The Voice of Cyber®

Episode 260 Deep Dive: Christina Arcane | Guiding Your Cyber Champions with Cyber Risk Education
First Aired: June 05, 2024

In this episode, Christina Arcane, Director from Inspire Cyber, sits down with us to discuss the crucial topic of cybersecurity awareness and training. She discusses the importance of aligning training with an organization’s brand and culture, distinguishing between cyber risk and awareness, and the challenges in effectively engaging employees in training. The conversation covers a wide range of issues, such as the need for comprehensive, personalized training, the impact of poorly executed online modules, and the critical role of engaging and effective delivery in cybersecurity training. Tune in to gain valuable insights into cybersecurity training strategies and the importance of driving behavioral change across organizations.

For her entire cyber security career Christina has been translating cyber security concepts and providing high quality awareness and training to all roles – from the company graduates right up to the board.

With a wide range of experiences across financial services and technology industries, working with startups, SMB’s and large multinational organisations, Christina has built a career on the intersection of cyber threats, risk and business objectives. In 2016 she co-founded cyber security SaaS startup BreachAware, leading its operations right through to acquisition in 2020. Recently she dived back into the world of entrepreneurship to reimagine security awareness offerings and provide her expertise through her new company, Inspire Cyber.



Episode Transcription

These transcriptions are automatically generated. Please excuse any errors in the text.

[00:00:00] Christina Arcane: The cyber security awareness and training function needs an element of marketing.

[00:00:05] We need to appeal to our audiences, have a bit of a brand that fits in with the organization’s brand, have that culture and that buy in and not just take advantage of the fact that people have to listen to us, like you’re trying to sell to them that they should listen to us, like, you know, you’re a sexy new brand and you’re trying to get new customers.

[00:00:43] KB: Joining me today is Christina Arcane, director from Inspire Cyber, and today we’re discussing the difference between cyber risk and organization wide cyber awareness. So Christina, thanks for joining and welcome. Thank you so much for having me, KB. So let’s start with the difference between the two, because again, I think people interchange terms out there.

[00:01:02] Sometimes people don’t actually know what the terms mean, so I’m keen to get your thoughts on it first. That way we’re all sort of, you know, singing from the same hymn book.

[00:01:12] Christina Arcane: Yeah, absolutely. And the difference between the two when we look at cyber risk and organization wide cyber awareness is really what’s going to reduce incidents or the impact of incidents in the organization and what isn’t.

[00:01:24] And that’s because awareness is the one way communications. Like, hey, we exist, the topic’s here, here are some tips, have a lovely day. Right, really lightweight, really light touch. But cyber risk is what we actually do, those habits that we have. So there’s no shortage of awareness, in my opinion. So most organizations will have an awareness function.

[00:01:43] There are data breach incidents that are reported in the media with lots of top tips for families. And you know, you do talk about it in your families or organizations have heaps of training on it. Well, sorry, I should say awareness on it. And most of us would know about phishing and scams, but why are they still the leading point of [00:02:00] entry of cyber attacks?

[00:02:01] Why are they still so darn effective? That to me is the clear difference between when you have just received awareness versus when you actually know what cyber risk is and the things that you do to prevent it from happening.

[00:02:14] KB: All right, so let’s use an example on that note. So, for example, in Australia, the sun burns a lot, and we get sunburnt, so it’s like the awareness is when you go out, you know, when you’re a kid, it was like no hat, no play from memory when I was in like primary school.

[00:02:27] But it’s having the knowledge then of when you do get burned, well, what do you do, right? So, that’s the way I was drawing the parallels from what you were saying.

[00:02:34] Christina Arcane: Yeah, absolutely. And it’s like, how is that sunscreen there? Like, why, how did it get into your bag? Put it into your bag, you know, have that forethought, especially in projects.

[00:02:44] I love this message in projects because there’s a lot of security embedded in projects that we don’t think about before it happens. And that equivalent is, you know, before you leave for the day to go out into the sun, you’ve actively thought about what’s the risk and you put the sunscreen in your bag.

[00:03:01] We’ll apply it, you know, the first layer before you’ve left the house and then you have it to reapply again. And in projects, like this can convert to things like penetration testing. The cyber team knows penetration testing is needed. The project team might know that there are security risks as such, but everything’s happening, there’s lots of people involved, and that the alignment ballot are like, oh, let’s talk to the cyber team.

[00:03:22] And the cyber team say, hey, there’s a penetration test that’s needed. And that could be, you know, two week turnaround, six weeks if you look at, you know, from discovery all the way to the mitigation techniques. And at that point, the project’s success, you know, whether it’s on time and under budget, is severely at risk.

[00:03:39] So they’re kind of faced with a decision there between, you know, ticking off the security boxes and putting the project at risk. And if we can kind of identify that this was going to be a problem, that the cyber risk was going to be there at the beginning, we could have put the sunscreen in the bag earlier and not forget it at the point in which we need it.

[00:03:57] So it’s things like that. I think that’s actually a really good analogy, KB. I [00:04:00] might use that again in the future.

[00:04:01] KB: But why do you think people don’t think about the risk? Because you’re right, there’s a lot of awareness, a lot of documentation that we’ve had in companies, a lot of these posters, a lot of stuff online.

[00:04:09] But obviously, it’s not getting to the point where it’s sinking in around, well, I’ve got to actively do something about it. Why do you think that’s the case?

