Cybersecurity Awareness Training is Not an Option, It’s Essential with Kathy Isaac
Jara Rowe: Gather around as we spill the tea on cybersecurity. We are talking about the topic in a way that everyone can understand. I'm your host, Jara Rowe, giving you just what you need. This is The Tea On Cybersecurity, a podcast from Trava. It is absolutely necessary to stay safe online, but how does one go about doing that? In this episode, we're diving deep into the world of cybersecurity awareness training. In season one, we talked about how people are the weakest links, and what better way to remedy those human errors than through training? On this episode of The Tea On Cybersecurity, I'm joined by Kathy Isaac, Vice President of Customer Success at Carbide. As we dive into the web of cybersecurity awareness training, Kathy is going to be our guide. Hi, Kathy.
Kathy Isaac: Hi, Jara. How are you?
Jara Rowe: I know this is your first time on the podcast. Can you please go ahead and introduce yourself a little to the listeners?
Kathy Isaac: I'm Kathy. I'm the Vice President of Customer Success at Carbide, which Jara mentioned. At Carbide, we build a cybersecurity platform that helps businesses implement security and privacy within their organization, their products or services. My background is 100% in technology. I started off as a programmer many, many, many years ago. I won't age myself. I moved into project and program management over time, still working on technology projects, and I came up around that time where security and privacy were becoming not just a nice to have feature or a soft requirement, but were becoming hard legislated requirements. I worked for a little while with EMS and long-term care in the public sector, and there, I was dealing with health data. I was dealing with 24/7 services. I was dealing with end users who didn't have a desk or an office, like EMS. They were live in the street in an ambulance. And nurses, love our nurses, but let me tell you, they don't want to use computers at all. Trying to come up with solutions that were customer facing, customer engaging, and yet, still effectively secure became one of the things I got really strong at and really good at doing, because I was dealing with people who just, their jobs were saving lives and that's what they were focused on. It was my job to make sure that they could do what they needed to do in a secure way. I doubled down on cybersecurity going forward from there, started working for a services firm before coming into Carbide. My focus has always been on the user side of things, whether it be internal or external, that they get to do what they need to do in a secure way, that they're building security into their programs and services in a secure way. That's what's landed me here today.
Jara Rowe: That's fantastic. I love that background, and I can't wait to talk more about different trainings and all of that fun stuff with you today. I just want to go ahead and dive straight into it. For some people that may not even be familiar with the term, what is cybersecurity awareness training?
Kathy Isaac: That's a great question to start with because I think this is something that's often overlooked. You had mentioned in your intro that it's a critical part of any kind of cybersecurity program within any kind of business. It doesn't matter what industry you're in. You can put in all the technology and tools that you want to to be secure, but if your staff, your end users, your stakeholders aren't aware of their responsibility and the risks that are associated with what they do, your programs will fail. Cybersecurity awareness training involves educating your employees, all your stakeholders, that could be contractors, your board members, et cetera, about the different aspects of cybersecurity. What's important to add into that is their obligations, their responsibilities and the risks that exist. They've got a lot of power right there at their fingertips when they hit that keyboard, and they need to understand what those are. It's also important to indicate that the key word in cybersecurity awareness training is awareness. We're not trying to create cybersecurity experts with this training. The aim is really to make your staff and your stakeholders aware of the threats and how to respond to them.
Jara Rowe: Thinking about different stakeholders and things when it comes to training, how does a company go about tailoring the training to the different audiences?
Kathy Isaac: Tailoring is also something I recommend to my customers often. You want to start by categorizing those audiences that you have into different segments based on the roles, the responsibilities, maybe their technical proficiency, the kind of data and information they might have access to. For example, you might have an executive management segment. You might have IT staff who have a different technical aptitude and capacity. And then, you have office staff like marketing, sales, general employees. That's the first thing you want to do, is figure out who are the different groups you're trying to work with. When it comes to executives and management, try to focus on high level strategic discussions about the impact of cybersecurity on the business, the obligations, the regulatory compliance issues, reputational damage. Things like that are really important that the executives and leadership understand through awareness training. When you have IT and technical staff, you might want to dive deeper. They're using the tools, they're using the technology. You have people who are doing things like network security, they're doing malware analysis. They need a completely different type of training. They need to know how to use those tools and how to read the data that's coming from them in a secure way. Then, you have your non-technical staff. Simplify the content. Make it nice and easy for them to understand, use basic plain language, try and focus on real world examples, because I think that's one of the toughest parts is people seem to think, "This doesn't apply to me. I work in marketing. Cybersecurity is not my issue." Help them to understand, through real world examples, of how their roles and the work that they do can actually be impacted and why it's important to them to understand concepts like phishing, managing passwords, browsing the internet safely, things like that, you really want to drill down into non-technical staff.
