Cybersecurity Awareness Training is Not an Option, It’s Essential with Kathy Isaac, VP of Customer Success at Carbide

Jara Rowe: Gather around as we spill The Tea on Cybersecurity. We are talking about the topic in a way that everyone can understand. I'm your host, Jara Rowe, giving you just what you need. This is The Tea on Cybersecurity, a podcast from Trava. It is absolutely necessary to stay safe while being online. But one of the ways that you can do that is through cybersecurity awareness training. You need to know the different things to be safe online. In Season One of The Tea on Cybersecurity, we talked about how the weakest links are people. And what better way to remedy those human errors than with training? In this episode, we are going to dive into cybersecurity awareness training with Kathy Isaac, Vice President of Customer Success at Carbide. Hi, Kathy.

Kathy Isaac: Hi, Jara. How are you? It's good to be here today. I'm so glad that we're talking about this.

Jara Rowe: I know this is your first time on the podcast, so can you please go ahead and introduce yourself a little to the listeners?

Kathy Isaac: I'm Kathy. I'm the Vice President of Customer Success at Carbide, which Jara mentioned. At Carbide, we build the cybersecurity platform that helps businesses implement security and privacy within their organization, their products or services. So my background is 100% in technology. I started off as a programmer many, many, many years ago. I kind of won't age myself. I moved into project and program management over time, still working on technology projects. I kind of came up around that time where security and privacy were becoming not just a nice- to- have feature or a soft requirement, but were becoming hard legislated requirements. I worked for a little while with EMS and long- term care in the public sector. There I was dealing with health data. I was dealing with 24/ 7 services. I was dealing with end users who didn't have a desk or in an office, like EMS, they were live in the street in an ambulance. And nurses, love our nurses, but let me tell you, they don't want to use computers at all. Trying to come up with solutions that were customer- facing, customer- engaging, and yet still effectively secure, became one of the things I got really strong at and really good at doing because I was dealing with people who their jobs were saving lives and that's what they were focused on. It was my job to make sure that they could do what they needed to do in a secure way. I doubled down on cybersecurity going forward from there, started working for a services firm before coming into Carbide. My focus has always been on the user side of things, whether it be internal or external. That they get to do what they need to do in a secure way, that they're building security into their programs and services in a secure way. That's what's landed me here today.

Jara Rowe: That's fantastic. I love that background, and I can't wait to talk more about different trainings and all of that fun stuff with you today. Just want to go ahead and dive straight into it. For some people that may not even be familiar with the term, what is cybersecurity awareness training?

Kathy Isaac: That's a great question to start with because I think this is something that's often overlooked. You had mentioned in your intro that it's a critical part of any kind of cybersecurity program within any kind of business. Doesn't matter what industry you're in. You can put in all the technology and tools that you want to to be secure, but if your staff, your end users, your stakeholders, aren't aware of their responsibility and the risks that are associated with what they do, your programs will fail. So cybersecurity awareness training involves educating your employees, all your stakeholders, that could be contractors, your board members, et cetera, about the different aspects of cybersecurity. What's important to add into that is their obligations, their responsibilities, and the risks that exist. They've got a lot of power right at their fingertips when they hit that keyboard and they need to understand what those are. It's also important to indicate that the key word in cybersecurity awareness training is awareness. We're not trying to create cybersecurity experts with this training. The aim is really to make your staff and your stakeholders aware of the threats and how to respond to them.

Jara Rowe: Thinking about different stakeholders and things when it comes to training, how does a company go about tailoring the training to the different audiences?

