Are Security Awareness Training Platforms Effective?
Security awareness is a crucial part of any security program. So why do we remain skeptical of security awareness programs?
This week’s episode is hosted by me, David Spark, producer of CISO Series, and guest co-host Dan Walsh, CISO, Datavant. Joining us is Sharon Milz, CISO, Time Inc.
Thanks to Jacob Friedman of 3 Tree Tech for supplying the discussion that is the basis of this week's episode.
A vicious cycle
Security awareness training is beset with some significant systemic issues. There’s an overall debate about its effectiveness, but its compliance aspect can also turn it into a race to the bottom. "Most ‘awareness training’ is ineffective. The growth is fueled by the fact that almost all regulations and standards require it, and companies treat it as a checkbox item and look for the least expensive solution. If I were a leader who had to choose from dozens of ineffective security awareness products, I would choose the least expensive. Companies providing security awareness training are competing based on price, which means the quality gets worse over time. Because quality costs money, this creates a barrier for new entrants to create something that IS effective," said David Volkov of USAA.
Not all training is created equal
No one is arguing for discarding all security awareness training. But we can’t pretend that all training methods are equally effective. "Some training is still beneficial, but in a very limited and targeted way, where it can help people in their regular lives as well (e.g., phishing prevention and password management practices)," said Val Dobrushkin of Akamai Technologies.
Organizations should remember that even highly effective security awareness training is only a small piece of the puzzle. Kevin Walker of Black Swan Cyber Security Solutions reminds us that training is part of the ecosystem: "This is where defense in depth helps. Email filtering, DNS filtering, and browser extensions all help protect end users. Security awareness training still has a place, but it's part of the bigger picture and not a silver bullet."
Don’t forget the human factor
Successful security awareness training always starts from a human-centric approach. "Security awareness training companies need to hire staff that deeply understand how learners learn. Hire a behavioral analyst who can understand the psychology of how people learn and pivot the education to methods that meet the learner where they are at," said Tim Golden of Compliance Scorecard. As a human-centric discipline, we have to accept that, eventually, everyone will fail at it. "I’m wary of placing too much value in them as a preventative control since I think anyone, even security professionals, can be phished if the context of the phish is good enough. To paraphrase someone smarter than me, ‘If your security program consists of training users not to click on bad links, you’ve already lost,’" said Bill Schneller, CISSP, of Geffen Mesher.
We can still define success
Just because it’s hard to create an effective security awareness training platform, that doesn’t mean we can’t define what one is. We know what it needs to do; the devil is in the implementation. "Phishing awareness training needs a simplified definition and approach to training that covers all phishing regardless of channel, a specialized focus to keep up with current trends in sophistication, and objective metrics that bring value by proving behavioral change," said Cary J. of Phishbusters Audit and Consulting.
Thanks to our other unwitting contributor, Sam Oberholtzer of ComplySAM. Thanks, Intezer.
Please listen to the full episode on your favorite podcast app, or over on our blog where you can read the full transcript. If you’re not already subscribed to the Defense in Depth podcast, please go ahead and subscribe now.
Huge thanks to our sponsor, Intezer
Subscribe to Defense in Depth podcast
Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "Defense in Depth" into your favorite podcast app.
Join us TOMORROW, Friday [11-22-24], for "Hacking E-Crime Trends"
Join us Friday, November 22, 2024, for “Hacking E-Crime Trends: An hour of critical thinking about staying on top of an ever-evolving threat landscape.”
It all begins at 1 PM ET/10 AM PT on Friday, November 22, 2024, with guests Jason Baker, principal security consultant, GuidePoint Security, and Howard Holton, CTO and industry analyst, GigaOm. We'll have fun conversation and games, plus at the end of the hour (2 PM ET/11 AM PT) we'll do our meetup.
Thanks to our Super Cyber Friday sponsor, GuidePoint Security
Cyber Security Headlines - Week in Review
Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Jimmy Benoit, VP, cybersecurity, PBS. Thanks, ThreatLocker.
Thanks to our Cyber Security Headlines sponsor, ThreatLocker
Jump in on these conversations
"Would you say there is an “age limit” to starting cybersecurity?" (More here)
"What made you managers not hire the person for the role in cybersecurity?"?(More here)
"What is the best antivirus software for a small business?"?(More here)
Coming up in the weeks ahead?on?Super Cyber Friday?we have:
Save your spot and register for them all now!
Thank you for supporting CISO Series and all our programming
We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!
Everything is available at cisoseries.com.
Interested in sponsorship? Contact me, David Spark.
Thanks for hosting another great episode, David Spark!
Experienced CIO & CISO | Strategic IT Leadership, Cybersecurity, Cloud Transformation | Catalyst for Innovation & Security Excellence | Zero Trust Evangelist | Security Awareness Author
6 days ago: Of course, I would also argue that security awareness training needs to begin much earlier since our children are very susceptible to even rudimentary social engineering attacks and other tricks that could impact their lives and their quality of life. https://www.amazon.com/dp/B0CWSZ6XVQ?binding=paperback #SecurityAwareness #Cybersecurity
Technical Readiness, Cloud & AI Specialist, SE Leadership, Marketing, Competitive Intelligence | Networking, Cybersecurity, CISO, Director, and overall Security Nerd.
1 week ago: David Spark, oddly enough I just posted an article yesterday that discusses the entire security training ecosystem, and how we as an industry can plot a better route forward. It’s not the platforms, it’s a missed approach.
Business & Technology Leader, Innovator & Strategist
1 week ago: Interesting event
21 Years of Experience | Cyber Security Consultant| CISM | CEng(I), FIE, SMIEEE | Security Manager | Application development consultant
1 week ago: Good reading. In my view, awareness training is a must-have piece of the puzzle to keep our cyber and, in turn, physical world safe. Whatever level of solution deployment, humans are and will be a critical part of any defense system.