Then, you might want to get into some department specific training as well. Take into consideration someone like a finance person. They're using tools and they have access to financial information. They need to understand, again, those obligations, those responsibilities and the risks that exist there. Whereas someone like a marketing person might need a little more guidance on, say, social media security. Really, think about the different roles within the organization. Start there. Who do we have? What kind of data do we have and information that we're sharing externally, and how do we go about addressing security at those levels?
Jara Rowe: You mentioned that some people just don't think it's relevant to them, but that's one thing I've learned through hosting the podcast, is that cybersecurity is important and affects everyone no matter what their role is. I hope we are educating people that they all need to take that seriously.
Kathy Isaac: Some people don't. Some people don't think it's their problem.
Jara Rowe: One of the other things that I've been understanding more and more is that it's an entire company's issue. Everyone needs to be on board and doing their part to make sure that their company is secure, and you're a SaaS company, that your customer's data and everything is secure as well.
Kathy Isaac: And your employee data and customer data. All of it is... Your business data. You definitely don't want your financial reports out there without being properly vetted. All of it is important.
Jara Rowe: I guess, still, maybe poking at the people that don't really think that it's for them, there are some employees at organizations that just struggle with staying on top of their training, and things like that. How do you make training sessions more interactive and engaging for those people to take part in?
Kathy Isaac: I mentioned earlier the real life scenarios. I think that's really important. We are living in a time now where we have history. We have tons and tons of breaches that we can reference and use as examples, and I think, when people tend to see that, when the training is framed around their real life day to day, it becomes very real to them. And nobody wants to be that person who clicked that button. You just don't want that. Showing how cybersecurity practices directly relates to their job and their roles and their responsibilities, that helps to make training more relevant to people and they engage a little bit better. Then, we have things like interactive content. These days, it's becoming more multimedia, videos, animations, simulations. Phishing simulations are great. I think that's another thing people don't want to get caught slipping on. Do more of those. They're great training tools and it helps people to stay aware and alert. And it engages them. They're doing it. It's interactive. They don't have a choice. They have to participate. Gamification. There's some people that, you're going to get them with a badge. If they can get that badge, they're going to do the work to get it. I think that's motivating for many employees when you turn it into, versus department, you mentioned Cybersecurity Awareness Month coming up. This is a good time to put these challenges and things in place. People will get on board. They'll get engaged in stuff like that. And then, I think, also too, having department level champions helps as well, especially in larger organizations. Security can seem so far away. Like I said, "That doesn't impact me. I'm just a little tiny peg on this big game board." Having department level champions who can go out, encourage staff and work with staff and collaborate with staff on it is a good way to engage everyone building their security and privacy skillset.
Jara Rowe: Those are great tips. Thank you for that. What are some common mistakes companies make when implementing cybersecurity awareness training?
Kathy Isaac: The number one mistake is lack of leadership engagement. We talked about people thinking, "This isn't important to me. I'm not... " Every single person has to be engaged, including the CEO. I had mentioned earlier, even when it comes to training, your board members, everybody needs to be involved in this. When I start with customers at Carbide and we get going, I actually ask them, when we start talking about governance to get their CEO, their CTO, somebody from C-level on that call. One of the things I think is really important is, if a company-wide communication goes out that says, "We're starting this initiative, et cetera," that email needs to come from somebody very senior. If it's Jara's project, it's going to fail. It has to come from the very top and you have to demonstrate that everybody is engaged in it. When you have executive support, that really helps to set that structure that everyone is involved. I do notice that, when companies don't do that, to me, the number one biggest mistake is, your CEO is not engaged in this. The other thing is we talked about the tailoring, the one size fits all approach. I think that's a mistake that some people and companies make. "We're going to do awareness training. We're going to do it once a year. Here are the four courses you need to take and everybody takes the same four courses." Well, you're going to get the lack of engagement there, especially when it's not being updated. It's the same four courses every year. We're going to start skipping through those slides or fast forwarding through those videos really quickly. It has to be tailored, and I think it has to be relevant and updated often. One more, though, that I want to add on that because this one, I think, is also a very big one: fear tactics. The goal here is not to terrify people. It's about awareness.
