As you may have gathered here on The Relativity Blog or out in the field, security awareness and building a strong security culture is a huge passion for me. I believe the people in our organization are the strongest link in the chain of everything we do in security. But getting to that epiphany didn’t happen overnight.
In August 2022, I had the distinct honor of being the keynote speaker at the annual SANS Security Awareness Summit on the topic of “Jumping the Security Awareness S-Curve”—with the help of our friends from Back to the Future.
During the summit, I shared that it took years of digging, fact finding, learning from my mistakes, and leaning into my past experiences as an archaeologist to make “the jump” into building a hyper-performant security awareness program that operates in hyper-speed. After all, in our careers, business strategies, and life in general, as Doc Brown famously said in Back to the Future: “The future isn’t written. It can be changed.”
In service of building a more secure future for your organization, here are three things you can do to make the jump into a security awareness program that changes your team for the better.
Start Slow to Move Fast
Building a DeLorean, or Rome, or a good security awareness program, doesn’t happen in a day. Building a time machine that jumpstarts your security awareness program into the future requires digging into your company’s past—in what did and did not work when it comes to cultural changes, program rollouts, strategy—to get a clear picture of how your people react and respond to change. You’re looking for insight into how you should tailor your security awareness program to meet these current cultural needs, and then transform this culture into something even better 12, 18, or 24 months down the road.
This type of transformational change requires both time and buy-in, from employees and executives. One way to earn that buy-in is to create a strong vision for your program—articulated in a way people will follow, respect, and understand—and reiterate that vision through consistent messaging via channels like all hands meetings, Slack, emails, and trainings.
Once you’ve plotted your course, you need someone to lead you there. It’s up to the chief security officer, if you have one, to find your team’s Doc Brown. This should be someone who is curious, ambitious, and ready to fail fast in the pursuit of progress. You need to find someone on your team who “embraces the crazy” of the cybersecurity space and can come up with human-inspired solutions that uniquely solve the problems presented by the rigidity of the bots and machine learning techniques used by threat actors. Going through this search process thoughtfully allows you to embrace the diversity and different personalities of your team. Once you find your Doc, you can start to pick up the pace.
Move Faster with PPT
The proper implementation and elevation of the People Process Technology or PPT Framework is an integral part of building a strong security program. This is how so many of us approach our security programs and it feels like a common, comforting language when we say these words. But is it the best way to approach a future-facing security awareness program?
While the need for good, well-utilized tech remains the same, I propose a change to the two Ps. Instead of simply People and Process, I find that we generate more meaning in our security awareness program by diving one step deeper and focusing on the psychology and data science more specifically. Making these shifts allows us to better measure human risk and target behavioral change within our organizations.
Thankfully, psychology and data science work together seamlessly when it comes to building a robust security awareness program. To start, you need to uncover and analyze the behavioral data of your org to see who is low risk and who is high risk. One easy way of doing this is seeing who frequently fails or succeeds in standard phishing simulations and tailoring security awareness trainings based off the results.
Another area to look at is who actively engages or comments on security awareness content on Slack, email, or in company-wide meetings. Is the interaction negative, skeptical, optimistic? This will help identify your security champions (those knowledgeable and invested in your program), your followers (those who follow the rules and do the right thing), and your skeptics or late adopters (those who question why you’re investing time and resources into this). I’ve found that this distribution often shapes out as a bell curve, with champions on one end and skeptics on the other.
Security champions are those who you go to first with new security awareness tactics and initiatives. They are your first line of defense and your best chance at ensuring widespread adoption of your program. The skeptics or late adopters are those who rebel against new ideas or thinking—but there is value to this resistance.
Bringing skeptics into the fold, listening to their comments, and adopting their feedback to better suit the needs of your org’s security culture will go a long way in ensuring those who are most skeptical turn into some of your most loyal security awareness folks. You need to approach both groups differently—through proper use of psychology and data science—to ensure your security awareness program stands the test of time.
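As an added illustration of the data-science side described above (phishing simulation outcomes plus engagement sentiment, bucketed into low/medium/high risk and into champions, followers and skeptics), here is a small script. It is example code written for this post, not Relativity's tooling; the employee records, the sentiment scores and the threshold values are all constructed assumptions.

```python
"""Segment employees from phishing-simulation and engagement signals.
Added example, not Relativity's tooling; all records are constructed."""
from collections import Counter
from dataclasses import dataclass

# One row per simulated phish sent (constructed): reported / clicked / ignored.
SIM_RESULTS = [
    ("alice", "reported"), ("alice", "reported"), ("alice", "ignored"),
    ("bob", "clicked"), ("bob", "clicked"), ("bob", "ignored"),
    ("carol", "ignored"), ("carol", "reported"), ("carol", "ignored"),
    ("dave", "clicked"), ("dave", "reported"), ("dave", "ignored"),
]
# Sentiment of each comment on awareness content: -1, 0 or +1 (constructed).
ENGAGEMENT = {"alice": [1, 1], "bob": [-1], "carol": [], "dave": [-1, 0]}

@dataclass
class Profile:
    name: str
    click_rate: float   # share of lures clicked
    report_rate: float  # share of lures reported to security
    sentiment: float    # mean comment sentiment, 0.0 if silent
    risk: str           # low / medium / high
    segment: str        # champion / follower / skeptic

def build_profiles(sim_results=SIM_RESULTS, engagement=ENGAGEMENT):
    """One Profile per employee who received at least one simulation."""
    outcomes = {}
    for name, outcome in sim_results:
        outcomes.setdefault(name, []).append(outcome)
    profiles = {}
    for name, seen in outcomes.items():
        clicks = seen.count("clicked") / len(seen)
        reports = seen.count("reported") / len(seen)
        comments = engagement.get(name, [])
        tone = sum(comments) / len(comments) if comments else 0.0
        # Risk follows click behaviour; thresholds are illustrative.
        risk = "high" if clicks >= 0.5 else "medium" if clicks > 0 else "low"
        # Champions report lures and engage positively; skeptics push back; rest follow.
        if reports >= 0.5 and tone > 0:
            segment = "champion"
        elif tone < 0:
            segment = "skeptic"
        else:
            segment = "follower"
        profiles[name] = Profile(name, clicks, reports, tone, risk, segment)
    return profiles

def segment_counts(profiles):
    """How the org is distributed across the three groups."""
    return Counter(p.segment for p in profiles.values())
```

The risk tier tells you who needs targeted training; the segment tells you who to approach first with a new initiative and whose feedback to go and collect.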
Staying in Hyper-Speed
Now, fast forward a bit: what happens when you have this all in place? When you have your security champions engaged, your security skeptics advised, and a lot of success in measuring and responding to both low- and high-risk behaviors? Well then—you jump to the next, future-facing phase of the program, where you focus on making every employee feel like a champion. That is where we are today at Relativity.
One easy way we’re doing this here is through the continuous building of a culture of security advocacy. This culture comes to life when our employees feel empowered, both through training and from the support they feel from the security team. We want to help them feel confident to not only properly respond to employee-level threats, but to flag and elevate these threats to our team through enabled phishing tools to help ensure that other employees don’t fall victim. It’s taking the time-honored saying of “if you see something, say something” to the max, and it works.
Next, you need to continue to build positivity and confidence in your security awareness program by showing that it actually … well, works. You need to continually shout the positive results from the communication rooftops of your org and ensure that your employees feel validated in the work—even if it’s just a click of a button—in keeping your fortress secure. A simple thank you or Slack shoutout goes a long way.
And lastly—and this may be difficult to hear for techies—you do have to leverage real-time marketing skills. If you can’t sell this, you won’t get this. If you can’t create tailored alerts or content that highlights the latest threats facing your org, you won’t be successful. And it starts with what all great salespeople start with: belief in your team, in your program, and in your people. You need to believe in what you are doing, and where you are going.
Putting all of this together with a neat little bow isn’t easy. Moving fast and creating meaningful change in your organization never is. But when done correctly—when you let the data decide, trust your people, and present a clear purpose to the business—you can create a security awareness program built for the future that puts all of your employees in the driver’s seat.
To sum it up in the famous words of Doc Brown: “Your future hasn’t been written yet. No one’s has. Your future is whatever you make it. So make it a good one.”