The Business Security Weekly podcast brings together cybersecurity expert hosts with businesses to discuss how to navigate security in a corporate setting.
Human Risk Management, Episode 321 on September 25, 2023, featured Jake Wilson, Security Awareness Evangelist at Western Governors University. The conversation touched on the importance of security awareness programs, the role of engagement and fun in these programs, the movement away from a compliance-focused approach to one that emphasizes behavior change over time, and how data shows effectiveness.
Jake emphasized the importance of a robust, engaging, and consistent security awareness program. He pointed out that often organizations focus on compliance checks, but there is immense value in creating a program that actively engages and educates employees.
“I feel like there's starting to be this shift... I think there's a lot more to information security than just the online courses and ad hoc kind of communications or alerts about risks or things that are happening at the time,” he said. “The biggest change we made was focusing on making things fun, making them engaging. Then we started to see more buy-in and people got excited about security.”
When discussing the structure of security awareness programs, Jake stressed the importance of moving away from long, tedious courses to shorter, more frequent ones. He believes that this approach increases learning and retention among employees while also being more considerate of their time.
"One of the pieces of feedback we get is, 'Oh my gosh, thank you so much for making this course only five minutes or ten minutes,'" he said, "because it gets them back to their main focus, which is whatever their department or whatever their role is."
Having the right people leading security is important, too. "I think if you have somebody dedicated to security awareness, somebody that obviously cares about the organization and helping individuals at work and at home, it does wonders," he said.
“We don't want to roll out these training courses for every single person,” he said. “We have people that are maybe the most secure person in the university and they create the best passwords, but maybe there are individuals that need additional help.”
Wilson shared how Western Governors University's program included monthly scorecards sent to individuals, showing them what they're good at and what they could improve on.
Jake uses Unify, the human risk management platform from Living Security, which enables him to see all risky users so he can prioritize delivering training or policies to those who need it most. When he sees a person or group that is exhibiting risky behaviors, he can create action plans to mitigate their risk.
Jake noted that metrics should go beyond things like basic phishing click rates and instead include data on behavior change over time. He said he uses, and will expand his use of, the Human Risk Index scores provided in the Unify human risk management platform.
What's more, he can show that the "organization as a whole went from risky to vigilant; the needle moved to the right," he said. This approach gives a more holistic view of the organization's security posture and helps identify areas for improvement.
"I think it tells a really cool story to leadership, and it's something that I think it's easy to understand," Jake said. "It's not technical. It's just behavior change."
"Fast forward in a year, we'd want to focus on maybe the top risks that we could address and then take a proactive approach with the individuals that need help the most… the goal is to show that needle moved within [Unify from Living Security]," he explained.
Through the end of 2023, qualified organizations can get a free POC of Unify, Living Security's Human Risk Management platform. Request a demo today to claim this offer.