And I see a lot of companies relying on the fear-based messaging to create this anxiety, and all that does is really disconnect people from it. With cybersecurity awareness training, you got to promote a positive and empowering cybersecurity culture. The emphasis should be on the benefits of good cyber hygiene and talk about how we protect our customer's data and how we help our customers better by protecting it, and avoid the fear-based messaging.
Jara Rowe: When it comes to frequency, what's the best practices for new training and how often should that be done? Yearly?
Kathy Isaac: Best practice is annually. And many of the regulations or certifications companies are trying to comply with will say at least annually. I do often recommend to my customers that you mix it up a little bit, with the aim and the goal of awareness. You want security and privacy to be front of mind for your customers. You don't want to inundate them with it, but you want to keep the messaging going. If you do have four courses you want people to do annually, maybe do one per quarter. Cybersecurity Awareness Month, it's not always just about somebody having staff sit there and click on a video or go through this. Maybe it's just about sending out security tips or reminders or, in your monthly newsletter, have cartoons or something that's a security cartoon. There's lots of stuff out there and content that can be used. While I think the actual awareness training, yes, annually, you want to make sure people are going through this, I like to recommend always that you spatter security awareness tips or content throughout the year. Whether it be quarterly, monthly, just keep it going. You're trying to build a culture here. It just becomes routine, that way. You really want to set a cultural change when it comes to awareness training.
Jara Rowe: Cool. We have all of our training and everything set. How would someone in leadership actually measure the effectiveness of the training?
Kathy Isaac: Well, one great way is the phishing test simulations. Anytime I've worked in an organization where we're doing them and trying to execute them, it's like, "Okay, shh, we don't want to tell anybody. How long do we give them?" Because the way that works, too, I think is, you want to give immediate feedback. As soon as somebody clicks that button, you want to let them know that they've clicked the button, but you don't want them to turn to their neighbor and say, "Hey, don't click that button." You really want to measure the effectiveness of your training. You really have to think about how you do those simulations. That's one way. Engagement is a good measurement. Whatever tools you're using to do awareness training, you should, and I say tools, because I do know a lot of companies that just build their own internal slide deck, or it's a room full of people and we do ... That's very difficult to measure. If you're using tools and you can measure who's actually doing it, how long did it take them to go through this video that we know is 15 minutes long? If they did it in three minutes, is that effective training? They're just scrubbing it. You want to look at things like that. And then, quizzes are always good, thinking about the fear tactics. If somebody fails a quiz, I think they should get the opportunity to redo it, because again, what we're trying to do is teach you. This shouldn't be pass or fail. You got a few wrong, go back and do it again before you're actually done your training. And I think that you give them as many tries to do it as they need, but you measure that. How many times did they need to do this before they got it? That's how you start to measure the effectiveness. And then, you track that for next time. Jara needed three times through this six months ago. Maybe let's give it to her again. Let's see how many times... Well, she got it done the first time. Maybe it's working, maybe it's not. I'm a data person. I love data.
I would want to collect as much information about engagement as possible to measure effectiveness.
Jara Rowe: I will say that, when I miss something on a quiz, I feel really bad about it, but we are able to do it multiple times until we [inaudible].
Kathy Isaac: I don't like when you can't go back and fix it, or if they don't show you the right answer. If you don't show me the right answer, I have no idea, did I learn something or not? I didn't learn anything.
Jara Rowe: I know a lot of companies now are remote work and they have distributed teams. How does cybersecurity awareness training adapt to address the unique challenges of this new work environment?
Kathy Isaac: I think some of the things that I focus on is what the change in workplace looks like. When I speak with my customers, I try to think about remote work specific scenarios and I try to use those examples when we're talking, because I have tons of examples. I actually had a customer recently earlier this year that, working from the coffee shop, went up to the counter to get his drink, and as he was returning to his table, he watched his laptop walk out the door. Using those scenarios and thinking about that when speaking with customers or with employees in training is starting to think about what you can and can't do or how you should and shouldn't behave in remote work situations. You want to address things like securing your home wifi network, or connecting to the wifi network at the coffee shop. We used to say, "Don't do it." Now, everybody does it. Now, we have to talk about how do we do it securely. Using personal devices. That's one thing that I think we really need to talk about a little bit more, people are using their personal devices more and more and more, setting rules around what they can and can't do and making sure employees are aware of what those rules are. And thinking about just the threats in a work environment, they do go beyond just the cybersecurity threats, but the physical security threats: theft, shoulder surfing, people looking over your shoulder and seeing things that they shouldn't see. One of the big things I talk about too is printed documents, hard copies. It's no longer digital. Did you need to take that financial spreadsheet to the coffee shop with you when you went to work? If you don't need to, don't do it. If you do need to, okay, fine, but you don't throw it out in the garbage there when you're done. You take it back with you and dispose of it properly. That kind of training needs to come into place.
