Register now for the Open Source Security Summit on December 7, 2023!
In 2021, Bitwarden held a security expert roundtable with cybersecurity industry leaders for the second annual Open Source Security Summit. Executive Director at the National Cybersecurity Alliance Lisa Plaggemier, Associate Professor of Cyber Studies at the University of Tulsa Dr. Sal Aurigemma, and Partner & Head of Cyber Security at Zuhlke Dr. Raphael Reischuk shared their perspectives about public/private cybersecurity partnerships and collaborations, fostering cybersecurity awareness amongst the public, and open source security trends and challenges. The Q&A below, as led by Bitwarden product manager Gina Tran, captures their viewpoints.
Gina Tran: To kick things off, what advice would you give security leaders that are trying to improve security practices within their employee base?
Lisa Plaggemier
I think we have to stop using FUD (fear, uncertainty, doubt). We’re a glass-half-empty people in the security world; you just have to get on Twitter for five minutes to see that. Some of us get a little grumpy about security. We use militaristic language and the average person is going to have a fight-or-flight response to that and disengage.
We should be selling positivity. We should be talking about the peace of mind you get from using a password manager and the speed and convenience from using one, instead of talking about all the scary reasons why you should use one.
Training and awareness programs should be positive and empowering. Fighting bad guys is empowering, if you have the right tools to do it. I’m a big advocate for letting the marketing professionals sell people on the positives rather than using hackers in hoodies and FUD language.
Gina Tran: Raphael, your thoughts?
Dr. Raphael Reischuk
I think one of the fundamental things is to make people personally concerned about cybersecurity. It’s not good if we only think other people are affected or some business is affected.
Each and every one of us can be affected. The only way for us to get this mindset right is to go with the paradigm of ‘hack yourself first’.
I’ve had very positive experiences getting other hackers to hack your organization. This sounds very strange and people are concerned, but you don’t tell anybody, you just tell the CEO. Once you do it, the results are amazing. People are overwhelmed. They are thankful. They don’t blame you for doing that but instead say ‘this was one of the best exercises we did’.
I like the approach of creating awareness not by telling people ‘look, this is what you have to do’ but instead ‘look, this has happened to us and we should be thankful it’s not a real attacker’. I think this is the mindset we need and I’ve had very positive experiences with this.
Gina Tran: Dr. Aurigemma, what would you add based on some of your academic research?
Dr. Sal Aurigemma
I think Lisa and Raphael are right on point. One of the big things about not hitting just on FUD is overwhelming people in their ability to respond to danger. Do people run away from it or do they take actions to try to protect themselves?
What Raphael is talking about is making it real, making the threat real so it’s not foreign, and what Lisa’s talking about in terms of providing that positive support.
OK, so there’s a threat. You know it can impact you and your organization.
The good news is, there are things you can do to mitigate the threat. If you build that into your training activities as a part of your everyday workflow, then your cybersecurity hygiene is going to increase because it’s something you can do versus somebody else’s problem.
Gina Tran: Dr. Aurigemma and Raphael, you two come from a long history of academia. How do you think businesses can work with academic institutions so that students can better instill security practices before they enter the workforce?
Dr. Sal Aurigemma
This is kind of like telling on academia a bit, but I think many universities like mine have good relationships with organizations that employ our students from an HR perspective. But rarely do we get any feedback from employers about what our students are doing well or poorly upon entering the workforce from a security perspective. The openness that academic institutions rely on to thrive in an academic environment is not the most conducive thing to building sound security practices as our students head into the workforce.
Those of us that teach cybersecurity, we’re much more likely to incorporate knowledge and skills into our curriculum that build on security hygiene, but we’re in the minority of classes taught at any university or college.
So, for instance, I require all of my students to use Bitwarden and multi-factor authentication for their various projects, whether it’s coding or infrastructure, and then any accounts they need to build - but I’m in the minority.
The best way for employers to affect what we do in academia in terms of building up our security hygiene is to provide feedback in ways that matter. Nothing speaks louder than a donor organization asking for something in return or an organization telling an institution they need to improve student security hygiene in order for continued recruitment.
Businesses that support internships have a lot of influence in preparing students for security expectations when they enter the workforce.
Gina Tran: Raphael, what would you add to that?
