
4 Levels of Human Factor Security with Roy Zur

“Cybersecurity is changing rapidly. Whatever you learn in cybersecurity today is valid for a few months, and then you need to reevaluate it to acquire new skills and new knowledge.” - Roy Zur

Many believe that cybersecurity is for high-tech professionals only. It’s important to know that employees at every level can accidentally open the door to your network. Today’s guest is Roy Zur. Roy is the founder and CEO of ThriveDX for Enterprise, a global education company committed to transforming lives through digital skills training and solutions, and to addressing the human factor in cybersecurity training. Roy is a 15-year veteran of the Israel Defense Forces, where he served as a major. Roy also serves as an adjunct professor in Risk Management and Cybersecurity. He is the founder and chairman of the non-profit Israeli Institute for Policy and Legislation and a member of the Forbes Business Council.

“There is something about cybersecurity that people are afraid of. There are aspects of technological challenges. But cybersecurity is more of a business issue and human factor issue than a technological one.” - Roy Zur

Show Notes:

“This is something that every business needs to understand: The human factor is the biggest risk for the organization.” - Roy Zur

Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review. 

Transcript:

Roy, thank you so much for coming on the Easy Prey Podcast today.

Thanks for inviting me.

So, can you give myself and the audience a little background about who you are and what you do?

Sure. I'm the CEO of the enterprise division of a company called ThriveDX. Formerly, we were known as Cybint, this specific division. I started my professional career in the Israeli Cyber Intelligence Units. It's the unit called 8200. I served there for about 10 years in different cybersecurity and intelligence positions, mostly on the operational side and intelligence side.

One of my main responsibilities in that unit was actually to be in charge of reskilling cadets in cybersecurity from what we call “zero to hero.” These were high school graduates, 18-year-olds, coming to the unit with no experience. I've learned there that you could actually take someone with no experience, and in a matter of maybe three to six months, turn them into a cybersecurity professional. That's actually what led my decision later, after my academic studies, to also pursue this as a career path for me.

I know when you have your cadets, you only have them for a couple of years. It's got to be a pretty challenging environment to take someone with no cybersecurity background to practicing, and then have them age out, so to speak, and then have a whole new crop of cadets.

It's a huge challenge because the compulsory mandatory service in Israel is about three years, the basic part. In that case, you actually lose about a third of your entire workforce every year because people are leaving. The next challenge is also the people that you can actually bring are only high school graduates because the service starts at 18 years old.

It means that you need to build your entire talent acquisition and talent curation strategy internally based on this group of people. You can't bring people with PhDs and people that have five or 10 years of experience. You have to build this thing from the ground up. We came up with accelerated learning concepts in this unit of how to take someone and really accelerate their learning through a concept called bootcamp.

It means very high-level intense training. It's like morning-to-night training every day to actually get you immersed into this field. And it's proven. It worked for us. Today, Israel in this cyber unit is maybe one of the leaders of cybersecurity globally.

Wow, it's amazing. Did you find that there were certain characteristics or personality traits of some of your cadets that led them to excel over others?

Definitely. That's a good question because, in general, it's not just about the training, but it's also about the screening. Meaning, the type of candidates you need to identify for these programs. You have to have the right candidate and it's not necessarily about the hard skills. It's not necessarily about actually knowing how to code or how to hack. It's more about your attitude and aptitude.

From an attitude perspective, you have to be a very curious person. You have to be a person that likes to investigate, that likes to get to the bottom of things, asks questions, and be curious enough to actually pursue different challenges and pursue different clues until you find out the reason, and this is really important.

You also need to make sure that this person from an attitude perspective has enough motivation, because there are some tedious aspects of cybersecurity. It’s not all about fighting the bad guys. There are a lot of things that you have to do with reviewing some logs and going after some rules. This is not for everyone, so you need to have someone that has enough motivation for this.

From an aptitude perspective, you need to make sure that these people can learn really fast. Cybersecurity is changing rapidly, and this is not something that you learn once, and then you can continue with whatever you learn for the next few years. Whatever you learn today in cybersecurity is valid for a few months. Then you need to revalidate it to acquire new skills and acquire new knowledge. So these are the main attributes or traits that we were looking for in people.

