Human Risk Management: A Breakdown

Written by Living Security Team | July 26, 2022

Our Human Risk Management Conference has come and gone, but the work (and the learning) never truly stops. To kick off the conference, Drew Rose, Living Security CSO opened the conference with Human Risk Management: A Breakdown. In this introduction, Drew shared the following key insights:

  • What Human Risk Management is, and how it differs from standard Security Awareness Training
  • How to empower employees of all kinds of organizations to deal with the inadvertent and deliberate security mistakes that put companies at risk
  • Why traditional annual Security Awareness training might tick all the boxes on paper, but won’t provide actual behavioral change.

Watch the full recording, complete with helpful diagrams and visuals, and read the full transcript below.

Full transcript of Drew's panel:

Drew Rose:

Why are we here? More importantly, why are you here? That's something that I really want you to think about. Again, feel free to jump in the chat and answer that question of why you are here spending your time. We're here as an organization because we are human and we make mistakes. Like dropping our brand new cell phone, where we have yet to put the case on. We make inadvertent mistakes and deliberate ones. Sometimes it's hard to tell the difference. We make mistakes that affect our relationships. We make mistakes that affect our physical being.

Drew Rose:

We make mistakes that affect our finances. We make them in complex work environments, needing to consistently and accurately follow long procedures. We make mistakes when we get little sleep. We make mistakes when we're stressed, when an outcome triggers anxiety or fear. Mental strain causes mistakes when we need to concentrate for a long period of time. And we only have a limited number of items that we can hold in short-term memory. Emotions (anger, sadness, happiness, embarrassment) will all affect anyone's performance. Do you have children? We make mistakes because we are human and not machines. We are here because in our field mistakes lead to risk, loss and exposure through cyber incidents and breaches.

Drew Rose:

From the curiosity of the subject line "I love you" in the 1990s, to the convenience of downloading illegal movies and music on Napster in the 2000s. And finally, the impostor emails from your boss, who needs gift cards ASAP. We protect the confidentiality, the integrity and the availability of our organization's computers, networks, data, and access. But if you've been in this industry for more than five or 10 years, cyber security used to be IT's job. Maybe you had a full-time employee focused solely on cybersecurity. And one day compliance came and said, "Thou shall have annual awareness training." Because the breaches happened and people's lives were affected. And organizations felt they had to do something. And so we had this blanket statement: if everybody just takes security awareness training one time per year, we'll have fewer breaches. The tech guy said, "Sure, that's easy. I can just assign a training and in 30 minutes I'm done. I'm there." But was it that easy? Because if it was, Living Security probably wouldn't be here today. But in their mind, all was good in the world. Peace and happiness. But in fact, nothing changed.

Drew Rose:

The breaches continued, they got bigger, they got more impactful. And we recognized that the absolute nature of one-time annual training was not going to be effective in changing behavior. Some of us did early on. And so the pendulum shifted. Cyber went from IT's job to everyone's job. But that's too much pressure: cyber security being accountable for the cybersecurity hygiene of yourself to your organization. It's much easier said than done. And so how do we get there? How do we get buy-in where end users, who maybe are not technical, believe that cyber security is part of their responsibility?

Drew Rose:

And that's when cyber security culture began. Engagement, campaigns, swag, surveys, escape rooms. Some of you may know Living Security from ... The birth of the security awareness program owner: full-time jobs dedicated to not only getting the compliance checkbox, but trying to bring a positive frame of culture to an organization. During this timeframe, it was all about views, impressions, likes, and smiles. And I can tell you from experience, I got a lot of them. But you can't sell smiles to the board. It doesn't equate. The board operates from a risk perspective. And the amount of smiles you get, or the amount of impressions you get on a specific campaign or program, doesn't necessarily equate to a reduction or even an increase in risk. There's no way to combine those two. And you haven't been able to measure human risk. It's been very complex, even if you tried to dive into that, until now.

