https://cisoseries.com/will-employees-eventually-violate-security-policies/
This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our sponsored guest is Jadee Hanson (@jadeehanson), CIO/CISO, Code42.
Full transcript
[Voiceover] 10-second security tip, go!
[Jadee Hanson] When you see an employee put company data at risk, don’t assume it was done maliciously. Remind yourself that collaboration tools of today make this an easy mistake to make and adopt the practice of conducting empathetic investigations when dealing with these types of scenarios.
[Voiceover] It’s time to begin the CISO Series Podcast.
[David Spark] Welcome to the CISO Series Podcast. My name is David Spark, I’m the producer of the CISO Series. And my co-host for this very episode, you’ve heard him many times before, his name is Andy Ellis, he’s the operating partner over at YL Ventures. Andy, your voice sounds somewhat like?
[Andy Ellis] This.
[David Spark] That’s all you’re going to hear for right now, you’re going to hear a lot more of him in just a second. We’re available at CISOSeries.com. If you have not spent at least half of your day there, what are you doing with yourself? Go to CISOSeries.com. We have over 1200 or 1300 posts that include podcast episodes, videos galore, tons of stuff on the site. And I want to mention our sponsor who has been a phenomenal sponsor over the past few years of the CISO Series, and that is Code42, reimagined enterprise data protection for insider risk. And we will actually be talking about that topic plus a lot more on this show. And Code42 is responsible for bringing our guest, who they brought before, so I’m excited that she is back again. But before we go there, I want to bring up a subject of the educational value of the lemonade stand. Andy, did you have a lemonade stand as a kid?
[Andy Ellis] You know, I don’t know that we had a lemonade stand.
[David Spark] Or did your kids have one?
[Andy Ellis] My kids, we did try this once. It was an interesting experience in the value of work.
[David Spark] Well, my son did one, and he came home, and everything he was saying, I was thinking, “Oh, my God. This was an amazing educational experience.” Because he was talking about what sold quickly, what time of day things were selling, what people wanted, what didn’t sell, and how they wanted to do it again and how when people sort of traded off different shifts and things like that. There’s a lot you can learn about business from running a lemonade stand.
[Andy Ellis] I’ve got to ask – did they get busted by the regulators? Because that’s what’s been happening to a lot of lemonade stands.
[David Spark] They did not, but it’s interesting you bring that up. Because I live in sort of a community where we have a homeowner’s association. And there was another lemonade stand, not my son’s, that put their lemonade stand on one of our public community parks. And the woman who runs the HOA threatened to call the cops on a couple of 11-year-olds running a lemonade stand, to which we were all thinking, “Do it. Call them. I’m eager to see how they respond to that.”
[Andy Ellis] Yeah, the problem is that a lot depends on how the officer’s feeling that day.
[David Spark] Well, seriously, if an officer gets a call saying, “There’s 11-year-olds…” “We’re not responding to this one.”
[Andy Ellis] Hopefully, you wish that they would say that, but unfortunately, you put them into a predicament whenever you call a police officer, so I’m never a big fan of that one.
[David Spark] My hope is every cop has something better to do than break up a couple of 11-year-olds lemonade stand.
[Andy Ellis] I’m with you on that.
[David Spark] All right. Let’s get to our subject at hand, or our guest at hand, and which we will discuss many subjects with her. She’s been on before, she’s fantastic, and I met her a few moons ago in Los Angeles and San Francisco. It is the CIO and CISO, not many of those we get on this show, combo titles. So she reports to herself, as I understand.
[Jadee Hanson] Sort of.
[Andy Ellis] Which one reports to which one?
[David Spark] For Code42, our sponsor/guest, Jadee Hanson. Jadee, thank you so much for joining us.
[Jadee Hanson] Thank you for having me and thanks for having me back.
Should you block a vendor because the salesperson is annoying?
Is this a cybersecurity disinformation campaign?