It's that person who likes to pull on threads and see anomalies in the data when they're just skimming through stuff.

Exactly. Even in this group of cybersecurity professionals, you have subgroups. You have people that are going to threat hunting, or people that are going to SOC analysis, and people that are going through secure code. These are also different people, but they do have something in common with this, which is curiosity and an interest in actually finding the reason behind things.

Did you find it challenging, like you talked about coming up with a curriculum and a process? It's one thing if you are a college professor teaching history of the 1800s. The history of the 1800s doesn't change every three to six months. But what you're doing, I'm sure there's a core that stays the same, but there's a certain amount of the training that has to change, because cybersecurity is evolving.

You can assume that about 20-25% of the curriculum changes on an annual basis, or at least evolves or is updated on an annual basis. So on average, every four years is probably a totally new program. To do that, no matter how good you are as an educator, as a cybersecurity education specialist, you actually have to be connected to the field. You have to work with the people who are actually in the industry, the government agencies that are dealing with that.

In general, our approach, it was true for the military and it's true today. What we're doing at ThriveDX is actually working with educators, industry experts, government experts, and constantly reviewing the threats and constantly identifying what is changing, what tools are available, what processes are available and keep updating this in the different curriculum that we have.

Is it challenging making that switch from, you've got people who have to be there, and you've got them for 24 hours a day effectively, to all of a sudden moving over to a corporate environment where people have families and kids and go home at the end of the day, trying to apply some of that same bootcamp mentality to a different situation?

Definitely. It's not for everyone and we have different models. First, not all of our training is bootcamp style. So the corporate training for people who are already working in a corporate environment in different groups, not just cybersecurity professionals. These can be cyber professionals, or application security experts, or IT people, or just general employees that require awareness.

There, the concept is totally different. It's a lot about micro-learning, very short training, focused training that takes into consideration that it's a work environment, you have limited time, you still have work to get done, and you also have your life and family and other stuff. This is, of course, on the corporate side.

We do have our suite of products. We do have bootcamps still, in this case, some of them are part time. So these are actually good for people that are working and not this from day to night, 24/7. But surprisingly, you'll find some people that actually prefer to take off like two or three months of their professional life. They still have their personal life, of course, in the evening, et cetera, but kind of like saying, “You know what? Now I'm going to get myself immersed in cybersecurity for two to three months.”

Maybe these people are right now unemployed. Maybe they're between jobs. Maybe they decided to shift their career and start something new. They actually prefer, in some cases, to take our full-time programs, which we also have available. We actually find people that can do it. The results are amazing, because it’s changing their entire mindset because they're doing it day, after day, after day for three months. This is really, really intense. This is really successful.

When you have people looking into cybersecurity, are there any common misconceptions about the field?

Yeah. I was one of the keynote speakers at a conference a few months ago, the NICE conference, the National Initiative for Cybersecurity Education by NIST in the US. Actually, the topic of the entire conference, not just my speaking session, was demystifying cybersecurity. That was the entire topic of the conference, because there is something around cybersecurity that people are afraid of or deterred by. They think about this thing as a very complicated, very complex field. Super technical. Super technological.

In some aspects, it is. There are a lot of aspects of technological challenges and technical challenges. But in my point of view—and it's not just my point of view—cybersecurity is much more a business issue, or a human issue, human factor issue, than a technological challenge. I mean, if you get to the core of this, this is about protecting assets, networks, people, data, secrets. Protect them against those who are trying to steal them, change them, create something, spy on them.

The mindset has much more business elements to this than the technological elements to this. You actually need to understand what's behind it, the motivations, et cetera. Once you think about it like this and you find out that actually, this is not necessarily just for the super techy people, keyboard kids from ages three years old that started with your keyboard.

No, it's actually for a lot of people. You can find veterans, law enforcement agents that decided to shift into this career. You can find financial analysts that now become cyber analysts. It's actually a field that is open for many, many different people.

Let's talk more about the human factor because I think a lot of times we think of the hard skills of coding and things like that. Can you elaborate more on the human issue?

