14 Feb Dishing On Phishing: Your Employees, Weight Loss, And Security Awareness Training
KnowBe’s KB4-CON event features a cybersecurity educator
–Steve Morgan, Editor-in-Chief
Sausalito, Calif. – Feb. 14, 2020
Lucas Burke laughingly admits that he knows what’s good for him, namely eating right and excercise, and yet he doesn’t always follow that simple advice.
Millions of people, many of them employees at organizations globally, are much the same. They ignore the principles of good nutrition. Some of them smoke cigarettes and indulge in other unhealthy behaviors, even at the risk of severely negative outcomes. This is not to criticize. Rather, it is to take human nature into consideration when we design our security awareness training programs.
Burke, whom we met at KnowBe4’s KB4-CON 2019, the world’s largest security awareness training conference, has a master’s degree in Computer and Information Systems Security / Information Assurance from Capella University, and industry certifications including CTPRA, CISM, CISSP, GCCC, Cisco CNP, and Microsoft CNE.
It’s not just his credentials that make Burke a worthy source of best practices for training employees to be cyber safe. He’s vice president, Security Compliance and Assurance, and previously director of Security Operations, for Philadelphia, Pa. based Radian (NYSE:RDN). Before that, Burke was the CISO (chief information security officer) at Villanova University.
Despite all of his cyber knowledge, Burke believes that it’s personal (computing) habits, more than anything, that need to be addressed in order to avoid employee induced cyber intrusions and attacks.
4 Keys to Security Awareness Training
In Burke’s opinion, there are 4 keys to a successful security awareness training program. And they are all rooted in a deep understanding of human nature.
1. “First, you need to understand what your corporate culture is, and what outcomes you are trying to achieve with your program. Don’t just wing it, because if you do, then that’s the type of result you’re going to get.”
2. “The second thing is, focus on results. It’s what your employees do, not what they know, that matters.”
3. “The third point, which is the flip side to that — just because employees know what to do, do not assume that they are going to do it. We know this from life itself. Weight loss … we all know what’s a great way to be healthy — eat right and exercise — it’s a pretty simple formula. Do we all do it all the time? I know that I don’t … Just because your employees know what secured behaviors are, don’t assume that they are going to follow them.”
4. “The last piece is, you can’t go against human nature — and if you set your security awareness program up to work against what people will do naturally, you are going to fail every time.”
Burke summarizes:
“Start with your culture.
“Understand what types of outcomes you want to achieve.
“Set up some realistic expectations.
“Drive changes in behaviors, not knowledge, and although someone knows something, do not assume they are going to do it.
“Do not try to fight human nature because it is not going to work out.”
What is Burke trying to tell us? Our take is that people have a habit of blindly clicking on links in emails, even though they subliminally know that they shouldn’t be.
With all of his experience, why did Burke make the pilgrimage to KB4-CON 2019, and why should KnowBe4 shops think about going to KB4-CON 2020? It’s all about security awareness training managers, infosecurity practitioners, and CISOs, learning from and sharing with each other.
We’ll be checking back with Burke to find out what he’s done, if anything, to help users kick their bad cyber habits. And with an understanding of those habits, what does his security awareness training program look like?
Stay tuned for more dishing on phishing next month.
– Steve Morgan is founder and Editor-in-Chief at Cybersecurity Ventures.
Go here to read all of my blogs and articles covering cybersecurity. Go here to send me story tips, feedback and suggestions.
Sponsored by KnowBe4
KnowBe4 is the world’s largest security awareness training and simulated phishing platform that helps you manage the ongoing problem of social engineering. We are a leader in the Gartner Magic Quadrant and the fastest-growing vendor in this space. We are proud of the fact that more than 50 percent of our team are women.