4:25.223
[David Spark] Many cybersecurity professionals feel it’s quite all right to block a vendor because one salesperson is persistent and annoying. We have heard many times that security professionals have access to the mail server and can block all the emails from a domain. So, think first before sending those pesky sales emails. And this is what Naomi Buckwalter of Cybersecurity Partners of Philadelphia suggested – that more than one cold email from a salesperson is grounds to have your entire company blocked. Now, most sided with Naomi and attacked the vendors. But some, including you Andy, referred to this as an abuse of power. Andy, why is this a ludicrously dangerous practice? And are there better, more professional tactics?
[Andy Ellis] Yeah. So, I read that post, and I got to say, I just shook my head at first. Because look, you have one SDR who sends you mail twice and you’re going to block the domain. Let’s just imagine for a moment that it was Jadee’s company. And Jadee might be my vendor, and yet she sends to a different person two emails, like some SDR does. This happened to me all the time as a CISO. Like, somebody had sold someone in the CIO’s organization, and they wanted to cross sell, so they send me mail, so I block the domain, and now my partner can’t communicate with one of the vendors that they want to use. Or they reach out to try to do something, and they can’t. Just this abuse of a CISO who sort of just goes over the top and says…
[David Spark] And it doesn’t have to be a CISO, it could be anyone.
[Andy Ellis] It could be anyone saying, “I am going to deny my entire company the right to receive email from this other company forever. Because you know that that email rule will be forgotten.
[David Spark] Right. And it could be some young eager person who is long gone after a month or two.
[Andy Ellis] Right. And look, all you have to do is reply with one word – no. You can be polite and say, “I am not a contact for you.” If you haven’t seen it, I have a lovely mail template if you Google “vendor rebuff.” I think you don’t even need to put “CISO Andy.”
[David Spark] It is well-renowned, that post.
[Andy Ellis] Take that, personalize it, make it a signature that you can just send it back that says, “I am not interested.” It’s really polite, SDRs love it. Sorry, SDR is a sales development representative, what we now call the sort of junior insides sales folks that are trying to get that. So, I think this is like a C-level executive abusing the most junior person in a sales organization. I have a problem with that.
[David Spark] Jadee, it’s a pretty severe abuse of power, isn’t it?
[Jadee Hanson] I would agree it’s a severe abuse of power. The important thing I think to remember is that these are salespeople just trying to get their job done, and so I think it’s better to just give them some grace versus getting the security team involved, spending countless cycles to set up blocks to save the CISO a bit of annoyance in the inbox. I think maybe a more professional way to handle it would be to set up a certain alert making sure certain emails go into a certain folder or simply just ignore it and move on with your day.
[David Spark] I will tell you though, Andy’s comment, and I get them all the time, a simple no, honestly, I don’t get harassed after a simple no. I mean, just say no.
[Andy Ellis] Actually, the best part about the simple no is there are occasionally the people who do harass you. And those are wonderful because now you have somebody who has outed themselves as actually being bad. You’ll often get this if it’s like a startup and it’s the CEO who’s been sending these out. And you send the form letter, and you get the “You clearly don’t care about security,” to which my response is, “You clearly don’t care about revenue.”
How do you know if your security program is improving?
It’s time to measure the risk.
8:08.891
[David Spark] One year ago, CISO Tradecraft put out a cyber report card to test quarter over quarter to see if they’re getting better. They broke it down into technology (mostly measuring vulnerabilities), people (mostly around phishing), and processes (mostly around risk management and disaster recovery). Lots of opinions about CISO Tradecraft’s chosen metrics, but I applaud the effort to measure many variables and to repeat the process to see where there’s improvement and decline. So, what do you think of the choices here, Jadee, that CISO Tradecraft made, and what do you think are the hardest parts of creating a list like this – and I’m assuming it would change company to company – measuring it, and then ultimately having an action plan on the results?
[Jadee Hanson] I love this post and applaud CISO Tradecraft for putting something out there. I would say risk management, measuring security risk management, is something that I think us in security, we’ve been working on for a very long time, and it’s really hard to get right. For some business functions – such as sales, human resource – standard metrics clearly illustrate whether or not departments are on track or not on track. Unfortunately, it’s not nearly as clear cut for security programs.