In our point of view at ThriveDX in general, the human factor needs to be like its own category in cybersecurity. When you think about cybersecurity as a field, you have different categories. You have things like network security, or cloud security, or endpoint security. To every one of them, you have different tools and solutions that can solve the problem, patch a problem, and find a solution.

The problem is that eventually, when you think about cybersecurity and eliminating the threat, it's not just about these technologies. There's also the human element to that. There are different aspects that when we think about the human factor in cybersecurity, there are different groups within your organization that have access to data or to code or to the network, or are actually managing the security of the organization.

Their knowledge, their skills, their capabilities on solving the problem, or even identifying the problem are actually key to the security of your organization, much more than any other system that your organization could put. 

So human factor security is about patching the human brain, in a way. It's like if you patch a system, here you need to patch the human brain, and the human brain needs to be repatched again and again, because it doesn't stay. It's not a static thing. It's a changing thing. You need to continue identifying the necessary skills. That's something that every company needs to understand. The human factor is the biggest risk for the organization.

If you're looking within the human risk, are we talking, like, social engineering training, how to identify phishing, and things like that?

You could divide the organization into, I would say, four main groups. The first group, which is maybe the biggest group, you can even call it everyone, which is the general employees, the workforce of the organization, which is everyone that has access to any system. It can be a laptop, computer, or mobile device of the company. Everyone that has access to the system, which in modern organizations, you're talking about like 95% of the workforce or even more. Everyone that is actually working with a system of the company.

These people need to be “patched” or trained for things like phishing, social engineering, awareness in general or beyond the awareness, having understanding of how hackers and these adversaries are targeting them. They need to be trained in a way that will actually change their behavior. Just to know that something can happen, or to be aware of that, doesn't necessarily mean you're going to change your behavior. We all know this from our lives. We know a lot of things are not working. They're not good for us and we still do that. So that's the first group—everyone.

Then you have another group, which is, let's call them the technological professionals in your organization. They're not cybersecurity professionals, but require cybersecurity skills. They require cybersecurity skills, because they deal with things that have a huge impact on the cybersecurity of the organization. 

The best examples are the engineers and developers. They actually develop the code of the systems of the organization or code of systems that are going to customers. Their lack of knowledge in secure code and application security is critical, because that's what creates the vulnerabilities. So that's the second group. 

The third group, you can think about the executives in the organization. These are actually people that are not necessarily technological, but their decisions are going to have a huge impact on the organization. These can be financial executives, risk, compliance, supply chain. All these people make decisions that affect security.

The last group, the fourth group, is actually the cybersecurity professionals, which is the smallest group, but still needs hands-on skills in security. When you think about the organization, you need to make sure that every one of these groups gets the necessary training, skills, and knowledge to perform.

So the information that you're teaching each of these categories of people is fundamentally different.

Totally.

I assume when you're talking to the corporate execs, it's more about getting buy-in to empower the other three groups to do what they need to do. I know 10-15 years ago, if you tried to go to an executive and say, “Hey, I need a couple of million dollars for cybersecurity,” they would laugh you out of the room, because, “who's going to target us? Why? What do we need to worry about? We don't have anything. We don't have any state secrets here. We want to give that money to the marketing department.”

Exactly. Today, the challenges may be different. Today, they understand it's a huge risk, but some of them, and I myself, I'm even teaching cybersecurity at an MBA program in one of the universities in Israel. One of the things I hear from the executives there—it's an executive program—I hear that they are in this situation where they know cybersecurity is a huge issue, but they feel they lack the knowledge or skills to even ask the right questions. Then in a way, now they're actually providing the budgets, but they feel they're forced to provide the budget because of these doomsday scenarios that are being presented to them.

If you think about this, we're addressing this in a professional way that will allow them to make decisions. This is actually shifting, and now they need the skill. Definitely, the different skills and knowledge for every one of these groups is significantly different, but also the delivery method is different.

For example, a developer, most developers, wouldn't want to watch videos or play general games. They want to review the code. Show them. If you want to teach them cybersecurity, teach them through the code. Show them the code, show them the vulnerabilities in the code.

They're used to reading code and reviewing code, versus IT professionals that maybe will prefer something that is more video, versus a cybersecurity professional that would prefer to hack into the lab, and an executive that maybe prefers a live workshop, something that is much more interactive with maybe a facilitator or moderator. These groups not only require different knowledge and skills, but also different delivery methods.

