The Great "Automation" Hoax: Why You Can't Automate Security Awareness Programs
STOP TRYING TO AUTOMATE EVERY F*ING THING.
How do you automate logical thinking and the ability to reason? You don’t. Yet this is what a lot of the security awareness mega vendors want to have you believe.
Successful security awareness programs require knowledge of a company’s culture. It is relationship based, it is being able to have conversations around why someone continues a specific behavior. It is about getting involved in the day-to-day issues and problems your coworkers face. Automation won’t give you that.
I’m seeing this obvious trend within the security awareness industry to market “turnkey” solutions for security awareness programs boasting phishing simulations, large content libraries, dashboards, and even automated security awareness programs. There is nothing ASAP about security awareness. Security awareness is intentional, it is deliberately engaging with people.
From the end user experience, automating security awareness campaigns means allowing an algorithm to decide whether or not you’re forced into taking another training module because you responded to a phishing simulation.
Who honestly wants to be blindly assigned training modules? I can assure you, no one does. I sure as f* don't.
No one wants to have a training module pop up at a moment when you’re trying to get something done. I’ve tried it. I’ve manipulated phishing simulation platforms to test this in real environments – you know what the completion/view rate was for those trainings? Nearly none!
Now, I’ve spent many years managing programs for large brands like The Walt Disney Company and Sony Pictures Entertainment. Believe me, if there was any way to actually automate my job, I would have figured out a way to do that and cruised under the radar for as long as I could.
Security awareness doesn’t work that way. It is a hard lesson we have to learn via our own experience. You can’t automate learning in the corporate environment. You can certainly automate assigning a required training and then bugging the shit out your coworkers and employees to complete that training. You can definitely automate randomly assigning employees and coworkers training modules based on actions an algorithm has deemed risky.
Hell, you can even automate sending phishing emails to employees marked as repeat offenders. This is all based on an algorithm written by an engineer with likely zero hours experience building security awareness programs. But it will definitely send phishing simulations whenever you tell it to. MAGIC.
We’re stuck in the space of not wanting to acknowledge how crucial and important the process of security awareness program management is with vendors wanting to push and sell a magic product that “does everything”.
There are core aspects to security awareness programs: marketing, education, and training. Marketing supports the “awareness” function, education supports the learning function (these two together are what will drive behavior change), and training is what drives the compliance requirements in most cases. Phishing simulation being a training function that is universally accepted to be effective, but there is no “set it and forget it” approach that will prove effective.
\RANT\ I don’t understand the mentality from vendors who think you can automate everything. Awareness, as a function, will never be able to be automated until you have a fully automated workforce.
The promise of automated dashboard metrics, automated security awareness programs…is a farce. Sure you can automate numbers to appear in a dashboard - but those are usually sales tactics designed for a demo to sell a product. When this mindset is the force behind a company, and the cause is “marching to an IPO”, then the motivation behind the company isn’t pure. You're just participating in someone else's goal to be the biggest.
What about your program? That's what I'm interested in, how is your program doing? How can I personally help you figure out the hard stuff?
As security awareness practitioners, we should be extremely cautious of vendors promising all of these magic solutions. Those of us in the space know this isn’t possible. You can’t automate a live training session customized for your environment. You can’t automatically assign training based on a single user action.
Investors have become obsessed with the behavioral psychology trend and hype words. Ideas that we’ve been using for years to better our programs and create behavior change are the new buzzwords equally $$$$. So we have vendors spitting out this language and slapping them on their websites and products claiming to be using “proven methods”, without much actual understanding of what they’re selling.
We will not be able to automate ourselves out of this. The only way out of this is through this. We have to be engaged with our programs, we have to have well thought out plans, we have to put in the time, effort, and resources.