I think there’s two main challenges that security teams run into when trying to measure their own program, the first being the internal goal post keeps moving. Meaning each of us in our companies are having companies the technology landscape changes continuously, so what I had to protect yesterday is not the same thing as what I need to protect today. The other challenge that we run today is that external landscape is constantly changing. What was good enough last month may be lacking this month due to increased cyber attacks. Small changes and big changes in the cybersecurity landscape, such as the Russian/Ukraine war, play a huge role in changing the security landscape for companies.
So, I would suggest steering away from simple metrics such as vulnerability counts and focus more on maybe like time to close vulnerabilities. I also would suggest focusing on measurements of overall security maturity versus tactical counts of people that click on phishing links or phishing simulation links. And I think it’s also important to remember that what we report on and what we track has to be a combination of the qualitative and quantitative measurements around our program. And also remember that what works for my company most likely won’t work for your company, and it really has to be specific to the company.
[David Spark] Andy, I think the thing that I found most interesting in what you just said there, Jadee, is the fact that it’s hard to measure quarter over quarter, being that certain targets keep changing. How do you sort of adapt for that, Andy?
[Andy Ellis] So, I think there’s a big piece which is measure for efficacy not for activity. In fact, I just did an op ed on this in CSO Online titled “Vulnerabilities Don’t Count,” which is everybody likes to put how many open vulnerabilities there are or how many you patched this month. It’s one of the most worthless metrics ever in my opinion. Because first of all, what is a vulnerability? One problem on a thousand servers – is that a thousand or one? Because I can totally gain my metric.
And so I had the pleasure to actually talk with the folks at CISO Tradecraft, and I’ve seen the next version of this that they’re already working on. There’s a lot more in here that is about efficacy. So, instead of being, “What’s the average age of your vulnerabilities?” it’s, “How many vulnerabilities are patched within the compliance window?” Because that’s what really matters. If I’ve said 30 days, I don’t really care about the average, because I might have one thing that’s 300 days old screwing up my average, or I might have a million things patched the same day that also screw up my average. So, average is in general a bad metric to go with because your landscape changes, weird things happen.
So, I like the try to measure efficacy. And I think that for everything you measure, there’s two supplemental measurements you want to think about. One is the difficulty of gathering this data. Because oftentimes what we’re reporting up to the board might take us like six person-weeks to generate this number. And that means we don’t have a robust process, because it’s expensive and hard to know where we are. And so we can’t just easily glance over and say, “Oh, hey, we’ve gotten worse,” because it requires you to make that investment. So, if your number isn’t something that’s in a dashboard that you just glanced at and put into your dashboard, you’ve got a problem.
And then the second one is who is the most senior person who pays attention to this metric on a regular basis, and you actually want it to be the most junior person you can find. If it requires an executive vice president to pay attention to this metric for the process to keep moving, that’s not a mature process. If the person who’s paying attention to driving it is like a program manager deep inside the organization, and you’ve got a great score and a program manager’s the only one who’s actively working it and they just report upwards and say, “Hey, here’s how we’re doing,” I love that process. That’s a mature process that’s never going to fail.
[David Spark] Jadee, I want to come back to you and just ask – how do you sort of consciously deal with when you keep reporting it, any metric that you’re choosing, how do you get away from the, “Oh, well, here’s our numbers, here’s new numbers, that’s interesting. Let’s move on,” going from that to, “Okay, these are the numbers, this is what we’re going to do as a result of what we’re seeing now”? Do you actually create actionable plans given that information?
[Jadee Hanson] Yeah, we do. So, we’re measuring ourselves all the time, but the biggest measurement that we do is we take time every year to kind of measure ourselves on efficacy, like Andy was talking about, but really just like maturity across the board. And at that point, we’re really trying to pull in what’s changed in the security landscape that we as a company have to react to. Getting to a maturity for one year in a specific area may be a three the next year, not because we’ve pulled security controls out, it’s just because the landscape itself has changed.
It’s time to play “What’s Worse?”