You definitely don't want to put code in front of the marketing person or the pretty delivery stuff in front of the cybersecurity expert. “I just want to get into the code. I want to see how you got into my system.”

Exactly. “Why are you wasting my time on these things?” Time is super and you know that in the corporate environment. If you compare the corporate environment to the education environment, maybe in education, university, spending more time is considered better. You spend more time in a longer degree, in a longer program.

But in a corporate environment, it’s actually the opposite. Spending more time on something, meaning that this person is not working on an important task of the corporation. It's also about being very focused and giving the people the training of everything they need, but only what they need, and not going beyond general enrichment that's not relevant at this point.

But that's going to be a hard obstacle to work within. We need people to be competent in what we're teaching them, but we don't have the luxury of 16 courses that are each two hours apiece on eight different topics. You've got to turn it around and give them the most important material in the shortest amount of time.

Yeah, and it's going back to the same accelerated learning concept. In any topic, in any subject matter, you can always learn more, and it's never-ending. In every field, it's never-ending. I think the question is—it’s like the 80/20 rule—you need to identify what's enough to start working, and then the rest will be on-the-job training, will be something that will let you learn as you go.

You have to understand what's the core competencies that someone needs for a specific position. Once you identify this, then you focus on this. Then later if there's more time, if the person is interested, if the organization is interested, then they can go beyond that. But that has to start with the core.

How much time does it take to provide training to each of these four categories? Some more and some less?

If you think about awareness, or beyond awareness, like the training for everyone, that usually is only a few hours per year. For some organizations, it’s like three to four hours a year. Others even go up to 10 or 12 a year. But more than that, it's just not very effective and people lose patience. They don't really want to be part of that.

The way to do it in a smart way is make sure that the training is being led by a real-life event. I'll explain. Instead of just putting thousands of people in front of a generic video and telling them to watch this, and then answer questions, that's not really effective, (a) because you don't know if this is the right training for them, and (b) they're not really emotionally involved in it. They'll just do it for compliance, maybe, but that's it.

Think about something else. What if, instead of saying everyone needs to learn this, you are actually creating a simulated phishing attack that the employees are not aware is coming. The organization, of course, is aware. Based on the results of the phishing attack, the different people and different employees are getting training directly on the mistakes they made in the phishing attacks.

For example, there was a phishing attack around clicking links. The 10% of the organization that clicked the link is now immediately being transferred to an online training about why clicking links is dangerous and what you could have done. Your action and the immediate reaction to this action is something that is much more effective because it's creating this emotional, “Oh, wow. I actually made this mistake right now. I could cause a huge breach for my organization.”

For the awareness, I would say a few hours a year combined with, on average, not less than four phishing simulations or attacks on an annual basis, like once a quarter, at least. Some organizations even do 10 a year, but that's maybe on the high side.

For the developers or for the executives, I would say that's also not more than probably 20 hours a year. Some organizations go up to 40, like five full days a year of workshops. I would say 20 to 40, that's the typical executive training, which is more in-depth. This usually includes workshops, some working with the trainer that is qualified to answer questions, et cetera.

On the developer side, that depends. The training itself has to be very short. Short, meaning five to 15 minutes, probably closer to five on every segment. With developers, that would actually allow them to explore themselves. I wouldn't force developers to sit for hours of training per year. Again, I don't know all of the developers, but in general, as a group, it's a much less compliance group.

The developers, it's much more they want to do what makes sense for them, and I would actually get them excited about security by actually showing them the code of real breaches and exploring the breaches. I would say probably less than 10 hours a year, but divided into many, many small segments of five to 10 minutes.

With security professionals, that depends. If you are just starting security training, if you're just getting into the field, then the average bootcamp, not just by ThriveDX, if you also look at the market, our bootcamp is about 480, almost 500 hours. The full bootcamp, very intense. If you look at some other bootcamps that are maybe shorter, could be 250 hours. 

We also have an extended version of the bootcamp that can be more than 500 hours. If somebody will tell you, “You can go from zero to hero in cybersecurity in 40 hours,” it’s not possible. Not that I know of. But you also don't need three years. You could do it in three to six months, or six-plus months, not full time, and learning these 400-plus hours, and you'll be very successful.