[00:04:16] Christina Arcane: I think there is a disconnect between awareness and training. We do a lot of awareness, but we need to be doing more training. So awareness should be, it needs to be there, but it should be a small part of the piece, the 0.5, what I would say, of an FTE maximum, right? It’s the training piece, the actual practice of those habits, because cyber and security is applied in so many different ways in each one of our roles. How could you possibly account for that unless the person is well trained in knowing how to identify, well, what is the cyber threat?

[00:04:47] Or what is it that I’m doing that’s opening up a vulnerability? You know, did I make a mistake that could lead to a security risk? Am I creating automations that might have loopholes because of the way they’re set up? You can’t put that in a one hour webinar that’s designed for the whole company. So this is where that emphasis on training needs to come in so that we can mitigate at that point and get that practice.

[00:05:11] You know, do those workshops, pre think of these things to actually reduce the cyber risk outcomes that we’re seeing everywhere. And often, I think I saw the number this morning, 9,748 data breaches in 2024 globally have been reported. I don’t know the specifics of how they gathered that, but already that’s, that’s a huge number, right?

[00:05:31] So, we’re not talking about something that’s going to be really minimal impact to the organization. We’re talking about training that’s going to have a huge impact. And the cost that comes with it.

[00:05:41] KB: Okay. I do want to get into the training side of it. However, I want to get back to the awareness for a moment, because I mean, I’ve been in the space probably about a decade.

[00:05:50] And I remember, and this was part of the reason why I got into what I was doing from a different sort of perspective, is you go to all these conferences and then people would, back then, be saying like, you know, [00:06:00] what do you think is wrong with cyber? What’s missing? It’s just awareness. We need more awareness.

[00:06:03] We need awareness. Then you’re sort of saying we need less awareness and more training. So follow along from the awareness side of it. So why have people been so heavy about the awareness to the point where it’s like awareness is one thing. We’re then taking the action and de risking yourself as another.

[00:06:18] So why have people historically been so fixated on all this awareness stuff?

[00:06:23] Christina Arcane: Yeah, look, it’s a really good question, uh, and I do wonder why the awareness has got the most, and you know, maybe it’s the most presentable, it’s the most, uh, you see it more than you see everything else, so like, when you put up to the board or to an audit committee, you know, what are you guys doing in terms of awareness and training for cybersecurity, it’s very easy to say, hey, look at the 12 articles we put on the internet.

[00:06:44] Uh, look at our mandatory training module that everyone has to do, you know, the, the one hour really easy top level one, look how many people filled out this optional quiz because we offered AirPods, right? Really tangible numbers. Uh, and what you find actually, so I’ve done this before and these numbers, whilst they’re great in the, in the scheme of getting engagement from your employees.

[00:07:03] So let’s say, you know, 60 employees signed up to a webinar. Great. You know, 250 filled out the quiz. Maybe 1200 read the intranet article. As far as engagement goes, sorry. The second you have, say, a 5,000 seat organization, and using that 1200 number, because that’s the highest, that’s 25%. So, is it good enough when our objective is to reduce cyber risk, which is based on actions, to be measuring our effort in awareness campaigns that reach such a small subset of where our problems actually stem?

[00:07:34] So, when everyone’s kind of looking at, oh, we can really present the awareness, I think we actually have to go undercover and start looking at how we do that. Yeah, training, proper training across the business and how we measure proper training across the business, which is quite hard, but then going back to a point before the phishing emails, right?

[00:07:52] We all know about them. That’s a point of entry into an organization and awareness really only covers that point of entry most of the time because it [00:08:00] has to be a high level has to be suitable for everyone. But it only scratches the surface, but we need to start thinking about how a cyber attack, you know, TTPs, there’s multiple stages to an attack.

[00:08:10] How are we educating on those stages and how different roles can actually have an impact in those stages and not just the point of entry. So if a successful cyber attack happens, we’re actually not equipping the hacker with everything that they need to get the job done. We’re reducing their impact when they actually enter the organization.

[00:08:31] And this can’t be done with just awareness. This has to be done with training. And I’d love to see more emphasis on quality training in this space.

[00:08:39] KB: Okay, I want to get into that, but again, I want to press on this a little bit more. So you raise a great point on, you know, the intranet, 25%, you know, and I know people are going to say, you know, security is everyone’s problem.

[00:08:49] Yep. Okay. Totally understand that. But then equally, you can say, well, you know, from a finance perspective, it’s equally everyone’s job to reduce costs or make money, right? But here’s me, I’m not going on the internet to look up how do I reduce costs and make more money for the business because I’m just, you know, I’m just a cyber person.

[00:09:05] So, how do you get it to the stage where you’re sort of engendering that this is a thing that people should care about at the end of the day? Because the way I see it sometimes, if you’re not from a security background or tech, you’re just, you know, hailing in finance, you know, paying everyone’s salaries every fortnight or whatever it is.

[00:09:21] Why should I care that much? Absolutely.

[00:09:24] Christina Arcane: All the examples that we see, it’s that whole, you know, when it gets close to home, people take it more seriously. What’s difficult about that is you also don’t want to fearmonger people into caring about security. I think we actually have to just understand that some people simply aren’t going to care.

[00:09:41] That’s the nature of an organization and all the different roles, like you’re right. You don’t care about finance. I’ve never been in finance. Numbers scare me. I really don’t like numbers. Sometimes I don’t really care about numbers and that’s okay. It’s okay not to care. Where we want them to care is then when we do deliver training [00:10:00] to them and we have them in the room.

[00:10:01] And this is something we can definitely jump into a bit more, which is what does really good quality training look like. When they’re in that room, they care in that room. They’re working on ways to understand how it applies to them. So when they do come across that instance, because they understand it, they’re naturally going to care that bit more to help rectify it.