Dr. Raphael Reischuk
What I see is that people from the academic point of view have questions like, how is business, what are the challenges you are solving for the clients and the customer out there, and often they have no idea.
So what we do is go to the universities and give talks about actual projects and actual problems we have solved for them. And then students start realizing, this is far away from what they’ve been taught in classes. Of course, you need the fundamentals and you need the basics for sure, but reality is often different.
You don’t break cryptography, you bypass it. And this is something people probably don’t learn in a cryptography class. So I believe an exchange, a close exchange between businesses and universities is key. And, it helps both sides.
Gina Tran: Dr. Aurigemma, you were awarded the Collins College of Business Teaching Excellence Award. By 2027, companies are expected to spend $10 billion on security awareness training, even though every new hack shows that it’s not always effective.
What guidance would you provide on how companies can better teach and educate their employees based on what was effective with your students?
Dr. Sal Aurigemma
I don’t think anyone will be surprised to hear that teaching difficult concepts, such as those associated with cybersecurity, is not cookie cutter where one method is successful for all types of people and learning types.
For every class I teach, I need to know my students - their baseline knowledge, their demographic differences, and how they react when they do and do not understand something they’re being taught. There tends to be different categories of learners and communicators. The same goes for security awareness training in any organization.
I have not come across many organizations that have security awareness training other than one-size-fits-all and they’re surprised that they don’t get great results across the spectrum of their workforce.
Does your organization capture pre- and post-training knowledge metrics and do you use that to re-examine how you’re doing your training? If you don’t, you should - and if that sounds like work, yes, but that’s work you should be doing.
I talk to a lot of organizations who do phishing tests. And the conversation goes something like this:
“Great, what do you do with that data?”
“We report metrics. We report the percentage of people that clicked on the link. Then we talk to them.”
“Great, how’s that going?”
“Pretty much the same over time.”
Clearly we have a problem here. There's a mentality where they say ‘I have a requirement to do security awareness training’ so they do it to check off the box.
Businesses need to embrace the effort it takes for people to really understand your employees and what can help them learn more effectively.
Gina Tran: Lisa, similar question. On your LinkedIn, you state ‘what’s the difference between user behavior and consumer behavior? Nothing.’ You talk about using global marketing/advertising to sell employees on improving security habits.
How can businesses sell on why better security matters?
Lisa Plaggemier
Well, I completely agree with what was just said. If I take a marketing lens to training and awareness - and having worked in training and awareness for a long time - I'll admit that most of the content out there is kind of lousy. You have to look really hard to find really great training content, so a lot of folks are creating their own.
For example, if I was a marketer trying to work with Ford for a long time, trying to sell you a Mustang or an F series pickup truck, I’m not going to have a one-size-fits-all message. Marketers and consumer companies go to great lengths to cohort data, customize, and personalize as much as possible. And I think that's going to be the future of awareness programs.
There are lots of tools out there to do that from a corporate comms perspective. We just haven't gotten to the point where we're leveraging those in security training and awareness yet. I was doing some of this manually when I was running a program.
If I’ve got a software developer and looking at the data I can see they’ve read a newsletter article I’ve put out, they’ve been to our security portal page on AppSec, and now they’re probably ready - if I think about it as a sales funnel, I’ve made them aware and I’m pulling them through that funnel. We get to the point where they say ‘yeah, you know what? I really want to take OWASP Top 10 Training’ instead of us pushing that training at that individual.
I had a VP a long time ago who used to say: don’t feed him lunch, make him hungry. We have to take that same perspective with training and awareness. We have a tendency, because we’re very passionate about security and want people to stay safe, to give them all this great advice all at once. It’s overwhelming.
The advice I give to a software developer is going to be very different from the advice I give my mom or my kids. I believe the future of security communication will center on personalizing and customizing messages, training, general awareness content, and the information that we put in front of people.
The threats to somebody in accounts payable are very different from somebody in HR to somebody in software development. The one-size-fits-all approach just isn’t working and the content has to be engaging. I want to see more consumer-grade content. Something I watch or engage with because I want to, because it makes me hungry to learn more, not because somebody assigned it to me and because there’s a compliance deadline and everybody’s gotta do it.
