How To Sign North Carolina Banking Word

How to industry sign banking louisiana presentation secure

[Music] and so like i mentioned before our first speaker today will be dan lorman dan is the cso at security mentor and is the first cso of michigan he will speak about the important things to consider when building an effective information security awareness program as he will explain more about what makes an effective program is the right combination of skills knowledge executive support and resources so dan i know we ended a few minutes early but if you're on you can take it away when you're ready or we can give you a minute great thank you so much um it's great to be with everyone i'm going to share my screen here in a moment and we'll we'll get diving right in here um is everyone seeing that okay madeline does that look good yep it's all good great thank you welcome everyone uh it's great to be with you this morning i'm coming to you from michigan today it's a kind of a cloudy overcast day but hope you're having a good day wherever you're at today and around the world or certainly all over the united states um this is a really important topic of cyber security uh and uh security awareness training programs and there's so much we can cover in this topic and we're just gonna do it you know really kind of an overview uh in about 20 25 minutes but we as as madeline and kathy mentioned earlier we are going to take some q a at the end so we do want to uh make sure that uh you you bring your questions to us you can leave your questions and we'll make sure that we have some time to go over that um as we go through uh the training today uh my background just real quickly is uh uh over 30 years in the security industry i started the national security agency i was in england with lockheed and mantec michigan government for 17 years so a lot of a lot of different roles at agency cio i was um the cto building michigan.gov the first portal for the state then after 9 11 i became michigan's first ciso chief information security officer and the first ciso in all 50 state uh state governments so um really had a lot of experiences in that role cto in michigan after that and then came back uh for the final three four years uh as as uh chief security officer over physical and cyber security but as we dive into this topic today i really want to um focus on these um these different issues the importance of cyber security training i really want to tell the story and talk about the important aspects of security awareness training programs um really as you think about this in in in a case study so i want to walk you through a case study uh in michigan i actually have many from numerous state governments and lo and um fortune 500 companies all over the world but i want to focus on this story exactly it's a very personal story you're going to uh understand as we go through and then some practical next steps that you can think about if you're just diving into this topic and and really want to take some first steps to move move along and move the move the needle for your company whether that's a small company medium-sized large or whether you're talking about a government public or private sector i want to start off though with a couple questions so if we could have um madeleine if you could pop up the the poll questions i want to just kind of get a feel from the audience and i'll just read these to you here you got about a minute to take both of these so go ahead and jump right in and and uh and answer this when was the last time you took security awareness training so you choose one uh recently like in the past month or two um number two uh sometime in the past but probably pre-covert uh maybe beginning of the year that kind of thing or three a long long time ago perhaps when you joined the company uh don't remember it very well but you did take it somewhere back you know whatever and then number four never what the heck is security awareness training so you're here with us today and uh you're just dealing with this topic for the first time so go ahead and answer that question and then number two we'll answer both of these at once did you like the training that you took did you benefit from the material and you know the answers are here yep i loved it um great training everything was great pretty good um learned some new stuff feel pretty secure as a result not really um death by powerpoint you know or please teach me something i don't already know and then the last one absolutely not death by powerpoint is not training so give you another 10 or 10 seconds or so then we're going to dive right in and um we'll go ahead and go the answers and talk about the feedback that we got so oh why don't we go ahead uh madeline let's go ahead and go to the answers and see what we got here and the answer is uh most of you have taken it recently which is good sometimes in the past year so about a third of you have taken it recently which is great to see um sometime in the past year um pretty good and then about 24 percent never what the heck is kubernetes training so hopefully this will give you some overview on that um what did you think of it uh loved it you know 14 not so many most thought was pretty good learned a few new things uh 19 not best use of my time and then maybe another 10 um death by powerpoint horrible well one of the things i want to just mention right out of the gate um as we think about these poll results is is that um there really is a a huge correlation to how people find uh the training that they're taking as far as value are they learning something new are they actually benefiting is it interactive is it engaging does it engage the culture does it meet the needs we're going to talk through some of those um we'll talk through some of those specific best practices and get near the end of this but you know that's really important as far as the benefits people provide and measuring success and actually changing the culture and