[00:10:21] And that’s something we see often: when you properly understand something, when you’re good at something, you’re more passionate about it. So we just want to take down the barriers. And I think there’s still too many barriers to people understanding security because of the way we communicate it. So if we can take down that barrier, put them in a room, and I mean that, you know, in a classroom, that could be virtually as well, not necessarily in the room, um, but put them in a room, get them to understand truly what the concept is about, they’re naturally going to start caring about it more, and that, I think, is the extent to how you get that across, and you need to, you see that with lots of different, I guess, initiatives of the business, you know, when you’re trying to get an improvement in culture in many different facets, it’s when people start participating, and getting their own passion for it, that you see the best results.

[00:11:06] So that mirroring that sort of strategy, I would say.

[00:11:09] KB: So getting back to the caring side of it again, now this is important because not many people will talk about this. It’s sometimes, and again, I’m just looking at all of this objectively, is it can come across like double standards. So what I mean by that is it’s like, as an industry, we want Helen from finance to care about what we do, but we don’t really care about what Helen does.

[00:11:28] So how is that fair, when you were to look at it from like a holistic perspective? Cause it’s like, well, we want everyone to care about us cause we’re security. Hey, I’m all for it. I’m in cyber security as well. But then it’s like, yeah, but I don’t really care what any other department does or what’s important to them.

[00:11:42] So how does that then work from a, you know, a dynamic perspective?

[00:11:46] Christina Arcane: Yeah, it’s just, I think, down to teamwork and what you’ve highlighted there could be the difference. So when you have a very effective professional business professional, doesn’t matter what role they’re in versus an ineffective one, which is how are you influencing [00:12:00] the people around you and getting them buy in.

[00:12:03] So of course, there’s always going to be competing priorities. And I think if we have a really good risk framework, and we understand what are these key risks, now this isn’t just across security risks, this is across any kind of risk, fraud is a risk, privacy is a risk, workplace health and safety, and if we look at all of these different things, pull them together, prioritize the impacts they’re all having.

[00:12:28] and tackle it from a holistic point of view. So what I mean by that is have a front door to all the risks that a business can have and educate accordingly. Each of those topics I just mentioned, usually there’s a separate module, uh, when you sign up to a business or sorry, when you’re a new employee, you’ll have a different module that you have to complete in the first day, 45 days of starting at the company to be educated on each of these topics.

[00:12:51] And then usually the content is drafted independent of one another and then you’re like, well, you know, privacy wants you to care about this, work health and safety wants you to care about this. But if we can bring them all together and there’s a fractal to the business that prioritized accordingly and we, [00:13:07] as a team, share the communications that we need and the content and collaborate better, then we can actually start reaching our audiences more effectively across all of them. Because I am quite a bit of an advocate, not just for security, but for also all the different topics, fraud. I know in many capacities in which I worked, most cyber incidents had a fraud component.

[00:13:27] So we had to work together anyway. So extending that relationship, you know, when finance has a problem, help them out and they’re going to help you in return. So really managing those relationships across the business to build culture as a team. So I guess the bottom line there is teamwork, right? Just how we would expect it to work a lot harder when you have large organizations.

[00:13:47] But not impossible either. It’s just the way you manage it.

[00:13:50] KB: Okay, I wonder if we’re both now into the training side of it. You mentioned it, but what I want to get into before that is, don’t people hate training though? Because I’ve been in training [00:14:00] before and it’s like, oh, three days of training. You’re falling asleep.

[00:14:02] I don’t care. The person that’s talking is boring. You know, the guy beside me is on his phone. Like, that just is what makes me, it triggers me when I think about training.

[00:14:13] Christina Arcane: Absolutely. And I think you pretty much nailed it there when you say it’s dry and it’s boring. And I want to correct the statement to people hate poorly delivered training.

[00:14:22] And we’re seeing this more often. Training is very accessible and that’s not necessarily bad. It’s not often presented by someone who is naturally or trained to be a really good presenter and facilitator. And that makes the difference between training that is boring that people hate. And training that is actually engaging.

[00:14:41] And I think I’ll give you a quick example. I was in an environment once where there was a change management lead that had to do a rollout of a new product. And they did a training presentation. It was about half an hour and I had a slide in it because they did the right thing. They came to security and they said, you know, can you help me out?

[00:14:56] Is there a secure component? Yes, absolutely. Thanks for contacting me. Let me put something in there. And for the rest of the call, I’ll be there as a support. So I’ll answer any questions. Just call me if you need it. My mindset was so clocked out of that presentation, even though I was a part of it, so the section that I wasn’t presenting, that when I was called upon, I was like a deer in headlights, because all I heard was my name, and I, and it was evident, I was really embarrassed, because I had to be that person, she said, I’m sorry, could you repeat the question, and I put that down to that this person wasn’t an inherent trainer.

[00:15:30] They’re like, how hard can it be? I’ll put together a presentation. I’ll deliver it across the business. Everyone’s going to see this presentation, but it wasn’t delivered to the quality. And I’m talking back to basics quality. Now, how are you actually teaching concepts? Can you teach them from the back of the room so that people can get the concepts themselves?

[00:15:46] How can you actually deliver something with that interactive element to the training is the best quality. And then people won’t hate it so much. Like I remember the training courses I’ve done. Then I’ve actually enjoyed it. Like I liked the trainer, the [00:16:00] content may have been dry, but they delivered it in an engaging way.

