Episode 85: Connecting Consequences to People’s Actions, Part 2
Amrit Williams, BigFix CTO, takes an in depth look at security awareness and training with security catalyst Michael Santarcangelo. Part One.
FULL TRANSCRIPT
Amrit Williams: Welcome, this is Amrit Williams, your host on “Beyond the Perimeter”, and we are back with Michael Santarcangelo.
Let’s talk about a real-world case here, ‘cause I like the connection between using awareness in the framework to find which controls are effective. Let’s talk about something that came out very recently, which is a report by Inspector General, SEC Inspector General David Kotz, who was requested by Senator Charles Grassley to investigate something at the SEC. And what the findings found is that several senior employees at the SEC were surfing for porn, and they weren’t just kind of goofing around; apparently, some of them, one of them spent up to eight hours a day looking at and downloading porn to the point that his computer ran out of hard-drive space and he started downloading these files to CDs or DVDs. He had another accountant who was blocked more than 16,000 times from visiting sex or pornography sites; but he still managed to, according to the report, amass a collection of very graphic material by using Google to bypass the SEC’s internal filter. And we found that 17 of these employees were at a very senior level and were earning salaries of up to $222,000 a year.
So what you have here is an organization that’s highly audited. You have very senior employees; you have them clearly dealing with a very critical infrastructure organization, which is the SEC. I’m sure the SEC IT Department has a ton of controls implemented and I’m sure they do a ton of awareness programs, and yet you still have what are probably very highly intelligent people, very sophisticated folks, doing some pretty dirty things. And I don’t think there’s anyone out there that would argue that the proliferation of malware and bad stuff will come from sin sites.
So how would you instruct an order of the straw man here to break down the framework? Let’s use this company, SEC. How would you work with the SEC? And maybe a good way to respond is first introduce the framework, and then let’s get back to the SEC or, you know, or choose how you’d like to respond; but that might be a good way to do it.
Michael Santarcangelo: Amrit, I think the SEC is a great example, and it even shows how you’ve influenced some of my thinking. So we start out by saying they had a lot of controls, and they had a robust awareness program. And without knowing any of the details, I think we could agree that by today’s standards in our industry, they probably had PowerPoint training, mandatory policy signings, annual training that they had to attend and questions that they had to ask, and yet it didn’t work.
And that’s kind of where a lot of my thinking around this started to look at, to say, “Wait a minute. All we’ve been doing is telling people this stuff”. The reason for this — and this sets up the framework and the stuff that I’ve looked at — is what I’ve called before, and we’ve talked about the human paradox, and it’s this concept that people have been disconnected from the consequences of their actions, which means they don’t take responsibility, they’re not held accountable.
As I’ve continued to evolve this and look at it deeper, what I’ve started to realize is that it’s not as simple as people’s actions or decisions have consequences and consequences are good or bad. That’s not entirely accurate. So what I’ve realized is there’s another layer, right? And this layer matters because it directly impacts what could happen at the SEC.
Actions have consequences. The more we distance people from that, the bigger the gap, the deeper the chasm, the more complicated, the more costly it is to be able to control.
The less responsibility people take, which then means the less transparency we have — and it’s almost counterintuitive. We would think that more controls and more governance and more… if you will be blunt, more oppression would equal more transparency; but it actually gives people more places to hide and more places with which they can work and do stuff.
So what happens is that actions have consequences; consequences have impacts, and the consequences are intended or unintended, the impacts are either good or bad, right, or I’d prefer to say positive, neutral or negative. Because what happens is if you abstract that lens back and you can look at it, this is a case where people were so disconnected from the consequences of their actions, or I guess sometimes in the case of pornography they’re addicted to sex or something to that effect. But if you follow the tree, you know, the intended action of these controls was to prevent this; the intended action of this training was to prevent this; but it didn’t work that way. And I think we could agree that the consequences ended up having a pretty negative impact for a lot of reasons.
