Iron Man wasn’t built in a day. Nor was his suit — or ego, for that matter. The creation of the superhero and his suit of high-tech armor came out of necessity — to keep shrapnel shards from puncturing his heart. The solution was the creation of Iron Man’s first-ever electromagnetic reactor — and, well, the rest is Marvel Cinematic Universe history.
But how does this relate to building a security awareness program? No, it doesn’t mean you add watching The Avengers to your cybersecurity curriculum (we tried!). But it does show that the first foray into building out such a heart-saving program often comes from necessity. No one expects to be trapped in the caves of a terrorist group or to have their organization’s protective walls breached — but it does happen to superheroes and everyday companies alike.
So, you have to build something better to ensure your organization survives the missile attacks — whether they come from the Ten Rings terrorist organization or from a ransomware-as-a-service group using smishing on an executive. Many stop there, once their first-gen defenses are in place and they’re lulled into a false sense of security, but you don’t have to.
More Than Human
Much like the arc of Iron Man throughout his decade-plus saga, your security awareness program needs to start with an origin story — a guiding set of principles that explains your current actions and future motivations. Many deem humans the faulty link in cybersecurity and, in some ways, they can be; according to the World Economic Forum, 95% of cybersecurity breaches are caused by human error. Using this data, many organizations will purchase tech to bolster their defenses and limit their employees’ visibility into the threats facing the organization. For my team and our security awareness program, we chose the opposite course. We equip our humans with the tech, tools, and training they need to be first-line defenders against cyber threats.
This process of embedding security awareness into everything your employees do takes time. It can take months and even years to spark your company’s collective Pikul — the energized arc reactor that drives your security awareness program forward — but it’s worthwhile. To begin, you need to start the training journey early — incorporate training at the very start of employment, at new employee orientation.
Next, you need to embed real-world training and simulations into the day-to-day work environments of your employees, including things like phishing simulations, crisis tabletops, and social media alerts. For content inspiration, it’s important to “run on reality” and use real incidents that have happened to your company or employees as the backbone of this training content. Often, in the case of cyber bad actors, reality is stranger than fiction.
What’s Your Jarvis?
Once you have your arc reactor powering the day-to-day movements of your program, it’s time to set up your “Jarvis System.” In Iron Man, Tony Stark uses his Jarvis AI to schedule everything from interplanetary drone strikes to dinner reservations. In the case of your organization’s Jarvis, the scope of what you’re looking for your system to do is much smaller. Jarvis, in the security sense, is a combination of internal programs and external tools and tech that creates a hard shell around your employees — think proactive threat intel, defense-in-depth processes, and automation and machine learning.
The complexity of your Jarvis system will depend on the size of your organization and what you can invest in outside resources. Simple open source phishing simulations and basic firewalls with intel feeds are a good starting point for smaller organizations; medium-sized and larger organizations may look to email gateway-scanning tools and more sophisticated phishing-simulation services as well. Regardless of your buying power, a proper blending of external tools and resources with your inside expertise and processes is vital to ensure that the setup of your very own Jarvis system is successful.
Once you’ve found your Pikul and activated your Jarvis, you may be asking what else you can do to supercharge security awareness at your organization. For me, it’s all about blending the people, processes, and tech to focus on psychology. Security programs built with cyber psychology at the center create a collaborative, not punitive, relationship between your security team and the employee base, and they empower employees to be proactive and stay vigilant against threats through positive interactions and reinforcement.
You never know the true potential of your team until you give them the proper training, tech, and trust — that’s where the psychological element layers in. After all, Tony Stark wasn’t a superhero until he put on the suit. And to end with my favorite line from Tony to Peter Parker, “If you’re nothing without this suit, then you shouldn’t have it.”