and having people apply really different behaviors because a lot of this is really about individual behaviors and actions people take uh with with their computers at home and at work now with kobe 19 especially so i want to start with a couple quick headlines i think most of you on the line today uh we had a great first session there we have some great sessions coming up um we know christian judge well i know um david spark and a lot of the other speakers are coming up great speakers uh very engaging um this topic of what keeps cyber security cios what keeps um uh cios up at night and and the answer for a large number of people is that cyber security keeps cios up at night there's one poll from um wall street journal um and then this quote specifically around uh from um cio at procter gamble is is it really during covid we're seeing uh an explosion in incidents we're seeing an explosion in um challenges and vulnerabilities uh numbers of ransomware attacks way up and and so as we think about this and we think about the challenges you know we think about what can we do about that a couple other quick headlines again just cheating up the topic uh as we dive in uh covered air cyber security threats are are are being confronted each and every day and then a lot of times you see this kind of thing here's three tips well that's great you know three tips for 2020 and you say okay what would those tips be you know and some organizations are at a very basic level of awareness um there may be sending out emails they may be sending out something they're at least you know trying to provide tips that can help so do not click on malicious links use right uh the use anti-malware change your passwords certainly you can't argue with any of those tips um but again i think for most people a lot of people think well those are things i've already heard before um again teach me something i don't already know um and as we say to people just don't click on links well what do you expect people to do i mean they get links how do you train them to actually know and analyze and know what to do in those situations mike rogers uh this goes back you know a few years actually you can see the date here i think is actually back in about the 2011-2012 time frame mike was a congressman from uh michigan uh head of the cyber security committee in the house intelligence committee um did one of our cyber summits here when i was cso in michigan and um he you know talks about 80 of cyber security problems can be solved with great computer hygiene i've seen numbers up high of 90 percent that if people had done something differently if they're taking some different kind of action have they not clicked on the link but had they changed their password had they re not reused their password had they used two-factor authentication had they do done something differently than they would have not been the breach that happened and and and i think that's that's the challenge that we see really across the board and some some management some people i've seen um and there's certainly nothing wrong with with cartoons and fun but i've seen people send out cartoons like this you know in this corner we have firewalls encryption antivirus software etc in this corner we have dave which is a human error factor so i mean really this is kind of teeing up the topic how do you get your employees engaged how do you train them in the right ways how do you build a program that's going to be effective in the long run and measure the results and see it continually get better over time that's really what we're going to talk about i want to start um the story kind of going back to 2004 and take you back to my first experience with cyber security awareness training when i was ciso in michigan government and so this takes us back about 16 years now um and you know i knew at the time this had come out with their standards national institute of standards and technology that we need to have security awareness training programs had laid out the process and kind of said you know hey this is what you need to be doing um we built our own homegrown program in michigan government we called it most michigan online security training we had some basic you know powerpoint modules around these topics um very compliance focused was kind of check the box get through this get done see you next january very much focused on checking the box and and a lot of people view security awareness training in that kind of a context they're thinking really how do we get this done and uh we followed up with a quiz and we wrote it out and you know it's better than nothing so what i can what i can say is i mean i'm partially guilty because i was the co-author of this certainly it was one of the first programs in the country in state governments in all 50 states back and we just started the msi sac with will pell grant a lot of organizations and uh it was certainly better than nothing the problem was uh by 2011 we did some feedback on this and we've been doing the same thing over and over and over again you know we all heard the phrase you can't keep doing the same thing and expect a different result but by 2011 we we actually came in i had a couple different jobs between those two been cto for the state running the data centers consolidating data centers and technology and help desks came back as cso we had a new governor rick snyder at the time came from gateway computers um really wanted to focus on cyber security so we really put together a world-class team just look at a whole wide range of different topics that michigan did a great great work with that you know the michigan cyber range making cyber michigan cyber disruptions a response strategy um our cyber corps uh civilian volunteers a lot of great things happened one of the things we did was really award-winning was around awareness training but we went as we started we said let's talk to our employees what was that employee feedback and people said to us you know