Does Security Training Really Work?
Episode 513th August 2019 • The New CISO • Steve Moore
00:00:00 00:31:20


Shownotes


David Tyburski, Chief Information Security Officer at Wynn Resort sits down to talk to Steve Moore about security training, specifically phishing training. He shares his thoughts on the idea of training vs education, positive vs negative reinforcement, and offers suggestions for engaging with employees.


David Tyburski’s Current Role

I'm currently the global CISO for Wynn Resort, a casino at the north end of the Strip in Las Vegas. About nine years ago, Wynn issued a directive to have a more dedicated security focus on the environment and the organization. They basically handed it to me, and for the last nine and a half years I have run this organization, building it from just me to the organization it is today, managing all their properties and operations worldwide.


What Advice Would You Give Your Younger Self?

One thing I would say is to be a little more attentive to the tool-set you bring in, because we had a lot of false starts along the way as far as buying tools. If we'd spent a little more time evaluating where we could really use them, we would have been in a better position in the early days. We do that today by ensuring we have good, proper use cases for every tool that we bring in.

Also, I'd tell my younger self to spend more time on the use case, to know how you'll use a tool instead of just going to get it. Understand not just why you want it, but how you will use it and what you expect from it.


What Bothers You About Phishing Training?

It's not necessarily all phishing training, but what bothers me is that we're attempting to teach non-security professionals to be security professionals. Their backgrounds are different from ours; they don't spend their time looking at security incidents or reading security articles, but they're extremely talented people in other ways. They do an amazing job at what they do.

But we as security professionals try to teach them that they've got to know what we know. So I think security professionals need to do a better job of understanding their role in the business, and of building a technology solution around that, instead of trying to get them to understand their business.

Training vs Education

There's a major difference between training and education. Wynn's is an education program, because we're not training people but educating them. We want to give them the security knowledge and information they need for their organizations.

We're educating people, trying to give them knowledge, not just teaching them the steps to accomplish something. We have to be able to transfer knowledge, and that's an education program.

We have a continuous education program. We break up the topics into small, easy-to-digest chunks and run a new topic every week. It's timely, and we do everything we can to relate it to everyday life.

People are like water and will always take the path of least resistance. So in that light, if we can build our security program and educate our people in the right way, so that the organization's security is the path of least resistance, then it's no longer security fighting the rest of the business but security enabling the entire business to operate.


Should Information Security Be More Aggressive with Email Attachments?

For an HR person whose job is recruiting, they need to open the resumes they receive as email attachments. So how does information security help or enable that process and allow the person to do the job safely?

One way we can do this is to intercept the email, pull the attachment out, and re-write it into our own PDF, where we turn off all the problematic capabilities, take out any possibility of weaponization, and restrict what that PDF can do and look like; then we bundle it up, put it back in the email, and send it on to the recipient. Now we don't mind if the HR person opens it, because it's safe.

So to them, they simply open the resumes the way they need to. They're doing their job and we're enabling it, but we're also protecting them from all the weaponization problems that can come along with emails and attachments.
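The approach described above re-renders the attachment into a new PDF, which is the thorough form of content disarm and reconstruction. The script below is an added example (not Wynn's system and not code from the podcast) of the cheaper "disarm" step that the same idea starts from: it scans an inbound PDF for the dictionary names that let a document run scripts, launch programs or carry payloads, and rewrites each one into a same-length name the viewer does not recognise, so cross-reference offsets stay valid. The case-swapping trick is the one used by Didier Stevens' pdfid.py with its --disarm option. The sample PDF is constructed here for the demonstration; the script uses only the Python standard library and does not look inside compressed object streams, which it flags for full rebuilding instead.

```python
"""Disarm active content in an inbound PDF before it reaches the recipient.

Text-level pass: names such as /OpenAction or /JavaScript are rewritten to
same-length unknown names (/oPENaCTION, /jAVAsCRIPT). PDF names are
case-sensitive, so a viewer simply ignores them. Stream bodies are left
untouched so binary data is never corrupted.
"""
import re

# Names whose presence lets a PDF run code, launch programs or carry payloads.
ACTIVE_NAMES = {
    b"/OpenAction",    # action fired when the document opens
    b"/AA",            # additional actions (page open, field focus, ...)
    b"/JavaScript",    # JavaScript action type and name tree
    b"/JS",            # the script text or stream reference itself
    b"/Launch",        # run an external program
    b"/EmbeddedFile",  # file-attachment payload
    b"/RichMedia",     # Flash and other embedded media
    b"/XFA",           # XML forms with scripting
}

# Either a stream body (group 1, skipped) or a name token (group 2).
# Name regular characters exclude whitespace and the PDF delimiters; #xx
# hex escapes (e.g. /J#61vaScript) are regular characters and match too.
TOKEN_RE = re.compile(rb"(stream\r?\n.*?endstream)|(/[^\s/\[\]<>(){}%]*)",
                      re.DOTALL)


def decode_name(token: bytes) -> bytes:
    """Resolve #xx escapes so /J#61vaScript and /JavaScript compare equal."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), token)


def disarm_token(token: bytes) -> bytes:
    """Return a same-length replacement the viewer will not recognise."""
    swapped = decode_name(token).swapcase()
    # An escaped spelling decodes shorter than the raw token; pad to keep
    # the byte length so xref offsets further down the file stay correct.
    return swapped + b"x" * (len(token) - len(swapped))


def disarm_pdf(data: bytes):
    """Neutralise active-content names; return (cleaned_bytes, findings)."""
    findings = {}

    def repl(m):
        if m.group(1) is not None:   # stream body: leave binary data alone
            return m.group(1)
        token = m.group(2)
        decoded = decode_name(token)
        if decoded not in ACTIVE_NAMES:
            return token
        findings[decoded] = findings.get(decoded, 0) + 1
        return disarm_token(token)

    cleaned = TOKEN_RE.sub(repl, data)
    if len(cleaned) != len(data):
        raise ValueError("length changed; xref table would be invalid")
    return cleaned, findings


def needs_full_rebuild(data: bytes) -> bool:
    """Object streams and encryption hide dictionaries from a text-level
    pass; such files must be re-rendered rather than patched in place."""
    return b"/ObjStm" in data or b"/Encrypt" in data


# Constructed sample: a catalog with an open action, a page with an
# additional action, an escaped /JavaScript action, and a stream whose body
# happens to contain "/JS" (must survive untouched).
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792]"
    b" /AA << /O 4 0 R >> >> endobj\n"
    b"4 0 obj << /Type /Action /S /J#61vaScript /JS (app.alert(1)) >> endobj\n"
    b"5 0 obj << /Length 5 >>\nstream\n/JS x\nendstream\nendobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)


if __name__ == "__main__":
    if needs_full_rebuild(SAMPLE_PDF):
        print("object streams or encryption present: re-render instead")
    else:
        cleaned, found = disarm_pdf(SAMPLE_PDF)
        for name, count in sorted(found.items()):
            print(f"disarmed {name.decode()} x{count}")
        print(cleaned.decode("latin-1"))
```

Run it on a real attachment by reading the file in binary mode and writing the cleaned bytes back out; when `needs_full_rebuild` returns true, route the file to a renderer that rebuilds it rather than delivering the patched copy.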


Good Security Programs

If you bring negative reinforcement into your organization, it will only go so far. If your objective is to reduce malware in your environment or reduce the phishing problem, then training people the way we seem to want to is a negative reinforcement model. You may end up frightening employees to the extent that they're not willing to take the risk. So it's important to find a better way to bring that into your organization, so that employees can do their job of generating revenue and doing good things for the business.

Employees also need a way to communicate back both positive and negative feedback: did it work or not, what slipped through, and what did we not recognize? Any good security program is not dependent on one single item. You need multiple places protecting the same thing. So if we're eliminating 99.99% of the phishing and malware coming through email by rewriting attachments, then what slipped through, and why? What was the new technique the hacker used, what is the new thing that we haven't accounted for? That's what we need to focus on.

One of the things we push for in our education program is the open-door policy. A lot of companies have one, but how many line-level employees are comfortable picking up the phone and talking to the CFO? Probably not a lot. But in this organization we have made that an absolutely acceptable act, and the CFO is responsive to it and on board. That way you involve everyone, so that the entire organization is working towards the same goal. Security becomes a lot easier because you have allies helping you do it, as opposed to shadow security.


What Other Things Can We Do?

One other thing I do a lot is what I call evangelist activities. I go and sit with the business, not just the managers or directors but the line-level employees. I have conversations with them, eat lunch with them, talk to them in their own environments, sit with the project team, the gaming people, the sales people, and learn their jobs for a day to get a better understanding of their work. I do these things regularly so that they build trust in the program and in me, and we have an open line of communication. How can we help them do their job better? We want to bring them into our world and enhance collaboration.

Also, if you look at the primary activities of any user in any organization, two of the biggest things the end user is going to deal with are:

  1. email attachments
  2. browsing the web

So I would advise security professionals to investigate browser isolation platforms. Understand that it's not just about rewriting docs and emails and things that are inbound to the organization, but also the outbound activities of the user, like browsing the web.

Do You Think Information Security as a Whole Has a Problem?

I think every organization is different, every CISO is different, and company cultures are different. Information security has to adapt to that within its organization and promote the change that's necessary. We do get a bad rap in some cases because sometimes we have to say 'No', but I think some organizations take that to the extreme.

Therefore, it's all about building a culture for your organization. What works for Wynn may not work in another organization. But if you understand the business and the people, and your objective is to enable the business to operate safely and work towards those goals, I don't see how you could go wrong. The idea that you only tell someone what they can't do and never tell them what they can do is the wrong position.


Resources:

Exabeam - Website

SentinelOne - Website

Steve Moore - LinkedIn

David Tyburski - LinkedIn

Wynn Resort - Website
