Security awareness training for CEOs

Anyone seen anything on that?

Regular security awareness training is a hard sell for CEOs of large and rich companies. They tend not to think of themselves as regular people, and, to their point, their time is pretty expensive, so it's better not wasted on half-baked products.

Anyone knows of a very good, short, to the point, of extremely high quality, CEO-fashioned, expensive security training?

Just basic things -- check if the web-site has a cert, if it's trusted, don't accept suggestion to download and install "flash updates", how to avoid sketchy web-sites, how to recognize phishing, spear-phishing, whaling, CEO-phishing type of stuff.

Find more posts tagged with

Comments

TheFORCE

gespenstern wrote: »

Anyone seen anything on that?

Regular security awareness training is a hard sell for CEOs of large and rich companies. They tend not to think of themselves as regular people, and, to their point, their time is pretty expensive, so it's better not wasted on half-baked products.

Anyone knows of a very good, short, to the point, of extremely high quality, CEO-fashioned, expensive security training?

Just basic things -- check if the web-site has a cert, if it's trusted, don't accept suggestion to download and install "flash updates", how to avoid sketchy web-sites, how to recognize phishing, spear-phishing, whaling, CEO-phishing type of stuff.

I'd recommend this. https://www.knowbe4.com/pricing-kevin-mitnick-security-awareness-training
The solution is calldd KnowBe4.
I just recently had a demo for it and received a 2 week trial. The solution has exactly the training you need, you can cater it to your audience for regular users to IT or developers or high management. Seems to be relatively cheap also. It's a SaaS solution and very well designed. You also get to conduct phishing campaigns from the platform and create your own social engineering campaign or use the templates they have. Cool thing is that they introduce content very often and relative to the news out there. Has tons of metrics too in order to judge how well users are identifying malicious emails etc. Give it a try. We will migrating to this soon.

gespenstern

We have it and it sucks for the purpose outlined in the post.

There are just a few modules on what would be interesting for top management and they all full of fluff and irrelevant. The one on CEO fraud starts with a long introduction and a hypothetical situation in which a small real estate business owner who hires an accountant gets a call from them and they say that supposedly the owner asked them to transfer money in both SMS and email. For CEOs of multi-million or billion companies it's hard to feel in such an owner shoes IMO and it's too lengthy anyways. Majority of knowbe4 modules could have "for dummies" labels on them, I don't think top management of larger companies can appreciate that.

That's why I'm looking for something specifically designed for this type of audience.

TheFORCE

Really? That's interesting, I'd have to lool into it again then when the trial starts. We are in a tight spot as our current solution is being retired and this was what was presented to us as the replacement. Will follow this thread too then. Thanks for the heads up.

MitM

@gespenstern Did you ever find a good solution?

@TheFORCE did you ever proceed with the purchase? If so, how do you like it?

I'm looking for security awareness training for my entire company. KnowBe4 always looked good to me

kaiju

Cybrary has a free 1 hour long User Security Awareness course.

It would probably be best to create your own Security Awareness briefing for C-suite execs. Have the rest of the staff do an online briefing and then submit their digital cert for record keeping.

paul78

If the CISO or head of security isn't sufficiently influential or has the autonomy with the right authorization to do their job, security awareness for a CEO will never be entirely successful.

I actually don't recommend security awareness training for execs. For compliance, they may take the same security awareness training as everyone. But usually my preference is to do a "demonstration" or have a 1:1 conversation.

LisaPlaggemier

So, full disclosure, I work for InfoSec Institute and we have a ton of content for execs.

BUT, from my experience running a training and awareness program, I recommend you do exec training in person. Keep it short, targeted, and limit it to a small group. Why? So they can ask questions without feeling stupid in front of a large group of people. You'd be amazed at the basic stuff they might not understand but are afraid to ask. Some companies also offer dossiers to execs, presented to execs at their homes with their families present. Imagine doing a physical and cyber assessment of an exec and his family (think, what their kids are posting on social media), and presenting it to them in a very relaxed, non-judgmental atmosphere where they can ask questions. You obviously can't make that mandatory, but they may take you up on it if offered, especially if they have teenage kids. Stick to the facts, show them how the info could be used against them without being alarmist, and give concise, clear recommendations.

paul78

LisaPlaggemier said:
... You obviously can't make that mandatory, but they may take you up on it if offered...

Just my 2 cents. I'm not sure that I entirely agree with that sentiment.

A CISO or head of infosec, is an exec at most organizations. And if that role really exists with the same level of authority as other peer execs, there's no reason why it cannot be mandatory. When the Chief Counsel tells me that I am required to have certain liability clauses on my vendor contracts or the CFO mandates a budget submission dateline, that's within their charter and authority. The same is true for any CISO or head of infosec. Most execs will not waste goodwill capital to push back on spending 30 minutes for something that is generally viewed as a basic requirement in regulated industries.

If however, the tone from the BoD and execs is to take a lackadaisical approach and has a high risk tolerance - no amount of awareness training will compensate for that type of culture.

MitM

In my case, I'm looking for awareness training for the user community of my company, in many languages, not specifically execs. Quite different from the original poster.

kaiju

@MitM You will most likely have a find a base training and then reconfigure it to fit your organization. Do you have translators within your org who can assist you?

paul78

@MitM - take a look at the solution that @TheFORCE mentioned - Knowbe4 has training in multiple languages. Their phishing platform is pretty decent too.

MitM

@paul78 Yes, KnowBe4 was my first option. That's who I'm familiar with, just wasn't sure if there are other worthwhile ones

infosec_darren

@MitM give us a look (http://infosecinstitute.com/securityiq)! Ask for TechExams discount, we'll throw in a boot camp of your choosing for you

EANx

paul78 said:

LisaPlaggemier said:
... You obviously can't make that mandatory, but they may take you up on it if offered...
Just my 2 cents. I'm not sure that I entirely agree with that sentiment.

