Ashley Rose, CEO and Co-Founder of Living Security, agreed to sit down with Safety Detectives’ Aviva Zacks and told her about how her company is solving the problem of inadequate security awareness.
Safety Detective: What do you love about working for Living Security?
Ashley Rose: Definitely the people that we get to work with every day. We have a lot of smart, talented, and mission-driven people at the organization—people who really believe in what we’re doing and what the organization’s mission is.
I also love our clients. They believe in our ability to make a difference when it comes to protecting organizations, and there is something very inspirational about that.
We also do a lot of community outreach. For instance, we were recording a training series this week in the Austin community, and we have actors, videographers, photographers, and people working sound and lighting on the set. I went on set yesterday and they all were telling me how much they were learning about cybersecurity because they were working on our project. We get to reach a lot of people in a lot of different industries and it’s pretty awesome.
SD: Why is security awareness training inadequate and how do you think it can be improved?
AR: There are two major gaps within the security awareness and training industry that Living Security set out to solve. The first was the lack of engagement. Companies were implementing security awareness training for a compliance checkbox, and they really missed the mark when it came to what would get people engaged and interested in cybersecurity or cybersecurity best practices to actually make them and their organizations more secure.
We saw that even though people were taking training and were a hundred percent compliant, there was no retention or behavior change after the training. And ultimately, because the security team was much less interested in their people and more interested in the checkbox, it also reinforced a negative culture around cybersecurity for organizations.
The second issue—and Living Security is solving this—is that up until recently, outside of compliance metrics and phishing click rates, there really wasn’t a holistic way to measure the impact of training. So, we have this lack of data and measurement and the ability to really prove an ROI for cybersecurity human risk. Both of those areas provide an opportunity for improvement.
SD: Why haven’t companies done more to reduce human vulnerabilities to cyberattacks?
AR: First of all, there hasn’t been another option. The market need was to meet compliance and to get their people trained. The vendor community responded and created easy-to-deploy training content, which had not been available up until four or five years ago when Living Security started. Then, there weren’t a lot of alternatives.
Secondly, not having the data to measure effectiveness meant that it was easier to invest and show ROI on investment in technology versus people. So, if you’re on a security team and you need to ask your CFO for a budget to invest in a better and more effective program, they’ll ask you what you hope to accomplish by implementing this new tool. I don’t think it was from a lack of caring. It was from a lack of understanding, of being able to see a proven difference in change, and of having an alternative option.
SD: What is cybersecurity human risk management?
AR: Cybersecurity human risk management is moving away from the compliance-focused approach of security awareness training to a risk-based approach for managing human risk. It is leveraging data to provide visibility into risk and then prioritizing what matters so that organizations can make informed decisions. In the same way that you would look at enterprise risk within the organization, it’s really about transparency and prioritization and then informed decision-making.
SD: What do you think are the worst cyberthreats today?
AR: You can’t wake up without hearing another new story around a ransomware attack. Ransomware is at an all-time high right now. I was listening to a podcast this morning with the recent statistic around an attack every 11 seconds. Obviously, we’re seeing a lot more leveraging of trusted relationships through the supply chain and managed service providers. They’re able to reach many more companies on a global scale. I think they’re projecting about a $20-billion cost in ransomware-associated attacks this year, and we’re seeing, of course, an uptick in government and administration focus around ransomware, what to do about it, and how to make the change.
SD: How do you think this pandemic is changing the way companies are handling their cybersecurity?
AR: I think it goes back to the worst threats that we face. People are at home. They’re outside of the four walls of their protected corporate environment, and we’re finding that not only have a lot of cyber hygiene principles slipped backward, but people are leveraging personal devices to access the corporate network and to do work or access corporate applications. Oftentimes, they are reusing their passwords or not locking their laptops. And so, there’s a lack of control from a technology perspective that a lot of organizations really worked to build up over the last few decades.
There are other components, but people need to operate securely no matter what they’re doing. Things like working, playing, living securely—and understanding and focusing on the person holistically—are much more important. Understanding what people are doing online, what they’re accessing, and giving them the tools and techniques that they can implement in a home-based environment become much more important. And then you layer the increased risk associated with COVID, the uptick in ransomware, COVID-19 scams—people are tired and we’re all just physically exhausted, and that creates the additional risk of falling for an attack or threat across our environment.