Earlier this month, Ira Winkler, who is a global security expert and industry thought leader, the former ISSA president, and someone I personally respect and enjoy listening to at cybersecurity conferences, wrote a thought-provoking article for Dark Reading titled: The Fundamental Flaw in Security Awareness Programs.
As you read through his article (and please read his article), you immediately see many points that are not only true, but also clearly the work of someone who has studied this topic and offers years of pragmatic experience with the good, the bad and the ugly offered by various security awareness programs. Winkler has shared dozens of interesting security war stories over the years, and he certainly knows what he’s talking about on many cybersecurity topics — including this one.
Here are a few of the key points that Winkler makes that are, in my opinion, “spot on” (as my English friends “across the pond” would say) regarding security awareness programs:
- “Companies (often) buy off-the-shelf materials, which show people different tricks and offer general advice.”
- “Videos try to be funny, which makes them slightly more memorable, but that's independent of effectiveness.”
- “The off-the-shelf materials are not specific to the company and merely provide best practices.”
- Common W-2 phishing scams (and other ‘whaling tricks’) are generally not covered.
- Security managers are (often) afraid to get involved in specific business processes.
- Business processes should not be left up to individual employees to decide, if you want a secure result.
In a LinkedIn comment when the article was posted, I replied that I agree with many of the criticisms offered. However, I disagreed with other parts and would elaborate in a (hopefully thoughtful) blog response.
So here is my "don't miss the forest for the trees" analogy. Most of all, I am concerned with the general reader’s response to this article. In reply, what do readers need to know about the positive benefits offered by customized, focused, effective security awareness training programs? Or, as Paul Harvey used to ask, “What is the rest of the story?”
Contrarian: What’s Wrong with the Winkler Article?
To start, what’s the problem? Why did I feel the need to write this blog rebuttal and replace the word “flaw” with the word “STRENGTH” in all caps — while adding the word "effective" into the sentence? Allow me to explain.
The bold, secondary title and the first paragraph of the Winkler article say this: “It’s a ridiculous business decision to rely on the discretion of a minimally trained user to thwart a highly skilled sociopath, financially motivated criminal, or nation-state.
Most security awareness programs are at best gimmicks that will statistically fail at their goal. They intend to educate people so that they can make better decisions regarding how to behave or whether they are being conned. The programs intend to get people to think so that they eventually will behave better. This will at best achieve basic results.”
Response — So security awareness programs are “at best gimmicks that will statistically fail?” Really?
So should we just cancel all security awareness programs right now and be done with it?
How about bringing in cutting-edge robots or AI to replace all our workers as we head toward 2020?
I don’t think so (more on this below).
Winkler is correct that we cannot rely (alone, without help) on a “minimally trained user to thwart a highly skilled sociopath, financially motivated criminal, or nation-state.” But are public- and private-sector organizations truly doing that? I certainly expect enterprises to deploy defense-in-depth security techniques. Just as soldiers in the army are equipped with a wide variety of weapons to get their jobs done, so smart enterprises need many components to implement effective cybersecurity defenses.
Remember, those same soldiers must be trained and provided the needed guidance to get the job done right with their high-tech tools.
People Present the No. 1 Cyber Challenge and Offer the No. 1 Cyber Solution
Or, as I have written before, can we take people out of Internet of Things (IoT) Security?
I am absolutely convinced this is a huge (and unworkable) mistake. As I said last December, we will always have people, processes and technology — with the people piece being the hardest part. Sadly, many are making this case — promising "technology-only" solutions. This is a false choice used to sell products that still rely on people.
One (harmful) take-away (corollary) might be to eliminate people from the cyberdefense budget.
Here’s an excerpt from that article:
“The HBR [Harvard Business Review] article by Yevgeny Dibrov appears to offer an attractive answer because it promises IoT security solutions without the very hard-to-change enterprise security culture. It offers a false hope by eliminating “reliance on a human-based strategy” and offering better security with a perfect technology-driven, or bolt-on tech solution, for all IoT devices. Managers imagine saving significant money by reducing the time required for staff to be trained and/or understand and implement appropriate (and secure) business processes with innovative technology. …”
No doubt, that blog was addressing IoT security and not the business processes that Winkler covers. However, the same principles apply to all connected devices.
A Better Security Awareness Answer
So my No. 1 concern (problem with the Winkler article) is that some will read the headline, and perhaps the first two paragraphs, and stop and “throw the baby out with the bath water.” That is, just read the beginning, agree that there is a fatal flaw in all security awareness programs (not reading the rest of his excellent analysis), and never start a program. Or, others might be tempted to eliminate their security awareness program because they become convinced that all such programs are ineffective gimmicks.