Outside of just the training, this is where companies too would also want to implement things like remote working policy, BYOD policies, making sure their staff are aware of what those policies say, what their obligations are under those conditions, and that they're signing off on those as well.
Jara Rowe: One thing that I've learned is about how cyber threats are always evolving, things are always changing. What do you see as the future of cybersecurity awareness training?
Kathy Isaac: Okay, I am a geek. I just want to start with that. I'm always on top of this stuff and I can always try and envision what might happen next. Some of the stuff I see going on, it's getting pretty innovative, and we're about to step into some spaces that I think are cool. I don't know if other people think are cool, but microlearning, that has been coming up, and I've been hearing about it since last summer. I don't know if you're aware of this, but this is the little TikTok style video that, apparently, people love. And I'm like, "I think I might love it too." But these are just short focused learning modules, bite-sized. They are 30 seconds to one minute long. They deliver specific concepts. You could throw cybersecurity concepts in there quickly, effectively, and they fit in well with busy schedules and short attention spans. One company, I saw pitch, this company selling a micro-learning product, and they basically went to a corporation, took one of their one hour long training sessions and broke it up into 10 or even more videos, and then, measured engagement. And there was much higher engagement from their staff on those micro-learning that they could look at on their phone. It's literally phone-sized videos versus the one-hour presentation. I can see that happening in cybersecurity land, awareness training switching to just micro... It's already happening, to be honest, with you, but less formally. There's no way I was going to get through this whole session without saying the words "artificial intelligence" at some point. There's a lot going on in that space that I think is going to be really impactful when it comes to cybersecurity awareness training. Behavioral analytics is already being mixed in there. What that does now, it gives us the opportunity to do adaptive learning. I'm going to get a different training than you, Jara, because the AI tool sees how we work and knows what we do.
You're going to get content tailored for you and your day-to-day work, and I'm going to get content tailored for me. Sometimes, even in the same course, it's got the same title, but we've got two different experiences happening there. And with the quizzes and things that, maybe I got these questions wrong, I'm going to get more content on that stuff based on my particular learning style. There's also this augmented human intelligence piece, these tools that can actually plug into your day-to-day work. It's actually looking at how I work, what I'm doing and saying, "Hey, look. I don't think you should click on this link. This looks suspicious. What do you think? Should you click on it? Should you investigate this further? I noticed that you copied so-and-so on this email. Should they be there?" Those tools already exist. We're going to see more of that. It's an integration of training into our day-to-day work versus sitting down and doing a course. You'll see more of that. And then, there's other cool stuff I've seen when I go to shows and conferences, VR, augmented reality, where you're actually in a simulated attack. "What are you going to do? You've clicked on this button. What do you do next?" And you can measure your staff's understanding of how they respond to a realistic threat. There's a lot of cool stuff already happening and out there. I think it's cool. I don't know about other people, but I definitely see how we do cybersecurity awareness training changing in a way that is going to be more fun and more engaging.
Jara Rowe: That's awesome. All right. Now, I have a little bit of a, I wouldn't say lighthearted, but fun question for you. If you could create a new cyber attack, what would it be called?
Kathy Isaac: I have absolutely no idea. This one is hard for me to figure out because I don't know how cyber attacks are named, to begin with. If I were to create an attack, what would it do? I don't know. I guess I would go after a high profile account at a high profile company and try to gain access to their account. What would I call that? I'm just not that creative. I don't know. But I think that's what I would do, if I was an attacker. I think I'd go after somebody who I expect will have a lot of access to critical information at a company I think is going to make me a lot of money if I get their data. That's where I'd go.
Jara Rowe: That's probably what I'd do as well. I don't know what my attack would be called either. That's okay. All right. Kathy, I really appreciate your time today and I've learned so much about cybersecurity awareness. Before I let you go, is there any other thing that you would like to run home about awareness training or just cybersecurity in general?