[00:16:02] And I remember it. I don’t remember the ones that were really bad because they just sort of disappear in the background. So I’d like to change that narrative and get people to like training again, by delivering good training and not underselling the skill set that’s required to deliver good training.

[00:16:19] KB: Look, I agree wholeheartedly. Now, I want to sort of go into that example a little bit more. What would you say would define someone as not a great trainer? Just from your own experience and things that you’ve observed, because perhaps people aren’t aware that they’re not a very good trainer.

[00:16:33] Christina Arcane: Yeah, exactly.

[00:16:34] Yeah. Like we, we undersell the training skill set. So they aren’t aware. They do think, you know, how hard can it be to put it together? And in some degree, it’s not hard. Yeah. But what is hard is you kind of have to think about what actors and actresses go through, you know, when they, in character, they have, each character speaks differently.

[00:16:54] They have different tones in their voice. They have different pitches. Sometimes they do dramatic pauses, right? God, this has taken me back to drama in high school, actually. But it really is implementing those sorts of techniques into a presentation so that you’re communicating those concepts correctly.

[00:17:13] We’ve all heard of storytelling, right? We need to use storytelling more so that there’s something for the audience to connect to. But that doesn’t just mean having a story. It means being able to tell the story in a way that’s engaging too. So, I think the way that these, whenever there’s a presentation to be done, if there was a central unit, and sometimes like the learning and development team can help you, you know, train the trainer, but not just on the content, on the actual delivery of the training, you know, do a check in, do a practice, give them tips, tell them how to present, and if you have sort of a central control unit that helps with that, then you’re going to get the message out more effectively.

[00:17:53] Because your trainers are more effective in what they do.

[00:17:56] KB: Do you have anything that would sort of indicate as well like, Oh, this person’s not the [00:18:00] best in terms of maybe they don’t know the content enough. Maybe they haven’t practiced enough. Maybe they seem nervous. Maybe they are hung over that day.

[00:18:07] So it’s not coming across great. I’ve seen all of these things and you’re right in terms of, you know, when I’m doing these MC things, when I’m often saying to companies and clients, it’s like, Yeah, okay, you can just get Helen from Accounts up there, but does she really know the art and the craft of doing this to get people excited to know, you know, when something bad happens and someone falls off the stage, how to manage that?

[00:18:30] You need to have experience to do that properly and to keep people engaged, which is hard. And I think the same sort of work, uh, in terms of the mindset, is similar to what you’re sort of saying on the training front. I can’t really remember when I had a great experience with training. I’ve just found it very banal.

[00:18:51] Christina Arcane: Yeah, I’ve got a good example here, actually. Because one of the, I guess, arguments to this is, well, we’ve got to give people a chance. Right? People need to present; how are they going to get better if they’re not practicing? And I attended an industry day, I guess, conference day where they had a bunch of KBs on stage, you know, everyone did about half an hour each and we got a lot of topics in and it was a cyber security industry day.

[00:19:13] At the very beginning, it was vendor backed, so it was the vendor managed the whole day. They had said that they have a program internally where they’re improving the training and presentation of their people so that they have the opportunity to broaden their skill sets. Awesome. They didn’t just put their people up on stage there though.

[00:19:31] They went through weeks of building their presentation and working with experts so that the presentation was at the level that they wanted it to be in order to, to deliver on that opportunity. And I think there is sort of the key to doing this is you can give opportunity to people to present, but still ensure that the quality is there.

[00:19:49] So you’re not compromising the messages that you’re trying to deliver. And this, and it comes with effort, right? If you’re, if you’re passionate and you want to put in the effort, you know, you’re certainly passionate. Maybe I’m passionate about [00:20:00] what I do. And you wouldn’t get us in front of people not, you know, trying to deliver our very best because this is what we do.

[00:20:07] So if we could help others do the same or recognize any time there’s a presentation, that person might need a little bit of assistance to deliver. Like, let’s do it. Let’s give them that opportunity. Let’s train them. Um, and this industry day really sort of brought that to my attention. I’m like, hey, this is a really great way to do it because I don’t want to leave people behind.

[00:20:25] There is so much room in this space. We need more training. I’m an advocate for more training. But for more training, you need more trainers, and this is how you get more trainers. You help them. You teach them. Train the trainer, but in a good way.

[00:20:38] KB: So, Christina, you talk a lot about going back to basics to overcome common IT obstacles.

[00:20:43] So maybe give me an example. Talk me through this. Now, I ask this question because I remember this was probably going back about, I don’t know, seven years ago. And I was in the room with the CIO of a, of a company. And he was like, you know what, KB, I’ll do these trainings. But the part that gets me the most about the training is they don’t say why we shouldn’t do it.

[00:21:01] Just don’t pick up, you know, this was back then don’t pick up a USB and plug it in, but there was no why behind it. So I’m really keen to see what you think about this and, you know, inject some of your thoughts into this, because again, everyone talks about, you know, the basics and, you know, don’t do this.

[00:21:16] Don’t click on that link. But maybe it’s still not resonating with people. Yeah. Absolutely.

[00:21:21] Christina Arcane: And it isn’t resonating when the concepts, the IT reason behind why it’s missing. An example is domain names, right? I have done workshops at a high level. So this is if you’re phishing, MFA, your passwords type of situation.

[00:21:36] So that the top level, I actually think of it like a pyramid when it comes to training on cybersecurity. Um, so like all the triangle, the bottom layer is your cybersecurity professionals. So the technical layer. The middle layer is what I think business professionals need to understand, which is more in depth, um, but not as deep as what cyber professionals need.

