Join us tomorrow for "Hacking E-Crime Trends"

Super Cyber Fridays!

Join us Friday, November 22, 2024, for “Hacking E-Crime Trends: An hour of critical thinking about staying on top of an ever-evolving threat landscape.”

It all begins at 1 PM ET/10 AM PT on Friday, November 22, 2024 with guests Jason Baker, principal security consultant, GuidePoint Security and Howard Holton, CTO and industry analyst, GigaOm. We'll have fun conversation and games, plus at the end of the hour (2 PM ET/11 AM PT) we'll do our meetup.

Thanks to our Super Cyber Friday sponsor, GuidePoint Security

Defense in Depth
Are Security Awareness Training Platforms Effective?

Security awareness is a crucial part of any security program. So why do we remain skeptical of security awareness programs?

This week’s episode is hosted by me, David Spark, producer of CISO Series, and Dan Walsh, CISO, Paxos. Joining us is Sharon Milz, CISO, Time.

A vicious cycle

Security awareness training is beset with some significant systematic issues. There’s an overall discussion of effectiveness, but its compliance aspect can also turn it into a race to the bottom. "Most ‘awareness training’ is ineffective. The growth is fueled by the fact that almost all regulations and standards require it, and companies treat it as a checkbox item and look for the least expensive solution. If I were a leader who had to choose from dozens of ineffective security awareness products, I would choose the least expensive. Companies providing security awareness training are competing based on price, which means the quality gets worse over time. Because quality costs money, this creates a barrier for new entrants to create something that IS effective," said David Volkov of USAA.

Not all training is created equal

No one is arguing for discarding all security awareness training. But we can’t pretend that all training methods are equally effective. "Some training is still beneficial, but in a very limited and targeted way, where it can help people in their regular lives as well (e.g., phishing prevention and password management practices)," said Val Dobrushkin of Akamai Technologies.

Organizations should remember that even highly effective security awareness training is only a small piece of the puzzle. Kevin Walker of Black Swan Cyber Security Solutions reminds us that training is part of the ecosystem: "This is where defense in depth helps. Email filtering, DNS filtering, and browser extensions all help protect end users. Security awareness training still has a place, but it's part of the bigger picture and not a silver bullet."

Don’t forget the human factor

Successful security awareness training always starts from a human-centric approach. "Security awareness training companies need to hire staff that deeply understand how learners learn. Hire a behavioral analyst who can understand the psychology of how people learn and pivot the education to methods that meet the learner where they are at," said Tim Golden of Compliance Scorecard. As a human-centric discipline, we have to accept that, eventually, everyone will fail at it. "I’m wary of placing too much value in them as a preventative control since I think anyone, even security professionals, can be phished if the context of the phish is good enough. To paraphrase someone smarter than me, ‘If your security program consists of training users not to click on bad links, you’ve already lost,’” said Bill Schneller of Geffen Mesher.

We can still define success

Just because it’s hard to create an effective security awareness training platform, that doesn’t mean we can’t define what one is. We know what it needs to do; the devil is in the implementation. "Phishing awareness training needs a simplified definition and approach to training that covers all phishing regardless of channel, a specialized focus to keep up with current trends in sophistication, and objective metrics that bring value by proving behavioral change," said Cary Johnson of Phishbusters Audit and Consulting.

Thanks to our other unwitting contributor, Sam Oberholtzer of ComplySAM

Please listen to the full episode on your favorite podcast app, or over on our blog where you can read the full transcript. If you’re not already subscribed to the Defense in Depth podcast, please go ahead and subscribe now.

Thanks to our podcast sponsor, Intezer

Subscribe to Defense in Depth podcast

Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "Defense in Depth" into your favorite podcast app.

LIVE!
Cyber Security Headlines - Week in Review

Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Jimmy Benoit, vp, cybersecurity, PBS.

Thanks to our Cyber Security Headlines sponsor, ThreatLocker

Cyber chatter from around the web...
Jump in on these conversations

  • "Would you say there is an 'age limit' to starting cybersecurity?"

  • "What made you managers not hire the person for the role in cybersecurity?"

  • "What is the best antivirus software for a small business?"

Coming Up On Super Cyber Friday...
Coming up in the weeks ahead on Super Cyber Friday we have:

  • [11-22-24] Hacking E-Crime Trends

  • [12-06-24] Hacking the AI Supply Chain

Save your spot and register for them all now!

Thank you!
Thank you for supporting CISO Series and all our programming

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship? Contact me, David Spark.