14:53.923
[David Spark] All right. Jadee, I know you know how to play this game, because you’ve played it before, but you haven’t played it with Andy yet, which is always fun. And this is a topic, it is not going to be a surprise to you, we’ve talked about this many times on the show, but I don’t think we’ve ever done it as a “What’s Worse?” scenario. So, what it is is it’s a half-good, half-bad kind of a situation here. And it comes from Jonathan Waldrop of Insight Global. I will have Andy have answer first, Jadee, so you can agree or disagree with him, up to you. And you’ve heard this before, so it’s not going to be a surprise to you.
Andy, scenario number one, you have a CISO with no technology experience and is first and foremost a business executive, and I think you know where I’m going with this, or you have a CISO who only has technology experience and no business acumen at all, which one is worse?
[Andy Ellis] See, this is one of those that, like, it’s so extreme. I sometimes hate the very binary ones of “What’s Worse?”
[David Spark] It’s pretty binary, I’m just telling you.
[Andy Ellis] It’s really binary. What does “no technology experience” really mean? I’m going to use Jadee as an example here. Like, Jadee is fantastic at business and technology. And so I’m trying to say what would a businessperson with no technology in Jadee’s company look like, would that be like I went and I hired some VP of marketing who’s brilliant at marketing from a hospital who’s never worked with technology and tried to put them into Jadee’s role? Like that’s sort of my mindset. Or do I take this amazing technologist and put them there? I think that’s a little extreme. So, I’m actually going to say – I’m going to be contrarian. I’m going to say what’s worse is the technologist with no business experience. And the reason I’m going to go with that is because a businessperson who really doesn’t rock the technology can get advice from the people that work for them. But a technologist that doesn’t rock the business cannot get that advice from their organization.
[David Spark] Good rationale there. Now, Jadee, I always love it, no pressure, but I love it when you disagree with Andy. What’s your answer?
[Jadee Hanson] I wish I could disagree, but I do agree. I think you’re hitting on something that makes me kind of crazy in the security space, when people talk about, “Is this person technical?” or “How technical are you?” There are so many facets of that, and it can mean so many different things. I think for a CISO executive, you have to understand the organization, and you have to have the business acumen to be effective. Your level of technical experience is important, and it will help you and serve you well if you have a high degree of technical acumen, but it is not the thing that will procure you from actually delivering a strong security program for the organization. Because it’s the business acumen that actually helps you understand where the company’s at risk, and where you need to apply your strongest security controls.
[David Spark] Very perfectly succinctly put. And let me throw this out. Being not technical savvy doesn’t mean you’re not security minded. You can be very security-minded and have a strong business acumen but have no technical chops whatsoever. That, of which I think we’ve seen many CISOs like that, seems to be perfectly okay. What do you think?
[Andy Ellis] Yeah. I just want to be clear that both of these are bad states to be in. You want somebody who’s got a blend of them, and we should be talking about should you be 60/40 in one direction or the other direction, but 100/0 is just awful in either situation.
[David Spark] Again, it is what’s worse.
[Andy Ellis] It is what’s worse, but I always want our listeners to make sure that they don’t walk away going, “Oh, Andy thinks you should be business-minded and not technology-minded.”
[David Spark] Nobody should walk away listening to “What’s Worse?” saying, “The option that Andy or Jadee chose is the option that is preferrable, the thing we would all want.” No. It’s again, the worst of two. The idea is they’re both carrying risk, which carries greater risk?
What to do when employees violate security policies
If you haven’t made this mistake, you’re not in security.
19:11.966
[David Spark] So, according to a report by your company, Jadee, IT leaders believe employees are 85% more likely to leak files than then were pre-COVID. Now, I can see this going up, but that’s a pretty startling increase. So, I want to know from your take – why do you think is the reason for this drastic increase? And then second, I want to mention another report from the National Science Foundation found that 1 out of 20 tasks by employees violate security policies. And when I first read that, I was, like, it’s kind of inevitable that your staff is going to eventually violate policy. It just takes time, nothing else. So, why the massive increase, and is it just inevitable your staff’s going to violate policies, Jadee?
