Developing a Phishing Awareness Program with Brent Maher, CTO of Johnson Financial Group

In this week's episode Dr Crane talks to Brent Maher, former CISO of Johnson Financial Group, about the human element of phishing and communicating value to stakeholders.

This episode was recorded when Brent was CISO of Johnson Financial Group. He is now the Chief Technology Officer.

Show Notes


In this episode:

00:00 — Welcome

01:31 — What Works? What Doesn't?

02:43 — Successes In Mitigating Phishing

03:56 — The Human Element Of A Phishing Program

06:34 — Getting Approval For A Phishing Program From Executives

08:45 — Challenges In Implementing A Phishing Program

11:27 — Sign Off


Brent Maher:

LinkedIn — https://www.linkedin.com/in/ciso-brentmaher


Thanks To Our Sponsors:

Heinz College CISO Certificate — https://www.heinz.cmu.edu/programs/executive-education/chief-information-security-officer-certificate

CISOWise vCISO — https://www.cisowise.com/


Follow CISOWise on all podcast apps.

Website — https://www.cisowise.com/podcast

Show Notes & Transcript — https://www.cisowise.com/podcast/005-developing-a-phishing-awareness-program-with-brent-maher

Transcript

[00:01:08] Introductions

Earl Crane: I'm joined today by Brent Maher, the CISO at Johnson Financial Group. Brent, welcome to the program.

[00:01:14] Brent Maher: Thanks Earl. Good to be here.

[00:01:16] What Works? What Doesn't?

[00:01:16] Earl Crane: And I wanted to ask you based on your experience as a cybersecurity leader, and you've been in the field for a long time, what have you discovered works well to drive your security initiatives?

Brent Maher: I definitely think having an engaged-with-the-business mindset is paramount. Aligning with strategy, with business strategies, aligning your cybersecurity strategy, is important. Depending on where your function sits, aligning well with key stakeholders like IT, audit and risk is obviously really important to us in financial services.

[00:01:53] Brent Maher: A couple more tactical items. I think some phishing, email phishing capability. Ninety-plus percent of cybersecurity incidents are, in some way, shape, or form, instantiated by using some kind of social manipulation, in large part by email services. So having a really strong simulated email phishing program is important. And then also really just taking care of some blocking and tackling. So vulnerability management is another kind of ABC, 1-2-3 type service that we really have focused on and strengthened in years past.

[00:02:28] Successes In Mitigating Phishing

Earl Crane: You mentioned that 90% of incidents come through a phishing attack vector. Can you share some of the successes that you've had around phishing and mitigating that threat?

[00:02:40] Brent Maher: Yeah, so we've really focused on several layers: people, process and technology. We really haven't shied away from that strategy. So you need some standard controls. So, email filtering technologies are in place.

[00:02:55] Brent Maher: And so once you get the technology in place, obviously operations needs to be able to handle live incidents as they come in through the email vector. I guess what I've spent a little bit more time talking about is securing the human element.

[00:03:09] Brent Maher: So we have, like many organizations, several individuals that are using email on a daily basis, and we're preparing them for the email phishing schemes that will make their way through the filtration systems, because that's just the reality: they're not going to catch everything, especially highly targeted attacks that don't come through in large volumes and have an easier way of coming through down to the associates.

[00:03:34] Brent Maher: So our program really is centered around preparing those associates for an adversarial email.

[00:03:41] The Human Element Of A Phishing Program

(User Training And Phishing)

Earl Crane: Can you talk a little bit more about what you found really works when you're operationalizing your phishing program and dealing with the human element?

Brent Maher: I think one of the key transitions that I've seen be successful is really differentiating between providing awareness to your user base and actually educating them and preparing them to take action. So one of the things I've seen many programs struggle with is, and when I speak to awareness, it's: hey, we do simulated phishing, so you actually inject emails into your environment, and you measure the susceptibility your users have to those threats.

Brent Maher: So when I say awareness: if you only do that three or four times a year, your user base really isn't going to pick up on your annual training, see three or four simulated templates a year, and really build muscle memory for how to identify malicious emails.

[00:04:38] Brent Maher: So it's like trying to learn how to hit a baseball, and you're only going to throw four balls at the kid and hope that he learns how to swing. So what we really did, and what I've seen be successful, is definitely upping the volume of reps, how often they're going to see a simulated phishing email.

[00:04:55] Brent Maher: So our organization, and many in our vertical, are simulating these every single month so that the employees receive enough volume to build muscle memory. And then the other part is really focusing on adult learning theory. So how do adults learn? Many of us have children, and they can sit through school for eight hours, but professional workers aren't geared to sit through an hour-long class that is really not in alignment with what they're used to.

[00:05:24] Brent Maher: So really shrinking those learning opportunities down into micro-lessons, and they're highly targeted.

