What’s the difference between good security and good compliance? In our recent webinar on security awareness training, Curricula’s CEO, Nick Santora, and Brad Thies, Founder and President at BARR Advisory, sat down to discuss how to teach employees to actually defend themselves, beyond checking the box for a compliance audit.
To sum it up: good security can equal compliance, but simply trying to meet compliance audit requirements will never guarantee security. Let’s dive deeper, or replay the webinar below.
Why do organizations invest in security awareness?
Before our webinar, Nick took to LinkedIn to survey his online community. He asked, ‘What do you think is the reason why companies adopt a security awareness program?’ The results were slightly disconcerting.
Only 7% of survey respondents said they were proactively doing security awareness training for employees; most said it was an obligation to a vendor or for compliance, and most of the remainder said they’d recently been hacked! Either way, neither is a good way to start building a culture of cybersecurity.
“There’s such a human element and risk component to security,” Brad said after Nick shared the results. “How do we flip the script to make our employees feel empowered to share this information instead of thinking it’s only for compliance?”
Nick also searched Twitter to see how IT people get ridiculed for their phishing tests and security awareness programs.
“Clearly you can see how this resonates that employees go out of their way to write public comments about how silly they think phishing training is,” Nick explained. “It isn’t just to check a box, and if that’s your only motive, we’ve got to start over again.”
There’s no CISO in the world who doesn’t want to improve their cybersecurity program. Ultimately, we want to change the long-term behavior of employees so they understand it’s not IT versus employees, but everyone defending against the real bad guys: cyber criminals trying to hack you.
“We’re all on the same team when it comes to security issues,” Brad said. “Changing long-term behavior is about visibility into the enterprise. The team the CISO has reporting to them can’t be in full control of this; everyone needs to have a security role, whether you’re in accounting, marketing, or whatever your position.”
Nick agreed, saying that building trust and a culture of security awareness is all about the actions we want employees to exhibit. It should be about getting employees to work together to fight the bigger dangers out there.
“The best security programs are the ones sharing that motivation among employees, to catch the hackers before they do all the damage,” Nick said.
We can all become cybersecurity heroes by doing our part to protect each other. Brad discussed how we need to encourage and recognize good behavior, such as employees raising their hand when they spot something suspicious. It’s about building a culture of sharing information and being transparent with partners.
You can’t ‘win’ security awareness
It’s an endless game. As Nick put it, you can’t win security awareness, and you don’t ‘beat’ a SOC 2 audit. If you come in with that mindset, you’ll never win.
Brad agreed that it’s not just HR’s or the CISO’s responsibility to check that employees took the training; it’s a communications issue. Marketing should be involved to make this a company-wide initiative and to make sure it’s aligned with your company’s objectives.
Nick shared how we’ve got to think about how to influence people. That doesn’t come from words on a slide; organizations have to put in the effort if they want the results that come with good security. “We have to literally get people hooked,” Nick said.
There’s a risk/reward trade-off to running phishing tests and simulated phishing training for employees. “We have to run phishing tests on our employees to know how much we’re at risk,” Nick said. “If we don’t have a baseline, we don’t know our risk of getting hacked. It’s important to talk about how we approach phishing simulations – it’s a behavioral approach to build progress on defending against phishing attacks.”
Brad discussed how it’s not only about the mechanism but also about the outcome. “We’ve had organizations treat security awareness like a compliance exercise with a KPI of phishing attempts,” he explained. “But you can’t look at it only through metrics. You have to look at the context of how that person felt when they clicked that link. You have to take that feeling and empower that employee to be the extension of your security team.”
So how do we make security awareness training fun beyond checking the box for compliance?
Compliance never equals security, but good security can equal good compliance. Whether it’s a SOC report or mapping to ISO, it’s a lot easier to address those items from a compliance standpoint if you start with security.
And Curricula is here to help make your security awareness training fun! Let’s go beyond checking the box to build a culture of security for your organization.