks like it? And that to me was sort of inherent knowledge. Being in the industry, I just knew, I know how to read a domain name, but so many people don't. And we sort of skip over that sometimes when we do cyber security education, and when we skip over that, well, they're not really getting the understanding that they need to mitigate that when they come up against it. Another example is the difference between saving locally to your desktop or saving to a corporate cloud with corporate files. You know, people might say, oh, I just saved it. You know, I click save. Now, where did it go? I don't know. I know OneDrive is notorious for not telling you where it saved it. When you download a file and you're like, where did it go now? But by not understanding how your work environment is set up, from sort of a really basic network structure, like, you know, this is where you should save documents,
this is the cloud, this is how it works, people could be saving documents all over the place, and when they do that, they leave them exposed to sort of hackers, when they do get in, finding them, and when they find them, they use them, and it ends up with a significant data breach or cyber incident, depending on the interests of the hacker in that instance. So there's little things like that. You know, password managers, they aren't inherently easy. I understand that. So how do we overcome that obstacle? We've got to teach them how to use it. And what are the foundations? Why are they using it in this way? If we cover those, people actually start upskilling, not just committing to memory, like you said, the what-not-to-dos or what-to-dos. They're actually understanding the background, which means they're going to remember it better.

[00:24:17] Speaker B: So would you say generally, historically, across our space, people have overlooked some of these more nuanced things that you're saying around understanding the mechanics of how things work, which maybe gets them to think about what they're doing a little bit more before they do it, for example? Why do you think people have overlooked that, though? Because when I look at this objectively, it does seem obvious. However, again, sometimes it's that forest and the trees analogy. Like when you're so close to something, it does seem obvious to you, but perhaps, you know, you need to explain things a bit more to other people.

[00:24:49] Speaker A: Yeah, absolutely. I reckon, because I've thought of this too, I think, surely, like, how have we stumbled across this understanding and not sort of seen it before? And I think it comes down to how limited the space you get in an organization to communicate security topics is, because it's such a small space. Like you only get an intranet article x amount of times. You only get communications out to the business here.
So working with what you get versus the amount of topics you have to cover, you go straight to the good stuff. You only tell employees, don't reuse your password, don't do this, do this, because you have to. They only have a certain amount of time, your employees, and you have only a certain amount of space to communicate with them. So you're going to hit the main points and nothing else. And we got so used to having to do that. That was just skirting across the underlying why. And it was really hard to go back and explain the why because we just kept working with the parameters in which you have to get information across. And that sort of leads me to why we need to not focus so much on awareness and start shifting the business to prioritizing training, which is very important. There are a few things that businesses can do to prioritize training.

[00:26:07] Speaker B: Okay, so maybe elaborate on that a little bit more, because you're right. And I think that there is enough stuff floating around there. But I'm also then curious as to how do you deliver these things effectively. So it's not just, oh, we're doing another training with Joan, and Joan's boring as hell. Like, we want to make sure that people are actually understanding this.

[00:26:23] Speaker A: Yeah. So get confident trainers is my first one. You know, either train your trainers or get confident trainers in to do sort of the classroom workshops or virtual hybrid sessions. And so the presentation and the training is the quality that you need to get communication across. So first of all, that has to be a priority there. The other thing is that those trainers need to sort of teach from the back of the room. So stop just the one-way, information-overload training and start having the, sort of, what's called students, or the audience, teach themselves based on things that you can relate to them. You can ask certain questions, you can do activities.
You know, our activities these days are simply the whole, you know, like slider. You put a word in and then there's a word cloud of everybody's words. You know, that's great, but that's just the surface of some of the activities you can do to drive a message. The other thing I'm going to say is two things. These are my favorite. These are really important. The first one is meetings. Meetings are always in the way. I cannot tell you how many courses, workshops I've delivered, sessions that people have had to leave halfway through or jump in and out or not to attend at all at the last minute because they had important meetings. But another narrative going on in the business is that, oh, we need to have meeting free days because we're too bogged down by meetings and everyone gets it. This should have been an email instead of a meeting, and yet none of that is happening. We're still in those bad habits of letting meetings run the way we work. And so as long as that's occurring and we're not empowering employees to say, hey, no, you need to be in training. This is what you're going to do. We've already got an expert trainer, so we've taken down the obstacle of it being boring. Now we need to let them know. Ditch your meeting. It's okay. I want you in this training. And a way to sort of the concept there is the sharpening of the axe. Training is the sharpening of the axe. And I'm referring to that analogy about the, the wood chopper and keeps chopping all day, but then another one keeps going for a break every hour, whatever it is. And he's like, well, how are you ahead of me when you're taking so many breaks? Because I'm sharpening. My training is sharpening the axe. So we have to give it the attention and the break that it deserves. But meetings get in the way. And so the last one is more effort into marketing. The cybersecurity awareness and training function needs an element of marketing. 
