Thursday, June 17, 2021

What are they training for?

Ugh, working out and training! Is there anything less lazy than that? I don't think so, and my physique shows the proof of how much I hate hitting the gym. About the only way I can convince myself to engage in exercise is to find ways to make it fun. So, I do have a gym membership, but it's so I can PLAY racquetball. I may sweat while doing so, have sore and aching muscles afterwards, but I'm not working out, I'm playing.

Fun and games. For most people, that's the easiest way to get them to do the hard stuff. This goes back to early childhood, when parents have to play "airplane" to get their kids to eat. Even something as basic as the need for nourishment sometimes has to be paired with an entertainment factor, and that concept carries forward through the rest of our lives.

When my kids were babies, I actually loved feeding them. It was an opportunity for me to provide for them directly, engage with them on a one-to-one basis, and it was always a challenge to see just how much food I could successfully deliver. But, as much as I enjoyed the experience, I knew it wouldn't be wise to let it become a habit that lasted forever. Of course, their own need for independence ensured they would not let me continue to be the one in control forever, so either way, our time together in this type of interaction would eventually have to end.


So, I did what any parent does, and tried to teach them how to use their tools properly. First we focused on the basics: using our hands to pick up the food and then shove it into our mouths. As their motor skills developed, we progressed to spoons (no forks yet, as that could lead to a painful eye-gouging experience). As they got older, more tools and techniques were added to the table, from forks to butter knives to steak knives and so on. Now, my kids are all experts not only in the rudimentary skills needed to feed themselves, but also at more advanced meal prep (giving me a break from cooking duties at least one or two nights a week).

This is the real truth of training. It didn't happen overnight, and of course there was coaching needed along the way, and some of that coaching was laborious. We still sometimes have to remind them not to eat with their fingers anymore, or that a sharp knife shouldn't be waved around excitedly when telling a story at dinner, but the concepts are now deeply ingrained in them and have become second nature.

This is where I think most Cyber Security Awareness Training falls down. We either spoon-feed far too long, always holding onto the tools and making our users "open wide" for the "training choo-choo," or we lay out a full formal place setting on day one and expect our users to know the difference between an oyster fork and a fish fork, and when to use each appropriately.


Please memorize this chart and don't make a mistake. The fate of the company depends on it!


We have to do better than this. Training in a gym (ugh!) is about making our bodies better. We strive for improvements and condition our muscles to become leaner and more effective, growing stronger with each repetition of the effort, eventually moving on to more challenging exercises. Why should our CSAT be any different? We have to empower our users to learn and then put their newfound skills to work.

The good thing is, a lot more companies are seeing the need for the "fun and games" that get users engaged and motivated. Gamified training has been a HUGE boon to the CSAT world, as have non-traditional training methods.

One of my favorites is turning training into a team event, rather than a hostage situation. Bringing 6-10 users into a room and letting them "play" at security training has produced far better results than me droning on and on over a PowerPoint presentation.

Other great advances in CSAT are the companies creating short, entertaining, but relevant content that can act almost as an amuse-bouche for the heartier training materials.

As I'm sure ANYONE who works in security can attest, we get multiple daily reports of "suspicious" emails, websites, phone calls, or texts from users. In some companies, we have a way to feed these reports into our Secure Email Gateway, and that tool then "learns" from them to get better at spotting, and hopefully stopping, them in the future. Sometimes, unfortunately, you don't have this integration, and an analyst has to do the spot checking and validation.

In either case, the user is looking for validation of whether their suspicion was correct. Automated or not, this confirmation is necessary, but often overlooked. This is the moment when the user is picking up their soup spoon and casting their gaze towards their host to see if they are about to commit a grave faux pas.

Unless you want to always be the hand that feeds, you have to find ways to make your users more confident in the skills you've been teaching them. Of course, phishing simulations and annual training certifications are great for doing this, but too often these methods alone give users only minimal faith in their own abilities.

If you want to create smart, aware users, you have to reward them along the way as they take those steps towards self-reliance. Let them know they did indeed spot a phishing email, and, more importantly, remind them how to trust their own ability to verify actual "good" emails. Give them that one-on-one interaction early on in their training, and you will see their reliance on your input fall away.

Of course, have those back-end tools at the ready for the inevitable slip-up, but those should be your safety net.

A well-educated, confident user base is ALWAYS going to be your best first line of defense.



Thursday, June 10, 2021

C-3POh no you R2 Didn't!

I've now written a few blogs about being a Lazy CISO, and realized that I have yet to make a Star Wars reference in a single one. So, considering this is the fourth blog post, it's definitely time I swing my meme searches to include some old stalwarts that are near and dear to my heart.

I want to talk about AI and ML, but not the way most people do.


For my purposes, I'm going to move away from the definitions of AI and ML that you know. Instead, I'm rebranding them as "Article Intelligence" and "Multiple Labs." Both of those revised definitions apply very well to the droids in question here, and also to a lot of security practitioners I've worked with in the past.

C-3PO embodies AI and is all about facts and figures. He knows all the details one could possibly learn, and spouts that knowledge at any given moment. He even turns out to be a fairly good storyteller in the end, with some coaching.


R2-D2, on the other hand, learns from experience in the laboratory of "life." His experience has been built up over many years, and he applies what he learned in those lab environments to his next predicament. His heroics often lead to praise, but tempered with caveats about his attitude.

Many times in my career, I've come across analysts who thrive on AI. They are constantly studying texts, taking certifications, and are the first ones to pipe up with the "facts" around any given security discussion. To be honest, these are also the team members who impress management more the less often management interacts with them. They seem to have a huge wealth of knowledge, they volunteer their information (and opinions) freely during meetings, and they can quickly answer questions about how things "should be done" to combat all the threats they've just revealed in your enterprise. However, they also often lack the ability to hold anything back; every relevant piece of information they know comes out.


On the other side are the R2s of the InfoSec world. They tend to sit back, wait for everyone to express their concerns and engage in the head-scratching exercise of how to fix an issue, and then bound into action to implement a solution they just happen to have worked on at a previous company. The problem is, they often do so with all the grace and charm you would expect from an astromech droid.


I used to loathe the C-3POs and loved having R2s on my team. The lazy part of me felt it took too much time and effort to memorize all those facts and figures, and held disdain for anyone who put that much work into always being "right." I also relished the idea that, during a crisis, all I needed was to deploy my trusty R2 to save the day. Who cares if they rolled over some toes along the way?

Of course, times, and perspectives, change. Now I see you really do need the pair to be successful. The knowledge is what's important. Whether it's a deep bank of information or just practical knowledge that comes from being on the front lines, all of it is valuable. You just have to understand when each is needed and how to temper your expectations about how you can use that knowledge.

So here's to the unsung heroes of the InfoSec community. The AI and ML are powerful allies when facing down the Sith, aka malicious attackers, and without them we're all just bullseyeing womp rats in our T-16s.