this is boring this is tech speak this is irrelevant it's outdated it's death by powerpoint it doesn't really work for us it doesn't apply to me it's somebody else's job in a word this thing was a flop so we knew we had to basically throw it all away we needed to go out and we need to find something different and we did that in 2011 2012 we rolled out um we rolled out um basically a new program but before we did that we had to address some issues we had multiple audit findings we had minimal participation actually only really um we had about three thousand and fifty thousand state employees were thinking the training in 2011 from the previous year so we kept doing the same thing over and over again but we weren't even getting the buy-in and we weren't getting the bottom up participation um and then you know we said you know we had a new governor as i mentioned new sense of urgency new michigan cyber initiative new strategy by the way they're still doing those cyber summits governor rickman's have one coming up in uh in michigan here in october but new executive management and a new approach so we went out as i mentioned and we asked people what is it that you're looking for what is it that you're looking for in online training what are the best practices out there and we you know we clearly looked at a variety of things and one of the things people obviously love is they love games and they love interactive content they love content it's you know you think even something like weather.com one of the most popular sites on the internet why is that because you can zoom in to your zip code get it hour by hour for your zip code and you can go zoom out you can look at the whole country you can look at the hurricane that's coming up in florida excuse me in uh gulf mexico right now to texas and louisiana you can see those details and you can you know take it from one day one hour all the way out and you can look at maps and if you don't believe any of that you can look at the radar and see what's coming across you know lake michigan and see what storms are going to be hitting you in a couple hours if i'm here in central michigan so people wanted that interactive engaging content we saw that as a real um uh real challenge is you know how do you make this engaging how to make it interactive how do you make it something that that people like we also said okay we did a brainstorming session we said people wanted a fresh approach people like to see something that's brief something that's frequent something that's interactive you know you see all these different things engaging focus convenient measurable gamification make it competitive make it something that's you know if you can really think about it new and different and then really how do you make it fun so you know that's really the challenge so as we came across with a with a with a cross-functional team and we built the programs built in rp went out said we want to look what's best in the world we want to really search the globe and we want to find out we weighed uh talked to 20 vendors eight bids uh four live demos and then the winning bidder you know really we came in with security mentor and this again was in in 2012 2013 timeline uh because of the fact it was brief frequent focused content that was delivered in a in a way that was that was very very um meaningful to specific questions that people had but what if you think about this wider challenge i just give you one quick example when i say gamification or games within lessons i'm not going to do a demo anything right now it's not about convenience but whatever vendor you pick whether it's security mentor or someone else um you need to really think about how do you make it something that is sticky how is it going to be memorable so for example we had a challenge um and i know airports are kind of a lot most of you aren't traveling now the airlines are struggling um but you know we did a lot of traveling a lot of you've done a lot of traveling through the years and we think about you know lost and stolen devices you have them in taxi cabs in new york city and cities around america again people aren't doing a lot of traveling right now but as you think about going through an airport and you think about you know fbi numbers were in the 11 to 15 000 losses stolen devices weekly in airports you know back in this timeline and um so we say how do you do that obviously everyone would agree you know we don't want to be losing our devices now you can you can encrypt them you can you can back them up as we just heard earlier in the session there are things you can do to protect them but clearly no one wants to lose their laptop right they don't want to lose that data or that smartphone that you have or other device and you know so how do you help people so we put together a game around this and and we walk through people through the tips things to do things not to do but then we ask you know what are the places where are people gonna lose um their device and you know we ask people what are the top 12 based on real data where are people losing it they're losing them at the security checkpoint are they is it at the restroom is it the vip lounge is it the food court what are the most likely places and it turns out as we looked at the data the number one place was the bus or the taxi cab the transportation either between terminals in the terminals or getting to and from the airport that's where people were losing it so how do you gamify that you can walk through literally imagine this a game where you are that you are that um uh mario figure if you will and you're saying walk through uh your normal thing you know when you get to the airport you leave the rental car you you go um you actually go into an airport you you uh you go to the kiosks you go through a security checkpoint you walk through the different steps and people have to find these in 60 seconds and you're running around you're trying to find the loss of stolen