[Jadee Hanson] Let’s start with the National Science Foundation. For sure, 1 out of 20 tasks violated security policies. I do think it is inevitable. I think the technology that our users use today, there’s going to be some scenario where employees are just trying to get their job done, and they’re going to make mistakes, or they’re going to do something that they don’t truly understand the security risk of and put the company at risk.
In terms of the 85% more likely to leak files stat, there’s a few things going on that I think lead to this. I think the first one and the biggest one being turnover. So, we know that when employees leave organizations, they take lots of data with them. And today, we’re seeing an incredibly high rate of turnover that companies are experiencing. I think the New York Times or Wall Street Journal called it the Great Resignation, and so this definitely plays into that statistic.
The second reason why we’re seeing this so high is really the shift in technology that has occurred kind of pre-COVID and post-COVID. So, as people shift to work from home, they’re hybrid environment, there are a number of companies that moved to adopting kind of different ways of collaborating and sharing data. And so data moved out of networks. It moved to cloud solutions like Azure, GCP, or AWS. Data files moved from storage servers to Google Drive and OneDrive and Box. This technology shift has been wonderful and great for collaboration, but it also has created risk. And so many of these great collaboration tools, it just makes it easy to accidentally or maliciously take data out of the organizations. And so for us, our security teams, we have less control, and we really just need that visibility in place for all these new technologies that our companies are using.
[David Spark] What have you seen, Andy, in this past couple of years in terms of sort of abuse of policies? And again, non-malicious abuse.
[Andy Ellis] Yeah. So, actually I like the comment of abuse of policies, because I interpret it very differently. Many organizations write policies that cannot be followed and get in the way of the business. And so of course your employees are going to violate them, because they have a job to do, and you wrote a policy that says they are not allowed to do their job. They’re going to ignore you. That’s very simply what’s about to happen. “We have a policy. Don’t click stuff.” Except HR sends those messages that you have to click to get employed, and Finance sends the ones you have to click to get paid and so many things you have to click. In fact, security teams send the ones you have to click to go take security awareness training that tell you not to click things. So, at what point do you get to say? I’m not even saying should you. Do you even get to say that the employees violated a policy when the only reason you have that policy is so that you can tell your auditors that you have a policy. That’s not a real policy. Those aren’t violations.
And then one thing about the NSF thing. It was a study funded by the NSF, published in HBR, and we should be really careful about reading anything into that study, because the way it was done was they surveyed people and asked them what they had done. And so there was a very strong correlation with people who had high stress days and were willing to say that they violated policies.
[David Spark] Right. That’s what that article was about was about people are more stressed out and when they’re more stressed out, they violate policies.
[Andy Ellis] Yeah, except I think the answer is that when they’re willing to admit that they are more stressed out, they’re willing to admit they’re violating policy. We should be careful not to believe that means there’s a correlation between when they violate policy. It’s when they’re willing to admit it.
[David Spark] That’s a good point there. Janee, I want to go back to something Andy just said in that could a lot of this problem of violating policies be corrected if policies that are errant or pointless or making people’s lives more difficult, if those could be course-corrected, it could really save a lot of headaches.
[Jadee Hanson] Yeah, I think it’s a good point. The thing I think we’ll talk about in a minute is training, and I think there’s a training element that ties to policy. In many of the policies that security teams write, we say things like, “Thou shalt do this and not do that.” When employees run into that, and they’re trying to get their job done, they don’t know in lots of cases the right way to do it or the wrong way to do it. And so even though they may read the policy and understand it, I think where the rubber meets the road is the how. And so, okay, how do I get my job done without violating the policy, and that’s where the intensive training comes in. And we have to really educate our employees on the right way to get something done versus the wrong way, and it needs to be kind of that “just in time” education. And so there’s just a fundamental disconnect from a written policy that sits there kind of static, and a user in everyday life just trying to get their job done and running up against violations of policy, maybe not even knowing it and not even knowing the right way to execute a task.
[David Spark] I think, Jadee, you have just made a good argument for tabletop exercises for policies. You write a policy, now let’s actually practice how this would work in real life. What do you think of that?
