KPIs to Track, Training the Dev Team, Healthy Security Cultures
This week's edition features:

  • Virtual Meetup Recap:
      • KPIs for your Security Awareness Program
      • Awareness points to consider when training the Dev Team
  • Building a Healthy Security Culture with Nadja El Fertasi - Video & Rewrite
  • Upcoming events for this week


Virtual Meetup Recap: KPIs for your Security Awareness Program

In our last virtual meetup we had a great discussion on which KPIs are worth tracking.

General discussion:

“Security is not all about protection, it’s about enabling the business” - Dennis Legori

  • “It’s important to understand that the pandemic changed things. We assume our work is the focus of the universe, but it's not. People are going through personal problems. If you’re presenting to the board at the time of a breach, you naturally have their focus; if you're trying to be strategic, it won't have their attention.
  • Remember, though, that the board is there to help you. Be strategic and clear on what you want from the board: what is the end result you’re looking to achieve? How can the board help you? Do you want support? More money? Issues you need their insight on? The board is looking to help and guide. If you go in without knowing what you want from them, why are you even there?” - Gaby Friedlander


Key Performance Indicators to Track for a Security Awareness Program

  • If training goes well, you should expect more people to report issues, so the number of reported issues should also go up: the attacks themselves are not going to stop, and our efforts will not reduce their volume. Instead, demonstrate that attacks are being identified. Identifying more threats than before indicates the program is succeeding.
  • While tracking phishing clicks can provide insights, you’ll never be able to get those to zero - there are too many variables. Focusing on the number of employees who report a phish, and similar measures, is what matters.
  • Another key indicator is qualitative rather than quantitative: how comfortable is the employee community in approaching and reporting to the security team?
  • Competition and gamification are not just another attempt to make awareness less ‘boring’; they also create opportunities to establish more open communication between the average employee and the security team. Dennis related how the openness and vulnerability they’ve been able to build at their org laid the groundwork for individuals to come forward after accidentally clicking on a link, and to find that “the SOC was so helpful”. That type of positive feedback encourages the security team and the rest of the org to keep cultivating two-way communication and a stronger security culture.
  • Dennis’s team gives little weight to the clicks on an exercise and instead focuses on rewarding those who report the phish - and rewards don’t have to be monetary. Indeed, for his multinational organization monetary rewards aren't feasible. However, they’ve found that simply acknowledging and celebrating individuals with certificates, bragging rights, and celebration via internal company channels also fosters a better sense of ownership.
  • It’s common practice for most companies to congratulate users immediately - it’s easy to send automated messages for some of this follow-up. Additionally, the program's system also notifies the employee's manager of the ‘successful report’, and the manager is encouraged to congratulate them personally as well. Some managers took this a step further and printed out a certificate too. The point is that recognition coming from direct managers also helps build a ‘top-down’ approach into the culture in a positive way.
  • One participant mentioned they were working on a weighted point system that rewards individuals for different actions. Once a certain threshold of points is accrued, they are entered into a drawing. This system allows them to see which areas are more successful than others.

When users voluntarily consume content and create engagement on their own around scams to watch out for and the like, that is also a solid indicator that security awareness is working.

  • Gaby shared his ideal indicators for success: people coming to the security team proactively about upcoming projects in order to include security in the sprint meetings and the like; security becoming recognized as essential to any business endeavor and ‘baked in, not bolted on’.
  • Another key indicator is around optional content. If optional content is created and pushed out through a Teams channel or some type of ‘security hub’ - family online safety, shopping scams to watch out for, anything that is voluntary to consume - track it and see if the trend is going up.
  • Provide forms where people can request content they want to learn about, or ask for more information or help on anything security related.
  • The Wizer platform tracks two important indicators: 1) how often a video is shared outside of the mandatory training, and 2) in-app comments or reviews from employees. A rising trend in sharing shows the content resonates with viewers, and positive or negative feedback is, of course, immediate information.
  • It was agreed that whatever approach is used, a security awareness program should include a place for employees to provide open, honest feedback and share what they want and need.
  • A security awareness program is essentially running a social community - don’t expect that merely creating a channel for feedback means it will take off on its own. Some level of nurturing is needed; then measure the number of messages and the engagement in the platform to determine how the campaigns are trending.
  • Brent Forrest noted that the challenge with IT, engineers and similar tech fields is that they seem like they won’t be fooled - they know tech and how this all works - but sometimes they need the most help, as their confidence is their vulnerability.


Troubleshooting Security Awareness for Developers

“Secure code is high quality code. It has fewer errors, logical errors and bugs. In general, the code will run more smoothly, be more stable, and have less downtime. A lot comes out of writing good code, and it’s good for your developers in their careers. Give them time to actually learn.” - Gaby Friedlander

  • An attendee asked for ideas on how to approach the developer team she has been tasked with training. One idea was to start with the OWASP Top 10 and then have different dev team members each create a short session where they teach their colleagues about one topic.
  • An important caveat: the team members selected were then given dedicated time to work on the presentation. This emphasizes its importance and creates opportunities to ask for help or guidance if needed.
  • Another point made was to emphasize the importance of learning to code securely, as a lot of tools don’t flag issues.
  • One way to create this culture within the dev team is to establish a practice of developing secure code together. Create a closed community of practice where developers share their work and receive peer review, including a check for security issues, before it gets checked in.
  • Brent also contributed the idea of allowing your internal teams to do their own pentesting of their own software to find the vulns and the Easter eggs. They’ll know it better than anyone else.
  • One big issue is ensuring developers have the TIME to be secure. Without time to learn and practice, it is unreasonable to expect them to develop secure code.

Want to get a recurring calendar invite to upcoming SAM Meetups? Send Ayelet HaShachar Penrod a DM about the SAM Calendar invite along with the email you'd like added.

Building A Healthy Security Culture with Nadja El Fertasi

Creating a healthy security culture requires a shift from the traditional security awareness approach. It's a holistic effort that involves training staff and honing both your own and their emotional IQ in order to understand and communicate more effectively.

Get great insights from our latest conversation with our community member Nadja El Fertasi, expert in digital transformation and Emotional IQ for businesses.

Read the recap or listen to the full interview here.

RESOURCES by Nadja

Podcasts & Discussions

Security Awareness Training Done Right

Articles

Role of Emotional Intelligence in Creating a Healthy Information Security Culture

Why Developing Cyber Resilience Requires Emotional Intelligence

Connect with Nadja on LinkedIn and, while you're there, check out our Security Awareness Manager community.

Upcoming Events

Tuesday, June 15 at 11:00 Eastern - Finding Topics for Security Awareness Training - LinkedIn Live with Wizer’s founder, Gabriel Friedlander. Gaby draws on his industry knowledge, his experience giving multiple awareness trainings and creating hundreds of short, succinct training videos, and his own eye for spotting content when developing topics for awareness training. Add it to your calendar here.

Tuesday, June 28 (Time TBD) - Family Webinar for Online Safety! See how to do a family webinar for your employees by attending one! Wizer's Gabriel Friedlander will be doing an interactive webinar for parents and their kids on staying safer online together! Stay tuned for details!

Thursday, June 23 at 11:00 Eastern - Weekly Virtual Meetup with the SAM Community. Weekly virtual meet and greet with other members from our Security Awareness Manager (SAM) community. Each week we'll have a topic for conversation for you to discuss with other fellow security awareness managers. Send Ayelet HaShachar Penrod - the SAM Community Manager - a DM about the SAM Calendar invite along with the email you'd like added or get on our mailing list here.

Have a topic you want discussed on an upcoming meetup? Let us know!

Join our SAM Community here.

Until next week!