devices almost inevitably when people play this they don't find four or five generally they don't find number one which turns out it was you know the transportation so why do i tell you that little story why is that so important well you want to tell real life stories about things that are really mattering to people and make it sticky make it so that it's memorable and now when i go to the airport i think about each of those places that are most likely going to be lost and stolen devices and i think about what i can do to protect myself and make sure that i'm not leaving things in those places i had someone real true story before i left michigan government who came up to me and said dan i need to talk to you and say i'm sorry i can't leave for a meeting i can't do that i said no no you really need to hear this i said okay what is it he said i was literally in orlando airport i was with my wife and two daughters and we were um we were literally we were we were um got off the bus we're heading to the airport we're going in to fly back to michigan and i was thinking about that game i said yeah it's sticky isn't it doesn't it i remember but we said yeah it is and uh he said i i reached down to my belt and my smartphone was gone i said really he said yeah he said and i told my wife and daughter stay here he ran back to the bus he literally jumped in front of the bus which is not something we recommend right he stopped the bus gets him on the bus walks in the bus driver says what is it he's my phone is on this bus he said how do you know that he said because i was texting with my friend on the way to the airport i know it's here he goes back there's his phone seeing one sitting on the luggage rack what had happened was t they were last ones off the bus he pulled put his phone down pulled his two bags off for his daughters put him on the curb pulled his and his wife's bag off put him on the curb and started walking but he's thought about that and he actually got went back and got his phone back that's what i'm talking about you know really practical security when he got back his wife said you need to go tell dan lorman thank you because you would have lost your device had you not i do not remember that had that not been sticky training that was memorable that actually helped you so those are the kinds of things you really want to be doing you're providing practical training that people really can use and love we wrote this out in michigan um you know we i won't go through all the details but uh huge success interactive training people loved it measurable metrics measured people's feedback people said we love this training i'm learning something new it's engaging it's interactive it's fun um we have we measured the training results positive ratings you know what employees say end users clearly you can measure quizzes you can measure um assessments you can measure phishing we'll talk about that in a moment there's other ways you can test people but are they learning something new are they engaged are they really in uh feeling benefit from it those are really important factors um just a few of the feedback so you want to make sure whatever you do whatever training you offer get that end user feedback find out what's working what's not working change it up do something different don't always keep safe with the same thing don't keep doing the same thing and expect a different result so you want to really be thinking about that keep thinking about tips about how you can constantly be refreshing you know we think i tell people how many of you got the same iphone you had for the last 10 years almost no hands go up how many have an iphone one or a android device from from 10 years ago almost nobody usually we get a new device some people get new devices every year some people get every couple years but you want to be refreshing your training because technology is changing we want to constantly be providing a relevant new material in this case we closed 11 audit findings we manned it got the training mandated from some uh organizations nacio the national association of state cio's called it a best practice national government association best practice for the nation you know really trying to make this engaging interactive make it something that people can use and that is relevant in their lives so how do you get started just some tips here we're going to go to your questions here in a moment um certainly get those questions in just some some summary uh points here quickly and then i really i know uh we have whole classes by the way i teach at secure world events which obviously have now been gone online and they're not uh not being around the country but we have a detailed class we offer a half day that goes into hands-on what are the specific things how do you get uh management by and how do you get some of these things to happen in more detail but these are some of the major components you want to really think about what policies do you have in place are people following them you know a lot of people have policies and they're quite frankly ignored um especially hard right now with working from home with people doing telework with covert 19 um do you have guidance it's amazing some of the surveys employees saying around the world 50 plus percent saying management has given us no guidance which is hard to believe on what we should be doing differently at home or especially in some places people are using work laptops other places that we're using home laptops or or home devices and home networks it's important that you have policies and procedures management buy-in and it's not just i've never known a management management executive in any company or government that raises their hand and said i don't care about cyber security so clearly a lot of people think oh i've got management buyers and they're for security no one's ever against security it's kind of like being against air you know you can't you can't be against it but are