Security Awareness and Skills Training

If you are familiar with the CIS v8 Top 18, then you might be comfortable talking about Security Awareness and Skills Training. I sit down with Jim Harryman of Kinetic Technology Group to talk about the Why and the Proof that every solution provider should be considering in their own training.

[00:00:00] Welcome to MSP 1337, a show dedicated to cybersecurity challenges, solutions, a journey together, not alone. I'm your host, Chris Johnson.

[00:00:17] Welcome, everybody, to this episode of MSP 1337. We're going to talk this week about security awareness and skills training, maybe it's just skills training, and skills and awareness training. And I've got Jim Harryman with Kinetic Technology Group with me today.

[00:00:38] Been with us before, Jim. Welcome to the show, always a pleasure.

[00:00:43] We had our end-of-month call yesterday with the Secure Outcomes integrator members, and it got brought up. We were talking a little bit about skills awareness, or security awareness and skills training, and you brought up some things that we'll get to here in a second.

[00:01:04] But we decided to take a look at the CIS Navigator, and we happened to pick one.

[00:01:12] If you look at the Navigator, it has all the CIS controls in it, it shows you how they map to other frameworks, and it just so happens that security awareness and skills training really ended up mapping to CJIS, or the criminal justice information security.

[00:01:30] What was interesting about it is it has levels of maturity, or different levels of training that someone has gone through, to show the maturity process for what they're being tasked with.

[00:01:42] And I thought it was interesting. Obviously we talked about it a little bit yesterday, that we don't really see a lot of that in the vendor platforms and the tools and services we consume.

[00:01:53] So I think you start out as a sixth grader in middle school, and it shows your progress through graduating high school in the security awareness training. But to some extent, how do you know that those that you're providing this training to...

[00:02:10] And then we just pulled out the Trustmark. It's not actually called out in the CIS, like how do you measure success with your staff? Because, you know, we were talking about this before we started the call.

[00:02:21] Like, if they're technical, here's your security awareness training, skip the video, go into the questions, right? And to some extent you're like, and I expect you to get them right whether you watch the video or not, because for someone who's technical, this should be pretty easy stuff.

[00:02:37] And in our conversation we had yesterday, we kind of kept going back and forth on the different challenges. Like, well, what happens when you're in that staff meeting and the three people that are not technical are like, well, why do we have to do that?

[00:02:49] Why is that important? And so I think, and I want you to share, but I think there's two things that I want to cover today that make security awareness and skills training really important.

[00:03:01] Number one is, whether you're a technical person or not, if you don't understand the why, the probability of it being followed well is not very high.

[00:03:12] And the second one is, if we're not measuring growth, especially when we get into the skills training, then how do we show evidence to those that are either our clients, or maybe our vendors, or insurance providers, and even our own, you know, the rest of our team,

[00:03:30] that we are in fact qualified to, say, sit behind the wheel and drive it down the road.

[00:03:37] Yeah, I think, you know, when it comes to the why, I mean, that's been, I think, the biggest challenge across all the MSPs that I've worked with over the last several years: getting buy-in from staff as to why we're going through a framework, why we're doing all these things to begin with.

[00:03:58] And so communicating that and getting buy-in is not a really easy thing to do, other than trying to just force-feed it and, you know, bully people into it, effectively, right?

[00:04:11] So, I mean, at least that's how I felt initially, and then I'm like, you know, I just got to get them involved.

[00:04:17] I got to take them on the same journey that I'm going on with this and start engaging them on the day-to-day, and show them exactly how these frameworks and these things that I'm trying to implement really do impact and have a very direct connection to their day-to-day jobs, right?

[00:04:43] And what they've been hired to do within our organization in support of our clients. And so that has been a challenge, and it has been a slow process over the last several years that we've been doing it.

[00:04:58] And so communicating it is not always... other than just, like a parent, because I said so, right?

[00:05:07] But why? Because I said so.

[00:05:12] But again, taking them along for the journey and getting people involved at the various stages, you know, whether they're in our company...

