CISOs use many different approaches to educate employees on the importance of safeguarding company data: from required trainings, to companywide emails, to town hall meetings and more informal “lunch and learn” events.
All of these techniques are helpful. But to create a culture of security that sticks – one in which employees are vigilant and quick to report potential threats – CISOs must engage employees about security in ways that matter to them.
According to a May 2016 Ponemon Institute study of 601 executives whose organizations have security awareness training programs, 66% believe that employees are the weakest link in the security chain while 55% indicated that their companies had suffered a security incident or a data breach as a result of negligent or malicious employee behaviors.
As Todd Barnum sees it, it’s essential for him as GoPro’s CISO to act as the company’s “Chief Security Evangelist.”
“If I’m in my office, I’m not doing my job,” says Barnum. “My job is out in the organization, meeting with people and helping them recognize the risks facing them personally and the company as a whole.”
One of the ways Barnum and his information security team are capturing employees’ attention and raising security awareness is by creating gamified training built around GoPro video. The team recently developed a 5-minute training game that takes employees through action-packed POV videos of surfing, snowboarding and motocross – all shot with a GoPro, of course. At different points in the video experience, the player is asked questions about recognizing and reporting phishing scams. Answer correctly and the ride continues; answer incorrectly and the player wipes out and receives a quick training tip before moving on to the next wave or jump.
“People love this,” said Barnum, now that the training is being rolled out to GoPro’s 2,200 employees. “Through this, employees are starting to learn about security best practices and are more aligned with the company’s mission.”
Another way GoPro’s information security team stokes employee engagement is by running phishing simulations: emails that mimic real-world phishing scams. The first GoPro employee to detect and report one of these simulated “attacks” receives a $50 gift card. Now that the team has been running periodic simulations for over a year, GoPro staff are responding within seconds of the phishes being sent. In a real phishing attack, these first responders would give the security team the early warning it needs to protect their 2,200 colleagues from falling victim.
To further strengthen engagement, employees are also encouraged to create their own phishing simulations for the security team to send out across the company. If more than 20% of GoPro’s employees fall for an employee’s phishing scam, that employee receives a nice cash prize.
“These exercises are key to staff engagement,” said Barnum. “We run community focus groups and host lunches where we bounce ideas off of people. It’s where we came up with the idea to create gamified trainings using GoPro video,” Barnum added.
To strengthen security awareness, Barnum has even added a marketing person to his team to help craft the right messages and creative awareness materials to drive employee engagement.
In addition, each of the security engineers on Barnum’s team is required to present a “cybersecurity roadshow” every month to different departments, such as HR and product engineering teams. “What we’ve discovered is that these events lead to a change in people’s behaviors,” said Barnum. “Every time we hold a town hall meeting or put on a roadshow, the security team members always come back and tell me there’s no better use of their time.”