Kathy Isaac: I think the number one thing that I'd want to focus on is that leadership involvement and engagement and endorsement. I think the idea behind cybersecurity awareness training, or any of it at all, is that you've got to build this culture within the organization. Every single person has to be engaged in that. And culture starts at the very top. And if, as a leader, you're not engaged, you're not following the practices, you're breaking the rules, you cannot expect your staff are going to follow. And I work with lots of organizations. Some of them are nonprofits and I've heard people say, "Well, we're nonprofits. The legislation doesn't apply." Regardless, there's an expectation that is set by your donors, the community you serve, if you're a profit making business, your customers, it doesn't matter what the legislation says. In 2023, your customers have an expectation. Your stakeholders do. And if you can't meet that expectation, if it even seems like you can't meet that expectation, you're done. Once your reputation is hit, you're done. From the very top, the leaders should be engaged in this and understand that this is not just a thing you should do. This leads to business growth or business failure. I think that's the one thing I really want to drive home is that leaders need to be involved and need to endorse and push cybersecurity awareness across our organization.
Jara Rowe: Fantastic. Thank you again for your time. I hope the listeners learn just as much as I did, and that wraps another episode of The Tea On Cybersecurity.
Kathy Isaac: That's awesome. Thanks for having me, Jara.
Jara Rowe: Now that we've spilled the tea on cybersecurity awareness training, it's time to go over the receipts. I really enjoyed my conversation with Kathy. She taught me a lot about cybersecurity awareness training, and even some of the intricacies that I never thought about, so I hope you as a listener got a lot out of that conversation as well. There were a handful of things I took away from Kathy, so let's dive straight into those receipts. The first receipt that I have is, what is cybersecurity awareness training? It's important to tailor the courses to each stakeholder, whether that is someone from your marketing team, an engineer, all the way to a board member. Another thing I took away are a few mistakes that companies make, and one of the biggest ones that companies make when it comes to cybersecurity awareness training is having a lack of leadership engagement. This really needs to be a top-down initiative, and if staff members see that the CEO isn't taking it seriously, then, they probably won't as well. We all, for the most part, work remote and on a distributed team, so when it comes to remote work, there opens up a new set of cybersecurity challenges or threats, but Kathy also pointed out that, with remote work also comes physical threats. When you think about cybersecurity awareness training, you may want to throw something in there about physical threats as well. Kathy shared an example with me. Someone she knew was at a coffee shop, left his laptop on the table, went to get a refill of coffee and turned around to see someone leave with his laptop. I can only imagine all the important data that didn't necessarily need to be in anyone else's hands, so think about that as well when you work remote. And the final receipt that I have for this episode is how cybersecurity awareness training is changing to suit different learning styles. Kathy talked about microlearning, which is coming in bite-sized pieces of training.
Think about a TikTok style video. She also talked about how AI can help customize for different roles, and that VR is probably going to be a big thing as well where you can have simulated attacks. I hope you took as much away from this episode as I did, and that wraps another episode of The Tea On Cybersecurity. And that's The Tea On Cybersecurity. If you liked what you listened to, please leave a review. If you need anything else from me, head on over to Trava Security. Follow wherever you get your podcasts.
DESCRIPTION
"Cybersecurity awareness training is not about creating cybersecurity experts. It's about making staff and stakeholders aware of the threats and how to respond to them."
In this episode of The Tea on Cybersecurity, VP of Customer Success at Carbide, Kathy Isaac, joins host Jara Rowe to discuss the ins and outs of cybersecurity awareness training and why every company must partake in it.
As the world leans increasingly into technology, cybersecurity awareness training is crucial for businesses and individuals. Without this training, companies are putting their business at risk for malicious attacks, data breaches, and cyber threats.
Join us as Kathy shares how to engage your company in this training effectively, the secrets to tailoring this practice to different audiences for effectiveness, and what could go wrong if not taught properly.
In this episode, you’ll learn:
- What cybersecurity training is and why it’s important to tailor it to different audiences.
- Common but detrimental mistakes that companies make when it comes to cybersecurity awareness training.
- Why cybersecurity awareness training is crucial for remote work.
Things to listen for:
- [03:04] What is cybersecurity awareness training, and why it’s important.
- [04:21] How companies can tailor cybersecurity awareness training to different audiences for effectiveness.
- [07:53] How to make cybersecurity awareness training more effective and engaging.
- [09:47] Common mistakes companies make regarding cybersecurity awareness training and best practices to take.
- [13:13] How to measure cybersecurity awareness training effectiveness.
Connect with Trava:
Website www.travasecurity.com
Blog www.travasecurity.com/blog
LinkedIn @travasecurity
YouTube @travasecurity