[00:21:55] And the top little triangle is the, literally every single citizen from, [00:22:00] you know, the second you use a computer at, well, I was going to say 12, but I’m going to say that kids access the internet much earlier than these days, all the way up to, you know, my grandpa who’s 85 and also uses a computer for his email.

[00:22:11] That’s a top triangle. And in that top triangle, which is where your awareness comes in, that’s your lightweight training most organizations do, a lot of people actually still don’t understand how what comes after the at symbol is what determines a real email address that’s legitimate from a fake one.

[00:22:29] And when I do communicate this concept and I break that down, and that kind of goes hand in hand with, well, if they do click a link and they land on a web page, how do they know that that URL at the top is the real, you know, Microsoft.com, for example, compared to something that’s not Microsoft.com, but looks like it.

[00:22:46] And that to me was sort of inherent knowledge being in the industry. I just, I just knew I know how to read a domain name. But so many people don’t, and we sort of skip over that sometimes when we do social security education. And when we skip over that, well, they’re not really getting the understanding that they need to mitigate that when they come up against it.

[00:23:06] Another example is the difference between saving locally to your desktop or saving to a corporate cloud with corporate files. You know, people might say, well, I just saved it. You know, I click save now. Where did it go? I don’t know. I know OneDrive is notorious for not telling you where it saved it, when you download a file and where did it go now. But by not understanding how your [00:23:28] work environment is set up, from sort of a really basic network structure, like, you know, this is where you should save documents, this is the cloud, this is how it works, people could be saving documents all over the place. And when they do that, they leave them exposed to sort of hackers, when they do get in, finding them.

[00:23:45] And when they find them, they use them, and it ends up with a significant data breach or cyber incident, depending on the interests of the hacker. So there’s little things like that, you know, password managers, they aren’t inherently easy. I understand that. So how do [00:24:00] we overcome that obstacle? We’re going to teach them how to use it.

[00:24:02] And what are the foundations? Why are they using it in this way? If we cover those, people actually start upskilling, not just committing to memory, like you said, but what not to do’s or what to do’s. They’re actually understanding the background, which means they’re going to remember it better.

[00:24:17] KB: So would you say generally historically across our space, people have overlooked some of these more nuanced things that you’re saying around understanding the mechanics of how things work?

[00:24:27] Which maybe gets them to think about what they’re doing a little bit more before they do it, for example. Why do you think people have overlooked that, though? Because that, when I look at this objectively, it does seem obvious. However, again, sometimes it’s that forest for the trees analogy. Like, when you’re so close to something, it does seem obvious to you, but perhaps, you know, you need to explain things a little bit more to other people.

[00:24:49] Yeah, absolutely.

[00:24:50] Christina Arcane: I reckon, because I’ve thought of this too, I think surely, like how, how we’ve stumbled across this understanding and not sort of seen it before. And I think it comes down to how limited space you get in an organization to communicate security topics because it’s such a small space. Like you only get an internet article X amount of times.

[00:25:12] You only get communications out to the business here. So working with what you get versus the amount of topics you have to cover, you go straight to the, to the good stuff, right? Only tell employees. Don’t reuse your password. Don’t do this. Do do this. Because you have to, they, they only have a certain amount of time, your employees, you have only a certain amount of space to communicate with them.

[00:25:35] So you’re going to hit the main points and nothing else. And we got so used to having to do that, that that was just skirting across the underlying why. And it was really hard to go back and explain the why because we just kept working with the parameters in which you have to get information across.

[00:25:52] And that sort of leads me to why we need to not focus so much on awareness and start shifting the business [00:26:00] to prioritizing training. Which is very important. There are a few things that businesses can do to prioritize training.

[00:26:07] KB: Okay, so maybe elaborate on that a little bit more because you’re right and I think that there is enough stuff floating around there.

[00:26:13] But I’m also then curious to how do you deliver these things effectively so it’s not just, Oh, we’re doing another training with Joan and Joan’s boring as hell. Like we want to make sure that people are actually understanding this.

[00:26:23] Christina Arcane: Yeah, so you get confident trainers is my first one. You know, get either, either train your trainers or get confident trainers in to do sort of the classroom workshops or virtual hybrid sessions, um, so that presentation and the training

[00:26:36] is the quality that you need to get the communication across. So first of all, that’s, that has to be a priority there. The other thing is that you need, those trainers need to sort of teach from the back of the room. So stop just the one way information overload training and start from having the sort of the school of students or the audience teach themselves based on things that you can relate to them.

[00:26:56] You can ask certain questions, you can do activities. You know, our activities these days are simply the whole, you know, like Slido, you put a word in and then there’s a word cloud of everybody’s words, you know, that’s great, but that’s just the surface of some of the activities you can do to drive a message.

[00:27:13] The other thing I’m going to say is two things. These are my favorite. These are really important. The first one is meetings. Meetings are always in the way. I cannot tell you how many courses, workshops I’ve delivered, uh, sessions that people have had to leave halfway through or jump in and out or not attend at all at last minute.

[00:27:32] Because they had important meetings. But another narrative going on in the business is that, Oh, we need to have meeting free days because we’re too bogged down by meetings. And everyone gets it. This should have been an email instead of a meeting. And yet none of that is happening. We’re still in those bad habits of letting meetings run

[00:27:52] the way we work. And so as long as that’s occurring and we’re not empowering employees to say, Hey, no, you need to be in training. [00:28:00] This is what you’re going to do. We’ve already got an expert trainer, so we’ve taken down the obstacle of it being boring. Now we need to let them know, ditch your meeting. It’s okay.