Let's go through each of these groups again, and let's give what you think of as the core learning for that group. If you're talking about everyone, we've talked about phishing links with like, “Hey. Don’t just click on things when emails arrive. Have a certain amount of suspicion about anything that comes out of bandwidth.”

I think in a way, there is a concept in learning and education. It's called Bloom's Taxonomy. Bloom's Taxonomy defines the levels of, let's call it learning and education, that you reach. The basic levels are what is known as remember and understand. This is something that I would say the awareness group, or the general employees, that everyone needs to have.

You need to make sure that your people first remember. They remember the do's and don'ts. They remember that's the basics. They can go beyond that, but you can’t go below that. But beyond that, they actually understand. This is where you want them to remember and understand. 

Now, the next group, the executives, or decision-makers in general, they also need to apply. That's another level. Of course, they also need to remember and understand. You have to remember, understand, and they need to apply. They need to actually make decisions based on that and apply them to their organization, to the departments, et cetera.

Then the technical groups that are not cybersecurity professionals, like the IT, developers, et cetera, I would say in Bloom's Taxonomy, they analyze and evaluate. They actually use the cybersecurity skills and knowledge to analyze their work, to analyze the code, to evaluate their code for example, to analyze the network, and to evaluate the network.

The next level, like the actual cybersecurity professionals, comparing it to Bloom's Taxonomy, they actually create. If you think about learning, when you can actually create new stuff, new knowledge, then you actually completed the entire process from remembering something, understanding something, applying it, analyzing it, evaluating it, and eventually creating something new.

We expect that our security professionals will not only be able to, again, understand or apply something, but now to create something new. For example, to understand how they would take what they've learned. Now, they create a new concept for their own organization that is different. That’s, I would say, from a pedagogical point of view maybe how I would address these different groups.

Yeah, because you don't want to overwhelm people with more than what they need to do and what they need to function in their roles.

Exactly. Look, people that want to move up in the hierarchy of their knowledge and their skills can definitely do that. People can learn more, people can grow into different positions, and you find people that start from just taking awareness courses to saying, “Wow, it's interesting, and maybe I'll learn more and learn more.” And suddenly, they are shifting into cybersecurity positions. You will find even CISOs—Chief Information Security Officers—that didn't start their career on the technological side. They actually started on the business side or compliance side, and there are different people there.

Do you find the obstacles in the training different for each of the groups?

For sure. I mean, first, what motivates people, or incentivizes them to do the training? It’s different. I would say that the awareness is very much compliance-driven. To be totally candid, most people in a typical organization don't like to do awareness training.

“This is your responsibility. Go watch this video. Take this quiz.”

Yeah, so our responsibility is to make it less painful. It's not going to be amazing. They're not going to say, “Wow. I'm so happy I learned it.” These are the kinds of things that you need to know. It may “save your life” or at least save your professional lives when something happens, but you don't really see how it directly connects through day-to-day.

The first challenge is that different groups have different motivations, different incentives—that's one thing—versus maybe the security or IT professionals that see how the training is directly connected to their professional progress. They actually want to do more training and acquire more certifications.

Again, one thing we need to identify is the motivation behind the learner. In general, in learning, in education, we must move from a teacher-centric, or teaching-centric, approach to learner-centered approach. Meaning, the learner is the focus. It's not about the teacher, no matter if it's online, or if it's live with an instructor or whatever. This is something that we have to think about the learner when we think about the different groups. The motivation is really important. 

Of course, also, the content, the delivery method, as I said, is something that needs to be different. So you need to tailor the delivery methods for the different groups. So again, this is different. 

But still, I see this as one suite of the human factor category. I don't know if you compare it to the Office Suite—Excel, Word, and PowerPoint—they have different purposes. They're being used by different professionals, but they have something in common around as a suite of office solutions. In this case, there is something in common around human factor security.

It's all tied in with the people in some way or another. We talked about the executives. Do you find that executives are much more cognizant? They understand the importance of cybersecurity and the ongoing effort, or is it still a bit of a challenge to convince them?