[Jadee Hanson] Yeah, I love that. I mean, something that we do at Code42, we do at least one tabletop exercise a year, and we’re testing all of our policies, we’re testing all of our processes, and we’re adjusting based on kind of our lessons learned from each exercise.
[David Spark] Yeah, and it’s not so much a tabletop exercise should [Inaudible 00:26:07] but a tabletop exercise, “Okay, this policy’s in place, how do people do their job knowing it’s in place? Ah, we realize they can’t. Maybe we should adjust the policy.” Andy, have you ever seen anything like this?
[Andy Ellis] Absolutely. We see this all the time. And what’s fascinating is modal bias kicks in here, and it’s lovely to watch. Imagine the IT team comes to the security team and says, “We have a new policy we want to implement.” Like, the security team will rip it to shreds and point out all the ways that it will not possibly work, and users will hate it, etc. And then the security team goes and writes a policy and does not apply the same thinking. Because it’s their policy and they’re, of course, too brilliant to make that mistake. You have to apply the same adversarial thinking to your own work as you do to everybody else’s work. Because the security team is the expert in adversarial thinking, and so if they create a policy, there’s nobody who really is as good as they are at figuring out how employees will break the policy because it got in their way. So, you have to do that consciously yourself.
How to make security training stick
Pay attention. It’s security awareness training time.
27:10.580
[David Spark] On Reddit, socialanimal88 – that’s a redditor handle – had a controversial comment about security awareness training. The user said if you’re actually going to do the training, you should also have a non-tolerance policy, “Unless a company doesn’t enforce a non-tolerance policy, no matter how many times you preach security awareness, the users keep violating it simply because they don’t care or aren’t aware of its impact.” So, non-tolerance seems severe, but complete tolerance seems too lenient. So, is there a middle ground here, Jadee, I’ll start with you, and can there be an “X number of strikes and you’re out” type policy? I mean, how do you manage this? Because I would say universally what we’ve talked about in the past on this show is there’s kind of this constant acceptance of violations. But that just doesn’t work, does it?
[Jadee Hanson] It doesn’t. So, first of all, reacting to the post, I believe that most people actually do care about security, and so the post is surprising to me. It’s sort of like saying that “Here’s all the training you ever need to know. Now go into the world and never make a mistake and remember everything we just told you.” That is not reality, and we as security leaders need to recognize this. So, I think we also need to realize that the way that we’ve traditionally delivered training in the past has been incredibly ineffective. We make users go through long videos, do quizzes on the end. Most users are mindlessly clicking through screens to get to the end and take their test, all while doing probably six other things at the same time
[David Spark] Andy’s raising his hand right now saying he’s that user.
[Jadee Hanson] He’s that user. So, there’s no actual retention of what we’re training on and what they need to learn, and there’s no experience with what we’re training on tied to the training itself. And so this is something that we have been thinking…
[David Spark] So, you’re putting more of the blame on the trainers than on the trainee?
[Jadee Hanson] I do think that there’s an element that needs to be we need to hold our users accountable, absolutely, but I think there’s an element that we have to realize as security trainers. And so we’ve been thinking a lot about this at Code42. We’ve actually had work to come up with a more kind of “in the moment” training. We call this instructor and basically what we’re doing is we’re looking for those policy violations that we talked about before, and when we notice something that violates a policy, we share with you how to fix it. So, we share with you a one-minute video tied to the thing you just did, and then we tell you why it was a problem, and we tell you how to prevent this in the future. And this has had just a huge impact. If you think about it, it’s relevant.
[David Spark] I’ve heard about this instructor. Give me an actual example, give me a real example of something someone could violate, and then the video or content or how that sort of appears in front of them.
[Jadee Hanson] Yeah, absolutely. This actually just happened to my CEO a couple weeks ago.
[David Spark] Oh, they’re violating policies, great.
[Jadee Hanson] So, he shared a…
[David Spark] So, you have a tolerance policy for your CEO, correct?
