Cyber security is serious, right? Not all the time. Sometimes a little levity goes a long way.
That’s what next-generation firewall vendor Palo Alto Networks learned two years ago.
“Many CISOs reach for technology to increase awareness, and that’s not necessarily the thing to do,” company CSO Rick Howard said in an interview.
“When I first started here four years ago we had a problem with employees ‘tailgating’ in through the turnstiles – one employee would badge in and 10 or 15 would come in right behind and wouldn’t badge in. We were trying to figure out how to fix that.
“We had all the smart security people in a room, and we were going to buy a bunch of technology and increase the security around the turnstiles, and it was going to cost a lot of money, but by God we were going to solve it. Then we realized maybe that wasn’t the right approach.”
“We made a movie of our CEO walking through the turnstile and then our CTO tailgated in. And they were standing by the elevator and the CEO turns to the CTO and says ‘You know, you’ve got to use your badge to go through the turnstile,’ and the CTO says ‘I know, but I’ve got a meeting. I’ll do it later.’ and the CEO says ‘You’ve really got to do this now.’ and it escalates into an argument and then a wrestling match. They both fall to the floor, and the CEO calls into his watch ‘Broken Arrow! Broken Arrow!’ and four guys with toy machine guns come and grab the CTO and drag him off.
“Then the CEO looks at the camera and says ‘Don’t be that guy!’”
“We showed that film at the all-hands meeting that quarter and now I don’t have a problem with tailgating into our company offices, because a picture from that video is by every turnstile.”
In fact, the company has made several more ‘Don’t be that guy’ videos since then to keep up the momentum.
“You don’t need technology all the time for security awareness,” Howard said. “What you really need is to get buy-in from the executive leadership.” Then awareness training “becomes the thing to do, not the thing to dread. If you’re trying to go bottom-up for security awareness I don’t think you’ll have much luck.”
Another technique he recommends is having friendly competitions between the various groups inside the company (marketing, sales, security, executive team) to see who does better on security metrics. For example, Palo Alto Networks subscribes to a commercial phishing test company, which compiles response figures every quarter. “When an employee screws up we tell them, but more importantly we collect and show stats for the executive groups and show them at the monthly executive meeting. And you can be sure if the EAs (executive assistants) do better than the office of the CSO, that is a sore point that the senior leadership decides to fix right away.
“That has shown remarkable results. We have gone from high percentages of clicking on email messages to a very small percentage that do. And many report to the infosec staff when they think there’s some sort of spoofing mail coming in.”
Like many experts, Howard says telling a story to staff about a real attack is one of the most convincing techniques. As a company that defends networks it has a certain advantage in gathering data, he admits, but it does enable trainers to say ‘Here’s what we saw last week: Adversary X, we think they’re from Russia, they went after Joe’s email box with a link in an official-looking message, then they tried to get to the data over here, but we stopped them.’
Asked how to deal with staffers who insist they have to click on every email link in case it’s important, Howard says there’s a reason the security message isn’t getting through. “We get good at quantifying technical risk but we struggle mightily to convert that into business risk. So my advice is not to portray the problem as a technical thing they should be doing but to convey the potential business loss, the risk for him to be doing that thing … Then it’s not an IT problem any more, it’s a business problem.”
PS: As always during Awareness Month, Howard is overseeing a “People’s Choice” voting campaign for one book to be added to the Cyber Security Canon hall of fame. This is in addition to the committee, which makes its own additions. The nominated books get winnowed down each week until only one is left.