they walking the talk are they actually taking the training themselves are they actually doing things um and and really leading by example a quick story governor rick snyder literally um one time at a cabinet meeting he asked before cabinet meeting was there he said how many of you in the cabin have taken the training no hands went up so when i took the training it was great training i love the training i learned a lot i want each one of you to take the training and i want each one of your direct reports to take the training and i'm going to ask you again next month took him 30 seconds to say that 30 seconds but the effect was huge the next month he comes back he says how many of you taken the training all the hands went up but we know that half people in the room actually had not taken the training um half of them had but the ones that didn't it was actually good because they ran back they canceled meetings we know in some cases they they called staff meetings and said i told the governor we took this we're all going to take it right now talk about the leadership team for major agencies in government we're going to take this right now because i just told the governor we're going to take it we're going to get this done cancel your meetings get this training done so that leadership by example is huge if you get that but management buy-in um it's great also you need to have bottom-up so you need to have that top down you want up word of mouth you want to have um measure with surveys um you can have checklists you can have a variety of different methods to do assessments and quizzes um there are a lot of different techniques you can do to measure things you can also use fishing um we have a fish defense module i know a lot of vendors offer that where you can actually test employees and see how they're doing don't just rely on fishing though fishing is a huge issue um i think there's gonna be more set uh sessions on that more details on that the data behind it i think you can drive that phishing down um that's important but there's a lot of other aspects passwords and and uh lots of other social media how you know variety of different topics that are really important there to engage your staff in um so you can test them in a wide variety of ways and make sure that you are constantly improving constantly getting better i i have a bunch of slides i pulled out of here i wanted to keep this short i want to get to your questions here in a moment but certainly you can partner there are free resources available and stay safe online i know kristin judge who's our next speaker worked over there uh stay safe online and and uh they've got a lot of great resources available there's others um available as well from nist and and other places um you can go and get involved in cyber security awareness month october is coming up be planning for that now there's a lot of free resources there a lot of organizations like isaac's information sharing analysis centers in your industry offer training as well you can you can talk to them about training that they they work with and partner with a really good security awareness training company like security mentor because we can provide we've been through this all over the world all over government state local um really i run public sector practice but i work with biggest corporations in the world and uh really uh important to have that track record and we can help you and kind of mentor you through the process of making sure that you're changing the culture making it a um making it a a approach that is that is repeatable that is engaging um you certainly want to be constantly uh providing material content that is sticky engaging and that people are gonna love um so with that i know we got about seven minutes left and so i'm going to jump over to catherine or madeline you guys um have any questions come in and uh happy to answer any questions yes so dan thank you again so much for that presentation we do have a few questions in chat as well as we collected a few questions beforehand but just starting with the first question that appeared so this is from john mary and he asked you were one of the earliest and most effective pioneers in getting cyber security established in state government how did you educate people who didn't understand the threat great question john thank you for that um i'll tell ya in the early days it was hard because the focus was all around 9 11. the focus was all around um you know the focus was all around buildings and blowing up buildings and it was very it was very big in the conscience in the mind of americans around um it was about 2002. um i will tell you one thing that really helped us is you know practical business examples so we had just closed a lot of buildings we had built michigan.gov we were the first state to have a gov domain a lot of states have on that uh portals that um you know at that time and of course every state's got portals now um providing uh government services at the time we had taken like literally a thousand different government services condensed them into one portal one set of um you know one set of colors one set of content management system so it was online not in line people could register you know things that we take for granted now like uh getting your driver's license renewed campground reservations practical business things of government paying your taxes online those kinds of things um had just come online they'd close a lot of offices and we help them understand that what's at risk is if this doesn't work people we have to reopen all those offices and we're going to have to bring back all those employees that left on early out so you know there was a financial cost to it they're showing them the risk and putting it in their own language you know going around one thing we didn't talk about today was road shows we would go around annually to each agency and talk about their specific agency the national risk the global risks