author photo
By Bruce Sussman
Mon | Apr 8, 2019 | 10:41 AM PDT

Mitch Parker describes the battle to build the human firewall as a competition with everything else organizations are doing. In the case of Indiana University Health, that includes taking care of those who are sick.

“We have competition with other parts of the organization when it comes to training, and realistically, we don’t have much time for it. That forces us to be very focused in our training because there is no time to waste.”

Parker is Executive Director of Information Security and Compliance at the organization. He kicked off the SecureWorld web conference, available to watch on demand, Human Firewalls: Fact or Fiction? 

Security awareness like a PR team

Parker says the focused security awareness training effort and the messaging around it has really paid off.

“We had everyone, including the CEO, buying into what we were doing. We considered that a big win for us. We take an approach like a PR team. We make it relevant."

That includes focusing on where employees are, which means mobile device security and awareness is a priority. And he says his team is always reachable. "People don’t want to file tickets. They want to talk to someone. You have to show empathy, you have to be personable. I cannot emphasize it enough: always have excellent customer service."

Parker also explained how his organization factors in things like alarm fatigue, 2FA, firewalls, endpoint security, and isolation technologies. 

What security awareness is not

The second presenter on the Human Firewall webinar is Dominick Frazier, Security Awareness Program Manager at Cerner Corporation.

Cerner has more than 29,000 associates in 23 countries, with security awareness team members who provide 24/7 awareness coverage for the organization.

He started by talking about what security awareness is not.


“It’s all about prevention? No, I abhor that statement; it’s not about prevention. It’s about being proactive, and a security awareness program is worth its salt when it is being proactive.”

Security awareness metrics

He also gave an overview of metrics you should be using to measure your security awareness program and its maturity, and getting strategic can carry you past "metric malaise."


For example:

A Compliance metric is: "Primary training is when people are taught all awareness material for the first time or in a single sitting, usually through online computer-based training (CBT) or on-site workshops."

A Strategic security awareness metric is more like this: "As your workforce better understands the policies and behaviors they are supposed to follow, the number of data loss incidents should fall."

Frazier also shared how security teams and awareness efforts need to reconsider the messaging around what teams are doing.

"We don’t necessarily get to come in and celebrate successes. We need to shift the narrative to being more positive. How many threats were stopped in a given time frame?”

And when it comes to stopping threats, Erich Kron, Security Awareness Advocate at KnowBe4, explained why a relevant and measured security awareness program is critical for every organization.

“We have to understand what is at stake here. We know that 91% of malicious data breaches start with a spear phishing email attack. It’s how they get in."

Emotions cybercriminals use in phishing attacks

During the web conference, he suggested telling all employees to check their emotions. “If an email comes in and it triggers an emotional reaction—you should step back. That should be a red flag.” He puts the emotional pull of phishing emails into these primary categories:

•  Greed
•  Urgency
•  Curiosity
•  Fear
•  Self Interest
•  Helpfulness

And Kron is also sharing the strategic approach to security awareness that is proven to work. It involves baseline testing, training of users, phishing users, and analyzing the results to continuously improve and demonstrate ROI to the business.


Says Kron, "We can help employees understand what they’re up against. They are called ‘bad actors,’ but they very good at what they’re doing, and that’s why billions of dollars each year are going out the door."

For more information on developing and measuring your security awareness program, check out the SecureWorld web conference, available on demand, Human Firewalls: Fact or Fiction? It is complimentary, you'll earn CPE credits, and you will learn from those with decades of experience in cybersecurity.