Drew Rose:

So, program owners became more like roll callers, instead of focusing on the most value that they can bring, meaning reducing risk: reducing the amount of ransomware that is impacting their organization. Reducing the number of victims that are falling for phishing emails. Reducing poor password hygiene, sharing passwords, reusing passwords, not knowing how to use strong passwords, not using two-factor. Also, increasing MFA usage. Increasing security reporting, not just phishing, but holistically. Increasing overall vigilance, which leads to positive security behaviors. So, how do we get there? How do we get the respect, the metric-driven outcomes that we all know are more important than how many threats your firewall blocked? You've heard this phrase several times so far today. It's human risk management.

Drew Rose:

Human risk management is the intersection of managing cyber risk and engaging the human. Human risk management represents a revolution in how enterprises should identify, respond to and report on human-initiated risks within their organization. HRM represents the convergence of granular management of human-behavior-induced cyber risk and relevant, engaging content for your employees. I'm currently working on this outline for four pillars of human risk management: data analytics, reporting and automation; training and culture; risk simulation; and security by design. Each of these represents its own expansive functions. Not only is Living Security talking about human risk management, but there are other visionaries in our field that are also trying to increase the importance and the responsibility of this field. Now, during the rest of this conversation, I'm not going to be going into a lot of depth on these different pillars. And what I want to acknowledge is that this isn't something that Living Security is doing on their own to bring to the table.

Drew Rose:

Through mechanisms like our client advisory board and the Living Security community, we are always bringing in people that are interested in helping to move this industry forward. And so over the next six months, we'll be doing a lot of work on defining these pillars of human risk management and then bringing them back to the industry for everyone to be able to use and leverage as we talk about the maturity from security awareness training to human risk management. Human risk management is a function that should sit directly underneath the C-level executive in charge of cyber and information risk. Typically, this is the CISO, but it could easily be the CSO, the CIO, the CTO, the COO, or even the legal team. We've done it. We've seen it in every way imaginable. The people that have the security awareness titles today, we need to start petitioning for the jobs that represent the goal of our daily job duties.

Drew Rose:

Now, if I ran a poll right now, I don't think that ... if I ran a poll saying, here are five items from a daily job duty perspective, that getting annual training compliance is the most important task you do in a day. We know that task is not, mostly not, reducing risk. Reducing risk from getting sued if a breach occurred, but it's not changing behavior. So, at first we as an industry need to pivot in how we message our results. The messaging to the board should not be, "We are 99% compliant in our annual training." Our messaging to the board needs to represent the risk that humans bring to the environment and what we're doing about that. What we're doing about the specific behaviors, both from technical and non-technical individuals. We need to act like reducing human risk is the fundamental goal of our job. We need to rewrite our job reps and ask for a new title. Transformational CISOs and business leaders can jumpstart this maturity by taking the initiative and changing titles to those that better fit the goal. If you see here's, I love actionable items, right?

Drew Rose:

We have an audience of over 400, I believe, right now. If you see people on LinkedIn announcing new job titles that are non-confirmative to what they've been in the last five years, and we'll talk about some of those job titles in the future, raise that awareness. Reshare that message. Congratulate that person. And then dive in and figure out, how did they do that? Did that come from the bottom? Was that something that was petitioned by the actual person that is getting the new title? Was it a transformational CISO that believes investing in reducing human risk has a net positive outcome? And then how do we start getting those people to get their voices out there?

Drew Rose:

But why is it important to realign our title? This image should not take too long for us to figure out. I've been in the security awareness industry for 12, 13 years now. We need to be reborn into the security team. Too often, through firsthand reports and secondhand reports, I hear about less than ideal relationships with these supposed peers. [inaudible 00:12:58] managers, forensics investigators, security architects. Sometimes downright contentious. I find many security awareness program owners to be viewed as just the marketing arm of the security team. The soft skills, the ones that can talk to the end users. I don't see security professionals realizing the true potential of what we can achieve. And this is why we need to restart. A letter of trust, belief and credibility that marketing is just a skill of this program, not the goal, not the outcome. In fact, the partial outcome is to enable your security peers.