[00:05:22] I mean, I've got a security team of six people now.

[00:05:27] I mean, that's like half my company, right? I mean, it's pretty amazing, and they're all engaged in that, right?

[00:05:34] And the other half, you don't call them that because you don't want to pay them that, but they're also on the security team.

[00:05:40] Right, exactly. So, but even, you know, to our business development folks, to our finance person,

[00:05:50] you know, all the way to, you know, people that are configuring devices. It's like, we're implementing all these steps, and the person that's configuring the devices is like, well, why do I need to do this as well?

[00:06:02] Because, you know, these things are hardening the configuration of what we're doing.

[00:06:09] It's funny, because in practice we're doing a lot of these things, but now when we get into the training aspect of it,

[00:06:18] it becomes a completely different dynamic, right? How do we take this and establish a realistic program for a company of our size,

[00:06:30] number one,

[00:06:32] with material that is not just, you know, thrown together in, you know, Word docs or G Sheets or whatever,

[00:06:41] and really make it somewhat interesting and, you know, bearing that experience. And so that's...

[00:06:48] Well, so I want to touch on that.

[00:06:53] I was just talking about the different programs that are out there you can buy through vendors, and some of them don't scale very well, right? Like, if you're buying something that says, oh, it's $10 or $15 a seat for the training program per month,

[00:07:13] So you know, it's about $15,000 employees.

[00:07:16] That might not be palatable budget-wise, you know, in-year. And it's interesting, because, you know, to your point, at your organizational size,

[00:07:27] you probably start to feel some of the friction from a cost standpoint as that scales, because a lot of these programs weren't built for organizations that are large. They were built for organizations that are small, to ensure that they're getting that sort of minimum threshold that is...

[00:07:42] And so that's the minimum threshold that makes sense for them to be having, you know, different clients per that cost.

[00:07:49] And it got me thinking, because we see these patterns emerging with products like Credly that show you the badging and sort of the certifications, and you see, you know, Udemy and

[00:08:00] So TV, they all have these different strategies around earmarking that you have satisfied that particular program. But, like, you don't necessarily know, well, who authorized them to do that? Like, what's their background, or the educators, like, did they go to school to put together learning objectives for my team?

[00:08:21] And I'm not saying this to downplay any of them, but it just got me thinking, like, we rely more and more on a model that follows more that traditional education system

[00:08:32] to make sure that our employees and our clients are in fact learning what they need to, to protect the data that they're responsible for on a day-to-day basis, and no more of this "IT is responsible, it's IT's problem, it's a system and he takes care of that."

[00:08:52] So that got me thinking about some things you said, like how do you make this engaging, and how do you sort of measure that you're being successful with that? You know, kind of going from the why to the proof.

[00:09:02] Yeah, that is a completely different scale to measure, right? I mean, especially on the growth side, because,

[00:09:13] like you mentioned, most of the products that are available to us in our industry that we present to our clients are very linear. There's not a lot of...

[00:09:26] There's just not a lot of ways to gauge someone's knowledge and maturity at a level. And, you know, when it comes to, you know, our clients and things of that nature, I mean, we all know that they're focused on certain things.

[00:09:42] And for a lot of them it is very, very much so a checkbox for an organization, right? I mean, you look at an ad agency and it's like, okay, I need to just answer these questions, watch this video, and move on.

[00:09:59] I don't know that it is as necessary to gauge somebody's growth in cybersecurity awareness there as it is within our own organizations, right? And there are going to be exceptions to that. I mean, any time we're dealing with a client that has regulatory standards that they have to meet, you know...

[00:10:25] I think that all rolls uphill too, right? Like, caveat there.

[00:10:30] I think that bound by regulatory now sort of the main fly you are.