[Jadee Hanson] Well, again, this technically wasn’t a violation, but it was something that we saw. So, he publicly shared a document out of Google Drive, and I believe he was sharing it with our board team and whatnot. But we can see that it’s important information, and we can see it’s going to people outside of the organization. And so our automation kicks in, a little button pops up that says like, “Hey, did you mean to share this or not? And here’s a quick video on proper sharing.” And the video ultimately just says, “Hey, we saw that you shared something publicly on Google Drive, and here are the steps that you need to take to make that private or to restrict the number of people that have access to it.” And it walks you through the Google settings so that you can, in the moment, right there in a relevant time period, have the user take actions. And that training is when it sinks in. Then people know, “The next time I go to share something, I know how to do it, I know what would be improper versus proper.”
[David Spark] Now, not slamming it when I say this, but it sounds like a more relevant version of Clippy, “I see you’re writing a letter.”
[Jadee Hanson] Maybe. Right when you said that, David, I was like, “Clippy? Who is Clippy?” and then it dawned on me.
[David Spark] There you go, Clippy.
[Jadee Hanson] I’m like, “Oh, yes, Clippy!”
[David Spark] Clippy. I see Andy appreciated that, Andy – by the way, loved all of that, Jadee – so what’s your sort of policy, the tolerance, no tolerance? Where do you lie? Assuming that the training is somewhat good.
[Andy Ellis] Yep. So, actually I want to add to the example Jadee just used. Which is do you know what the real problem is there? There is no easy way for the CEO to click “Share with the board.” That’s what’s actually missing in Google Drive, is you have this group of eight people that somebody else knows who they all are, what their email addresses are.
[David Spark] Well, you can create a board group, you could create the group.
[Andy Ellis] It’s really painful, and most organizations do not go through the group management to make this easy. So, your CEO just wants to click the button “Share with the board” and I could solve this with eight workarounds. But that’s the ultimate failure is the bad system, not the fact that they said, “Oh, fine. I’ll just create a link, that as long as you have the link,” and I’ll send it to them.
[David Spark] But this is where the value of the tabletop exercise comes in. We see these kinds of scenarios.
[Andy Ellis] But now it’s come to the core question around tolerance, non-tolerance. So, first of all, Jadee is dead on about the failure of the security awareness training industry. As a historical issue, security awareness training used to be, “Hey, there’s some things I need to tell you.” And then all of a sudden, it became, “Hey, I need to prove that I told you something once a year. Every employee has to have this, check the box.”
So, I want to just – everybody, if you’re listening – do some math. Count how many employees are in your organization, how long is your security awareness training annually, and now multiply those two things together. So, if you’re doing 90 minutes of training, and you have 1200 employees, you have just burned one FTE. One full-time equivalent per year has just been destroyed in your company to go do security awareness training. Are you getting the same value out of that training that you would have gotten had you put that FTE doing anything else? And the answer is probably no.
It’s why when I first implemented security awareness training back at Akamai for compliance reasons, it was a single web page that you had to click one button on once a year, and you could read the whole thing, click the button, and be done. And there were references to go do other stuff, but none of this like, “Here’s a video. And if you move focus, the video auto-pauses.” I hate that, by the way, that is the rudest thing ever. It’s why I always had two computers, one to do awareness trainings on, and one to do my work on.
[David Spark] By the way, you are essentially the devil on the shoulder right now giving the bad advice.
[Andy Ellis] I’m giving you the advice to get your job done. So, here’s the reality – let’s ignore the specific of security awareness and let’s talk about policy violations. If you have employees who are repeatedly putting the company at harm and refuse to learn, what do you do? Right? That’s the real question that we’re trying to ask here.
[David Spark] Yes.
[Andy Ellis] Let’s ignore whether our training was good or bad. You have somebody who’s dangerous. The problem that most security professionals have is they think they should have the firing ability. And you don’t. You never will. The person does not work for you, you do not get to choose to fire them or not. The real question is is their violation dangerous enough that you are willing to spend political capital speaking with their manager, their director, their VP, the head of HR, and say, “This person is such a problem, and I need to understand why you’re willing to tolerate this, and educate…”?
