By Jason Hoenich on May 21, 2019
It’s time to sit down with the man, the myth, the security awareness legend, and Habitu8 co-founder Jason Hoenich to find out what really grates his cheese about the security awareness training industry.
Jason has created countless video training programs on everything from CEO fraud to password security for the likes of The Walt Disney Company, Sony Pictures, and other companies you know and love. He co-founded Habitu8 in 2017 with Chad Loder (a respected CISO and founder of Rapid7) to help companies redefine what an effective security awareness program looks like.
Let’s dig into some questions.
Q: What do you love about working in security awareness training?
I love getting my coworkers to that “aha!” moment. It’s something I connected with more than 10 years ago, and it’s become the foundational goal throughout nearly every aspect of my work. I love getting that complex, seemingly overwhelming idea or topic to suddenly make complete sense. Most of the time, the reason why people don’t understand or engage with something is because of how it’s presented. So putting my right-brain skills to work in a left-brain industry is really impactful.
Q: What do you hate about working in security awareness training?
I think something that is really frustrating to me is the amount of poor guidance out there that’s being delivered by vendors claiming to be security awareness companies. If you do a bit of research on any of them, you’ll likely find most of them have never managed an actual awareness program for actual users. There’s a huge difference between selling ideas for your product and selling a product based on real-life experiences. But hey, that’s why I founded Habitu8, to fix that.
Q: What do most companies get wrong most of the time?
Almost every company I speak with (and this included me as a practitioner for a long time) wants to do security awareness but often has no clue where to start. It seems like such a logically simple place to start—but knowing why you’re starting an awareness program is crucial. But you can’t successfully know that unless you’ve put time into developing a strategy around security awareness and built a program plan to work from throughout the year.
What ends up happening is that once you’re two to three months into your new program year, things come up unexpectedly, and you’re forced into a reactive approach by shifting focus to the latest threat. When you have a plan and strategy in place, you can reference it each time something new comes up in order to say, “That is definitely important, but it doesn’t fit in with our current strategy.” It also leaves room to then say, “But here is how we’re supporting already…”
It’s easy for a CISO or IT team to throw you off course if you don’t have anything in place to push back on. With a solid plan and strategy in place, you can maintain control of your program throughout the year.
Q: How do you feel about annual training?
Although it’s a necessity for most companies right now, I personally don’t really like it. However, in order to get the industry matured to a point where we can consider more relevant and effective options, we need to do it. And not only that, we need to be really f*ing good at it and bring the best experience we can each and every time—otherwise we won’t be able to break out of the mold.
Annual training works to maintain compliance for most companies, which is extremely important. I think we can move past it creatively, but it will likely take a few more years of getting “everyone” up to the same basic level.
Q: What do you think about quarterly training?
I’ve got my eye on quarterly training out of sheer curiosity. It brings into play some of the learning and behavioral science around repetition and engagement. However, it can easily create an overwhelming management process for the security awareness practitioner if she doesn’t have the right resources in place to support the effort.
Q: OK, then what about monthly training?
I’m leery about this, but only from my own personal experiences managing programs. I think in theory and on paper this looks like an amazing solution. What it doesn’t take into consideration, however, is the cognitive fatigue that happens from forcing users to take training every few weeks—especially when they may have other required courses they’re forced to take as well. But I’ve seen programs successfully roll these out because the company culture supports monthly required trainings.
Q: Which industries “get” security awareness training and which are completely missing the mark no matter how hard they try?
So far, I’m really impressed with the healthcare and financial industries. They show a genuine desire to hire and staff teams, as well as provide budgets that allow them to be effective—and the CISOs really seem to get it.
I’m really excited at what we’re seeing with our customers. Tech companies still seem to have that “meh” mentality, which I understand, especially as most are growing and scaling in weird directions. But, when they’re ready to turn it on, we’ll be here, and I’ll be excited to help them build out top-notch programs for their users. Everyone is on a different journey.
Q: What is the typical security awareness training professional actually like, personality-wise? Are we talking IT crowd, Silicon Valley, or more prime-time TV drama?
If I think of the 300-400 peers in this space that I’ve met that are actually in the trenches managing programs? We’re all pretty similar. Security awareness is an emotional role, requiring solid communication, and at the very base of it is empathy. You likely won’t find a more empathetic group of users within the IT/IS (information security) space anywhere. We care about our coworkers, we’re good communicators, and we’re not afraid to point out things that don’t work. To me, that’s the DIY networks like Netflix, Amazon Studios, and Hulu. We like high-quality experiences that tell a story.
Q: Can you tangibly measure the success of a security awareness training program? Or is it all anecdotal and feel-good feedback?
You absolutely can measure the success of programs. However, I don’t think most programs are set up for success. Most programs started with doing some phishing simulation and annual training of some sort. It is more of a check-the-box “OK, we got this, now what?” approach.
And I’m not shaming anyone here—if anything, I take my gripes with the vendors in the space that have been selling the idea of an automated program and turnkey solutions that claim to create awareness programs. Those dinky dashboard metrics you get from those providers don’t tell an accurate story of what you’re doing. They tell a story of what the product is doing so it can justify the license cost.
This is why I’m so persistent with recommending having a strategy and program plan. It’s why we spent time developing one, based on my experience at Disney and Sony Pictures. It works. It just works. If you know what your “why” is each year, and identify your goals, you can then track progress and metrics that will show behavior change if you spend the time to preemptively think through your goals and set them up.
You can’t retroactively go back and build magical metrics. It doesn’t work like that. Do it before you start.
Q: What do you wish security awareness training professionals would stop doing?
I believe that, if my peers would stop believing they can’t make a change to existing policies or thinking that “this is how we’ve always done it,” then they would be able to unlock amazing growth for their programs and their coworkers.
Who cares? Question the status quo! Do it respectfully, build a plan to propose an alternative, and ask for permission to beta test it. Also, stop saying users are the weakest link. Just, stop it. That’s my mom you’re talking about. That’s my wife you’re talking about. That’s me. That’s you.
Q: On the flip, what do you wish they’d start doing?
Taking risks. Exploring outside-the-box thinking and solutions. Just because the culture of a company may not accept something doesn’t mean it may not resonate with your coworkers. That’s how you change behavior and culture, by finding what your coworkers really like—not what the execs like. If you can show your execs your users love something, they’ll listen (hopefully).
Q: What really grates your cheese about the security awareness industry?
Vendors pontificating about guidance and solutions when they’ve never spent a sincere minute managing a program in the trenches. Would you select a doctor to do outpatient surgery who’s read a bunch of studies and research and has a good feeling about how to do it? Or the one who’s done 10K+ hours of surgeries? Hell. No.
Want to connect with Jason and the Habitu8 team to see what we can do and how you can become the hero at your company? Let’s talk.