Fri | Aug 21, 2015 | 8:29 AM PDT

Last Wednesday, August 5, Wombat Security CEO Joe Ferrara joined Dr. Larry Ponemon of the Ponemon Institute, Jim Zeoli, CIO of Bit9 + Carbon Black, and TeleTech CISO Sam Masiello in an exclusive SecureWorld web conference entitled, "Security Awareness and Training on Steroids." Moderated by VF Corporation Global Risk Assessment Manager Sandy Bacik, the panel presentation and discussion helped attendees identify ways to address cyber security risks associated with end-user behaviors.

During the Q&A portion, there were several topics the attendees frequently asked about. Here (in no particular order) are three of those conversation points and some of the advice shared by the panelists:

1. Measurement

There were many questions submitted about measurement of security and awareness programs and the possibility of gauging results, ROI, risk reductions, employee improvements, and other metrics related to performance.

The bottom line answer from the panelists was that an absence of metrics can hinder programs in a number of ways. The good news is that organizations can effectively measure results related to cyber security education.

Here are some suggestions from the webinar about using measurements and statistics to your advantage:

  • Masiello highlighted the importance of a baseline evaluation. An initial assessment of vulnerabilities is critical for later comparisons. It is perhaps the most essential piece of the puzzle as it's the only way you can truly gauge results.
  • Ferrara cautioned that administrators need to focus on measurements that tie to program effectiveness. Training completion percentages may be fine for check-the-box compliance requirements, but these types of numbers don't give any insights into whether employees are retaining and applying the best practices that are shared during training.
  • Dr. Ponemon emphasized ROI in his portion of the presentation, which can be measured in dollar savings tied to reductions in malware infections and the other negative ramifications that result from successful phishing attacks. A recent Ponemon study, "The Cost of Phishing and the Value of Employee Training," showed that the average organization could save more than $1.6M in phishing-related costs every year by employing a continuous approach to training like Wombat Security's methodology. (Stay tuned for more valuable insights from this study, which will be released in the coming weeks.)

As attendees heard during the webinar, measurement and analytics are important components of successful cyber security education programs -- particularly with regard to getting buy-in from C-level managers and Board members (another hot topic among attendees).

2. Making things stick

Knowledge retention is the hallmark of any successful education initiative, regardless of the topic covered. To that end, Ferrara discussed the need to take advantage of tried and true educational principles when training employees about cyber security awareness and best practices. One-a-year or twice-a-year training is not effective based on research studies, he indicated, nor are non-interactive videos and presentations. He also advised against an infrequent, monolithic training approach in favor of "bite-sized," single-topic education delivered on a regular basis.

In addition, Zeoli and Masiello emphasized the need for a top-down commitment to cyber security initiatives. All panelists agreed that creating a culture of security was a key to driving effectiveness and that organizations could not expect good behaviors to be modeled across the organization if managers, executives, and other decision-makers exempted themselves from the activities.

Moderator Bacik also spoke of the need to inspire and engage employees, and Masiello, Ferrara, and others emphasized reinforcement of key principles outside of direct education and training sessions as a key to retention.

3. Rolling out a program

Many attendees felt at a loss as to how to start a security awareness and training program, and they asked the panelists for advice on how to get started. Ferrara indicated that knowledge assessments -- using topic-specific Q&A evaluations and/or simulated attacks like mock phishing emails -- are a great way to identify the most dangerous threats and areas of vulnerability specific to a particular organization.

In addition, he and Zeoli spoke of the effectiveness of turning an employee's mistake into a teachable moment. Wombat and Bit9 + Carbon Black are seeking to do just that via a partnership that marries endpoint monitoring and remediation technologies with "just in time" employee awareness and training initiatives. As Zeoli stated, a move from integration to automation allows organizations to not only sense and interrupt risky behaviors at the point of impact but to immediately address and educate the employee who made the impact.

But in the end, it's really about channeling Nike and just doing it. Masiello cautioned against "analysis paralysis," a trap he feels many organizations are falling into. He said administrators just need to draw a line in the sand and get started. For those organizations that are struggling to find the resources to design and implement a program, Ferrara advises them to seek out a solution provider that can deliver security awareness and training as a managed service.

And this is sage advice from Masiello and Ferrara; waiting is not really an option considering that networks, data, and systems are challenged by hackers and scammers on a daily or even hourly basis. Every day, week, or month that an organization puts off training its employees is a day, week, or month that the organization is exposed to preventable mistakes that could cause disruptions and losses that will be felt for years to come.

Did you miss the "Security Awareness and Training on Steroids" webinar? It's available on demand to view it at your leisure.

Comments