[00:10:35] Right. I think where I'm heading, and what I touched on with our conversation yesterday, was I really think that we have to

[00:10:46] re-evaluate this from not just a checkbox on a cybersecurity questionnaire or whatever, but that it is, and it will start with us as the managed service provider. And then what we do is we can then take that stuff and, instead of sending out all the things that we've been doing, actually take what we're developing and training our own staff on, and

[00:11:14] change that into something that we are then providing to our clients, either on top of what we're already doing or supplementing it in some way, or finding some other avenues with which to raise the bar

[00:11:30] on the training for that when it's needed, when it's necessary. But the fact is that it is necessary in our industry, in our organizations, as the provider of these services. We have better, for sure. So I feel like you took the proof side of this, and then you...

[00:11:50] So I think there's two proof questions in this question. So there's the proof of, like, showing evidence that this is happening.

[00:12:02] But then there's the proof that I think you just hit on, like the proof as to why we're doing this, right? Like, so, for example, the thing that comes to mind for me is, what's the outcome that I expect my employees to gain by watching this video and answering these questions?

[00:12:18] So I think if you just say, like, so they don't click on the link and, you know, become a victim of fraud, well, of course no one wants them to click on the link and become a victim of fraud. But we also want them to be living in fear that every link that comes into their email is malicious, to a degree, right? Like, we want them to have that sort of, be sensitive to it, don't be desensitized to it.

[00:12:40] So that had me kind of walking down this path of, like, okay, what am I really trying to achieve? Well, I'm trying to achieve that we always stay with our doors open, we're not a victim of ransomware and, fill in the blank, data exfiltration, you name it. And I go, okay, well, how do I articulate that to an employee? Like, hey, this training that we're doing is about don't fall victim to the, you know, click this link so you can put in your credentials.

[00:13:05] It's going to become easier and easier to avoid, largely because we recognize that our bank is not going to send us an email to click on a link to change our passwords. We're learning those things are not likely going to happen.

[00:13:18] So you can have a level of scrutiny that ends in, you can still get to the desired result if in fact you're supposed to change your password, by going out to the website or going out and finding the phone number, and not just following what maybe shows up via email.

[00:13:32] So if we go into more of the things that are less specific, like what happens when, you know, Jim, I get an email that says, hey, you need to transfer money, or you need to make these changes. They're more tactical in approach, they don't actually have links, and then they play you to do things, and it sounds like it's coming from Jim, or it's coming from someone in your company.

[00:13:57] Now this is getting harder, because we all want to be helpful to those that are reaching out to us. How do you navigate that one?

[00:14:06] Man, you know, we actually had a very well-done phishing email come in to my CFO.

[00:14:16] Okay.

[00:14:18] From somebody he didn't know, but it had a thread that appeared to have me in it, telling them to contact him, and everything, I mean, everything was so well written, and it just was well put together. And he's like, hey, who's this? And I'm like, I've never heard of them before.

[00:14:43] And he's like, well, I got this email. And I'm like, look, let me look at it. So I'm looking at it, and I'm like, man, this is actually really, really good. It was just a really, really well-crafted phishing email, and had he proceeded and paid this invoice for whatever amount it was...

[00:15:05] Yeah.

[00:15:06] You know, it would have easily just been a loss of, you know, several hundred dollars or several thousand dollars, whatever the case may be. And that's the thing. I mean, he's a financial guy that works in a technical organization, and his level of maturity was enough, maybe not to just, I mean, to know it was fraudulent, but at least...

[00:15:34] It's like, well...

[00:15:36] I don't even know... yeah, it looks... just because I don't even know who this is. He was cognizant enough to know that, okay, this is not a client, right? I don't recognize this vendor, I don't recognize... So, you know, it was pretty obvious. But somebody could come along and say, hey, well, this is, you know, the cleaning company that you use, and so on and so forth, and it could be a different deal, but...

[00:16:00] Now you're taking somebody that goes from an educational standpoint to how do you enforce to prevent. So, like, I think about nuclear launch codes, right? So, like, if your CFO, in order to pay an invoice, has to engage to get the second key, and he sends it to you, all of a sudden you're like, wait a second. This is where we're now like, hey, I'm not turning my key, I don't agree with what this is.

