Moving Cyber Security Awareness to the Front of the Line

Ask any group of CISOs to explain their programs, and you'll hear all about functional, procedural, and policy-based controls. They will describe their next-generation firewalls, two-factor authentication, and improved SIEM. You’ll hear them lament the challenges of identity management, and risk scoring for apps. Some might even mention cloud-based virtual protections, perhaps supported by bug bounty programs.

Oh, yeah – and you might hear about security awareness programs. But probably not.

This after-the-fact inclusion of security awareness programs as a stepchild in the typical enterprise security program stems from the personalities and tendencies of the wonky gear heads who are attracted to our discipline. You know what I am talking about: Enterprise security positions are staffed with people who value facts, details, and accuracy. They are the ones scratching their heads at your joke, because it didn’t make mathematical sense.

I gave a keynote speech on awareness several years ago for a large audience in New York (a review of that speech is at http://www.lightreading.com/mobile/mobile-security/atandts-amoroso-to-battle-new-threats-mobilize-your-people/d/d-id/710662). My point was to plead with the CISO community to do two things. First, I begged them to take enterprise cyber security awareness more seriously, perhaps referencing this function first when asked about their programs. The symbolism would be noticed.

But second, I asked the audience, and I am asking you, to consider forklifting the security awareness program as far away as possible from those incredibly nice, well-intentioned people setting up tables with brochures outside the cafeteria. This is a tough message, because security awareness teams in my experience are often the sincerest people you will ever meet. But let’s please be honest: When you see those awareness people smiling behind a straw bowl of “Think Before You Click” buttons, you head the other way. Admit it: You know you do.

The correct CISO approach, I believe, to enterprise, and even consumer security awareness, is to hand the entire thing over to the nearest and weirdest creative, right-brainers from musical theater class who know how to properly employ video, social media, and viral messaging to entertain, inform, and yes – even shock. If you want people to absorb your message, then you can’t hit them with long capitalized memos from the IT Department addressed to ALL STAFF.

All of this should help you understand why I was so delighted to speak recently with Michael Madon, Founder and CEO of Ataata. Michael was kind enough to take me through a demo of his new platform, and this included a preview of his original security awareness content. Roughly ten seconds into the first piece I watched, I could sense that something was different about it. Something seemed truly unusual about what I was watching. And then it hit me: It was good.

Now let me define good. When you create content for the enterprise, like the usual speeches, talks, and PowerPoint presentations you see at work every day, the quality bar is so low and the boredom factor is so high, that any attempt at humor will be met with some enthusiasm. A good presentation is thus anything that includes a cartoon, funny picture, or any reference that gives those desperate attendees a brief respite from the financial snooze-fest about to occur.

But this should not be confused with truly good content. The stuff you see at work just happens to exceed the rock bottom expectations we have for business speak. This explains why that manager from Accounting who brought down the board room with a Dilbert cartoon is not going to be headlining at Caroline’s anytime soon. But this is precisely my point: If we can have world class firewalls, and we can have world-class crypto, then why can’t we have world-class security awareness content?

That’s what was going through my mind as I watched the content from Ataata. It was an episode you might choose to watch – just to watch. Performed by a professional troupe of actors, the pieces resemble Seinfeld in their humor, and frankly, you feel like you are just goofing off. I watched Mike’s stuff on my PC while sitting in Starbucks and the kid sitting next to me glanced over. (It might not have been the video, but I swear it happened.)

The messaging in the pieces is subtle, but will meet the approval of any CISO. Mike sets this whole thing up as a subscription, where your employees get a new video periodically that they can watch from their PC or mobile device. Videos string together as a series, and it just seems like a whole lot of fun. There are the usual dashboards for managers who need proof that people watched, but in my opinion these would seem unnecessary.

Perhaps even better news is that I think the fine work at Ataata is slowly becoming more the norm than the exception. I’ve seen super nice content on security awareness, for example, coming from great firms such as Digital Defense, who use advanced graphics and other professionally done production methods to keep things fun and light. This is all good for the enterprise security industry, and you would be wise to take the time to hop on board.

Look, we have often-depressing jobs in this CISO and enterprise security racket. We deal with a bunch of nation-state actors trying to damage our infrastructure. We deal with snarky kids who figure out how to gum up our cloud provisioning software. And we deal with whiny corporate boards who choose to blame us when a group of expert hackers climb into our networks through those open UDP ports that we were told we had to approve.

So, excuse me if I welcome this idea of fun, creative original content becoming part of our lexicon. I think we deserve the break.