Thursday, June 17, 2021

What are they training for?



Ugh, working out and training! Is there anything less lazy than that? I don't think so, and my physique is proof of how much I hate hitting the gym. About the only way I can convince myself to exercise is to find ways to make it fun. So, I do have a gym membership, but it's so I can PLAY racquetball. I may sweat while doing so and have sore, aching muscles afterwards, but I'm not working out; I'm playing.

Fun and games. For most people, that's the easiest way to get them to do the hard stuff. This goes back even to early childhood, when parents have to play "airplane" to get their kids to eat. Something as basic as the need for nourishment sometimes has to be paired with an entertainment factor, and that concept carries forward through the rest of our lives.

When my kids were babies, I actually loved feeding them. It was an opportunity for me to provide for them directly, engage with them on a one-to-one basis, and it was always a challenge to see just how much food I could successfully deliver. But, as much as I enjoyed the experience, I knew it wouldn't be wise to let it become a habit that lasted forever. Of course, their own need for independence ensured they would not let me continue to be the one in control forever, so either way, our time together in this type of interaction would eventually have to end.


So, I did what any parent does and tried to teach them how to use their tools properly. First we focused on the basics: using our hands to pick up the food and then shove it into our mouths. As they developed more motor skills, we progressed to spoons (no forks yet, as that could lead to a painful eye-gouging experience). As they got older, more tools and techniques were added to the table, from forks to butter knives to steak knives and so on. Now, my kids are all experts not only in the rudimentary skills needed to feed themselves, but also in more advanced meal prep (giving me a break from cooking duties at least one or two nights a week).

This is the real truth of training. It didn't happen overnight, and of course coaching was needed along the way, and some of that coaching was laborious. Even now we sometimes have to remind them not to eat with their fingers anymore, or that a sharp knife shouldn't be waved around excitedly when telling a story at dinner, but the concepts are now deeply ingrained in them and have become second nature.

This is where I think most Cyber Security Awareness Training (CSAT) falls down. We either spoon-feed far too long, always holding onto the tools ourselves and making our users "open wide" for the "training choo-choo," or we lay out a full formal place-setting on day one and expect our users to know the difference between an oyster fork and a fish fork, and when to use each appropriately.


Please memorize this chart and don't make a mistake. The fate of the company depends on it!


We have to do better than this. Training in a gym (ugh!) is about making our bodies better. We strive for improvements and condition our muscles to become leaner and more effective, growing stronger with each repetition of the effort and eventually moving on to more challenging exercises. Why should our CSAT be any different? We have to empower our users to learn and then put their newfound skills to work.

The good thing is, a lot more companies are seeing the need for the "fun and games" that get users engaged and motivated. Gamified training has been a HUGE boon to the CSAT world, as have non-traditional training methods.

One of my favorites is turning training into a team event rather than a hostage situation. Bringing 6-10 users into a room and letting them "play" at security training has produced far better results than my droning on and on over a PowerPoint presentation.

Another great advance in CSAT is the companies creating short, entertaining but relevant content that can act almost as an amuse-bouche before the heartier training material.




As I'm sure ANYONE who works in security can attest, we get multiple daily reports of "suspicious" emails, websites, phone calls, or texts from users. In some companies, users can report these directly into the Secure Email Gateway (SEG), and that tool then "learns" from the reports to get better at spotting, and hopefully stopping, similar messages in the future. Sometimes, unfortunately, you don't have this integration, and an analyst has to do the spot-checking and validation by hand.




In either case, the user is looking for validation of whether their suspicion was correct. Automated or not, this confirmation is necessary but often overlooked. This is the moment when the user is picking up their soup spoon and casting their gaze towards their host to see if they are about to commit a grave faux pas.



Unless you want to always be the hand that feeds, you have to find ways to make your users more confident in the skills you've been teaching them. Of course, phishing simulations and annual training certifications are useful for this, but too often these methods give users only minimal faith in their own abilities.

If you want to create smart, aware users, you have to reward them along the way as they take those steps towards self-reliance. Let them know when they did indeed spot a phishing email, and, just as importantly, when a report turns out to be legitimate, walk them through how to verify a genuine email so they learn to trust their own judgement. Give them that one-on-one interaction early in their training, and you will see their reliance on your input fall away.
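The report, validate, and feed-back loop described above, as an added example that is not part of the original post: a small Python triage script of the kind an analyst might keep for the case where there is no SEG integration. It runs the checks a human does by hand (display name versus sender domain, SPF/DKIM results in the Authentication-Results header, where the links actually point, and urgency language) over two constructed sample messages, decides whether the report was a phish, and composes the reply that closes the loop with the reporting user. The domains, addresses, the impersonated-role list and the "two findings means phish" threshold are assumptions made for the example, not anything from the post or from any particular product.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains the organisation genuinely sends from (assumption for this example).
OUR_DOMAINS = {"example.com"}

# Display names attackers commonly borrow to look like an internal sender.
IMPERSONATED_ROLES = ("helpdesk", "it support", "payroll", "ceo")

URGENCY = re.compile(r"\b(expires?|urgent|immediately|suspended|within \d+ hours?)\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample a user forwarded to the phishing mailbox; all names invented.
REPORTED_PHISH = """\
From: "IT Helpdesk" <helpdesk@examp1e-support.com>
To: alice@example.com
Subject: Password expires today
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=examp1e-support.com; dkim=none
Content-Type: text/plain; charset="utf-8"

Your password expires in 2 hours. Sign in at http://login.examp1e-support.com/reset to keep access.
"""

# Constructed legitimate message, reported by a cautious user.
REPORTED_BENIGN = """\
From: "Bob Smith" <bob@example.com>
To: alice@example.com
Subject: Lunch Thursday?
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
Content-Type: text/plain; charset="utf-8"

Want to grab lunch Thursday? This week's menu is at https://intranet.example.com/cafe
"""


def _is_ours(host):
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in OUR_DOMAINS)


def triage(raw):
    """Return (verdict, findings): verdict is "phish", "needs_analyst" or "benign"."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Does the friendly display name claim a role the sending domain can't back up?
    display_name, addr = parseaddr(str(msg.get("From", "")))
    sender_domain = addr.rpartition("@")[2]
    if not _is_ours(sender_domain) and any(r in display_name.lower() for r in IMPERSONATED_ROLES):
        findings.append(f"display name '{display_name}' but sender domain {sender_domain} is external")

    # 2. What did the receiving gateway record for SPF and DKIM?
    auth = str(msg.get("Authentication-Results", "")).lower()
    if re.search(r"spf=(fail|softfail)", auth):
        findings.append("SPF failed for the envelope sender")
    if re.search(r"dkim=(fail|none)", auth):
        findings.append("no valid DKIM signature")

    # 3. Where do the links really go?
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname
        if not _is_ours(host):
            findings.append(f"link to external host {host}")

    # 4. Is the reader being rushed or threatened?
    if URGENCY.search(str(msg.get("Subject", "")) + " " + body):
        findings.append("urgency or threat language")

    verdict = "phish" if len(findings) >= 2 else ("needs_analyst" if findings else "benign")
    return verdict, findings


def feedback_message(reporter, verdict, findings):
    """Compose the reply that tells the reporter whether their instinct was right, and why."""
    if verdict == "phish":
        lines = [f"Good catch, {reporter}. That was a phishing attempt. What gave it away:"]
        lines += [f"  - {f}" for f in findings]
        lines.append("Keep reporting anything that looks like this.")
    elif verdict == "benign":
        lines = [f"Thanks for checking, {reporter}. This one is legitimate: it came from one of our own",
                 "domains, passed SPF and DKIM, and only links to our own sites. Those are the same",
                 "checks you can run yourself next time you are unsure."]
    else:
        lines = [f"Thanks, {reporter}. This one is not clear-cut, so an analyst is reviewing it."]
    return "\n".join(lines)


if __name__ == "__main__":
    for raw in (REPORTED_PHISH, REPORTED_BENIGN):
        verdict, findings = triage(raw)
        print(feedback_message("alice", verdict, findings), end="\n\n")
```

The point of the script is less the heuristics, which any SEG does better, than the `feedback_message` step: every report gets an answer that names the specific tells, so the user learns which checks to repeat on their own the next time.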

Of course, keep those back-end tools at the ready for the inevitable slip-up, but they should be your safety net, not the only control you rely on.

A well-educated, confident user base is ALWAYS going to be your best first line of defense.