[00:28:08] I want you in this training. And a way to sort of, uh, the concept there is the sharpening of the axe. Training is the sharpening of the axe. And I’m referring to that, you know, that analogy about the, the woodchopper who keeps chopping all day, but then another one keeps going for a break every hour or whatever it is.

[00:28:23] And he’s like, well, how are you ahead of me when you’re taking so many breaks? And he’s like, because I’m sharpening my, training is sharpening the axe. So we have to give it the attention and the break that it deserves. But meetings get in the way. And so the last one is more effort into marketing. The cyber security awareness and training function needs an element of marketing.

[00:28:45] We need to appeal to our audiences, have a bit of a brand that fits in with the organization’s brand, have that culture and that buy in and not just take advantage of the fact that people have to listen to us, like you’re trying to sell to them that they should listen to us, like, you know, you’re a sexy new brand and you’re trying to get new customers.

[00:29:03] Really put that marketing perspective in and look, that can apply to most functions, actually, not just cybersecurity. I think everyone, if they put a little bit more into marketing, you know, their own personal brand, we might get a little further with the messages we’re trying to communicate.

[00:29:18] KB: Okay. So there’s a couple of things in there that I want to get into.

[00:29:21] I want to start with getting, like you said at the start of your conversation here around getting good trainers. So now one of the things that gets me is when I’ve been in corporates before, or even at conferences, and it’s like, okay, everyone stand up and shake your hands around. Like I’m at a Wiggles concert.

[00:29:40] It kind of feels like that. I find that personally, Christina, real cringe. So, would you agree or disagree that that would be a high caliber trainer or maybe not?

[00:29:51] Christina Arcane: That’s a hard one because it depends on the context that they’ve done it in. I don’t like making people dance. I think not everyone likes it and, you know, it feels a bit like a Wiggles concert.

[00:29:59] I do [00:30:00] see the value in circulating the blood. It’s like when you’re sitting at home all day and you haven’t moved for a while, you know, a few hours have gone past, you’re working and you haven’t actually got those endorphins going. It’s the same reason why, you know, when you exercise, you have so many benefits because your blood is moving.

[00:30:15] So also, like, to the clarity of your brain. So I wouldn’t say, you know, if it’s just, Hey, out of nowhere, get up and shake, right? Not so much. But there are other ways you can do that. You can get people up physically to do an activity if you’re in a classroom environment, right? So that if you’re putting them into groups to do an activity, you know, you make sure the groups are such that people have to physically move across the room, or if you’re teaching a concept, does everyone have to be sitting to learn that concept?

[00:30:43] Let’s go over here. I’ve got a poster that I pre-bought, brought with me, that I’ve designed to communicate a concept. So let’s go look at it. I’ve put it over here at the back of the room. So let’s get up, walk over to it, have a discussion around the poster, and you’re sort of achieving the benefits of physically getting up and moving without the whole, you know, let’s put on a Wiggles routine and have a bit of a go, right?

[00:31:04] So, you know, pros and cons of such, such a skill set. There are ways to do it that aren’t so cringe. Because I get it. Like, we don’t want to be cringe.

[00:31:13] KB: Yeah, and look, this is really important for me as someone who has participated in cringeworthy content before working at companies, whether it’s, you know, online training, which we’ll get to in a moment, but I remember explicitly working in the bank and then the GM gets out and then everyone looked around like, why are we doing this?

[00:31:32] Like, it’s so awkward. Or when you’re at a convent, it’s like, Hey, everyone, how’s your day? And then it’s like, you didn’t say it loud enough. I can feel the awkwardness in people sitting around me thinking I don’t want to do this. So for me, like when I look at cringe training, for some reason, we just seem to be cringe in our space.

[00:31:53] And that’s what bothers me because it actually does the opposite of what we’re trying to do. It actually gets people so [00:32:00] off cyber security to be like, those guys are a bunch of weirdos. There’s, Hey, those guys are really intelligent. The way that they did their training is intelligent as well. So I’ve found just over a decade.

[00:32:12] I’ve been in rooms and around this type of security awareness training where I’ve genuinely felt embarrassed that that’s the stuff that we’re putting out and that we’re trying to tell people to be like, Hey, we’re the cool kids.

[00:32:23] Christina Arcane: Yeah, look, I would love to hear your opinions, KB, in another time on the Apple releases and the Microsoft releases.

[00:32:31] Have you seen them where the executives would get up on stage and it’s like a full on concert to release the new iPhone? It’s sort of that, that vibe is what I’m getting, that, you know, can be a bit cringe. You literally have on stage, you know, a whole bunch of people, very technical in nature, and they’re sort of doing a dance like they’re, you know, lead guitarists in a band.

[00:32:51] And there’s something that, I don’t know, I watch them and I think, I’m kind of like, cool, like, you know, we’re doing it differently. We’re giving it a go. And then I’m also like, there’s something about this that doesn’t fit sometimes. So I think my mood can depend on whether I’m for or against that, but cringe, cringe has its place sometimes.

[00:33:08] And the reason I say that and sort of to challenge that notion is when you have such a diverse workforce, different people, cultures, ages, demographics, sometimes that low hanging fruit, the cringe of corporate humor, because you don’t want to, you know, offend too many people. You want to make sure that you’re doing it respectfully.

