On Tuesday, May 5th, at 12:00 pm ET, I opened up my laptop, poured some coffee and joined hundreds of security awareness professionals at the Security Awareness Virtual Summit, 2020, hosted by Terranova Security and sponsored by Microsoft. The next 3 hours were chockfull of presentations, expert advice, a hands-on workshop and a deep dive into Terranova Security training.
Speak the language of business by using data
Brian Reed, Senior Director at Gartner kicked off the day with his keynote speech: “Three Ways to Gain Support for your Security Awareness Program.” Brian focused on a problem many security awareness professionals struggle with – how to secure executive buy-in for an organization’s security awareness program. Demonstrating ROI can be hard in the absence of standard metrics, and behavior change is difficult to measure. Brian advised professionals to “speak the language of business” translating the outcomes of security awareness programs into business outcomes and drilling down into the financial implications of improved awareness.
Later in the day, Terranova Security CISO, Theo Zafirakos also highlighted the importance of measuring total cost of breach. Designing and deploying a security awareness training will incur some cost, but if done well, it will save far more in lost productivity, remediation expense and downtime.
Storytelling is your secret superpower to boost engagement
An important takeaway from Brian’s speech was the power of storytelling in improving engagement and participation in security awareness training. Brian urged security awareness professionals to harness the power of stories to build emotional connection. Humans are hardwired to respond to stories—with elements like character, obstacle or challenge and eventual triumph. Usually, Brian said, we use a traditional crime or spy story in the realm of risk and security, but for awareness programs, and he encouraged the audience to think outside the box and experiment with adventure or humorous narratives to increase engagement.
Adopt an Attacker mindset through phish simulation to detect and quantify risk
Microsoft PM Lead, @Brandon Koeller discussed the importance of simulated phishing to your training program. As Brandon said, “Phishing is THE risk, capital T-H-E” when it comes to people.
Using phish simulations that accurately simulate your threat environment will help you establish a baseline of awareness, detect vulnerable users, quantify behavior change, and demonstrate the effectiveness of training. Koeller reminded us that as security professionals we tend to inhabit a defender mindset but to truly prepare and protect your employees, you need to inhabit an attacker mindset. Phish simulation that mimics real threats in your environment – using context-specific lures and the types of emails most likely to land in your employees’ inboxes.
The expert panel, featuring Lise Lapointe, CEO of Terranova Security, Erin Csonaki and Blythe Price, Program Managers for CyberSecurity Awareness and Education at Microsoft and Bill Dunnion, Director of the Cyber Resilience Office at Calian highlighted the organizational behavior axis of security awareness – they reminded listeners that their security awareness programs are not merely compliance checklists but a key component of security culture. They urged the audience to frame security awareness training as a key tool in elevating the importance of security and cyber hygiene in the minds of their employees.
If you missed out on signing up for the virtual summit and want to catch up on the learning, best practices, tips and advice, you’re in luck. The recorded Virtual Summit is available to watch here
Let us know what you think in the comments!