It really depends on the industry, vertical, geography. There are a lot of studies globally where you can see differences between countries, when you think about executives in different countries or assuming the executives are also dictating their company's decisions. You see how some companies and some areas are more mature. 

You see industries like the financial industry, healthcare industry, government, that are more mature in the cybersecurity understanding and posture because they were also targeted, and other industries that are maybe still behind or catching up. 

In geographies, you see some countries. I think the US is better than most of the world but still maybe a bit behind some other countries globally in understanding the importance of cybersecurity from a business perspective.

You see some regions in the world that are, I would say, 10, maybe 15 years behind. They will need to move much faster. They need to accelerate the change. I would say to executives, indeed, that different companies in different regions are very different, but in general, we see this improving year over year. 

People do understand. And because of a cybersecurity attack or a breach, it's not a matter of if; it’s a matter of when. Every executive will have to face this at some point in their career. Even if they are not convinced now, then they will be convinced after the first breach or the first attack.

After it happens, they'll be convinced. Are you seeing more small businesses taking cybersecurity seriously? To me, if I'm looking back 10 or 15 years, a lot of small businesses were like, “I don't have tons of financial data on people.” Because they looked at it as a risk profile. “I don't have billions of dollars in bank accounts. Why would anyone want to attack my business of 50 people?”

It's interesting. On average, small- and mid-sized businesses are actually affected by cyber breaches and cyber attacks even more than the larger businesses. I'm not talking about the number of attacks or the size of attacks. But if you compare this to their size, if you compare the losses caused by the cyber breach versus their total revenue or their total value, then you see that small businesses are actually affected more seriously by cyber.

So regardless if they are taking this seriously or not, they should. Now of course, small businesses have a lot of challenges to deal with. Cybersecurity is just one of them. They sometimes don't have the resources or the people, which is a big, big challenge. There is a huge talent shortage in cybersecurity, so a lot of them are going to MSPs or MSSPs—managed security service providers—to support them.

Not everyone understands the need for cybersecurity.

I see a shift there. But still, if you compare small business to enterprise, definitely you'd see small businesses that still don't understand why they need it. Unfortunately, this is where a small business that usually decides to take the training, it's usually either they got hit and they understand now they need to change their behavior, or in some cases, the second popular thing is that they're also a vendor of a larger organization.

That large organization is forcing them to do that. Either going through some compliance process, or it's a regulated environment, a regulator told them. Small businesses that decide out of the blue to say, “You know what? Cybersecurity is important.” There are a few. Not many.

I suppose a few insurance companies will force their clients to take cybersecurity measures.

It's a really, really important point what you're saying right now—the insurance companies. We have a lot of discussions with insurance companies, and around cyber insurance in general. We do see that cyber insurance right now is starting to force businesses that if they want to get the policy—it’s not even to affect the premiums, even if they want to get the policy—they have to put in place several things.

One of these things now is awareness training. Beyond awareness training, and more and more insurance companies will not give you a policy if you don't do that. That could actually educate the market much faster than any education company could.

Yeah. As we wrap up here, are there any particular resources that you have available for people who want to learn more about cybersecurity education?

On our thrivedx.com website, we actually have blogs, resources, and very professional articles about different topics, from awareness to application security, et cetera. For the developers among the listeners, we also have a website called application.security with a lot of different challenges and free practice environments based on different breaches that actually happened.

In general, we have and we believe as an education company that first we need to make sure that everyone has access to resources and awareness of cybersecurity. Of course, we have these available for the general audience.

Awesome. If people want to find you or ThriveDX online, where can they find you guys?

They can go to thrivedx.com. That's the main website, and there are several segments there. So we have segments for education institutions, segments for enterprise, and also segments for individuals and talent that we provide. I would say the main domain side.

I'm also available on LinkedIn, Roy Zur. I'm happy to connect there and share ideas, thoughts, and opportunities. We do it a lot. We also have some other groups or other websites in the group that are dedicated to specific audiences. I would say the most popular one is application.security, which is specifically for developers and engineers. It’s very popular among developers and engineers with a lot of free content and exercises.

Awesome. Roy, thank you so much for coming on the Easy Prey Podcast today.

Thanks for inviting me. It was great being here.