[00:16:21] And I think, I don't want to say it's easy in the one you just described, but I think this is one that no one wants to part with money when it's in the context of, like, paying invoices. Like, hey, let's make sure that... "I already paid this invoice" kind of thing, right? I think we're more likely to be suspicious on invoicing, especially

[00:16:41] from a vendor standpoint, and we see a lot of this play out if we're remotely paying attention to the news: the vendor world of things that have been compromised and then targeting solution providers. But what about things like taking care of employees? I've seen this one, like the email that says, hey, as a result of going through a divorce, I need to separate out bank accounts. Can you please change the direct deposit to this account number?

[00:17:09] And the one that I actually dealt with was interesting, because they actually didn't spoof the person's email.

[00:17:16] It was legitimately just a different Gmail account where they put an email on it. Like, there was no spoofing involved. They had enough information to go and target, and it happened, and direct deposit took place, and it was probably a 60-day process.

[00:17:32] What was interesting, and the live-and-learn for me from that particular case, was the end result was like, well, instead of truly solving this problem, now in order to change any direct deposits you have to come in and fill out the form in person.

[00:17:47] And I thought that was interesting, so I asked the question. I go, okay, do you then ask them to produce identification? They're like, what do you mean?

[00:17:55] I go, well, you've asked them to come in in person. How do you know it is who they say they are? Like, well, we know all of the employees that work here. And I'm like, you know, 1,000 people? You know that many people by face? I'm going to give you, like, maybe, but, like,

[00:18:12] if someone's really targeting somebody else, they're going to do everything in their power to at least create the illusion that you believe you know who they are, even if they have to come in in person. And to me, and this kind of goes hand in hand with the nuclear keys, is like, why was that the answer? Like,

[00:18:29] there are ways in which this could have been solved that were far less complicated. But the knee-jerk reaction, I think that's the part that all of us collectively have to work to avoid, is if our solution to the problem is knee-jerk and extremely complicated,

[00:18:44] we haven't solved the problem, and likely we've made it worse. And that's kind of why I go back to this whole idea behind the why and the proof. Tied to our conversation yesterday, you mentioned

[00:18:55] leveraging a tool, and I immediately went to the education space. You talked about using Kahoot.

[00:19:01] Talk to me about that a little bit. So I think that obviously changes the engagement. You can force them to watch the video in order to get to the quiz, you know, they can't fast-forward it, but you obviously can't stop them from staring at the screen, those things. Like, what put you on this path to pick something like Kahoot as part of your training? Well, part of it has to do with...

[00:19:21] I mean, the first time I saw Kahoot was at a conference that you and I were both at, and they used it as a...

[00:19:29] Oh, that's right, an engagement at the end of the deal, a quiz at the end where they were giving away a prize.

[00:19:34] A quiz, yeah, right. And I'm like, this is really cool. And so then I was out with my family and we were doing trivia night at a local establishment,

[00:19:47] and they were using Kahoot for the trivia game, right?

[00:19:52] Oh wow, okay, this is pretty cool, I'm really digging this. And so I'm like getting into it and everything else, and I started talking to my wife about it. She's like, oh, I use Kahoot all the time. Well, she's in education, she's a professor at a college, and so she's like, I use it regularly, you know. And I'm like, okay, well, this is an education system, really,

[00:20:16] and how we can maybe leverage it in multiple ways is an interesting thing.

[00:20:25] I think whether it's Kahoot or some other, you know, learning management system where you can, you know, gauge progress.

[00:20:35] You know, as I mentioned, we have started a whole onboarding thing with all of our staff. When they start with us they go through this process. It's anywhere from four to 12 weeks, depending on how far they are, how quickly they proceed, and what certifications they might need

[00:20:54] from the get-go, and so on and so forth. And just being able to have a system that tracks all that, but then building on top of that so that it is like a life cycle, an employee life cycle of training within our organization that is ongoing, constant,

[00:21:12] and, you know, tracks their progress on their certifications, or whatever, their progress on cyber as it relates to the framework or the Trustmark that we're doing or whatever. I mean, just having something that will go through that. And I mean, there are things in our space that are somewhat LMS to a degree, that you can customize, add your own training videos

[00:21:41] and quizzes and things of that nature, but I really think that they're limited on how far you can really build out a full program to see somebody's growth within an organization over time. And so that's the challenge, and I don't even think Kahoot will necessarily do that. I think it's going to be, you know, maybe part of the tool, but yeah.

