Kick Your One-Size-Fits-All Security Awareness Training to the Curb

Security awareness training is considered a staple of cyber security programs. All the technology in the world won’t eliminate breaches if a determined attacker can exploit a human being at the end of a device. It’s therefore been a long-held belief in the security practitioner community that enterprises need to provide security training to employees, often as mandatory classroom sessions once or twice per year, complemented by more frequent online assessments. At times, these programs have been positioned as combatting the problem that “humans are the weakest link,” which doesn’t do much to help employees feel like they’re an important part of the process. In better cases, where awareness training is presented from a more positive perspective, enterprises trumpet increases in reporting, decreases in risky behavior (such as clicking on links in emails from unknown senders), and even a reduction in malware slipping past the endpoint.

While the latter is a desired outcome, there is often a limit to how much effect these programs have. For one thing, when awareness training is infrequent or when it’s offered as a pre-packaged solution, employees may feel like they have to complete the activity to check the box that says they did X so they can get back to their “real” responsibilities. Conversely, when the organization treats security awareness training like a compliance activity, little effort may be put into emphasizing its importance or benefits, especially on a personal level. Last but not least, when the focus is on correct answers rather than behavior, potential improvements may be buried under apathy.

I’ve written before that awareness isn’t the problem in security. Three years later I still believe this to be the case. Maybe even more so. Today, your average device and internet user knows about cyber security risk. Heck, most of them have been part of some breach of their personal information. If you’re testing awareness, your employees are probably going to fare fairly well. In the heat of the moment, though, that’s when things get tricky. And that’s why the focus must be on behavior change and must be tailored for the individual rather than the company the individual works for.

The root is trust

Robert Fly and Masha Sedova had similar (and likely more cogent) thoughts when they were working together at Salesforce, Fly leading security engineering and Sedova heading up trust engagement. Pausing for a moment, how many companies even have a “trust” department in the first place? Sure, every company wants its employees, partners, and customers to trust it. How many hire behavioral experts to work full time on that effort and work hand-in-hand with the internal security team to build solutions to achieve trust?

Fly and Sedova knew they had something special and wanted to codify their knowledge and personal learnings, and in 2017 decided to start Elevate Security with a mission to change the way security training is delivered. Today, with Fly as CEO and Sedova as Chief Product Officer, Elevate offers a platform which allows companies to measure, influence, and reduce human risk. If this sounds a little like marketing gobbledygook, we understand your hesitance: Ed and I listen to hundreds of vendor briefings every year. But in Elevate’s case, the company is fusing behavioral science with more traditional online security awareness training.

The Elevate Security platform has all the bells and whistles you’d expect in a training solution: phishing simulations, online tutorials, gamification, experiential learning, and robust reporting and scoring for program administrators. When we spoke with Jon Sanders, Head of Sales, and Tiffany Schoenike, Head of Strategic Partnerships, the two showed us Elevate’s goldmine of data about employee actions and training results. We saw the dashboards which illustrate how employee actions are scored and compared, and how admins can see if the program is working as intended.

Customization and personalization

But this is not what impressed us most, because, frankly, several awareness training and anti-phishing companies could claim the same. What was unique to Elevate is the way the platform allows companies to tailor training to each individual based on the data collected about them. Administrators, or trainers, can dole out customized modules for every employee, without creating hundreds or thousands of unique programs themselves. Of course, the platform comes with pre-packaged modules, but it’s like a choose your adventure for each employee (except with many more options than I remember from when I was 10 years old).

On the Elevate system, there is no one-size-fits-all, or even one-size-fits-each-department. Every employee receives tailored training based on where and how they need reinforcement, and instead of being tested on what they know, their learnings are based on how they act or react to previous training. Thus, while certain departments or roles may typically exhibit like behaviors, if one employee in a group doesn’t fit those criteria, they are presented with different training from their peers.

Keeping it positive

Moreover, as previously mentioned, training modules are predicated on behavioral science. Sanders and Schoenike reinforced that the company’s platform “isn’t built with the idea that there is a right answer. It’s about training behavior and actions.” Instead of looking at employees as “the weakest link,” said Sanders, “our company was founded on the principle that employees can be the best layer of defense, and you can see positive reinforcement at every layer of our technology.” Elevate fuses behavior and data science into customizable training, making the experience for employees enjoyable and more beneficial, resulting in fewer vulnerabilities for their employer.

With all the human layer security solutions in the vendor market, we really like the positive message of Elevate, and more importantly, the focus on behavior at a personal level. No human likes to feel like they’re being churned through a meat grinder, which can happen when training is too generic or treated as a compliance requirement. No one likes to feel stupid, which happens when there is a message that “users are the weakest link.” Elevate is none of those things and we encourage you to test drive the platform and let us know what you think.