But what happens is, I still come back to that if we go back and look at the program, I would be completely amazed if somebody didn’t know this was happening and if there was really no visibility at all, and I don’t mean technologically. I mean people didn’t know that there is a dude surfing porn eight hours a day?
Amrit Williams: Well, they did know it.
Michael Santarcangelo: Well, that’s a really interesting outlier.
Amrit Williams: They did, and –
Michael Santarcangelo: What’s that?
Amrit Williams: — this is what’s interesting. It says that one of the people was blocked 16,000 times from visiting sex sites.
(00:05:00)
Michael Santarcangelo: Yeah.
Amrit Williams: What it sounds like is no one bothered to look at the logs or the violations, violation alerts. So the control was in place, it was blocking the person from doing it. He figured out a way to bypass it, but no one was monitoring.
Michael Santarcangelo: Go back to your earlier question then, right, is we go to introduce the framework. So what I would ask is: what’s the value of implementing a control in the environment without understanding the intended or unintended consequences of it, the cost of it and if you’re actually going to use it? Because otherwise, right, they spent a lot of money for controls that they didn’t seem to get value from.
But, I mean, we’re talking esoterically here about a specific thing. So if the SEC were to come to me and say, “All right, Michael, we got it. We need something different here”, I’ve broken it down into three steps: we need to build a foundation, we need to build the framing, and then we can move on to fulfillment.
The reason for this is I’ve started looking at a lot of people who come in and say, “I’ve got the solution”, and I don’t care what the solution is. I want to know what the question is first.
So what’s happened, then, is that we’ve started to take a look at kind of our framework. And in fairness, you know, I’ve debated the different words around it; but what I’ve broken down is — we’ll call it a process, at least — is that there are three steps to starting to build awareness that works. And if we think about this, one of the images I’ve started to use, and I used it hesitantly because I didn’t want it to be overplayed or misinterpreted; but I really got fascinated with lighthouses and I started to realize that lighthouses have a foundation. So that’s our first step. Upon the foundation, you build a framing; but if you look into lighthouses, lighthouses are constructed based on where they are and what they’re trying to be able to do. So the framing elements to it require assessment. They have to utilize the materials that they have and their mechanisms most efficiently. And then they have to program the lighthouse to be able to, you know, properly notify people. So we create a framing for people, and then it can fulfill the mission. I mean, you can turn on the beacon; you can rotate it.
There’s an interesting thing about this, though, that I like. What I’ve started saying is that real awareness is bilateral. It’s awareness that your actions have consequences, and then it starts to help you understand what those are; but it means, then, that you can also realize as a business or as an organization overall. So if you think about it, a lighthouse is visible, and it provides visibility into the danger areas and into the harbors, and then there’s a whole bunch you can do around it.
So the framework has three parts. You construct the foundation… and what we developed is a five-step process — I’ll share that with you in a minute — but that the purpose of this is it’s not one-size-fits-all; it’s saying, “Here, let’s match this”. There’s hundreds of lighthouses that dot the coasts of America, and every one is the same and every one is different. And that’s kind of the strategy behind having a process. And then I’ll talk more about the framing and then, of course, the fulfillment is the fun part. Here’s why it matters, though.
A lot of people jump right to fulfillment. They show up and say, “I got a flashlight, we’re good. I have got a PowerPoint deck, I’ve got prepared training, and this will help you”. And I think that’s exactly the disconnect that you see in places like the SEC.
All right, so the foundation. This is something I’ve been developing for a couple of years, and it was just based on successful projects, right? You know me. I’m an amplified and positive kind of guy. And so what I started to look at was the projects that were successful are the ones where we can answer four questions. Here’s the five things that anybody who wants to be successful at a project or awareness or anything else that they need to answer: Step 1, how do you define your success; step 2, plan your work. What’s your work plan, what are you gonna be able to do; step 3, establish and understand your value. It’s kind of like saying, “Why are you doing what you’re doing”; step 4 is measuring what matters; step 5 is being able to communicate what counts.