Drew Rose:

Imagine walking into this room and helping to make your security peers more efficient, effective, and valuable at their own job. And that's what human risk management is able to do. Marketing, comms, branding is a skillset, and it's a valuable skillset. You're talking to a team at Living Security that really believes how important being able to engage with the end user is, and how difficult it is in the year 2022, consuming content daily, with trillions of dollars spent to capture your eyes on Netflix, Prime, Disney Plus, you name it. How you capture people's attention is very challenging. How do you capture it? How do you make them retain that information? In the human risk management field we're talking about people. It's not binary. It's not a machine. And culture is ever changing, from size of company, location, vertical, how old they are, how young they are. Those are all different factors that need to be brought forth by professionals to understand as they're building out their human risk management program.

Drew Rose:

So, it's time to get your seat at the table. That one. So, the first pillar of the human risk management pantheon is data risk analytics and automation. This, from my perspective, is one of the most important pillars because it's the evidence. It is the factual information that can prove that you are doing an effective job in reducing risk. With this information, you can get budget, you can get resources, you can get what you need. Because if you can prove that those investments are actually reducing human risk, it makes no sense to buy another 5 million next-gen firewall when you can spend 200,000 on a new campaign that has evidence around changing some sort of behavior. So, we have the human risk analytics specialists, human risk automation specialists. In large organizations, handling big data is very challenging. And then what do you do with that data?

Drew Rose:

We have several conversations happening later today about using actual behavioral data to create action and measure change. And I'm really excited to dig into those conversations. So, it's all about data integrations and collection, pulling in information from existing tooling that has events and actions that are associated with your end users. Data insight analysis. This is big data, BI, Business Intelligence, cybersecurity Business Intelligence. How do we make sense of the data? How do we sift through the noise and find the information that is important to you and your organization? Cross-team action and automation. I was just speaking about this a couple of slides ago. If you can walk into the office of your security architect or your security operations manager and make their job easier by reducing threats or incidents or questions, they will give you the time of day. They will listen to your request and your recommendations because you're not just asking something from them, you're bringing forth a skill set and solutions that can help them do their job better.

Drew Rose:

And reporting. Reporting is going to be a big factor of human risk management. What are we used to seeing from a reporting perspective in security awareness training? Well, we're used to seeing phishing. Simulated phishing results, kind of the de facto standard for a decade. That has slowly morphed into reporting rates.

Drew Rose:

But what else? What else can we report on that shows behavior change, and how do we target those reports to the individuals that need them, in a perspective that makes sense to those individuals? There's not going to be a one-size-fits-all report. And so what do we get out of it? What are the key metrics that we're going to measure to prove success in this field? Reduction in SOC incidents. Increase in understanding of human risk by leadership. I'm going to talk about this several times in these last 10 minutes. We'll see it in the next slide too, or the next few slides. The accountability of human risk lives with the leadership, the business leadership of their team. Let that sink in. But how do we do that? If they don't know what risk their team brings to their organization, then they're flying blind. This role is going to help to deliver that information.

Drew Rose:

Increasing efficiency and effectiveness in existing security processes and solutions. This is the one plus one equals three. Your organization has spent millions, tens of millions of dollars on security technology every year. How do we get the most out of that tech? How do we get the most out of that team? The pendulum is shifting. Using data and evidence, we can finally give business leaders a view into the risk that their team brings to the organization. And more importantly, tools to do something about it. Cyber risk is still everyone's responsibility, but the accountability is for the business leader.

Drew Rose:

I'm really excited to dig into this topic, and if you're listening and this is something that's very interesting to you, how to get business leaders more accountable for cyber risk, shoot me an email or message me on this application and let's sync up and talk about it. Pillar number two, culture and training. This pillar is going to seem the most congruent to how things have been evolving over the last five years. Some of these job titles may not feel very different. You may hold some of these job titles as well. Security culture advisor, human risk learning and development specialist, human risk behavioral specialist, security education awareness manager.

