Annual security awareness that doesn’t suck. Announcing WISE
We’ve been doing some really innovative security awareness work for the past two years, but it’s all been pretty quiet. We’ve had customers who are really forward-thinking and realize that if they change their users’ behavior, their security will improve. So, we do a lot of really focused behavior design work. And we do a lot of cultural assessments to help organizations understand what their true user security posture is and what steps they should be taking to change the issues they’re having.
And in all that work, the one constant refrain from our clients is:
“We’re doing all this cool stuff. But our annual awareness training still sucks. Don’t you make something we can use for that?”
I’ve always had to say no. Which pained me, but we were too busy working on the customized, advanced behavior-design solutions. But I knew that if we were ever going to do it, we had to make it not suck.
Today, I don’t have to say no anymore. After nearly a year of work, we’re announcing the Workplace Information Security Education (WISE) training solution. It has three main components that are designed to provide annual awareness training in a way that nobody else I’ve ever seen is doing.
You can read the actual product pages for all the details, but there are a couple of features I wanted to point out here that get me excited for what we’re doing.
We spend a ton of time on annual awareness training. In a 10,000-person organization that has a one-hour annual training, we’re spending almost 5 FTE worth of time each year on getting the users trained. And everyone agrees that the training is generally a waste of time (this is probably the one place that Dave Aitel and I agree). But it’s not because users can’t be trained – it’s because the users watch the video, learn what phishing means or what a password is and they leave without any new behaviors.
So, we built WISE Awareness with the idea of changing behavior. When users watch it, they come away ACTING in a more secure way, not just knowing some stuff. Because it was built by a team led by a behavioral scientist, not a bunch of security geeks like me. As I always tell our clients – having a security person building your awareness content is about as smart as having a sociologist perform your next web application penetration test.
Whenever I get consulted on a breach, it’s always because a key employee got phished. A C-level executive, program manager, project manager, or some other person in an important role seems to always be involved. Not to mention that they actually have security responsibilities that aren’t covered within the “normal” awareness process. I’ve rarely seen any security awareness content that does a good job preparing a program manager for the security implications of using contractors, for example.
But these are the kind of security issues that change the way that an organization actually behaves around security. We’ve given a number of role-based trainings over the years where we focused content on an organization’s key roles, but there’s never been anything that’s cloud-based, affordable and designed to augment the current awareness program. There is now.
Big security awareness customers sometimes have their own LMS. For those that don’t (and for smaller organizations), nearly everyone who’s doing security awareness these days is providing a cloud-based solution. But I’ve heard two complaints over and over about the cloud model:
- “Our security policy doesn’t let us use the cloud” or;
- “Cloud models require all this wrangling to get user lists. I wish we could just connect it to Active Directory.”
So, I knew if we were doing this, we had to solve those two issues. And we did. WISE is available in the cloud as well as a customer-premises virtual appliance. And that virtual appliance connects to Active Directory for user syncing.
So… we’re going to be at RSA this week. Come see us in booth #3111 and I’ll show you all of it. We’re also going to be having a show/launch special on pricing, so this is a really good week to talk to us.