
How to Get Employees to Care About Security

Want a security awareness program that sticks? Make it fun and personal -- and offer free lunch.

RSA CONFERENCE 2021 — If you're a security leader looking to improve your organization's defensive posture, ask your human resources chief to have coffee. It worked for Steve Luczynski.

Steve Luczynski, currently the lead for the COVID Task Force at the Cybersecurity and Infrastructure Security Agency, told the story of how a coffee talk led to markedly improved security awareness when he was a new CISO working for a previous employer — a company he refers to as "well-established" but with just OK security. There was still plenty of work to do.

"What wasn't fully developed was a security program," he says. "People didn't understand their role and importance they played."

His mandate was to get an enhanced security program in place — and quickly. Luczynski soon began chatting with Valerie Utsey, currently chief human resources officer with T-Rex Solutions, and she suggested ways he could introduce culture to his program. While he had already added some security awareness changes, like monthly training instead of yearly, Utsey saw room for improvement.

"Many employees were still responding the same way they always do with something that takes time out of day-to-day duties," she says. "I thought Steve might learn from my experience developing corporate culture."

In their session at RSA, titled "Partnering with HR to Build a Culture of Cybersecurity," Luczynski and Utsey laid out how they worked together to make security more personal and meaningful to employees. The goal was to move security training and awareness from a process to an embedded part of daily corporate culture — a task Utsey felt could be accomplished only through collaboration.

"He had a heavy, unsteady thing he was trying to move on his own," she says. "Regardless of the size of company, look to people you can partner with to further your cause."

Some of the new initiatives put in place by the two included getting employees started with security right at the outset of onboarding. Rather than a forced, 60-minute security training video and test, Utsey started inviting Luczynski to speak to new hires in person at orientation. The two also started partnering on lunch-and-learn security events. While free lunch never hurts, Utsey says it's the fun atmosphere and friendly competitions that keep employees engaged, interested, and motivated to learn.

The payoff was measurable. The company saw, for example, phishing click rates go from 30% to below 3% — and stay there. Luczynski also notes he found employees were compliant about taking their training monthly and that repeat offenders — those employees who had clicked repeatedly on bad links in the past — improved and were no longer falling for phishing bait.

Employees Are Your Best Asset in Security
Another session in the Human Element track at this year's RSA Conference echoes many of the lessons from Utsey and Luczynski. That is, security training needs to be frequent, personal, interesting, and engaging — and it takes time to accomplish all of those things in an awareness program. Great levels of awareness won't happen overnight.

In "Leveraging Human Risk Data to Strengthen Cyber Resiliency," speakers Masha Sedova, co-founder of Elevate Security, and Michelle Valdez, chief information security officer of OneMain Financial, discussed the transformation at OMF to a shift-left style of security awareness and an overall strategy that Valdez describes as "defending forward."

"If you invest in educating your employees and taking time to teach them about good security decisions, you start to see a value add," says Valdez. "We are now starting to spend more of our time on tuning and tooling so we can defend forward and less time cleaning up."

Valdez says the way to defend forward is based on multiple components that aim to get in front of the chain of events that occur when an employee makes a poor security decision. They are:

  • Understand your human risk at an individual and org level. What good and bad security decisions are your employees making?
  • For areas of strength: Reinforce and spotlight good performance to create a positive security culture.
  • For areas of improvement: Give tailored guidance on what employees need to do better and why.
  • Adjust controls and security tools based on individual areas of risk.

"Take time to understand the risk employees are introducing to your environment, both at an individual level and a team level."

Valdez says that with that information, security leaders can focus efforts on rewarding good behavior and correcting bad behavior with targeted training. "Targeted" is the key word, as the presentation also suggested gathering data that breaks down risky behavior by department and offering training specific to each team if needed.

Left unaddressed, employees will continue to be what the talk referred to as the "shifting sand" in security defense. When given personal and proper training, they can be the security team's greatest asset in defense.

"This is one of the most critical areas for innovating in security today," says Sedova.

While many security leaders may feel employees are the biggest risk to an organization, Valdez advises flipping that script around. "If you take the time to help them understand what their role is in helping to protect the company and how everything they do on a daily basis can make a difference, that can transform a company to have a strong, cyber-resilient workforce."