[00:33:30] So there has to be potentially like a small layer of cringe that helps, but I don’t, I’ve never been personally called cringy or cringe worthy. So I think there are other techniques you can do that aren’t cringy, but actually get engagement. And I’ve always got really great feedback. So, you know, maybe there is a better way to do it than instilling corporate cringe.

[00:33:49] KB: Well, I’m asking this question because I go out and I ask people in market about what they think. And then whether I inject some of that into the, the, the interview that I’m running with you today, I’ve personally been involved with it. [00:34:00] And you know, even before doing our interview, I was like asking people in my network, like, what do you think of security awareness training or like just generally and people are, Oh, it’s cringe.

[00:34:08] It’s boring. It’s, uh, you know, we’re just doing it for a tick in the box. So I, I try to get a bit of a, you know, a rounded approach from industry to sort of see like what is going through people’s mind and then getting someone like you to respond on that. And that was something that came up was it’s cringe.

[00:34:24] So again, these are things that we have to do better in our industry that, you know, it’s getting people like you on the show to explain, Hey, we haven’t done this so great in the past, but this is how you can go about improving it moving forward.

[00:34:37] Christina Arcane: I couldn’t agree more. It absolutely, like, improve it moving forward and actually acknowledge

[00:34:43] the skill for what it is and that we have to put that effort in, you know, it’s crazy because they’re not putting effort in. The other thing as well that can help with that is the security awareness and training teams. Most organizations will limit it to 1, maybe 2 people. You really aren’t going to get quality with that many people working that function.

[00:35:02] We’re trying to say that cyber security is everyone’s responsibility. We’re trying to distribute cyber skill sets amongst the business. But we’re limiting the team that are trying to achieve those objectives. So what’s the bigger picture here? Like we should be getting, or at least collaborating with collaborating, sorry, with more people.

[00:35:21] And not just making it be, you know, sole responsibility of one, maybe two people, because that’s the outcome you’re going to get. So, you know, I completely agree. I’m all for this entire conversation. Sometimes I just look on the other side as well and think, you know, well, what are the obstacles to achieving this quality training?

[00:35:38] And, you know, budget, management buy-in, you know, all the things that are coming down from the top. So now the conversation is, well, how do we get them to see that this is not working? And if we want to reduce the costs associated with cyber incidents and get our people truly understanding it, this is what it’s going to take.

[00:35:57] Quality, training, more people, [00:36:00] a bit more budget, and move it up that way.

[00:36:02] KB: What about online training? Now, I have worked a lot with a lot of online training and I remember when I was an internal employee in security, I was on the list for people who hadn’t completed it. And the reason I hadn’t completed it was it was cringe, boring, terribly executed.

[00:36:19] And then I just clicked next, next, next, next, next. And that is, that is a hundred percent true because I didn’t feel it was engaging. And so then I thought I’m in security and I’m thinking this is bad. Imagine what other people in institutional banking are probably thinking of this. So, I was let down by that because they invested a lot of money into this and then I think that, you know, now people aren’t really reading it or watching the little video, they’re just clicking next to get through it and hoping they get a pass to get off the, you know, the normal compliant list.

[00:36:48] Christina Arcane: Yeah, and that’s, that’s the problem, right? It’s a module designed for compliance, so you’re never going to get take on that. I agree with you. I click through, like, as fast as I can for those modules. You know, not just the cyber one, the privacy one, the fraud one, I think there’s one on the project frameworks as well.

[00:37:05] Whatever that may be, I’m clicking through as fast as I can because they’re limited to what they can communicate. And instead of trying to build these huge modules, right, you gotta like, why are they there? We want people to know, to be introduced to the world of cyber security, because this is our front door to when someone starts new, right?

[00:37:26] We wanted them to start working in the ways that we work here and thinking about security. Seriously, that’s number one. Number two is what we want. When order comes, we say, Yep, every single person has done training. Here’s the, here’s the list, right? Because you can actually attest that these people have done it, the logs for it.

[00:37:42] And here’s the module, you know, read through it, and it’s going to make sure it ticks the boxes. You can still tick the boxes, but communicate in a much simpler way. The why shouldn’t start in a compliance module at the beginning of somebody’s work relationship. They should be shorter, [00:38:00] simpler. Hey, this is who we are.

[00:38:02] Here are some of the things we’d like you to keep an eye on. Throughout the next six months, we’re going to engage with you in other ways as well. And you tell them that in the module. So you, you start it like it’s a relationship. You can still seek your compliance fixes and now actually start an effective relationship with the newbies in your organization and take them through a journey, as you, as they go on, where they’re actually digesting those concepts that you have, because, and the reality about digital based security training online modules is they’re needed, right?

[00:38:32] We have too many remote workforces that will never be in the room. At the same time, even, because we have too many time zones across our larger, larger organizations. Uh, we have people who prefer to sit behind the computer and learn. They’re not people who want to be in a classroom in front of people.

[00:38:48] That’s too much for them. So, you can still use modules to target these audiences in beneficial ways, but the everything-in-one-module upfront, that’s terribly boring and people click through just to get to the end. Is it the way to do it?

[00:39:04] KB: So what you’re saying is you have to be a little bit more selective with the modules and then how you are distributing those across your organizations, et cetera, based on, you know, how people learn, for example, because you’re right.

[00:39:15] What I’ve seen in the past is just people just calling up some vendor, getting an off the shelf solution, and then we’re just going to implement it across x many thousands of people who all learn differently. I’m an audio person. Some people aren’t. They have to read stuff. They have to watch stuff. So, would you say companies need to have a blend of all of the things, and when I mean all of the things, actually doing it right as well, not just getting a generic off the shelf solution in order to keep the powers that be happy?