Gina Tran: Lisa, switching gears. Every October the National Cybersecurity Alliance works with the Cybersecurity Infrastructure Security Agency (CISA), to drive education via a campaign called Cybersecurity Awareness Month. Based on your tenure, what industry changes have you seen in terms of driving cybersecurity awareness?
Lisa Plaggemier
Before I was the Executive Director, I was on the board for a few years running training awareness programs. We leveraged resources from the National Cybersecurity Alliance to run a cybersecurity awareness month campaign at the company where I worked.
We’re changing our focus at the NCA to communicate more to the consumer public. We’re getting good engagement from consumers and mainstream press. No matter how you feel about the mainstream media these days, I think you can say they have their finger on the pulse of topics people want to hear about and there’s been an appetite to learn more about staying safe online.
As I discussed, we differentiate the way we talk to parents trying to protect their kids during back-to-school time or middle-aged folks like me trying to stop their mom from clicking everything she sees. The more we tailor the message to specific demographic groups, the more engagement we see, and those trends are definitely up year-over-year.
I think we still have a ways to go. We did a report this year called ‘Oh, Behave’ about end user behavior, it’s available on our website staysafeonline.org, and it’s all about people’s beliefs and attitudes about security. We still have a lot of communication to do to change consumer perception.
We’re completely redoing our website so it’s much easier for the average consumer to get plainspoken information about these complex topics so they have a place to go and learn things in layman’s terms. So, look for more of that to come from us. We at the NCA are reporting to CISA this week, actually, on the results from this past October.
Gina Tran: Last question for the panel, and I’d be remiss not to ask this at the Open Source Security Summit. How do you see open source software and security coming together, and what are the benefits and upsides to businesses?
Dr. Sal Aurigemma
I use open source security applications in pretty much all of my classes and in much of my research. With the resources that are out there, the community that is providing these tools - it’s not just an application to do encryption, password management, or MFA. It provides an opportunity to educate people on how to use these different technological tools that can help us secure and move our organizations forward.
I enjoy using open source tools in particular because there’s usually a community that comes with it that is there to help people overcome the challenges they’re coming across.
Now, when we have our employers come and talk to our students and they talk about the applications, firewalls, programming, and what kind of tools they use, the students can then understand where the speaker is coming from because we’ve used these tools, or tools like them, in our class. They can understand how a password manager works because we use Bitwarden. They can understand how different VPNs work because we’re using WireGuard.
So, what we’re doing is we’re taking these foundational elements of cybersecurity that are baked into these tools and showing our students how to use them. Then explaining to them how private companies are taking these same fundamental concepts and packaging them so they can be deployed in an organization in a way that moves it forward.
In the future, I see more emphasis, especially from the training perspective, on getting people up to speed. Lisa talked about filling that gap between cybersecurity jobs and awareness.
Open source security tools have a huge place in preparing the future workforce, whether it be current students or people transitioning from different career fields who need to understand what it’s going to take to help secure the nation and world moving forward. Global security starts with individuals.
I think without open source security tools we’re at a significant disadvantage. We need more of them, we need good documentation, we need communities that keep supporting those tools and that spirit of giving and sharing and helping each other out.
Lisa Plaggemier
When I think about awareness, public interest, and getting somebody to the point where they say “OK, you’ve convinced me, I need to use a password manager. Which one do I use?” I think that’s where the message about open source comes in.
When I think of the consumer problem we’ve got right now, it’s both the lack of awareness that solutions exist and getting rid of the perceptions that lead to people distrusting security tools. As I think about open source and security education for the general public, we have to be really careful that we don’t overwhelm people with details that might not be necessary until they’re further into the process. The work we do at the NCA is about raising overall awareness and then the industry folks get into the specific features and benefits once someone has made the decision that they’re ready to use the technology.
Dr. Raphael Reischuk
For me, open source is the fundamental prerequisite for getting security right.
This is one of the reasons my colleagues and I founded the National Test Institute for Cybersecurity - because private testing companies will not get access to closed software companies. Our hope is that we as a national institute can get access to critical systems or systems that have been in use all over the world.
The Open Source Security Summit is an annual confluence of security experts, thought leaders, influencers, and open source enthusiasts. Each year, this summit provides a forum for the conversation about the integral role open source software plays in the security industry. Learn more at opensourcesecuritysummit.com.