As a Deputy Chief Information Security Officer, it often falls to me to come up with new and entertaining ways to engage our employees with the kind of in-depth security training mandatory at a large cybersecurity company.
Though security training is crucial, many companies unwittingly create disengaged employees by requiring that team members test their security knowledge by filling out the kind of dry multiple-choice questionnaires rarely seen outside of the New Patient forms at a doctor’s office – and about as eagerly anticipated.
Prior to National Cyber Security Awareness Month (NCSAM) last year, I was left thinking about ideas for trying something different. There are myriad articles and blogs out there on the failings of traditional web-based training (WBT) for employees, so I wanted to approach it differently this round.
Searching for ideas, I started to pay a bit more attention to people I judge to be thought leaders in this space - Chad Loder, Masha Sedova, and Drew Rose - who advocated gamification, escape rooms, simulations and hysterical videos - all of which drove me in the direction of seeking to approach the security awareness and training challenge from a more engaging perspective.
Around that time, I made a joke on an internal comms channel about penning an original security haiku each day that month. Later I revisited the idea publicly on LinkedIn when a colleague asked what people were doing for NCSAM. That simple joke stuck with me and I thought... why not?
So, on the Sunday of each week I spent some time over coffee crafting security haikus and then penning an email to be sent to the entire company first thing each Monday morning. Anticipating pushback, I fired off a warning email and promised to use the same subject headers in case some folks did not want to receive them, so they could apply email rules appropriately.
But after the first week, something surprising happened - our employees started replying to my daily emailed haiku by sending me their own haikus in return. Much to my delight, I started to get original haikus about phishing, tailgating, writing bad code, conforming to OWASP standards, travel risks, etc.
The really interesting part is that employees started responding with topics not commonly covered in standard security training - proactively thinking about ideas or issues that they thought were important in their day-to-day life working at a security company.
When the dust settled I found we had several dozen new haikus that I dutifully added to a fun background, inscribed with each haiku author’s name, and sent out internally throughout the remainder of the month. It wasn't until after Security Awareness Month was over that I realized what this really meant.
Some may say I’m being over-optimistic in my assessment and I will own that, but for the sake of argument, I took a swing at some numbers. Over NCSAM, we distributed 23 haikus internally. If we assume people took three minutes to read and reflect on each one daily, that is about an hour of training over the span of the month covering numerous security-related topics. Some haikus were straightforward and easy to digest, but some submitted by the more senior Research staff were extremely clever and probably resulted in people thinking about them even more.
In addition to the simple digestion of the message, some people were so inspired that they put pen to paper and started crafting their own - meaning they were actively thinking about and researching the topics and trying to see them in a new and creative light. Other people asked me if they could share my emails with friends/family/peers, which means they were acting as security champions for the company (if only for as long as it takes to forward a message and type an intro).
With regard to effort spent, each haiku email took me around 30 minutes to craft when you add up creating one, finding a good background, distributing it, and responding to the employee responses for each. Over the span of the month, that means I put about 12 hours into this effort (in other words, an average cybersecurity workday). In return, I can guesstimate we had about 400-800 hours of employee response.
Can this kind of approach replace obligatory security training? No, of course not - we will still need that content and that activity to hit the appropriate audits and compliance checkboxes required these days. But do I consider this novel approach to security training a success? I like to think so, if it put people's focus on issues, promoted conversations about the haiku messages, and had people actively creating and exchanging their own ideas.
So, in the end, a joke led to a challenge which led to a collective exercise in awareness.
Next year, I think we are going with a Dog-Shaming theme for security awareness training - this is me giving our employees fair warning so they can start thinking about contributing their own...
- Steve Mancini
Deputy Chief Information Security Officer
P.S.: Below is a selection of some of my favorite employee-generated security haikus. You can view these in higher resolution in my follow-up posts:
Part 2: Cyber Security Training Haikus: No Heads in the Sand
Part 3: Cyber Security Training Haikus: Shellcode Returns