RSA 2019: Is Your Company Getting Security Awareness Right? Probably Not.

To some, Ira Winkler is a recognized expert on security awareness programs. To others, he is the author of Advanced Persistent Security. And to some, he is the president of Secure Mentem, a company that provides services around security awareness. Winkler is leading two sessions at the upcoming RSA Conference: one on holistically mitigating human vulnerabilities and attacks, and another on what he’s learned about security awareness over the past 30 years. We talked with Winkler about what most people get wrong about security awareness, and how to get it right.

ITPro Today: What is your definition of security awareness?

Winkler: People often confuse awareness with training. Training provides people with a fixed body of knowledge and sometimes test them on it. Awareness is different. It’s specifically about changing user behaviors in a positive way. Generally, that takes three things: making people aware of the problem, making them aware of the solution, and most importantly, giving them the motivation to implement the solution.

ITPro Today: What are organizations getting wrong about security awareness today?

Winkler: So many things! Awareness programs that focus on just telling people what not to do don’t work,  because there is no motivation. It’s like telling people to eat smart and exercise more to solve the obesity problem. Another mistake is focusing on one security threat, like phishing. Phishing is a common attack vector, so it’s important, but it’s just one aspect of awareness. The more aware you make people in general, the more they are going to be aware of phishing, for example. A third mistake is relying on showing videos doing phishing simulations and calling that an awareness program. Sometimes the video is even funny to make it more palatable to the audience, but a funny video can trivialize the issue and sometimes isn’t to the point. So you’re spending more time being funny than getting the point across.

ITPro Today: What is the role of technology, versus people and processes, ineffective security awareness?

Winkler: It’s not really about technology, although that’s critical to security in general. Awareness is part of a comprehensive program that involves technology, process and people. In other words, it should be a holistic solution. A successful phishing attack, for example, requires many failures in technology and people. It means that a phishing message had to have cleared both the mail server and the client’s server, both of which should have filtered it out. Then it gets to a user who makes a bad decision, and research shows that one out of 20 people will click on a phishing message if it gets to the user. So the solution requires both. For example, you could install technology that warns the user that he or she is making a bad decision. Then, if the user fails to correct the bad decision, the system should prevent the user to download the malware.

ITPro Today: What makes a security awareness program truly successful?

Winkler: The best awareness program is when you don’t need an awareness program. Instead, it’s a culture that employees walk into and are automatically expected to do the right thing by mirroring their coworkers. For example, if you are in an environment where everybody wears a badge, you will wear your badge without even questioning it. If you’re in an environment where people tell you to wear your badge but nobody else does, you probably won’t wear it.

ITPro Today: How can an organization get to that point?

Winkler: It’s about strategy from the top. Someone in a position of authority, either a CISO, CIO or Human Security Officer, has to look at potential human attack vectors and figure out the best way to mitigate those attacks. Just like you need a secure baseline with security technologies, you need to do the same with people. For example, someone should be in charge of understanding the sequence of events that lead to a phishing attack: where a message can enter, how the user gets the message, how the user deals with the message and the potential impacts of the user doing the wrong thing. That person should be looking at business processes to understand where users have discretion that might inevitably cause the company damage, and then find ways to mitigate those processes.

ITPro Today: Are things improving?

Winkler: Some companies are beginning to do it right, but I don’t see massive improvements at this point. I see most companies making the same mistakes over and over. It’s frustrating that we’re still at the stage of warning employees not to give out their passwords. Telling the user not to do something isn’t going to fix much.