Darrell Flinn is an experienced Head of Information Security with over 15 years of experience working in London, Belfast and Dublin. He has held roles in Information Security in a variety of industries, including finance, insurance, gambling, recruitment, travel and Fin-Tech. Darrell is a Certified Information Security Manager (CISM).
While working for Europe's fastest-growing fintech, I was tasked with finding a new security awareness tool. I looked at three of the largest and leading providers, and this is what I found in terms of what needs to be considered when going on this journey.
Often information security is pitched as being sexy and dangerous to generate clicks on news websites or to sell products and services. In my 16+ years working in the industry across businesses as diverse as gambling, travel and fintech, I see the industry in a different light.
I often use analogies to convey a point, so I’ll stick to this trusted approach. I often get the urge to change my car. I’m a sucker for learning about the latest EV or admiring the interior of a luxury saloon. After a few minutes of reading or watching content, the realisation dawns on me each and every time. I don’t need a new car, my current car meets all my needs and has a couple of extras too. Once I do the basics right, such as service it annually, replace the tires and drive responsibly, I should expect all my driving needs to be met.
Information security is fundamentally the same as the day I started working in it, and I suspect it will be the same the day I retire. Information security teams have a finite amount of resources, whether that be people, money or, of course, time. So my approach and recommendation are to do all the basics correctly and prioritise them in order of importance to your organisation and the risks it faces. Do this, and you will have created meaningful value.
While compliance with industry regulations and information security standards is important, it is not enough to protect an organisation from cyber threats. A compliance-first mindset, where employees treat information security as a tick-box exercise, can be detrimental to an organisation's security posture. Instead, organisations should focus on engaging employees and fostering a sense of ownership to create a culture of security that is sustainable and effective.
To achieve this, organisations can start with a problem statement:
“The need for compliance with information security regulations has made it mandatory to have information security awareness. However, due to lack of proper awareness, the risk of our employees falling victim to cyber attacks has increased.”
This statement can be used to identify the root causes of the issue and develop targeted solutions. Yes, compliance requirements adhering to internationally recognised standards and industry regulatory needs must be met. But there is far more that can be achieved, such as:
Gaining employee buy-in and, as a result, a true sense of ownership. Don’t assume you know what they don’t understand. When people get what they want, they are more engaged.
Issuing meaningful, digestible, just-in-time training off the back of areas identified as not being adequately understood.
Meaningful, trackable metrics and reporting, which can be used to evidence maturity to your board, customers and regulators. Examples include: clicks on phishing emails; submission of password credentials; and departmental, regional or business-line performance when targeted with phishing emails.
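To make those metrics concrete, the following is an added example (not from the original post and not CultureAI's code) that aggregates constructed phishing-simulation events into per-department click, credential-submission and report rates, the kind of breakdown a board or regulator would expect to see. The event format, action names and department names are assumptions.

```python
from collections import Counter, defaultdict

# Constructed phishing-simulation events (not real data). One "sent" record per
# simulated email, plus any action the recipient took against it.
EVENTS = [
    {"user": "a.smith", "dept": "Finance", "action": "sent"},
    {"user": "a.smith", "dept": "Finance", "action": "clicked"},
    {"user": "a.smith", "dept": "Finance", "action": "submitted_credentials"},
    {"user": "b.jones", "dept": "Finance", "action": "sent"},
    {"user": "b.jones", "dept": "Finance", "action": "reported"},
    {"user": "c.lee", "dept": "Engineering", "action": "sent"},
    {"user": "c.lee", "dept": "Engineering", "action": "clicked"},
    {"user": "d.kim", "dept": "Engineering", "action": "sent"},
    {"user": "d.kim", "dept": "Engineering", "action": "reported"},
    {"user": "e.roy", "dept": "Engineering", "action": "sent"},
]

# Actions we track; anything else in the feed is ignored rather than crashing the report.
ACTIONS = ("sent", "clicked", "submitted_credentials", "reported")


def department_metrics(events):
    """Return per-department counts and rates relative to emails sent.

    Rates are normalised by 'sent' so that a large department is not penalised
    simply for receiving more simulated emails than a small one."""
    counts = defaultdict(Counter)
    for ev in events:
        if ev["action"] in ACTIONS:
            counts[ev["dept"]][ev["action"]] += 1
    metrics = {}
    for dept, c in counts.items():
        sent = c["sent"]
        rate = (lambda n: round(n / sent, 3)) if sent else (lambda n: 0.0)
        metrics[dept] = {
            "sent": sent,
            "clicked": c["clicked"],
            "submitted_credentials": c["submitted_credentials"],
            "reported": c["reported"],
            "click_rate": rate(c["clicked"]),
            "credential_rate": rate(c["submitted_credentials"]),
            "report_rate": rate(c["reported"]),
        }
    return metrics


def weakest_department(metrics):
    """Department to prioritise for just-in-time training: highest
    credential-submission rate, with click rate as the tie-breaker."""
    return max(metrics, key=lambda d: (metrics[d]["credential_rate"], metrics[d]["click_rate"]))


if __name__ == "__main__":
    m = department_metrics(EVENTS)
    for dept, row in sorted(m.items()):
        print(dept, row)
    print("Prioritise training for:", weakest_department(m))
```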
By focusing on engagement, ownership, and meaningful metrics, organisations can create a comprehensive and sustainable information security awareness program that truly protects the organisation from cyber threats. While compliance standards and industry regulations are important, they are only one piece of the puzzle when it comes to information security.
When it comes to selecting an information security awareness tool, it's important to remember that companies want to see their actual pain points addressed. This is a critical factor in determining which tool to choose. In my experience, companies often buy these tools to meet compliance requirements or simply because they think they should. But they should be focusing on solving the real security problems they face.
After running a proof of concept with three of the largest and leading providers/tools in this space, I selected CultureAI over its competitors as it addressed the actual pain points of running such a tool. The reason I chose CultureAI was due to its ability to provide worthwhile insights from phishing reporting, which can actually be acted upon to improve the business's security posture. It also offers easy-to-use reporting buttons, which work regardless of the browser or operating system your business uses.
CultureAI provides phishing templates that are designed to test staff and provide feedback that is immediately actionable. The training content provided by CultureAI is easily digestible, relevant, and editable. Additionally, CultureAI allows you to design and configure automated awareness programmes easily and quickly. This, in turn, provides meaningful and actionable data that empowers you to make meaningful changes in your business.
The ease of use for employees in reporting phishing emails was also a critical factor in choosing CultureAI. The reporting button is easily accessible regardless of the browser or operating system used. Automation is used intelligently, saving resources and allowing the information security team to focus on other security problems.
What sets CultureAI apart from other information security awareness tools is its ability to provide insightful and meaningful data about employees’ security behaviours.
This monitored information can help recognise problem areas that need to be focused on, making CultureAI stand out with regard to providing information to executive committees and the board. By using the data provided by CultureAI, organisations can get a clear picture of their security posture and take steps to improve it. This data can also help to identify potential threats before they become a problem, allowing the organisation to take proactive measures to protect against them. This level of insight is essential in today's fast-paced business world, where threats can emerge at any time and from any direction.
Companies should focus on solving their actual security problems when selecting an information security awareness tool. Compliance requirements must be met, but the focus should be on addressing real pain points. In my experience, CultureAI does this better than any other tool on the market.
The future of the awareness/human risk management industry lies in using data-driven security coaching, automated interventions, and nudges to empower users to prevent breaches and not cause them. While AI and automation are important components, they should not overshadow the need to focus on the basics of awareness. The limited budget, resources, and regulatory demands of the industry make it crucial for providers to offer solutions that can make a real impact.
In addition to providing easy-to-use reporting tools and phishing templates that employees are likely to fall for, awareness providers should focus on using data to deliver relevant and meaningful training content. By analysing data from phishing reports, providers can identify areas where users need more education and offer targeted training to address those gaps. Automated interventions and nudges can also be used to remind users of best practices and alert them to potential security risks in real time.
Ultimately, awareness providers need to focus on empowering users to take an active role in preventing breaches. This means providing training and resources that are easily accessible and actionable, as well as using data to deliver personalised coaching and interventions that address each user's unique needs. By taking a holistic approach to awareness and human risk management, providers can help organisations stay secure in an ever-evolving threat landscape.