(Side note to remember: A significant percentage of security articles use similar clickbait to get attention and overstate a premise up front. This is good at getting attention, but not necessarily the best way to encourage needed reform.)
What is a better answer? Implement an effective security awareness program that addresses Winkler’s concerns, is personalized for your specific business processes and changes employee behavior (and culture). Build a program that is brief, frequent and focused on real security issues that matter. As I have written many times, general-purpose videos or “Death-by-PowerPoint” slides that are repeated over and over and only "check the compliance box" are a waste of time — as Winkler points out.
In addition, awareness programs should not focus on punishing employees who make mistakes. In a healthy security culture, all front-line staff are proactively well trained on information and physical security, know what to do (and not do), where to report incidents, when to ask for help, who to contact and how to work together effectively. Staff have a good relationship with the security team — because the cyberpros are helpful. There is not an “us vs. them” problem.
I want to keep specific product features and comparisons out of this discussion, but several companies, such as Security Mentor, offer meaningful security content that is customized to the business and constantly updated in positive ways to meet (and enhance) the security culture. Understanding risk (by all staff) in various scenarios is an important component of this security relationship. Security awareness training can be a positive bridge to start meaningful conversations to enhance business projects, integrate streamlined processes and apply appropriate technology.
Second — Winkler is right that business processes must be properly addressed. Managers do need to understand the root security weaknesses and specifically address potential process vulnerabilities. This is what audit findings are all about with material and reportable weaknesses. Security awareness needs to be constantly updated to address current threats. Targeted security training for different roles and audiences, as described by the NIST guidance, is an essential element.
But going down the list, employees can also learn by practicing the right behaviors. Phishing simulations, gamification (game-based learning) and interactive content that challenges the status quo and tests staff responses in different situations are key.
So my second response is that enterprises need to be constantly upgrading skills, just as we upgrade our smartphones, databases, cloud architectures, security infrastructure and other technology tools and apps.
Culture Change: The Fundamental STRENGTH in EFFECTIVE Security Awareness Programs
And last but certainly not least, let’s discuss positive benefits.
The fundamental STRENGTH in EFFECTIVE security awareness programs is that they offer a key component to ongoing security culture change. Just as people eat right and exercise to stay physically healthy, staff can become more security minded within business areas to develop healthy cyber etiquette habits.
Of course, we want our staff to understand the core processes, required security actions and responsibilities within the business function they are accountable for. They must take appropriate security steps, such as identifying phishing attempts (not just email phishing links but in every channel, such as phone, text message, social media or fax) and not "taking the bait."
But we also want them to think for themselves, outside the box, when appropriate.
What does that look like? Report suspicious things, see something — say something — without fear. Develop the disciplines and skills to know and understand what "normal" looks like and what an anomaly looks like. We want to enable them to do amazing new things and also innovate on the job when the opportunity arises.
Think. Don’t just give a list of do’s and don’ts — because the bad actors will get your "secret" list and modify their cyberattacks — avoiding items on the list.
Yes — cybersecurity is a moving target, and we all need to be constantly improving. As I discussed in previous blogs, cyberdefense teams can help explain data breaches using football and other sports analogies. There is an offense and a defense, and we need to be prepared to quickly adapt to what is happening on the ground to be able to stay in the game.
Another aspect of strengthening cyberskills is regular practice. We all improve at the things we do over and over again. For example: In football, quarterbacks throw a fade pass to wide receivers hundreds of times in practice each week so they can complete the pass just once on weekends.
I want to end by reiterating that I highly respect Ira Winkler, and he raises valid flaws in his security awareness program article. Read as a whole, his analysis is an indictment of poor security awareness programs.
But pick any single security “black box” solution, and most security experts can offer a similar analysis. No doubt, security awareness programs are not a “one pill cures every security disease” type answer. Effective security awareness programs are just one piece of a much wider security program with management buy-in being another key success factor.
Nevertheless, with spear-phishing attacks now confirmed as a tool used by the Russian military to interfere in the U.S. political process, and with ransomware and other malware coming in through social media attacks all the time, effective security awareness programs remain a vital part of top cybersecurity programs in the public and private sector.
True, there are real weaknesses in security awareness programs to watch out for. But these faults can be overcome or avoided in an effective security awareness program built on best practices that are a part of a comprehensive, enterprise security program.
Simply stated: These problems are NOT fatal flaws.
The fundamental STRENGTH in effective security awareness programs is that they can mitigate specific cyber- and physical threats while strengthening and enhancing your culture of security.