We need to appeal to our audiences, have a bit of a brand that fits in with the organization's brand, have that culture and that buy in, and not just take advantage of the fact that people have to listen to us like you're trying to sell to them, that they should listen to us like, you know, you're a sexy new brand and you're trying to get new customers, really put that marketing perspective in and look that can apply to most functions, actually, not just cybersecurity. I think everyone, if they put a little bit more into marketing, you know, their own personal brand, we might get a little further with the messages we're trying to communicate. [00:29:18] Speaker B: Okay, so there's a couple of things in there that I want to get into. I want to start with getting, like you said at the start of your conversation here around getting good trainers. So now one of the thing that gets me is when I've been in corporates before or even at conferences, and it's like, okay, everyone stand up and shake your hands around like I'm taking my niece to a Wiggles concert. It kind of feels like that. I find that personally, Christina, real cringe. So would you agree or disagree that would be a high caliber trainer? Or maybe not. [00:29:50] Speaker A: That's a hard line because it depends the context that they've done. I don't like making people dance. I think not everyone likes it. And, you know, it is feels like a bit like a widow's concert. I do see the value in circulating the blood. It's like when you're sitting at home all day and you haven't moved for a while, you know, a few hours gone past, you're working, and you have a actually got those endorphins going. The same reason why, you know, when you exercise, you have. There's so many benefits because your blood is moving. So also, like, to the clarity of your brain. So I wouldn't say, you know, if it's just, hey, out of nowhere, get up and shake, right? Not so much. But there are other ways you can do that. 
You can get people up physically to do an activity if you're in a classroom environment, right. So that if you're putting them into groups to do an activity, you know, make sure the groups are so people have to physically move across the room. Or if you're teaching a concept, does everyone have to be sitting to learn that concept? Let's go over here. I've got a poster that I pre bought, brought with me that I've designed to communicate a concept. So let's go look at it. I've put it over here at the back of the room. So let's get up, walk over to it, have a discussion around the poster, and you're sort of achieving the benefits of physically getting up and moving without the whole, you know, let's put on a wiggles routine and have a bit of a go, right. So, you know, pros and cons of such. Such a skill set, there are ways to do it that aren't so cringe because I get it. Like, we don't want to be cringe. Yeah. [00:31:13] Speaker B: And look, this is really important for me as someone who has participated in cringe worthy content before working at companies, whether it's, you know, online training, which we'll get to in a moment, but I remember explicitly working in the bank and then the GM gets out and then everyone looked around like, why are we doing this? Like it's so awkward. Or when you're at a convent's like, hey, everyone, how's your day? And then it's like, you didn't say it loud enough. I can feel the awkwardness in people sitting around me thinking, I don't want to do this. So for me, like, when I look at cringe training, for some reason, we just seem to be cringe in our space. And that's what bothers me because it actually does the opposite of what we're trying to do. It actually gets people so off cybersecurity to be like, those guys are a bunch of weirdos. There's, hey, those guys are really intelligent. The way that they did their training is intelligent as well. 
So I've found just over decade of I've been in rooms and around this type of security awareness training where I've genuinely felt embarrassed. That's the stuff that we're putting out and that we're trying to tell people to be like, hey, we're the cool kids. [00:32:23] Speaker A: Yeah. Look, I would love to hear your opinions, KB, at another time on the Apple releases and the Microsoft releases, have you seen them where the executives would get up on stage and it's like a full on concert to release the new iPhone. It's sort of that, that vibe is what I'm getting. That can be a bit cringe. You literally have on stage a whole bunch of people, very technical in nature, and they're sort of doing a dance like they're, you know, lead guitarists in a band. And there's something that I don't know, I watch them and I think I'm kind of like, cool. Like, you know, we're doing it differently, we're giving it a go. And then I'm also like, there's something about this sometimes. So I think my mood can depend on whether I'm for or against that. But cringe, cringe has its place sometimes. And the reason I say that and sort of to challenge that notion is when you have such a diverse workforce, different people, cultures, ages, demographics, sometimes that like low hanging fruit, the cringe of corporate humour because you don't want to, you know, offend too many people. You want to make sure that you're doing it respectfully. So there has to be potentially, like, a small layer of cringe that helps. But I don't. I've never been personally called cringy or cringe worthy. So I think there are other techniques you can do that aren't cringey, that actually get engagement. And I've always got really great feedback. So, you know, maybe there is a better way to do it than in stealing corporate cringe. 
