Corporate Best Practices in Security Awareness and Training Programs

Lear Corporation is a leading global supplier of automotive seating systems and electrical systems. And Lear executives, staff and contractors also understand the importance of cybersecurity. CISO Earl Duby shows us how that works so well at Lear.

by / January 20, 2019

I am often asked for security case studies and best practices in a variety of cybersecurity areas. Who is doing best in whatever the cyber-topic is? Any case studies to help? How can I learn more?

One particular area that always receives plenty of attention and lots of questions is how to improve security awareness programs. Jenni Bergal recently wrote this story on cybertraining for Stateline that offers important data around phishing and mandatory training.

And government cyberpros and technology leaders often ask for more enterprisewide private-sector examples, since I speak and write about public-sector examples on an ongoing basis. Sadly, many private-sector enterprises are reluctant to share their security approaches about what they are doing “on the record.”

But I am very pleased to offer you details behind a best practice in corporate security awareness from Lear Corporation. Earl Duby, the very talented CISO at Lear, agreed to be interviewed regarding their successes and approaches to dramatically improving their enterprisewide cybersecurity culture around the world.

The Best Security Awareness Examples of 2018

Every year, I participate in a variety of live events, writing articles, webinars and other activities for National Cyber Security Awareness Month (NCSAM). Back on Oct. 31, 2018, I was invited to speak on a panel discussion at a worldwide event hosted by Lear Corp., in Michigan. Some of the pictures from the event are shown.

The event was beyond impressive and included a mix of global presentations, awareness materials and world-class cyberleaders engaging in important discussions on a range of topics. The live participants were at Lear headquarters, but Lear staff watched the event from as far away as South Africa. The topics discussed ranged from the worldwide cybertalent shortage to recent data breaches and ransomware attacks at various global organizations to the best ways to enhance an enterprise security culture. Audience questions were encouraged.

Panelists at the Lear event from left to right: Nandit Soparkar (Ubiquiti), Brian Roberts and Earl Duby (Lear), Raj Dechen (Dechen), Jon Oberheide (Duo), Dan Lohrmann (Security Mentor Inc.)

In fact, I was so impressed with the security awareness efforts happening at Lear, I asked Earl Duby if he was willing to be interviewed for a blog on their global best practices in security awareness.

Mr. Duby has an impressive security career that started at Federal-Mogul Corp., as an information security analyst, moved to Lear as the manager over network operations, moved on to Affinia Group for multiple director roles in security and compliance, moved to GE Capital as vice president of Information Security Architecture, and finally moved back to Lear as a senior security manager and now CISO.

Duby has the respect of his peers in the automotive industry and throughout the cybersecurity industry. He is a pragmatic, passionate leader who gets things done, and yet he finds the time to participate in statewide groups like InfraGard and government tabletop exercises. On a personal level, he is just a great guy to work with in so many ways.

Exclusive Interview on Security Awareness and Training Programs between Earl Duby, CISO at Lear Corp., and Dan Lohrmann

Dan Lohrmann (DL): When you arrived at Lear, what did you really like about the Lear culture? What items did you think needed improvement regarding cybersecurity?

Earl Duby (ED): Lear is a highly focused and hard-working manufacturing company. Employees at Lear will do the right thing and move mountains when needed (we once stood up an entire factory floor environment in three weeks). But they also don’t have time for fluff, so anything we do from a security perspective needs to be impactful and pragmatic. Theory and normal FUD (fear, uncertainty and doubt) tactics don’t work. I like that type of environment — it makes us work harder and think more practically about what security controls can and should be put into place.

When I joined Lear, our cybersecurity program was in its infancy and needed some improvement. We lacked a global incident response capability, and gathering insightful and meaningful data was a challenge. We have since implemented numerous upgrades and solutions that help us in the detection, investigation, and remediation processes. We have also streamlined the process for reporting simple suspicions and concerns, making it easier and more intuitive. And probably most noticeably, we redesigned our security awareness and training program and put a much bigger focus on training our employees to be extensions of our security team — re-engaging our workforce and essentially crowdsourcing security.

DL: Why was security awareness an area that you wanted to focus on?

ED: The focus on our Lear Security Awareness and Training (LSAT) program was driven by mission and necessity. On the one hand, there is little argument that most successful cyberattacks are due to human choices rather than technological failures, and attackers know this. Therefore, we felt it was our obligation to help our colleagues defend themselves, and therefore us, against these attacks. We were basically attempting to provide our teammates with digital self-defense lessons. Conversely, while the enemy is growing exponentially and benefiting from nation-state funding, it is becoming harder and harder for individual companies to keep pace in this digital arms race. We had to grow our forces without creating an exorbitant security budget. How better to do this than to enlist the thousands of employees to do just a little bit more to secure our systems and defend themselves?