and cyber but then their risks statewide their risks in their agency how were their people doing in their agency what was their risk profile so putting it in business terms and actually making it relevant for the management and the executives in government that's how we got the buy-in it also helps to have a person at the top who does it but even those early days with governor engler and then governor graham home they really bought in because we made the business case next question um yes so we have another question in the chat asking what sort of resistance have you encountered in your quest to kind of educate people about cyber security and how did you deal with it yeah no a great question i you know as i mentioned in the beginning a lot of people think well that's not relevant for me um especially hear things like um you know teach me something i don't already know the things i've kind of mentioned you know i've already heard all this you know come on i know i need to change my passwords um but giving practical tips i know kristin judge who's coming on next was really good at this you know telling people the value of something like two-factor authentication and how easy it is to use it was free the price is great and uh and yet i guess at the time it was like seven percent of america was using it now it's like 25 but still three out of four people don't use two factor for facebook for social media for banking i mean it's unbelievable that they don't use these but understanding the tools they don't have to be hard to use showing them how to do it showing them the value and making it relevant in their situation one exercise we go through in our four hour seminar is we talk about the employees and we talk about what makes them tick some employees are really motivated by family and their home situation other people are more about promotion some people are more about um other things so what are the motivators and making sure your training addresses those specific personal aspects of the training for that individual audience awesome thank you and so another question we have this is more about i guess general cyber security but the question is like i want to start my career in cyber security can you suggest maybe a road map yeah it's a whole it's a whole session 30 minutes just on that one but actually we've done so we have to come back and invite me back and we'll do a 30 minute one just on that topic it's a great question um there's a lot of great programs in community colleges and and uh you know a lot of individuals are involved in cyber competitions now i know you guys are talking about competitions um certainly would encourage you at the high school level to get involved in those cyber competitions around the country there's some great programs in michigan and all really all 50 states have great cyber competitions program almost like we have you know quiz busters you have cyberbusters kind of thing you know really um getting involved in in that um a lot of great cyber security of uh certified programs in community colleges and universities around the country so i i would get into one of those great programs um you know get an internship get involved early get your hands on the people that have been most successful that i've worked with um students were very assertive they stuck with it um they they were willing to go the extra mile and um they they work really hard so have a great attitude um get up get a job you know get whether it's an internship student job very very helpful early in your career and then get into one of those cyber programs nsa certified programs you can look it up there's lots of great programs all across the country thank you we have another question from todd asking do you see any significant difference between how public and private sector organizations approach cyber security uh it depends i mean to a large extent yes that's a lawyer answer right that's every lawyer i know the first whenever you ask him a question the first thing that says it depends you know it really i mean i've known some i always said we have the leaders the followers and the laggers and you have it in all three categories you've got it in in government and you have it in the private sector um we've got some great leaders in government we've got some real laggards in government um and you're i i see that um you know for the leaders on both sides i say there's a lot of similarities they got that management buy-in they got a bottom-up program that people love they got it um really uh engaging interactive i've called out to my friend lear earl duby does a great job he has a global 40 000 people all over the world and in 12 plus languages they're in china they're in europe they do a great job at leer um i've seen some great states north carolina does a great job a lot of really good states that are doing a great job in this um and uh and and and other states that are that are kind of far behind that kind of just do what they have to do and and just check in the box so um i think it's more it's more of the leaders follows the laggards than it is you know all government's good or all private sector is bad or vice versa um i don't want to say that all private sector gets it because i've even known companies that really did a great job i come back three four years later i'm talking to them and not so much anymore it kind of goes in a pendulum swing so you really want to build that culture of security i i say like i'm a big sports guy but like like building a winning football program that wins year after year after year not just a one-time thing and then they never win again but you want to keep it going for the long haul thank you so much um unfortunately we're gonna have uh be out of time now so um so we're gonna move on to kristin judge she's our next speaker and she's the thank you dan um and she's the founder and ceo of the cyber crime support network and she's going to be talking about supporting cyber crime victims