Drew Rose:

Some of the key outcomes. Now, we can't get away from compliance. We're always going to have the compliance. We're always going to have the checkbox. We have to do it, but what more can we do? Role-based training, cybersecurity awareness month, survey creation, distribution and analysis. I've already said it once. We need to understand the culture of the organization before we just try to distribute education and awareness campaigns. What may work for one company may not work for another. And sometimes what we perceive from our own subset of that org may not be the same or familiar across that organization. So, we need to dig in and do surveys and talk to people and see how culture changes. And you may come up with multiple approaches on how to build your human risk management program. Security champions and ambassadors.

Drew Rose:

These are subjects that there are plenty of experts on in the security awareness field, and we can continue to leverage the lessons learned there. Security communications. Secure leadership program. This is from the previous pillar. These pillars are going to bleed into each other. It's going to be a great Venn diagram. And for smaller organizations, you're going to do all of these if you're the only person right now on that team. But the idea is, how do we build enough of a case where we can bring in more individuals to share the load? Because we know that investment in human risk management is going to have the greatest reduction in risk. How do we measure? We measure the success of culture and training through behavior change: increase in password manager adoption and usage, increase in MFA usage, increase in engagement from the user base. These are very clear and actionable things.

Drew Rose:

Risk simulations. This is everything from human risk simulation manager to human risk simulation analyst. This is your phishing, vishing, smishing, tabletop exercises. How do we measure this? Increase in incident reporting. Reduction in false positive reporting. If you can reduce the amount of false positives, that is going to take some time and some workload off of your security, your SOC. Because if they're not answering as many security incident reports, then they have more time. They have more time on their hands to deal with actual incidents. Increase in leadership's confidence in responding to security incidents. Tabletop exercises should not be every three years for the board and C-level executives. Understanding when potential incidents or even breaches are raised up, we all need to be prepared to respond. So, we need to train up the individuals to know what to do, who to call, how to respond when those incidents are brought up.

Drew Rose:

And the fourth pillar. This is another area that is very, very exciting to me. We're calling it security by design. Security by design evangelist, security UX analyst, and the BISO fits into this role. This is for internal and external products and applications. How do we build best practices into the SDLC? How do we create business partnerships to understand friction points in their process? And how can we create a stakeholder journey that can be improved with secure technologies? Security by design creates a focus on security hygiene for everyone in your organization, especially in software development. Security by design is built into the UI/UX process as well as secure co-development.

Drew Rose:

How do we reduce application misconfiguration and reduce friction in the adoption and usage of existing and new applications? We've all seen this happen. Team X purchases $500,000 software to do process Y. But it takes five minutes or 10 minutes to log in, and people give up and they revert back to the homegrown solution that they've been using. This is the community that is going to make human risk management a critical component in reducing risk in your organization. But like any other monumental shift, not a single person or organization is going to be able to do it on their own. It's going to take visionaries, transformational security professionals, creatives, data heads, and caring human beings working together. It's no coincidence that you signed up for a conference named Breaking Security Awareness. There is a reason you joined this web conference with everything else you have going on, with as much noise as you are receiving daily from the world, from your job, from your family.

Drew Rose:

There is a reason you're sitting on this call with us and you're excited about these presentations. Research, case studies, conference presentations need to happen. We need to publish our results on how to achieve this transformational shift. Talks titled "How I got the board to care about the human factor." "Move beyond phishing metrics." "Human behavior analytics for the win." "Security culture is how, reducing risk is the why." "End users are responsible for vigilance, not accountability. That's leadership's job." Begin to chart your career. Start having conversations with your leadership about changing your title to something that makes more sense, given your outcomes, not your daily duties. Find a mentor, ask questions, speak up. The Living Security community is a great place to start. We have 750, 800 people in this community. Some may already be on this transformational path.

Drew Rose:

How did they do it? Find people that are in similar organizations to yours, which is why we're doing the breakout sessions, because it's so important to find like-minded people. You work for a big bank? Go find a big bank competitor and say, look what they're doing. Look at the results they're having. I bet you their CISOs already talk. Get the data, make the case. This is our ... More technology is not going to fix this problem. Every new tech for the last three or so years is being conflated, which is, do we really need this? Is this going to change? We are through the incredible advance of security technology for the time being. It's now time for us to focus on the human, where we should have started from the beginning.