Kathy Isaac: The tailoring is also something I recommend to my customers often. You want to start by categorizing those audiences that you have into different segments based on the roles, the responsibilities, maybe their technical proficiency, the kind of data and information they might have access to. For example, you might have an executive management segment. You might have IT staff who have a different technical aptitude and capacity. And then you have office staff like marketing, sales, general employees. So that's the first thing you want to do is figure out who are the different groups you're trying to work with. When it comes to executives and management, try to focus on high- level strategic discussions about the impact of cybersecurity on the business, the obligations, the regulatory compliance issues, reputational damage, things like that are really important that the executives and leadership understand through awareness training. When you have IT and technical staff, you might want to dive deeper. They're using the tools, they're using the technology. You have people who are doing things like network security, they're doing malware analysis. They need a completely different type of training. They need to know how to use those tools and how to read the data that's coming from them in a secure way. Then you have your non- technical staff. Simplify the content. Make it nice and easy for them to understand. Use basic plain language. Try and focus on real- world examples. Because I think that's one of the toughest parts is people seem to think, " This doesn't apply to me. I work in marketing. Cybersecurity is not my issue." Help them to understand through real- world examples of how their roles and the work that they do can actually be impacted and why it's important to them to understand concepts like inaudible phishing, managing passwords, browsing the internet safely. Things like that you really want to drill down into non- technical staff. Then you might want to get into some department- specific training as well. Take into consideration someone like a finance person. They're using tools and they have access to financial information. They need to understand, again, those obligations, those responsibilities, and the risks that exist there. Whereas someone like a marketing person might need a little more guidance on say social media security. Really think about the different roles within the organization. Start there. Who do we have, what kind of data do we have and information that we're sharing externally, and how do we go about addressing security at those levels?

Jara Rowe: You mentioned that some people just don't think it's relevant to them. But that's one thing I've learned through hosting the podcast is that cybersecurity is important and affects everyone no matter what their role is. I hope we are educating people that they all need to take that seriously.

Kathy Isaac: Some people don't think it's their problem.

Jara Rowe: One of the other things that I've been understanding more and more is that it's an entire company issue. Like everyone needs to be on board and doing their part to make sure that their company is secure. If you're like a SaaS company that your customers' data and everything is secure as well.

Kathy Isaac: And your employee data, and customer data, your business data. You definitely don't want your financial reports out there without being properly vetted, and all of it is important.

Jara Rowe: I guess still maybe poking at the people that don't really think that it's for them. There are some employees at organizations that struggle with staying on top of their training and things like that. How do you make training sessions more interactive and engaging for those people to take part in?

Kathy Isaac: I had mentioned earlier the real- life scenarios. I think that's really important. We are living in a time now where we have history. We have tons and tons of breaches that we can reference and use as examples. I think when people tend to see that when the training is framed around their real life day to day, it becomes very real to them. And nobody wants to be that person, that button. You just don't want that. Showing how cybersecurity practices directly relate to their job, and their roles, and their responsibilities, that helps to make training more relevant to people and they engage a little bit better. Then we have things like interactive content. These days it's becoming more multimedia, videos, animations, simulations. Phishing simulations are great. I think that's another thing people don't want to get caught slipping on. So like do more of those. They're great training tools, and it helps people stay aware and alert, and it engages them. They're doing it. It's interactive. They don't have a choice. They have to participate. Gamification. There's some people you're going to get them with the badge. If they can get that badge, they're going to do the work to get it. I think that's motivating for many employees when you turn it into versus department. You mentioned cybersecurity awareness month coming up. This is a good time to put these challenges and things in place. People will get on board. They'll get engaged in stuff like that. Then I think also too, having department- level champions helps them as well, especially in larger organizations. Security can seem so far away. Like I said, " That doesn't impact me. I'm just a little tiny peg on this big game board." Having department- level champions who can go out and encourage staff, and work with staff, and collaborate with staff on it is a good way to engage everyone building their security and privacy skillset.

Jara Rowe: Those are great tips. Thank you for that. What are some common mistakes companies make when implementing cybersecurity awareness training?

