author photo
By Bruce Sussman
Mon | Oct 28, 2019 | 6:30 AM PDT

Some people call Dale Zabriskie "Dr. Z" because when it comes to understanding security awareness best practices, he can fix you right up.

In our ongoing series of Behind the Scenes reports, we go behind the happenings of the Proofpoint Security Awareness Road Show, which Zabriskie is leading across North America.

Security awareness best practices: what experts are seeing

Zabriskie not only talks about security awareness best practices at these roadshow events, he also listens intently to hundreds of customers.

They share about their programs and help answer questions many Security Awareness Program Managers and CISOs are asking. Things such as:

  • Are there common challenges companies have, regardless of size, in implementing security awareness programs?
  • How are companies expanding their security awareness programs beyond phishing simulations to include more training of end-users?
  • What are companies doing to address "serial clickers" or end-users who refuse to take training modules?
  • What's the best metric to measure the "health" of a security awareness program?

SecureWorld used our time with Dale Zabriskie to ask these very questions. Watch our complete interview or see excerpts from the interview below:

FAQ: What are common challenges companies have implementing security awareness programs?

It's a great question, and when it comes to the challenges, they're on two sides. You have stakeholders like program managers trying to support and show their advocacy for their program. And because there aren't regulations behind it, they're not clear policies behind it. You know, what is successful? It can really be quite subjective for different organizations.

So everybody's kind of challenged on how do I present, you know, the value of this program that I'm running. And that's going to vary based on lots of influences, because you're going to have some organizations that are large and mature and they put a lot of resources behind it.

And then you've got maybe smaller organizations that are trying to figure out the best way to make it happen, don't have a big budget for it, and maybe aren't convinced that it's really beneficial. So being able to report and to say, you know, here's how we're moving the needle is something that everybody really does struggle with.

If I can use a good old adage of "clowns to the left of me, jokers to the right, here I am stuck in the middle."

And not that I'm saying who's a clown and who's a joker. But basically, you know, they've got these influences, and they kind of do feel in the middle because they're serving both the stakeholders business interest, but at the same time, they've got to be good marketers and to support the users and show that there's value and encourage them to be engaged.

FAQ: How are companies expanding their security awareness programs beyond phishing simulation to include more training of users?

The general evolution of programs is that most groups are starting with fishing simulation because it is something they can do. Even if they're a small group and they just want to create some phishing emails and send them out to their users. You can create a manual system to make that kind of happen.

The flip side of that is click rates. Everybody wants to get click rates down, don't click on the bad stuff. We hear that all the time. And so that's a starting point for a lot of organizations.

The point that I really drive home in the roadshow is that it's a three-legged stool. Basically, you've got fishing simulation, you have education, you've got training, but then you also have an assessment and knowledge assessment component that really helps the organization do the right things.

The idea of cybersecurity training though has to be evangelized within an organization. Because, hey, I've been using a computer my life. Why do I need to be trained on this stuff?

The things that an organization learns from their phishing simulations need to be coupled with knowledge assessments so that you know what your users know, and more importantly, what they don't know. Let's say that you are implementing, trying to drive home a password policy. Let's do an assessment and see how well our people understand password and creation of passwords.

When you couple the data that you get from both a fishing simulation, and from a knowledge assessment, that really helps drives what you train on.

Click rates are only giving you a sliver. If you're going to have a secure environment, and you're going to change behavior, you've got to use those components to build a program that relates specifically to your organization. And that helps you create value for the end-user.

FAQ: What are companies doing to address 'serial clickers' or end-users who refuse to take security awareness training modules?

We  will have 13 total road shows in 2019. And it's a really fun time to talk with people because this becomes really emotional for people.

And you know what I tell them?  I say,  Jesus said the poor will always be with you. And I said, well, your serial clickers will always be with you. Basically, it's kind of like that. We just have to accept that it's going to be there.

Problem children is a very politically correct name. But however they want to label it, they will have the manager consult with them. That's very common. They'll sit down and say, hey, I need you to think about this, I need you to be more aware. And look at these things. You're clicking on these too much and I know you're interested in it, but the better way is to report it right?

Access to systems is another step that a lot of organizations will take for serious situations. Because you think about it, right?

If you want to drive a car, you have to be at a certain age, you have to be able to see, to a certain extent, you have to take a test both written and perform certain skills and show that you can do these in order to have a license to drive an automobile.

There's no such requirement to have access to what is sometimes very, very critical information that exists within an organization.

And in today's world, data is currency. It's the value you see a lot of times now, data and information is being listed on balance sheets because it's so critical to the success of an organization. We hand out access to that without a lot of criteria or a curriculum that people have to go through. So that's one way to kind of explain to people that we need to go through this process. So people will lose access.

FAQ: What’s the best metric to measure the 'health' of a security awareness program?

The best metric, if you could take one metric, it would be that reporting of suspected suspicious emails is increasing. That right there is the best measurement of success for an organization because now I have a user who sees something and goes, I don't trust this.

I'm going to turn this over and let my smart people who know this stuff, look at it.

But what does that do on the user side? Now I feel better as a user because I'm not potentially letting things into the environment or kicking off some process like a macro or whatever it is, that's going to harm the environment and harm the business.

And as a professional, as a Security Awareness Program Manager, I have confidence that my user is more often than not going to submit those things. So that now the people who have the knowledge and experience and the wherewithal of what to do are given vision.

It's visibility into what's happening within the environment. And that visibility is huge. The value of that is huge to the organization.

And we hope the value of this Behind the Scenes interview with Dale Zabriskie of Proofpoint Security Awareness has also been of great value to you and your organization. 

[RELATED: City Leader Sets Up Own Gmail After Being Banned from City IT Access]