Episode 84: Connecting Consequences to People’s Actions, Part 1
Amrit Williams, BigFix CTO, takes an in depth look at security awareness and training with security catalyst Michael Santarcangelo. Part One.
FULL TRANSCRIPT
Amrit Williams: Welcome, this is Amrit Williams, on “Beyond the Perimeter”, and today I’m joined by Michael Santarcangelo, also known as the Security Catalyst, who I believe is calling us from Myrtle Beach, Florida.
Michael, thank you for joining me today.
Michael Santarcangelo: You are welcome. And I am hanging out in lovely Myrtle Beach, South Carolina.
Amrit Williams: Well, that is a real beach, South Carolina (laughing). You know what? East of California for me is just an opaque land of…
Michael Santarcangelo: (Laughing.) So it’s California, Las Vegas and whatever the country.
Amrit Williams: Well, Vegas is a foreign land; it’s like Russia with more rights.
So, Michael, thanks for joining me today. I wanted to jump into some of the awareness work that you’re doing, and specifically you have a high-level foundation around building awareness and connecting people to the consequences of their actions, as you call it. And before we drill into the actual framework itself, I just want to touch a little bit on awareness. Since the last time we talked, I think it’s been a little while here and you’ve been out there doing your thing, acting as a catalyst, and I wanted to find out about your experience in doing that and whether any of your thoughts have changed or if you have new insights in terms of awareness training, especially as it relates to security.
Michael Santarcangelo: You know, a couple of things have changed. Let me give you a quick update, too. Around May of last year we decided that we were going to leave our house and go full-time in the RV and we did that. So as of January 1, my family and I now live full-time in our RV, and it’s been fantastic because it’s really taught us that we’re no longer collectors of things but of experiences, and the way that that translates in everything else has been fantastic for me.
What happened during that process is I often sought to streamline the business. When you ask whether my thoughts have changed or whether my experience of working with people has shifted some of my thinking, it has. It has, as have conversations with you and with other people. And that kind of led to this pathway with the awareness that we’ll get into; but here’s the tricky part. What I started to realize was that the way that we define some of the terms that we use doesn’t necessarily match what our expectations of them are, and awareness is one of those.
I hear a lot of people say stuff like Security Awareness Training, and it’s like they slur it all together. And the big thing that I’ve learned — and I learned this talking to you years ago in Georgia — was that there is awareness, which is the realization that your actions have consequences, and then there’s training, which is the way that we can shape, support and guide people to different behaviors.
Amrit Williams: I understand. Expand. How? How do you guide people to different behaviors?
Michael Santarcangelo: Sure. Well, you know, the first part to it, like if you ask about some of the ways that things have started to change, I can still remember when I started looking at security awareness — and, you know, this is… it’s kind of a reluctant admission on my part, although I wish I had realized it sooner, that I really needed to be focusing on awareness, because what I realized is that awareness is about people, right? This is what I wrote about in Into the Breach; this is what I’ve done for years.
So if we look at how do we start to inspire the behavior change, what I started to take a look at — let me come back for a second. What I still remember is when you were kind enough to invite me to come share some platform time with you at an event you were running in Atlanta; and I drove up from Talladega, Alabama, got to meet you, Mike Rothman was there. And at the end we were kind of doing just a freeform discussion. You brought up an example about security awareness where a company had spent — and I don’t remember the number you used — hundreds of thousands of dollars; it was something big.
Amrit Williams: It was millions.
Michael Santarcangelo: And at the end of the day, they had resilience. Okay. So very good, that’s even bigger. So they spent millions of dollars and then they did a social-engineering test and they completely failed, and so it meant the whole experiment had failed. And that’s resonated with me, because I didn’t at the time have a good answer for that. And in fact, I’m still on the fence as to the role social engineering plays in assessing awareness. But what has happened since then is at the time I would have been “rah, rah awareness” and you were kind of “rah, rah no awareness”; so here’s some of the transition.
I started to look at what we meant, because what I learned in listening to you and in the multiple conversations I’ve had in the years since is that if we define awareness as I tell people what they’re going to do, what they need to know and how they’re going to act, that’s not awareness; that’s not even really training at that point. It’s… I don’t know, it’s directives, I guess.
Amrit Williams: There’s a difference between the activity of trying to make people aware of something and the outcome of how those people respond to something happening. And I think that, from the perspective of that incident that I mentioned, that case study, which was a bank or financial-services company in Europe, whether it was successful or not, their comment wasn’t that their security awareness didn’t work; it was that they were only focusing on the activities and they weren’t measuring the outcomes, and when they measured the outcomes they realized that they had invested too much in the activities and not enough in providing and implementing the controls to ensure that, regardless of how people responded, there was enough to catch them if they made or tried to do the wrong thing, either negligently or maliciously.
(00:05:09)
Michael Santarcangelo: Wow, that’s actually a really cogent way to look at it; I like that. And in fact, that’s not really much different from the way I look at stuff today.
So here’s some of that stuff I look at. So if we say what’s kind of shifted, what I started to look at then is kind of, you know, anthropologically how do we do what we do. What are the words that we choose, how do we explain stuff, what are the expectations? And so when you say, you know, “What started to shift a little bit?” here’s the biggest change that I realized. There is awareness, and there is training. They’re not the same thing. We can try to, quote/unquote, “make” people aware of stuff; but what I found is sometimes it’s better to just kind of figure out what they’re already aware of and connect dots for people.