Kathy Isaac: The number one mistake is lack of leadership engagement. We talked about people thinking, " This isn't important to me." Every single person has to be engaged, including the CEO. I had mentioned earlier, even when it comes to training, your board members. Everybody needs to be involved in this. When I start with customers at Carbide and we get going, I actually ask them when we start talking about governance to get their CEO, their CTO, somebody from C- level on that call. One of the things I think is really important is, if a company- wide communication goes out that says, " We're starting this initiative," et cetera. But that email needs to come from somebody very senior. If it's Jara's project, it's going to fail. It has to come from the very top and you have to demonstrate that everybody is engaged in it. When you have executive support that really helps to set that structure that this is everyone is involved. I do notice that when companies don't do that, to me the number one biggest mistake is your CEO is not engaged in this. The other thing is, we talked about the tailoring, like the one- size- fits- all approach. I think that's a mistake that some people at companies make. " We're going to do awareness training. We're going to do it once a year. Here are the four courses you need to take, and everybody takes the same four courses." Well, you're going to get the lack of engagement there, especially when it's not being updated. " It's the same four courses every year. We're going to start skipping through those slides or fast forwarding through those videos really quickly." It has to be tailored and I think it has to be relevant and updated. Fear tactics. The goal here is not to terrify people. It's about an awareness. And I see a lot of companies relying on the fear- based messaging to create this anxiety. All that does is really disconnect people from it. With cybersecurity awareness training, you got to promote a positive and empowering cybersecurity culture. The emphasis should be on the benefits of good cyber hygiene, and talk about how we protect our customers' data, and how we help our customers better by protecting it, and avoid the fear- based messaging.

Jara Rowe: When it comes to frequency, what's the best practices for like new training? How often should that be done? Yearly?

Kathy Isaac: Best practices, annually. Best practices, annually. And many of the regulations or certifications companies are trying to comply with will say at least annually. I do often recommend to my customers that you mix it up a little bit with the aim and the goal of awareness. You want security and privacy to be front of mind for your customers. You don't want to inundate them with it, but you want to keep the messaging going. If you do have four courses you want people to do annually. Cybersecurity awareness month, it's not always just about somebody having staff sit there and click on a video or go through this. Maybe it's just about sending out security tips, or reminders, or in your monthly newsletter Gilbert cartoons or something that's a security cartoon. There's lots of stuff out there and content that can be used. So while I think the actual awareness training, yes, annually you want to make sure people are going through this. I like to recommend always that you spatter security awareness tips or content throughout the year whether it be quarterly, monthly. Just keep it going. You're trying to build a culture here. It just becomes routine that way. You really want to set a cultural change when it comes to awareness training.

Jara Rowe: Cool. We have all of our training and everything set. How would someone in leadership actually measure the effectiveness of the training?

Kathy Isaac: One great way is the phishing test simulations. Anytime I've worked in an organization where we're doing them and trying to execute them it's kind of like, " Okay. Shh. We don't want to tell anybody how will we get them?" Because the way that works too I think is you want to give immediate feedback. As soon as somebody clicks that button, you want to let them know that they've clicked the button. But you don't want them to turn to their neighbor and say, " Hey, don't click that button." You really want to measure the effectiveness of your training. You really have to think about how you do those simulations. That's one way. Engagement is a good measurement. Whatever tools you're using to do awareness training, and I say tools because I do know a lot of companies that just build their own internal slide deck or it's a room full of people and we do. Well, that's very difficult to measure. If you're using tools, then you can measure who's actually doing it. How long did it take them to go through this video that we know is 15 minutes long? If they did it in three minutes, is that effective training? They're just scrubbing it. You want to look at things like that. And then quizzes are always good. Thinking about the fear tactics. If somebody fails a quiz I think they should get the opportunity to redo it. Because again, what we're trying to do is teach you. This shouldn't be pass or fail. You got a few wrong. Go back and do it again before you're actually done, your training. And I think that you give them as many tries to do it as they need, but you measure that. How many times did they need to do this before they got it? That's how you start to measure the effectiveness. And then you kind of track that the next time. Jara needed three times through this six months ago. Maybe let's give it to her again. Let's see how many times. Well, she got it done the first time. Maybe it's working. Maybe it's not. I'm a data person. I love data, but I would want to collect as much information about engagement as possible to measure effectiveness.

Jara Rowe: I will say that when I miss something on a quiz I feel really bad about it.