[00:22:06] I don't know that it makes me think that it's going to be the platform overall. You're describing an arena that I know organizations like Empath are trying to address, which is more of a learning pathway: like, today you're in X role doing X job, what do you want to be when you grow up, where do you want to go with what you're learning, and make it less about the mandatory, like, do these things because I said so, don't ask me why, do it anyway.

[00:22:36] And then, you know, where those challenges take you. And I think, to your point, I mean, I remember when I was working in the K-12 space, when teachers or a curriculum director or coaches would say, hey, we want to implement X product or service into our curriculum and into our strategy.

[00:22:53] Questions that I learned to ask real quick on the IT and security side of things: like, what does it integrate with, what is the privacy, how do they address taking care of, you know, protecting student information, what information is it going to store?

[00:23:06] And then sometimes the more difficult question was, okay, so they go from third grade to fourth grade. Does this go with them to the next teacher? Does the next teacher get to see the historical data and be able to model and

[00:23:22] assess where the students are, so I can keep them on that journey to be successful? Or do they just, you know, draw a line in the sand and start over? And that was interesting, because especially around the COVID window there were a lot of products that were really solid from an education standpoint, but they weren't built for the actual school system. They were built for those that were largely coming from the homeschool space,

[00:23:47] or the only teacher they were going to have doesn't change year to year, so it didn't really have a bearing on all the sophisticated ways in which you need to have sort of that gradual progression. And I think it's interesting, because I had to pull up Kahoot.

[00:24:00] It's been a while since I looked at it, and I remember when we were implementing it in the school district, you know, it was like for teachers and for students. Now if you go on their website it's like: professionals, for teachers, for students, for families and friends. Like, obviously when you are doing the trivia, that was probably

[00:24:17] more family and friends than it was for professionals.

[00:24:21] The world is evolving very rapidly, and it just keeps bringing me back to, I think, helping, especially in the MSP space, helping our employees recognize that they control their destiny, right? Like, don't look at this, you know, and ask why from the perspective of "why do I have to do this?" Look at it from the why as in "what is my opportunity"

[00:24:45] and work in this, take me... Because I think asking why questions about... if I don't understand the training you're having me go through, and you explain it to me, and now I understand it, I might point out a flaw in that particular training. We've seen it before. I had one where I had to go through a training, it had me sign off and agree to some things, and I'm like, wait a second, the policy I had to read at the end of the video to agree to the terms that were in the video are actually conflicting with each other.

[00:25:14] And they're like, what do you mean? So I walked through the three things that I found that were conflicting with each other, and they're like, oh my word, we have to change this, because we have employees that are saying yes to the policy, signing it,

[00:25:25] and they're signing something that is actually contradictory to the video that they had to watch and the quizzes that they answered all the questions to. So, like, there's so much opportunity, like making sure that employees aren't just going through the motions of doing it because you said, well, this is part of our security awareness training, we have to do it. Don't do it like,

[00:25:43] then we get dinged on whatever assessment CompTIA is giving us for the Trustmark, and I don't want to get dinged, right? Like, are those conversations happening in your organization today? Like, do you get the whys, and the glazed look, and they're like, well, okay, I'll do it, whatever?

[00:26:00] Well, I think most of the whys with our staff have been answered as to why we're on the trek that we're on from a cybersecurity...

[00:26:11] We need to do this, being audited third-party, but, you know, being held accountable as an organization for what we're responsible for. And so I think that everybody is on board with that.

[00:26:26] I don't know that everybody has caught the vision, because it's relatively new with me, and all these things that we're talking about. I mean, look, we're a small company, 12 employees or whatever, but I don't want to stay that way.