So again it’s a little bit of rhyming in there — that’s, of course, by design — but here’s the part about success. You ask a lot of people, let’s stay focused on awareness, “What does the successful awareness program look like for you?” What do you think their answers are?
Amrit Williams: Don’t know.
Michael Santarcangelo: Yeah, there’s the top answer. It goes kind of like this: “I don’t know, man; but it’s compliance, I had to do it, I didn’t have a choice” or it’s any number of other choices around that.
And so what happens is we have to help people first define the success; but there’s another layer to this. Success, what does it mean for you on a personal level in your role to be successful? What does it mean for your team or for your bosses, you know, the ones signing your paycheck? What does it mean for the organization as a whole? And it’s not just this “Well, success is when I meet my goals and I come in on time and under budget”. That’s nice; it’s trite. It doesn’t tell me anything. What we’re looking for is what are the visible signs of the measurement?
By the way, here are some strategies that I like when I talk to people. They want to see and measure changes in people’s behavior. They sometimes even say stuff — and I love these — “We want to see an increase in trouble tickets, because it means people are paying attention”. I mean, that could have a negative consequence to it; but I like the way that people are thinking.
(00:10:05)
When they say, “I want more people to come to me with ideas or challenges, I want people to share what they’ve learned with each other”, now those are signs of success.
When it goes to the second part, then, planning the work, there’s a lot of… there’s some controversy around whether you should use SMART goal-setting or you shouldn’t use SMART goal-setting; but here’s what I like about it: “SMART” stands for Specific, Measurable, Achievable, Realistic and Time-bound.
If you ask a lot of people the steps that they’re going to take to do awareness, it starts out with, “I don’t know”; or it’s this huge comprehensive program. What we try to do for people is just say “What are the five things that you can get accomplished this year; and then specifically, what does it look like? Can you achieve that with the time and the resources and the budget you have? How are you gonna know that you did it, and when is it gonna be done by?”
That for most people is a real eye-opener, because a lot of us in security are very reactive. We can argue later whether it’s right, wrong or just the way that things are; but if you’re always reactive sometimes it’s hard to plan, and that means you’re not maybe going to be able to optimize stuff.
The value question is kind of interesting, because it’s kind of like saying “Why are we doing this”; and if the answer is “I don’t know, my boss told me to; I don’t know, because compliance requires it”, really that’s a tough sell. I mean, how do you explain why you’re taking the actions you’re taking?
But if you take a minute to think about what success looks and feels like, how you’ll demonstrate it, and then you think about the steps, just the basic steps. I’m not talking about a 500-line project plan; I’m talking about what are the five big initiatives around this and a couple of the key milestones, and then you can think about the value. So how would a user be impacted by this? How about your boss? What’s the value to them? I mean, what do they communicate up the channel? How about the executives, what do they care about, what do they think? When you can establish that, then it helps you figure out what to go measure.
You know, you and I know there’s a lot of talk around measurement now, and I love it; I love seeing all of it. I’m unique, in that my formal training is in human ecology and specifically in analysis of policies. But I was trained to use anthropology and sociology and economics and statistics and regression not just to get to a number, but to understand the context as it relates to people to try to figure out specific responses; so it kind of fits with what I do now.
So when we talk about measuring what matters, I’ll give you an example. A lot of people will say, “Well, for security awareness, we measure how many people took the training, and we measure how many people passed the test”. My first question: “What’s a passing grade on your test?” Number one answer: “70%.” My next question: “What do you do with the people who don’t pass?” What do you think most people tell me?
Amrit Williams: “Nothing.”
Michael Santarcangelo: That’s exactly what they say: “We don’t do anything.” So my question then is, “What’s the validity of that measurement? How does that help you determine if you’ve done anything right or wrong?” But more importantly, that’s not measuring behaviors or outcomes.