DL: Can you describe the steps you have taken to improve the security culture over the past few years?

ED: Building a culture of security is not just about providing informational resources to employees. More importantly, our strategy hinges on genuine engagement of our people. We’ve modified the conventional corporate training model going beyond the normal posters and email approach to awareness. We “market” InfoSec best practices as a matter of personal importance that promotes the protection of home and family, not just Lear. Incentivized learning, gamified training modules, podcasts, animations, onsite events and activities are combined with innovative thinking to create a diverse and multi-channeled learning environment. We created an internal social media presence and inspired a volunteer group to form a community around this environment. We adopted “Challenge Coin” awards and gave them to employees who support the information security mission. Finally, we fully embraced October as “security awareness month” and went all-in with a full month of educational opportunities.

DL: Can you share any recent examples that show that Lear’s workforce is taking this security message to heart?

ED: Absolutely. Our internal Yammer social media group is strictly voluntary, and only marketed through our Security Awareness communications, yet it has grown from under 100 members to over 1,000 in just over a year. Our intranet homepage has regularly featured articles from all over the company. Most importantly, our suspicion/incident self-reporting rate has risen by over 700 percent, and click-rates on our self-phishing tests have dropped in high-risk regions by at least 4 percent and as much as 11 percent. Beyond this, the most striking sign that we are engaging employees is the number of photos they have sent us of themselves and/or their teams showing off awareness displays or proudly holding a Challenge Coin. It’s amazing to see the look of enthusiasm on so many faces from around the world.

DL: You take Cybersecurity Awareness Month very seriously, and offer global programs and challenges. Tell us about that. Why is that important to you?

ED: We just finished our second annual Security Awareness Month (SAM), and we are already planning for 2019! Our normal cadence of communications revolves around monthly, multi-channeled messaging, but October kicks it up a notch. During SAM, we put out weekly educational articles that are supported by global email broadcasts and onsite digital signage. Every computer around the world has a temporary desktop wallpaper that changes to a message driving people to our resources. We globally broadcast educational events, and incentivize attendance with vendor-sponsored giveaways. This year, site locations around the world were encouraged to print and hang large Security Awareness pledge banners where employees were encouraged to support the information security mission by signing the banner. Sites then competed for the most signatures. There’s a lot more that we do, including the creation of a special intranet hub for SAM materials, but the basic idea is a communications blitz that is varied enough that it doesn’t become noise.

SAM is important because it offers us an annual, highly focused chance to bring InfoSec education to the forefront of the organization’s activities. October is the one time a year that the entire company places a dedicated focus on digital self-defense lessons to our employees, and it offers an unparalleled opportunity to help our people understand that awareness is something they can and should take home with them.

DL: What improvements do you still want to see moving forward? Where do you see things headed as we move towards 2020?

ED: We are expanding the messaging cadence and techniques of our internal communications campaign. It is critical to keep things entertaining through variety. One big focus is on delivering our information to targeted audiences, rather than the general population of Lear employees. For example, we are starting a second monthly podcast that deals entirely with the security of product development. We are also devoting 2019 to the theme of “action.” As a result, we are going to profile specific departments or divisions, and how they might go about establishing awareness action plans unique to them.

As for where things are headed in terms of general cybersecurity at Lear, I think it is going to be increasingly important to demonstrate the ongoing value of InfoSec through increased employee engagement, such as self-reporting and phishing click-rate metrics. Additionally, we still need to deal with the basics of information security including addressing the increasing number of attacks, increasing customer requirements, and proliferation of global data privacy and data protection laws.

DL: Is there anything else you’d like to add? Please brag.

ED: I think our LSAT program has achieved something great in its multi-channeled approach. Beyond showing value through increases in self-reported suspicions and significant decreases in self-phishing click rates, we’ve demonstrated success through metrics on employee engagement, as evidenced by the number of hits for our online resources and the numbers involved with our Yammer group’s growth and activity. I feel much better knowing that the people who are at the heart of our organization, and the targets of an ever-increasing threat landscape, are getting educated and are doing so enthusiastically.

DL: I want to thank Mr. Duby for participating in this interview, which I think represents best practices for the global corporate companies that I work with at Security Mentor Inc. on a regular basis.

Well done, Lear!

I urge others in the public and private sectors to follow Lear's examples in their security awareness training program.