[David Spark] We’ve talked about this. You’ve had people like this before, yes, Andy?
[Andy Ellis] Yeah. We’ve terminated people before. I’ve never done it, somebody else does the termination because it’s their…
[Crosstalk 00:35:31]
[David Spark] But you made the case.
[Andy Ellis] I made the case. Usually I didn’t have to make the case, we found what they did… And the most egregious thing you will ever do that will get you terminated basically instantly, like every CISO should hold the line on with those managers, is cover up. It’s okay to make mistakes, but the moment you go, “Oh, I screwed up. Let me delete the logs of it.” To me, that is the one thing that I have zero tolerance for. Because if you’re going to hide it…
[David Spark] Well, screwed up and then alert is that’s cool, yes?
[Andy Ellis] Yeah.
[David Spark] Yeah.
[Jadee Hanson] Yeah. I think that’s a really good point. We talked about earlier just like empathetic investigations. And when we go through an investigation, if we know that the person on the other end is speaking honestly and truly did make a mistake, there’s a lot more leeway for that type of a situation, versus a situation where we can see in all of our technology and all of our tooling that you are lying about the situation that you’re in. It’s a lot less empathetic action that we can take in those types of situations.
[Andy Ellis] And I’ll add in one more unforgiveable mistake which is not the CISO’s unforgiveable one, usually the head of HR’s unforgiveable one. If when you have made the mistake, and you’re being called in for a counseling session, don’t show up with your lawyer in the room. I have had an employee do that. It was – boom – instantly everybody’s like, “Okay, they got to go.”
[Jadee Hanson] Mm-hmm.
[David Spark] Not good.
Closing
37:00.611
[David Spark] All right, some good advice we’re wrapping this up with. By the way, this episode was packed with great advice. Thank you very much. Jadee, I’ll let you have the very last word. First, I just want to thank your company, Code42, for sponsoring this episode and actually, many episodes with the CISO Series. Thank you so much for doing that. Also I always ask all our guests are you hiring, I’m sure you are, but hold tight for that. Andy, any last words?
[Andy Ellis] So, I think this was also a great episode, I always love having Jadee around because she makes me smarter. The real focus here is if you are not a kind human being, you will have problems in security. You can fake being kind and that’s okay, but if you approach this and you want to be in charge and you want to hurt people and punish people, you’re going to go south. We are supposed to be helpful and sustainable, and we get a lot more done when we treat everyone with dignity.
[David Spark] The “I told you so” security professional is a dated security professional.
[Andy Ellis] Yeah.
[David Spark] They don’t survive much anymore. All right, Jadee, any last words, any plugs you would like to make for Code42, and are you hiring?
[Jadee Hanson] Yes. So, I myself in IT and security am fully staffed. This’ll probably be maybe three days, I don’t know. But right now, I’m fully staffed but obviously we’re always hiring throughout the company. As I mentioned in the Intro, we at Code42, we’re working really hard to solve some of these data protection and insider risk problems, and we’d love to hear from you. So, here is my offer, I might regret this, but if you are a security leader and you are looking at wanting to solve this data protection problem, I will offer to take time to walk you through the product if you’re not quite ready to contact Sales. So I myself, I’ll make time, I’ll make myself available, walk you through the product, share more of what we’re up to. As I mentioned, passionate about what we’re doing and love to share with you.
[David Spark] Ah. A great, great offer. A walkthrough from Jadee, by the way, she spells her first name J-A-D-E-E, and best way to contact you?
[Jadee Hanson] Just through LinkedIn.
[David Spark] LinkedIn. And by the way, the link to that will be available on the blog post for this episode. Thank you very much, Jadee. Thank you very much, Andy. And thank you very much to our audience. As always, we greatly appreciate your contributions, and for listening to the CISO Series Podcast.
[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOSeries.com. Please join us on Fridays for our live shows – Super Cyber Friday, our virtual meet up, and Cyber Security Headlines Week in Review. This show thrives on your input. Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOSeries.com. Thank you for listening to the CISO Series Podcast.