[00:33:49] Speaker B: Well, I'm asking this question because I go out and I ask people on market about what they think and then whether I inject some of that into the interview that I'm running with you today, I've personally been involved with it. And, you know, even before doing our interview, I was, like, asking people on my network, like, what do you think of security awareness training? Or like, just generally people are, oh, it's cringe. It's boring. It's, you know, we're just doing it for a tick in the box. So I try to get a bit of a, you know, a rounded approach from industry to sort of see, like, what is going through people's mind and then getting someone like you to respond on that. And that was something that came up was, it's cringe. So again, these are things that we have to do better in our industry that, you know, it's getting people like you on the show to explain, hey, we haven't done this so great in the past, but this is how you can go about improving it moving forward. [00:34:37] Speaker A: I don't agree more and absolutely, like, improve it moving forward and actually acknowledge the skill for what it is and that we have to put that asset in. You know, it's cringe because we're not putting asset in the other thing as well that can help with that is the security awareness and training teams. Most organizations will limit it to one, maybe two people. You really aren't going to get quality with that many people working that function. We're trying to say that security is everyone's responsibility. We're trying to distribute cyber skill sets amongst the business, but we're limiting the team that are trying to achieve those objectives. So what's the bigger picture here? Like, we should be getting, or at least collaborating with collaborating, sorry, with more people and not just making it the sole responsibility of one, maybe two people, because that's the outcome you're going to get. So I completely agree. 
I'm all for this entire conversation, sometimes I just look on the other side as well. I think, well, what is the obstacles to achieving this? Quality training and budget management buy in all the things that are coming down from the top. So now the conversation is, well, how do we get them to see that this is not working? And if we want to reduce the costs associated with cyber incidents and get our people truly understanding it, this is what it's going to take. Quality training, more people, bit more budget, and move it up that way. [00:36:02] Speaker B: What about online training? Now, I have worked a lot with a lot of online training, and I remember when I was an internal employee in security, I was on the list for people who hadn't completed it. And the reason I hadn't completed it was it was cringe, boring, terribly executed. And then I just clicked next, next, next. And that is, that is 100% true because I didn't feel it was engaging. And so then I thought, I'm in security and I'm thinking, this is bad. Imagine what other people, institutional banking, are probably thinking of this. So I was let down by that because I invested a lot of money into this. And then I think that, you know, now people aren't really reading it or watching the little video, they're just clicking next to get through it and hoping they get a pass to get off the, you know, the normal compliant list. [00:36:48] Speaker A: Yeah, and that's, that's the problem. Right. It's a module designed for compliance, so you're never going to get take on that. I agree with you. I click through like as fast as I can for those modules. You know, not just the sidewalk, the privacy one, the fraud one. I think there's one on project frameworks as well, whatever that may be. I'm clicking through as fast as I can because they're limited to what they can communicate. And instead of trying to build these huge modules, right, you got to, like, why are they there? 
We want people to know, to be introduced to the world of cybersecurity because this is our front door to when someone starts new. We want them to start working in the ways that we work here and thinking about security. Seriously, that's number one. Number two is what we want. When order comes, we say, yeah, every single person has done training. Here's the list. Because you can actually test that. These people have done it, the logs for it, and here's the module. Read through it and it's going to make sure it ticks the boxes. You can still tick the boxes, but communicate in a much simpler way. The why shouldn't start in a compliance module at the beginning of somebody's work relationship. They should be shorter, simpler. Hey, this is who we are. Here are some of the things we'd like you to keep an eye on throughout the next six months. We're going to engage with you in other ways as well, and you tell them that in the module. So you start it like it's a relationship. You can still seek your compliance boxes and now actually start an effective relationship with the newbies in your organization and take them through a journey as they go on, where they're actually digesting those concepts that you have. And the reality about digital based security training online modules is they're needed. We have too many remote workforces that will never be in the room at the same time, even because we have too many time zones across our larger organizations, we have people who prefer to sit behind the computer and learn. They're not people who want to be in a classroom in front of people. That's too much for them. So you can still use modules to target these audiences in beneficial ways, but that everything in one module upfront that's terribly boring and people click through just to get to the end isn't the way to do it. 
[00:39:04] Speaker B: So what you're saying is you have to be a little bit more selective with the modules and then how you are distributing those across your organizations, etcetera, based on your how people learn, for example, because you're right, what I've seen in the past is just people just calling up some vendor, getting off the shelf solution, and then we're just going to implement it across x many thousands of people who all learn differently. I'm an audio person, some people aren't. They have to read stuff, they have to watch stuff. So would you say companies need to have a blend of all of the things and when I mean all of the things, actually doing it right as well, not just getting a generic off the shelf solution in order to keep the powers of the be happy. [00:39:43] Speaker A: Yes, absolutely. You want to achieve both. You will keep the powers that be happy, but you also do it effectively. And if I tell you what that looks like, because that can be really hard to find. Some people, it's have a 15 minutes cyber module, so it's so short, but even less. That just hits the main points when they start and literally introduces them to what's going to happen over the next six months. And in that six months, through that group of new starters, you distribute different types of education and communication. So this is now blending where because you have to start with awareness. They have to know that you're there. That's what I mean by it before. Like, there is still a place for awareness, but you have to shift it into training. So then, so maybe it's an email out to them within the first week saying, hey, you know, remember our training. This is our information security policy. You please have a quick look when you have a chance. You know, maybe there's an Easter egg hidden in there that we'd love or a question we'd love you to answer on it, you know, may be a little boring, but it's simple. It's one touch point. 