Change that we can take a look at, you know, I like to go back to a password example. If we determine that a behavior we want to shift is, you know, there’s 4,000 password resets a month at the help desk and every password reset is $10, you’re spending roughly a half a million dollars a year on password resets.
Now, we can certainly look at: is there a better technology that will remove this problem from our landscape? Absolutely, and I love those technologies and I am a big proponent of them. But in the short term, could we spend a couple of thousand dollars, and could we start to help the people connect the dots based on the good work that they’re doing? Sure. So how do we measure that? Well, we can measure if we’re successful in our training, right — this isn’t awareness anymore; this switches over to training — but again if we’re just looking at measurement, we can measure calls to the help desk. We can even start to measure if they’re coming from a specific business group, a specific job level, a specific role, and we can try to understand how to customize our methods to meet their particular needs better.
But we can also then take a look at the strength of the passwords now. We can take a look at mean time to break. We can look at a lot of things, not did they attend the password training and these idiots are still getting it wrong. I don’t think that’s an effective — I don’t think that’s measuring what matters. But if we start to tie it to costs and to outcomes, right — and we talked about this already — the measurement becomes what matters. Well, now you can take all of that and you can communicate what counts.
Look, here’s the difference. Boss comes to you and says “What are you working on, your jobs and awareness thing?” and you go “Security awareness”. He goes “Great. What was that again?” It’s a big difference, though, if the boss comes and says “Hey, so what are you working on” you can say, “You know what? We’re making a strategic investment in our people. In fact, just this year alone, we’ve already saved the company about $200,000 because we changed the way the people are setting their passwords and this is helping us use the right controls and using them in the right way. We’re actually reducing friction in the environment”.
Now, does that sound canned?
Amrit Williams: Of course it does. No, it sounds canned; but it sounds really exciting, and I think that gives people the lever that they need to go in and have a conversation they need with upper management to explain the importance of driving awareness that works.
(00:15:05)
Michael, now what I want to do is give the audience some information on how they can get more details here and get engaged with you. So let’s do that now, and then we can move into the next portion of the podcast. But folks who want to get in touch with you, how do they reach you? How do they find you, and how do they get more details on the framework, which we’re gonna go into more details in the next podcast?
Michael Santarcangelo: Simplest thing to do is they can come visit me at www.securitycatalyst.com; they can send me email, it’s michael@securitycatalyst.com; they can give me a call, 518-207-3453. That will ring right to me.
Let me just make a quick point. This is my passion, right? I made a decision at the beginning of the year I am going to focus on guiding the human investment. It’s awareness, it’s training; we separate the two, but they blend together. I would love to discuss this with anybody. Whether they agree with me or they hate the stuff that I’m talking about and they think I’m off my rocker, I don’t… I’m not big into sales, so these don’t turn into sales calls; these turn into “Let’s talk”.
So anybody who is interested in this, I am happy to talk with them. I am updating the information on my website; I am going to keep updating it, I’ve got a whole bunch of articles, and I’m really trying to improve my ability to explain these things; but also to put it out there so we can have more conversations. So thanks for that opportunity, and anybody who wants to talk about this, I would love the invite to have the chat.
Amrit Williams: And I absolutely encourage everyone out there that is struggling with how to take advantage and leverage their people to be better at helping to improve the security of their organization, because ultimately it’s that variable between the keyboard and the chair that causes a lot of problems in an organization, to reach out and have a conversation with Michael about what they can do.
Michael, I appreciate you joining me today, and I look forward to continuing this conversation in the next series of podcasts. Have a great day in South Carolina.
Michael Santarcangelo: You, too. Thanks, my friend.
Announcer: You have just listened to “Beyond the Perimeter”, sponsored by BigFix, Inc. Views expressed on this podcast are the personal opinions of podcast participants and do not reflect official positions of their employers or BigFix.
Thanks for listening!