[00:26:42] When I look at the competition for our employees moving on, whether it's in a large corporate environment or whatever, you know, I mean, the amount of money that those companies are able to spend on what we're talking about today...

[00:27:02] I mean, there are programs out there that are doing corporate, not just cyber training: cybersecurity wellness training, skills training, you know, role-based training on their job in the company, and so on and so forth.

[00:27:17] Sure.

[00:27:18] They're spending, you know, what, $300 to $500 a year per employee to use these systems, right? And that's a lot of money.

[00:27:33] I mean, for us that's only, you know, I mean, at 12 employees, say that's, you know, what, 350, 360 bucks a month, right? I mean, it's not insurmountable, right? But then you've got the time to, you know, put in the content and build out the programs and all the other stuff that's there. Some of these already have those... the more expensive ones already have material and content.

[00:28:02] But, you know, it's very specific to that, but to make it specific to your organization you have to create it yourself, right?

[00:28:11] Well, that's where it gets more expensive. Like, I've seen, like with cyber who, where you can, you know, build your own program, right? They can pull content in from third party: here's the Vimeo link, I'm going to make my own quiz.

[00:28:22] And I think we're quickly approaching that being almost a requirement anymore. Like, I can't just say, oh, fill-in-the-blank vendor product that has a set of education content, or a catalog of content, because unless that content's evolving fast enough to keep up with me and the needs of my employees,

[00:28:41] and it's just a content library, it doesn't actually give me the learning objectives and the outcomes that I'm hoping to achieve as my company matures, both from a culture standpoint and from, you know, cybersecurity being sort of a core focus of that, right? Yeah, I actually didn't see this coming when we started this conversation yesterday.

[00:29:01] But it's definitely opened my eyes to some of the challenges that we have. And I think for anybody listening, you know, you're dealing with skills and awareness training as part of a framework, part of the Trustmark, part of the things that you're pursuing to be successful.

[00:29:16] Successful as you tackle cybersecurity, or even other parts of the organization that may be tied to, like, learning QuickBooks or any number of vendor products and services. But I think if you don't have a true why

[00:29:29] that gets into what you said before, like, well, we're all doing this journey together, we're on the same journey, and then that kind of goes into that proof component of how do I know that Jim is working towards that end goal. Like, hey, we're going to be

[00:29:45] 500 employees in 2029, whatever it might be. Like, you might have a growth structure tied to that. It's like, okay, what do I have to do for all of my employees

[00:29:56] to be equipped? You know, do I need to have them go through things like The Working Genius or, you know, other

[00:30:03] learning paths that actually develop the ability to learn, to elaborate, knowing strengths and weaknesses, that obviously when it comes to security could go hand in hand as well, right? So...

[00:30:17] Whoa, that means... that just means time's up. Like, we're supposed to be done. Like, so with that, the bell ringing on us, you know, we have hit the 30-minute marker. I'll stop rambling on learning paths, but

[00:30:34] Jim, any last thoughts to share with the audience? Because I think this is where I would go, that deep thought process, saying, does my organization understand the why?

[00:30:45] And if we look at the proof today does it reflect our why.

[00:30:50] I think my final thought on this whole thing really is that when we're looking at the CIS framework, or really any framework,

[00:31:00] whether it's talking about a control, you know, whatever it is, for security awareness training, that there's the

[00:31:10] check-the-box section of it. But then if you look at it, it's so much deeper. It's like Control 4, Secure Configurations, right? Control 4, Secure Configurations, it's like, boom, boom, boom, seven control safeguards and you're done. But you're really not, because there's so much more, right? There is so much more to do.

[00:31:30] And I just challenge everybody that's listening. It's like, you know, go beyond what the requirements are, because, you know, the requirements are there to provide us with a base, you know, a foundation of what we're trying to accomplish in the overall. And so just dig a little deeper.

[00:31:52] I think that pretty much sums it up, and I don't have anything else to add other than thanks, everybody, and have a great week.