So, you know, where a lot of my discussions have been and a lot of my efforts have been in the last year or two — well, I guess it’s been longer than that now; but where I’ve been extremely focused and then, you know, since the beginning of the year where all of my time is focused, is trying to figure out how do we start to take a look at stuff? So I’m looking at things like behavior modeling, and I’ve started to look at, you know, social pressure, and I’ve started to take a look at the way things are going, and here’s I guess the big distinction that I started to see.
If you look at behavior modeling, which is at the core of a lot of the stuff that I’m starting to take a look at, as an industry we tend to model and emphasize the negative stuff and we highlight the negative stuff, and then we get negative things that happen and then we blame everybody because we got the negative things that we told them were gonna happen. And it’s kind of fascinating, because if we were to do the opposite and start to showcase the good things and model the right behaviors, we actually start to see the exact opposite happen.
Now, is it a panacea? No, ‘cause there’s another challenge here, too, and you just talked about this. Measuring outcomes and measuring behavior change is a bit of a challenge; but just because somebody knows the right thing doesn’t necessarily mean that they are going to take the right action. And there’s a lot of social reasons for that and there’s a lot… you think about the ego invested in trying something and getting it wrong. What if you don’t look as good? What if you get embarrassed? Well, there’s just the realistic aspect that people have a job; they know what they need to do to be successful to get their paycheck. They didn’t get a pink slip last week, they got their paycheck; their paycheck got cashed. We come along, we say something.
Now, whether we say it in the most poetic possible way that connects with them and the skies open up and they got it or it was just some 30-minute thing they had to endure, even if they nod their heads and say “Yes! I totally agree”, does it mean when they go back to their job, when they go back to their work that they’re suddenly going to change their behaviors? It doesn’t, and it doesn’t because of those pressures and because knowing the words or understanding abstract concepts doesn’t translate necessarily into the behaviors, and if we don’t address that gap it’s going to be either a very long, painful process or we’re going to continue to misfire.
So that’s the stuff I get to start to play with now.
Amrit Williams: Well, I do want to dig into the framework; but I want to ask you a question, just a real practical one.
Michael Santarcangelo: Yes.
Amrit Williams: How much resources should an organization invest in trying to drive greater awareness among their employees versus investing that same time and money and those same resources into putting in controls that limit the ability of employees to do things they shouldn’t do, regardless? And I know it’s a balance; I mean, what I mean by “balance” is obviously it’s not 50/50, but you want to do both. But the reality is that, you know, people are dealing with limited budgets and they’re dealing with limited resources and they’re dealing with limited time. So what do they focus on, and at what point do they start expanding and implementing awareness programs?
Michael Santarcangelo: I like that question. I’m gonna give you an answer that might be a little bit different. And I almost want to answer with a question, because, you know, you already started out by saying it’s a balance and, you know, the logical answer is, well, it depends. Here’s the way that I take a look at it.
If you want to use — right, because you and I have had this conversation before? There’s a need for control. So just to make sure that everybody’s clear with where I position it, I believe in people and I want to, you know, I want to maximize our investment in people to get good results, et cetera, right? That’s all, it’s all well and good. I understand the role for and the need for technology.
I think what you and I have also talked about before is that technology to work successfully needs to be implemented properly. I’m going to add a caveat: to be implemented properly means it has to meet the needs of people.
There’s a struggle that goes on in security where out here people say things like security’s supposed to be hard; it’s gonna be hard; it’s never gonna be convenient. You know what? That’s a great conversation for another time, there’s parts of that that may be true; but what we’ve seen repeatedly with human nature is that if somebody has a job to do and the controls that we add are perceived as a barrier, there’s a consequence to that. And the consequences may not be negative, they may be great; but a lot of times all that does is it creates an incentive for an otherwise intelligent person who’s trying to do the right thing to do a workaround.
(00:09:58)
So when you say how much time should we spend into an awareness program or how much effort or time or money or resources versus into the controls, the way that I would answer it is what I would want to do is optimize the mix by putting in the right — I mean, this is appropriate of course that I created this framework; but what I found is that we can do a very tactical, rapid assessment that lets us understand where our controls will be most effective and uses the pathway to roll out the controls with the least amount of friction so that we get the biggest bang for the buck for our controls.
Now, in terms of that, then, you know, I sometimes will say, “Well, how much should I spend on awareness? Is it $10 a person, is it $1, is it 5?” My argument to that is that I think we need to measure our awareness differently, and I think that we need to measure awareness based on outcomes, and if we consider awareness now as the realization that people’s actions have consequences, when people start to realize that they’ll actually start to seek out the training that will help them make better decisions if we seek to support and guide them the right way. I actually get programs that will pay for themselves. So then what happens is your awareness program continually shows you positive returns, and it shows you where to make the best choices in your technology, and it gives you the insights you need in order to purchase and implement the right controls, and people have a better understanding of how to follow them.
I mean, it’s not all unicorns and rainbows here. I mean, there’s effort to it. But what I’m finding is, even for companies that have a hundred thousand people, we’re getting results with a team of two.
Amrit Williams: Michael, I appreciate you joining me today, and I look forward to continuing this conversation in the next series of podcasts. Have a great day in South Carolina.
Michael Santarcangelo: You, too.
Announcer: You have just listened to “Beyond the Perimeter”, sponsored by BigFix, Inc. Views expressed on this podcast are the personal opinions of podcast participants and do not reflect official positions of their employers or BigFix.
Thanks for listening.
