The other day, the VP of Product and I released new branding guidelines on posting about Pistachio online. Anyone who has worked with branding before knows that following guidelines is of the utmost importance, and the consequences of failing to do so would be very costly for the company. We have a brand image that we want to cultivate and maintain, and that requires consistency in everything we do.
So what did we do? Well, we talked to the various managers in the company and asked them to tell their teams. So they did, and that was it. We didn’t send out a quiz to every person. We didn’t make them log in to a platform to prove they understood the branding guidelines. No, we told them what they needed to know and walked away.
That’s how most things work at most companies. Well, except for cybersecurity awareness training. Awareness training still comes with a quiz. It’s not good enough that someone says they understand that it is dangerous to plug in unknown USB drives. No, they also need to answer questions to prove they understand it.
Does that sound healthy to you? To me, that isn’t how you build a security culture. It’s how you build a culture problem.
Building Hostility
Security awareness has become actively hostile to the people on the receiving end of the training. It’s not good enough to simply give employees the information they need; no, they need to be tested. Falling for an attack simulation is seen less as a learning opportunity, more as a problem that needs to be remediated. The products that deliver security awareness solutions are often not focused on helping employees learn, but rather on reporting bad behavior to managers. And when we aren’t treating employees like a security vulnerability, we are infantilizing them by pretending they need a fun video or game to learn anything.
This isn’t how we should be treating our colleagues. That is what the people on the receiving end of security awareness training are, after all. Colleagues. Jim from Accounting might not be good at spotting phishing emails, but you know what he is good at? Accounting.
I understand that the stakes are high when it comes to cybersecurity, and to many IT leaders the culture of control around security awareness feels warranted. However, the reality is that cybersecurity doesn’t have a monopoly on negative outcomes. All around us there are ways a company can fail if people aren’t properly aligned, and every department has that “one thing” they’d love to control with an iron fist. As a product leader, I sometimes wish the sales team had to take a monthly quiz about the product and the features they can and cannot sell. But I don’t actually make them take a quiz, as that would be way too aggressive. It would cultivate resentment.
I don’t necessarily think that security awareness’ culture problem is the fault of IT departments, at least not originally. I imagine that the problem started due to a desire to satisfy regulatory requirements. If the law says you must prove your employees have necessary security training, what better proof than making everyone take a short quiz? However, that doesn’t justify where we are today. Organizations that don’t have these regulatory obligations still want the same control, and it extends far beyond what any legal regime asks for. [1]
Making a Product People Like
Building a security awareness product is challenging, as the buyer (usually IT admins) isn’t the same as the end user (everyone at a company). And what IT admins want isn’t necessarily what end users would like. That presents a challenge, because pleasing the buyer might mean making a product that most users will hate.
And yes, most people hate security awareness solutions. If I’m at a party and someone asks me what Pistachio does, I say “we are a tech company” and divert the conversation. I don’t want to admit that we are a platform for security awareness and attack simulations. People hate those things!
I don’t want people to hate my product. I want them to love it. I want everyone who touches Pistachio (including IT admins) to think it is great. Given that I am not going to convince every person at a company to love quizzes and surveillance and punishment, my only option is to convince IT admins that there is a better way. Many people working in security awareness already get this, but we need even more on our side.
My appeal is this: A zero trust principle doesn’t work when it comes to people’s knowledge and skills. Not everything needs to be verified, observed, and recorded. If you want people to care about security, you need to let them learn in peace, without the fear of being tested or punished. When failing a phishing simulation comes with a stern warning and mandatory follow-up training, it’s not hard to see why people build resentment towards these types of exercises.
So let’s stop, take a step back, and start giving people the space they need. Let them enjoy their security training, not by making it into some game with pointless leaderboards and gold stars, but by allowing people to learn in an easy, convenient format free from testing and punishment. To me, that is the only true path to building a security culture at a company.