My daughter has been in gymnastics for several years. This, of course, means that I’ve spent countless hours in a gymnasium watching her, cheering her on, supporting her when she’s frustrated. All while trying to be a good dad by not looking at my phone and getting lost on social media or email.
I remember one of the first times I was sitting up in the stands watching her. All of a sudden, a loud brass bell began clanging and all of the other parents began clapping. I looked around and couldn’t figure out what had just happened. I went back to my phone, and it happened again…bell rang, parents clap.
I looked down and found the bell in the room. There was a little kid, about 3 years old, tugging on the rope attached to the bell with all her might. As she ran back to her group, the parents all applauded her. She was beaming. Later, I learned that the kids get to ring the bell whenever they master a new skill or do some move perfectly.
The bell, in other words, is a reward. As the kids get older, they ring the bell less and less. But as a reward, the bell teaches them that hard work and dedication pay off.
When is the last time you can remember being rewarded for doing something right when it comes to cybersecurity?
We’re adults. As we’ve gotten older, we hear praise for our work less and less. And when it comes to cyber, we’re expected to be perfect already. We’re punished for doing things wrong. And when someone can’t do something right, they are looked down on for needing “hand holding” to develop those skills.
If we taught kids gymnastics that way, would they improve? For most kids, I don’t think this approach would work. They might be much more likely to quit instead of sticking with it. So why do we think adults are any different?
Gymnastics coaches don’t just expect kids to be able to do a cartwheel or roundoff on the first try. Instead, they break each movement down into individual skills. For a cartwheel there are five or six different skills that kids can master before putting them all together into a whole. In some cases, they can substitute easier skills before they attempt the whole skill. Maybe it’s ok to bend your knees when you land instead of trying to stick the landing on day one, for example.
When we teach cybersecurity, we don’t do any of these things. Most security training involves educating employees on what their obligations are when it comes to being compliant. Some training focuses on all the things you’re not supposed to do or types of things to avoid. Often, security training goes into a lot of confusing detail on technology concepts that most employees won’t ever need to know in their daily lives.
What would it look like to train employees the way gymnastics coaches train kids?
Take an example that many employees will be involved with in some way in their careers: entering into a contract with a vendor to provide a service for your organization. Most employees will only do this a handful of times in a career, and very little training is dedicated to this activity.
The Ponemon Institute issued a report recently that indicates 60% of all data security breaches happen because of a vendor. And the report indicated that more than half of organizations didn’t adequately vet the security of their vendors before entering into an agreement.
How would we break vetting the security of a vendor down into smaller behaviors that employees can master? Here are some examples based on the Nine Cybersecurity Habits:
- Literacy – At the beginning of the project, before you’ve even looked at vendors, start with a pre-mortem to talk about the project and what could go wrong. Review the vendors in the market, and look at reviews, references, and news articles to understand each company’s stance on protecting data.
- Skepticism – Don’t believe the vendor unless they put it in writing.
- Vigilance – Perform security reviews of your vendors before entering into a contract. Send them security questionnaires or ask that they provide security documentation or audited statements in writing.
- Secrecy – Ensure that personal information is adequately protected, not just in the contract, but in practice. Is data password protected or encrypted? Or is it being stored on an open website?
- Culture – From the start of the project, make sure to emphasize that security is an important objective of the team. Use techniques like The Security Minute to begin meetings with a security topic for 60 seconds.
- Diligence – Make sure you include security language in the contract before it is signed.
- Community – Make sure when you’re forming the project team that it includes everyone from IT, Security, or Legal from the beginning of the project.
- Mirroring – When vetting a vendor, most organizations require proof that their suppliers conduct regular security audits or penetration testing by third parties.
- Deception – To ensure that your data remains secure, many organizations embed unique data into the documents that are shared with third parties, which acts as a kind of digital watermark. If the data is ever exposed, this unique watermark can help point to the source of the leak.
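As an added illustration of the Deception habit above (example code, not from the post or from Well Aware’s product), here is a minimal way to give each vendor its own copy of a shared document and later work out which copy leaked. The secret key, the vendor names and the document text are constructed placeholders.

```python
"""Per-vendor document watermarking for leak attribution.

Added example, not part of the original post or of any product it mentions.
Assumptions: the data owner holds a secret key, keeps a registry mapping
tokens to (document, vendor), and shares plain-text documents.
"""
import hashlib
import hmac
import re

# Secret held only by the organization sharing the data (constructed placeholder).
WATERMARK_KEY = b"replace-with-a-real-secret"

TOKEN_PATTERN = re.compile(r"REF-[0-9A-F]{12}")


def make_token(doc_id: str, vendor: str, key: bytes = WATERMARK_KEY) -> str:
    """Derive a short token unique to this (document, vendor) pair.

    Using an HMAC means a vendor cannot guess another vendor's token and
    cannot forge a token that points at someone else.
    """
    mac = hmac.new(key, f"{doc_id}|{vendor}".encode(), hashlib.sha256).hexdigest()
    return f"REF-{mac[:12].upper()}"


def watermark(doc_text: str, doc_id: str, vendor: str, registry: dict) -> str:
    """Append a vendor-specific reference token and record who received it."""
    token = make_token(doc_id, vendor)
    registry[token] = (doc_id, vendor)
    return f"{doc_text}\n\nReference: {token}\n"


def attribute_leak(leaked_text: str, registry: dict):
    """Return (doc_id, vendor) for the copy a leaked document came from, or None."""
    for token in TOKEN_PATTERN.findall(leaked_text):
        if token in registry:
            return registry[token]
    return None


if __name__ == "__main__":
    registry = {}
    copy_a = watermark("Q3 pricing schedule (constructed sample)", "doc-42", "Vendor A", registry)
    copy_b = watermark("Q3 pricing schedule (constructed sample)", "doc-42", "Vendor B", registry)
    print(attribute_leak(copy_b, registry))  # ('doc-42', 'Vendor B')
```

In practice the token would be placed somewhere less obvious than a trailing line, but the registry-and-lookup pattern is the same.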
Mastering any new activity requires practice. Whether it’s gymnastics, or learning to play the guitar, it takes time to learn all the techniques and skills it takes to be proficient. With Well Aware’s security training, we help users master the Nine Cybersecurity Habits by using the natural habit loop that has been proven to be most effective at changing behaviors.
Learners need their own unique learning path based on their unique personality that fits with their role inside an organization. The Habit Loop (Prompt, Behavior, then Reward) can help make learning new cybersecurity behaviors easy by breaking them down into smaller, more attainable skills that are personal to each individual, just like in gymnastics.
Cybersecurity doesn’t have to be hard or scary. Well Aware Security’s unique approach to security awareness training can give your teams the roadmap they need to make a difference in security today.