[00:05:31] Earl Crane: How is that micro-lesson implemented? We have a specific email template, let's say it's "your package has arrived" from a very popular online distribution provider.

[00:05:42] Brent Maher: Okay. Well, what we'll do is we'll build custom training every single month and shrink it down to two minutes or less. And we will point out to the end user the exact things they should have spotted on the exact email they just clicked on. And when they click on the email, it auto launches the training right on the spot.

Brent Maher: I get a two-minute dose of the exact thing that I just clicked on, and it creates a high level of correlation between what we're trying to teach them and what they've just experienced. And we've seen some significant progress in reducing our overall susceptibility to email phishing schemes.

[00:06:19] Getting Approval For A Phishing Program From Executives

(Reporting To The Board)

Earl Crane: I recall when we first started doing phishing awareness training, and the conversation was that we would start sending employees fake phishing emails. The CISO I was working with at the time, back at a government agency, had a concern that we would be sending these and tricking employees.

Earl Crane: How was your phishing program received by board members, and did they have any comments?

Brent Maher: One of the tactics I took is to get buy-in at the top early. And in order to do that, really a strong business case needs to be developed. So early on in this podcast I mentioned that 92% of cybersecurity incidents originate in some way, shape, or form through social manipulation, mostly through email. So I think that's an important metric when you're talking to executives about the threat landscape.

[00:07:08] Brent Maher: Another technique that I've used in several of my selling experiences, and especially through the phishing program, is also making a connection to peer benchmarking.

Brent Maher: So in my case financial services, but whatever vertical you're in, go out and figure out what the benchmark is for your particular institution. So I did that and figured out where we were as an organization relative to peers, which helped illustrate that there was a gap.

[00:07:33] Brent Maher: Also identifying real-life stories. So what are some of the marquee breaches that occurred related to an email intrusion? So providing a level of reality to the situation, so we're not focused on unrealized threats. There have been threats that have been realized in other institutions; here's the risk factor, and here's where we are relative to peers. That really brings together a nice set of selling points to the executive group.

[00:08:00] Brent Maher: Some of the other things that I learned along the way: so, sell at the top. We have various committees that allow me to do that. And then also creating visibility at the board level, so it's an important thing to our organization, and developing a handful of metrics relative to how well your users are doing in the phishing program, so that the board has visibility and the board is expecting management to drive this as an important element through the organization.

[00:08:30] Challenges In Implementing A Phishing Program

(User Training And Phishing)

[00:08:30] Earl Crane: What were some of the challenges you ran into when you were starting your phishing awareness program? How did you overcome those? And did you have any lessons learned?

Brent Maher: One of the things that we learned along the way is, you have a user population that is going to move in a direction at its own pace.

[00:08:46] Brent Maher: And I think one of the challenges that we experienced was providing various email templates of very different degrees of complexity.

[00:08:55] Brent Maher: And one of the things that we learned through that process is, we actually now have a classification scheme. Think of complexity levels one through four, where four is sort of the extremely hard to detect: really very few tells other than just, this is something that an individual would typically ask me for. And level one is the easy stuff: misspellings, a weird domain, and so on.

[00:09:19] Brent Maher: So one of the things I think we learned along the way is creating a complexity scheme and then staying true and consistent to it. We're not going to move to level two until we feel like we have the right user behaviors occurring at level one.

[00:09:34] Brent Maher: And I would say another one is, really, when you do get to higher levels of complexity in these phishing simulation programs, you do start to push the edge, and you do need to prepare yourself for users being frustrated, because essentially you are trying to trick them into clicking on a template. And so not everybody looks at that like, hey, great, thanks for educating me, I feel much better now that I know. Some people feel that it's a very adversarial activity within your own company.

[00:10:04] Earl Crane: So how do you deal with that response?

[00:10:07] Brent Maher: So I think bracing yourself for that outcome and then prepping for a response to that. So, what I was less smooth at early on, and am much better at now, is really providing a response to those challenge discussions with business partners. Early on, I think it was just, hey, this is what the threat actors are up to. And I think it's really painting a much cleaner narrative around the value proposition: this is what the adversaries are up to; here are the metrics in terms of how many companies are falling victim to this.

[00:10:39] Brent Maher: And I've also gotten asked by board members: so how far do you push this? When are we done? And I think having an answer for that too is important. So, we create the adversarial environment up to the level that the threat actors are willing to take it. So when we see threat actors cooling off in this space, that's when we peel back.

[00:11:00] Brent Maher: But again, the whole point is to prevent a breach. And if our adversaries are getting very tricky and very manipulative, we need to prepare associates for that same level of adversarial activity.

[00:11:12] Sign Off

[00:11:12] Earl Crane: Brent, I really appreciate you taking the time. Thank you so much for sharing your experience and wisdom here on CISOWise.

[00:11:19] Brent Maher: You bet.