Kathy Isaac: I don't like when you can't go back and fix it or if they don't show you the right answer. Show me the right answer. I have no idea, did I learn something or not? I didn't learn anything.

Jara Rowe: I know a lot of companies now are remote work and they have distributed teams. How does cybersecurity awareness training adapt to address the unique challenges of this new work environment?

Kathy Isaac: I think some of the things that I focus on is what the changing workplace looks like. So when I speak with my customers, I try to think about remote work specific scenarios, and I try to use those examples when we're talking because I have tons of examples. I actually had a customer recently earlier this year that working from the coffee shop went up to the counter to get his drink, and as he was returning to his table he watched his laptop walk out the door. Using those scenarios and thinking about that when speaking with customers or with employees in training is starting to think about what you can and can't do or how you should and shouldn't behave in remote work situations. So you want to address things like securing your home Wi- Fi network, or connecting to the Wi- Fi network at the coffee shop. We used to say, don't do it. Now everybody does it, so now we have to talk about how do we do it securely. On using personal devices, that's one thing that I think we really need to talk about a little bit more. People are using their personal devices more, and more, and more. Setting rules around what they can and can't do and making sure employees are aware of what those rules are. And thinking about just the threats in a work environment, they do go beyond just cybersecurity threats. Shoulder surfing, people looking over your shoulder and seeing things that they shouldn't see. One of the big things I talk about too is printed documents, hard copies. It's no longer digital. Did you need to take that financial spreadsheet to the coffee shop with you when you went to work? If you don't need to, don't do it. If you do need to, okay, fine, but you don't throw it out in the garbage there when you're done. You take it back with you and dispose of it properly. That kind of training needs to come into place. Outside of just the training. This is where companies too would also want to implement things like remote working policy, BYOD policies, making sure their staff are aware of what those policies say, what their obligations are under those conditions, and that they're signing off on those as well.

Jara Rowe: Fantastic. Thank you again for your time. I hope the listeners learned just as much as I did. That wraps another episode of The Tea on Cybersecurity.

Kathy Isaac: That's awesome. Thanks for having me, Jara.

Jara Rowe: Now that we've spilled The Tea on Cybersecurity awareness training, it's time to go over the receipts. I really enjoyed my conversation with Kathy. She taught me a lot about cybersecurity awareness training and even some of the intricacies that I never thought about. So I hope you as a listener got a lot out of that conversation as well. There were a handful of things I took away from Kathy, so let's dive straight into those receipts. The first receipt that I have is, what is cybersecurity awareness training? It's important to tailor the courses to each stakeholder, whether that is someone from your marketing team, an engineer, all the way to like a board member. Another thing I took away are a few mistakes that companies make. One of the biggest ones that companies make when it comes to cybersecurity awareness training is having a lack of leadership engagement. This really needs to be a top- down initiative. If staff members see that the CEO isn't taking it seriously, then they probably won't as well. We all, for the most part, work remote and on like a distributed team, so when it comes to remote work there opens up a new set of cybersecurity challenges or threats. But Kathy also pointed out that with remote work also comes physical threats. So when you think about cybersecurity awareness training you may want to throw something in there about physical threats as well. Kathy shared an example with me of someone she knew was at a coffee shop, left his laptop on the table, went to get a refill of coffee, and turned around to seeing someone leave with his laptop. I can only imagine all the important data that didn't necessarily need to be in anyone else's hands, so think about that as well when you work remote. The final receipt that I have for this episode is how cybersecurity awareness training is changing to suit different learning styles. So Kathy talked about micro- learning, which is coming in bite- sized pieces of training, so think about like a TikTok- style video. She also talked about how AI can help customize for different roles, and that VR is probably going to be a big thing as well where you can have simulated attacks. I hope you took as much away from this episode as I did, and that wraps another episode of The Tea on Cybersecurity. And that's The Tea on Cybersecurity. If you like what you listened to, please leave a review. If you need anything else from me, head on over to Trava Security. Follow wherever you get your podcasts.