We haven't done it in ten different concepts with ten questions at the end all at the same time, you know, and then maybe it's two to three weeks later, we're like, hey, we've got a 15 minutes with like all the new starters from this month jump into and we're going to have a quick discussion about cybersecurity for those who aren't the fan of jumping into that 15 minutes. And it's like, hey, we've just sent you all a video and the video might be very different and engaging. And then those who preferred that video, you know, they're watching that, they're getting the message through. So drips and drabs and what I can't stress enough is it has to be a continued journey, understanding your audience and getting feedback at every point of the way and pivoting so that we're, yeah, like you said, getting something better than pleasing the powers that be. The module at the top, top of the day. [00:41:28] Speaker B: So you want to be able to give people options around, hey, here's the video verse here comes along for this training thing. And when you say continuous, what does continuous look like in your eyes? [00:41:37] Speaker A: Yeah, so in my eyes, and what's best for an organization may be two different things all the same, in the sense that in my eyes, it will have to fit the organization. So there's a degree of general advice I can give and there's a degree of, hey, I'd love to know these bits and pieces about your organization to give something more specific that would work. Yeah. But nonetheless, the generic advice that I would apply to say, well, what does it look like if we're touching base more frequently, is to have ten minute modules distributed quarterly on cybersecurity concepts that can be done in a creative way, but not necessarily like, I'm not asking like for movies. I've seen some modules where it's a movie to get across a cybersecurity message. And look, that might suit your organization. It just depends. Right. 
I've had engagements with companies that are very traditional because of the way the nature of the company. So, you know, sort of similar to your banking structures. And I've had engagements who are primarily tech companies. A completely different audience. Again, you would not communicate to a tech company audience the same way you communicate to a banking company audience, unless you're looking at the banking's tech team. It would be different, maybe more similar to the tech team. So you want to have a suite. So I would say you kind of build all your content upfront and have a suite of options, ten minute videos, quick articles, activities at the ready, and then understand your channel. And then for each of your identified groups where you can kind of bundle, what would their training personalities might be like, or how are you going to reach this audience? And that's going to be in combination of not just what their training needs are from, I prefer videos to written articles, sort of flavor, but also how is audit going to track? But you've hit the groups that you need to hit because there is a balance here, right? You want it to be engaging, you want to reduce actual cyber risk. We do also have to hit compliance and regulatory requirements. There's more and more of that happening. So once you have a full layout of all these components, it's very simple to deploy them at a schedule that's easy for your environment. Where are you injecting interest topics? If you find a really cool article that's suitable for, you know, secure developers, how are you getting it to them? So you set the framework and it's really just plugging in as you go, different components that you've already got, so that we're building that up. What's most important for me, because this is a full, rounded program, is then whether it's every month, every quarter, it depends on your workload, how many people you've got, how many people in the company, what are your target groups? 
You'd have that classroom training for those who need it most. And this could be your risk and compliance teams. Right. They're often doing a lot of cyber risk and managing the risk frameworks, but they don't have the cyber knowledge that they might need your audit teams, how they're auditing something they don't know could take a lot of time. Business analysts, project managers, developers, some of the other groups, get them in a room or hybrid, of course, virtual as well, can deliver a course like training module. So that could be unit like just the hour, get them for 2 hours, have activities and actually deliver something meaningful to that group and do that more than what we're doing it now. I don't even think some organizations correctly do that without and unsolved. This is the difference between just really lightweight training that companies would do or an online module between that and like a full two day cybersecurity course. There's an in between that we could be giving to our people, and that's where I think the sweet spot is. [00:45:10] Speaker B: So, Christina, is there any sort of closing comments or final thoughts you'd love to leave our audience with today? [00:45:16] Speaker A: I think it's just about thinking of the impact that you need your training to have. Realizing what it's going to take to get it and actually executing it is what's most important. And it really is about quality of the training. That's what we have to focus on if we want to get the reduction of real cyber risk across the organization. This is KBCast, the voice of cyber. [00:45:48] Speaker B: Thanks for tuning in. For more industry leading news and thought provoking articles, visit KBI Media to get access today. [00:45:56] Speaker A: This episode is brought to you by Mercsec, your smarter route to security talent. Mercsec's executive Search has helped enterprise organizations find the right people from around around the world since 2012. 
Their on demand talent acquisition team helps startups and midsize businesses scale faster and more efficiently. Find out [email protected] today.