A CISO or head of infosec, is an exec at most organizations. And if that role really exists with the same level of authority as other peer execs, there's no reason why it cannot be mandatory.

I have to agree with Paul. If the culture of the organization is that "we will train users in basic infosec", then it becomes mandatory. I've previously found that a lot of senior "C" suite people will go along simply because of optics, it's the next layer down that's been the road block. It's the plant manager or the press director that is always "too busy". My response has been "well, your boss' boss says you have to make time." It also works a lot better when the execs sign off on a policy to warn a couple of times then disable someone's account.

LisaPlaggemier

@paul78 and @EANx I should have been clearer in my original post...what I meant was, you can't make inviting yourself over to their home to present a dossier on them and their families mandatory.

cyberguypr

So you expect them not to advertise in a platform they own?

EANx

I prefer their occasional marketing post to the full-screen ads.

paul78

@Cert_God - I've referenced advertisers on TE in the past - including products from Infosec Institute. Heck - I've even bought stuff from advertisers on TE. I don't particularly see why that would be a problem.

LisaPlaggemier said:

@paul78 and @EANx I should have been clearer in my original post...what I meant was, you can't make inviting yourself over to their home to present a dossier on them and their families mandatory.

LOL - yes - although it could be fun to hack their home networks and replace the wallpaper on their home computers with the dossier.

Without going into any detail, I do also think that a demonstration can be most effective when the CEO or members of the executive staff have an uninformed risk appetite. But it takes at least one member of the executive staff or the BoD such as the CISO to affect change. And that change can take time.

@LisaPlaggemier - I like your approach to security awareness from a marketing perspective. Because this type of education benefits well from subtle approaches. I firmly believe that security awareness cannot be one-time event. Unless, an individual is attuned to cyber threats, most people tend to get sloppy about 2-3 months after the training is given.

EANx

paul78 said:

Without going into any detail, I do also think that a demonstration can be most effective when the CEO or members of the executive staff have an uninformed risk appetite. But it takes at least one member of the executive staff or the BoD such as the CISO to affect change. And that change can take time.

When I was giving security presentations, I would always select examples that resonated with the audience. It's not hard to find organizations in the industry that have been affected. If the companies think they're "hardened", focus on the issues the USG has with insider threat. I can think of two easy ones from No Such Agency.

Meggo

@paul78 is there a training cadence you've found works best -- or do you find it varies widely by role/department?

paul78

Meggo said:

@paul78 is there a training cadence you've found works best -- or do you find it varies widely by role/department?

In my opinion, I would say that it varies by company. A common practice is an annual training cadence but most companies do so solely as a compliance checkbox which is generally useless. For companies with an inherent culture towards data protection, the annual security awareness CBT is probably fine - usually those are companies like larger fintechs or financial institutions where the employees are more attuned to threats. I have noticed that tech companies where the employee base is younger then to need more security awareness training. But because it's not practical, usually some other mechanism of reinforcement is needed - for example - regular phishing exercises or short talks during departmental all-hands.

I think that formal training can only be done once or twice or year otherwise the employee base will become inured and blase to the training.

averageguy72

I concur with those that have mentioned KnowBe4 earlier, it's one of the better platforms I've seen. I use it for monthly assessments and targeted retraining when necessary. And they may let you perform an assessment before signing up to help you make your case to leadership. If that's what you're looking for in terms of prebuilt training and assessments. We developed our own annual core security training and revise it every year to include any new trends.

I also agree with @EANx, provide relevant metrics and statistics. You may also be able to put together interesting statistics on your own by doing things like scanning your organization's email addresses with the haveibeenpwned.com API. You can write a simple script or app to automate it. Things like that, depending on your company's culture, may garner attention more efficiently than relying on general reason.

LisaPlaggemier

@paul78 I agree that if mandatory training is too frequent it can cause them to disengage on the topic of security - just the opposite of what we want. I ran a program for four+ years and have a lot of friends at different companies in the same role. Many of us evolved our programs over the last 4-5 years to have a small part of the program that's done for compliance, but the rest of it is done with the goal of real engagement and culture change.

For example, you send out a set of CBTs annually that check all your boxes for compliance and give you a nice neat report for audit when they knock at your door. You drive that program for 100% completion. Keep it short and targeted and find the best produced CBTs you can - remember, this is probably the most visible thing your security org will do - the whole company will see it. Give people plenty of notice that it's coming, keep the communications upbeat, and explain "the why". Then, run the rest of your program to get people to engage. Do communications (articles in company newsletter, lunch & learns, videos, etc.) that are informative, entertaining, funny, engaging...whatever works in your company culture. The idea here is to make info available that is so helpful and engaging that people WANT to read or participate, and they actually change their behavior as a result.

My experience is that as soon as you make something really funny or engaging mandatory, it's not funny or engaging any more.

LisaPlaggemier

@MitM , FWIW, I ran a program at a $2B technology company with 9K employees in 23 countries. When I talked to HR in each of the countries where we had employees, surprisingly, not all of them wanted training in their local language. Some used English for all company comms, so they wanted the training in English. For phishing, we phished them in their local language and reflecting local threats.

LisaPlaggemier

@MitM I made a quick spreadsheet for my vendor selection process that included things like ...Will people at my company like the look and feel of the modules? Do they offer all the languages I need (localized content, not just translated)? How robust is the Active Directory sync (ie will it save me a lot of time and effort?)? And finally, price. I used the Gartner Magic Quadrant for Training and Awareness to come up with a short list of companies. Once I saw their demos, it was pretty easy to choose what I thought would work best for our needs. These days, most of the vendors in the Quadrant have content that covers all the bases for compliance for most industries.