[00:39:43] Christina Arcane: Yes, absolutely. You want to achieve both. You want to keep the powers that be happy, but you also do it effectively. And if I tell you what that looks like, because that can be really hard to tell to some people, it’s, you know, have a 15 minute cyber module, so it’s so short, but even less. That just hits the main points [00:40:00] when they start.

[00:40:00] And literally introduces them to what’s going to happen over the next six months. And in that six months to that group of new starters, you distribute different types of education and communication. So this is now blending where we, cause you have to start with awareness. They have to know that you’re there.

[00:40:17] That’s what I mean by it before, like, there is still a place for awareness, but you have to shift it into training. So then, so maybe it’s an email out to them within the first week saying, Hey, you know, you ruined our training. This and that information security policy, you know, please have a quick, quick look when you have a chance.

[00:40:32] You know, maybe there’s an Easter egg hidden in there that we’d love or a question we’d love you to answer on it, you know, maybe a little boring, but it’s simple. It’s one touch point. We haven’t done it in 10 different concepts with 10 questions at the end, all at the same time. So, take care. You know, and then maybe it’s two to three weeks later, we were like, Hey, we’ve got a 15 minute with like all the new starters from this month.

[00:40:51] Jump into and we’re going to have a quick discussion about cyber security for those who aren’t a fan of jumping into that 15 minute. And it’s like, Hey, we’ve just sent you all a video and the video might be very different and engaging. And then those who preferred that video. Yeah, they’re watching that.

[00:41:06] They’re getting the message through. So, drips and drabs, and what I can’t stress enough is it has to be a continued journey, understanding your audience and getting feedback at every point of the way and pivoting to that, west, yeah, you said, getting something better than pleasing the powers that be with a, you know, module at the top, top of the day.

[00:41:28] KB: So you want to give people options around, hey, here’s the video versus, here’s comes along for this training thing. And you, when you say continuous, what does continuous look like in your eyes?

[00:41:38] Christina Arcane: Yeah, so in my eyes and what’s best for an organization may be two different things. All the same, in the sense that in my eyes, it will have to fit the organization.

[00:41:47] So there’s a degree of general advice I can give, and there’s a degree of, Hey, I’d love to know these bits and pieces about your organization to give something more specific that would work for you. But nonetheless, the [00:42:00] generic advice that I would apply to say, well, what does it look like if we’re touching base more frequently is to have 10 minute modules distributed quarterly on cyber security concepts that can be done in a creative way, but not necessarily like I’m not asking like for movies.

[00:42:17] I’ve seen some modules where it’s a movie to get across a cyber security message and look that might suit your organization. It just depends, right? I’ve, I’ve had engagements with companies that are very traditional, um, because of the way, the nature of the company. So, you know, sort of similar to your banking structures.

[00:42:32] And I’ve had engagements who are primarily tech companies. It’s a completely different audience again. Um, you would not communicate to a tech company audience the same way you communicate to a banking company audience. Unless you’re looking at the banking’s tech team, it would be different, maybe more similar to the tech team.

[00:42:50] So you want to have a suite. So I would say you kind of build all your content up front and have a suite of options, 10 minute videos, quick articles, activities at the ready, and then understand your, your channel. And then for each of your identified groups where you can kind of bundle, well, what would their training personalities might be like, or how are you going to reach this audience?

[00:43:12] And that’s going to be in combination of not just what their training needs are, from a, like a, I prefer videos to, to written articles sort of flavor, but also how is audit going to track that you’ve hit, hit the groups that you need to hit, because there is a balance here, right? You want it to be engaging, you want to reduce actual cyber risk.

[00:43:30] We do also have to hit compliance and regulatory requirements, and there’s more and more on that happening. So once you have a full layout of all these components, it’s very simple to deploy them at a schedule that’s easy for your environment, where you’re injecting interest topics. If you find a really cool article that’s suitable for secured developers, how are you getting it to them?

[00:43:52] So you set the framework and it’s really just, you know, plugging in as you go different components that you’ve already got so that [00:44:00] we’re building that up. What’s most important for me, because this is a full rounded program, is then, you know, whether it’s every month, every quarter, it depends on your workload, how many people you’ve got, how many people in the company, what are your target groups, you’d have that classroom training for those who need it most.

[00:44:17] And this could be your risk and compliance teams, right? They’re often doing a lot of cyber risk and managing the risk frameworks, but they don’t have the cyber knowledge that they need. Your audit teams, how are they auditing something they don’t know? It could take a lot of time. Business analysts, project managers, developers, some of the other groups, get them in a room or hybrid, of course, virtual as well, and deliver a course like training module.

[00:44:42] So that could be on it, like just the hour, get them for two hours, have activities and actually deliver something meaningful to that group and do that more than what we’re doing now. I don’t even think some organizations correctly do that without, and I’m talking like, this is the difference between just really lightweight training that companies would do or an online module, between that and like a full 2 day cyber security course.

[00:45:05] There’s an in between that we could be giving to our people. And that’s where I think the sweet spot is.

[00:45:10] KB: So Christina, is there any sort of closing comments or final thoughts you’d love to leave our audience with today?

[00:45:16] Christina Arcane: I think it’s just about thinking of the impact that you need your training to have, realizing what it’s going to take to get it and actually executing it is what’s most important.

[00:45:28] And it really is about quality of the training. That’s what we have to focus on if we want to get the reduction of real cyber risk across the organization.
