Michael Madon is a recognized leader in the field of cyber security and the CEO of Ataata, a universal security awareness platform designed to reduce human error in the workforce. The Ataata platform delivers timely, engaging content to employees and measures effectiveness by converting data into actionable information, formulated to help companies reduce risk. Michael served as the U.S. Treasury’s first Deputy Assistant Secretary for Intelligence Integration. He also served as an active duty military intelligence officer in the U.S. Army and was awarded the Bronze Star. Michael is a graduate of Cornell University, Columbia University and the Wharton School.
Christopher P. Skroupa: What is the current state of cyber security in the modern corporate world?
Michael Madon: “Chaotic” and “haphazard” are the first words that come to mind. The risks and threats are always going to be there, but everyone approaches the problem differently. Show me 10 companies, and I’ll show you 10 different cyber security strategies—there is simply no standard. Security professionals know our field is in a bit of disarray. Unfortunately, hackers do too.
The industry is also facing a certain degree of tool fatigue. There are so many products on the market. Many of them do similar things, and it’s often difficult to differentiate between them. Security professionals typically find themselves throwing a bunch of stuff against the wall, hoping that some of it actually sticks.
But here’s the bigger issue. Too many companies are looking for a technical solution to what is essentially a human problem. Products can certainly help protect data and networks. But even the most sophisticated technology can only reduce exposure so much when a company’s biggest security risk works in-house.
People mess up. Employees make mistakes. And every member of a company’s workforce represents a point of vulnerability. Most security professionals agree that awareness training is the best way to tackle the problem. But traditional training methods (like the industry at large) are all over the map. And frankly, most of them don’t work.
Skroupa: Human error is generally understood to be the biggest security risk most companies face. What can security professionals do to mitigate that risk?
Madon: The first thing security professionals need to do is shift their focus. Unintentional employee negligence is a much bigger problem than intentional attacks orchestrated by malicious actors. Fight the good fight against your enemy, but don’t ignore the friendly fire that can do far more damage.
Depending on which study you read, anywhere between 60% and 95% of all security breaches involve human error. But amazingly, the “people problem” perpetually gets short shrift during spend decisions. Maybe that’s because it’s easier to buy firewalls and endpoint security solutions than it is to deal with Doug in sales, the guy who uses the same password at home that he does at work.
Employees make bad security decisions, largely because they don’t have a reason to care about security. We need to show them why their actions (or inactions) matter, and how their choices can impact the company and their own lives. Smarter training and better content can help do that.
Security professionals also need a direct line of sight into the problem. We can’t change our employees’ behavior until we understand the attitudes and beliefs that inform their actions. There’s no place for guesswork. Strategy must be driven by real-time data and actionable information.
Skroupa: What are the core components of an effective security awareness training platform?
Madon: An effective platform requires two things: exceptional content and insightful analytics.
Traditional awareness training programs typically don’t work because so many companies focus on one component at the expense of the other. What good is your training if you don’t have a way to measure its effectiveness? We have to engage employees in a new way. But we also need to find out what they’re thinking. A successful platform will help us do both.
Human error runs rampant across all demographics, but the problem is far worse among millennials. A younger workforce is prone to take more chances and more likely to act on impulse. When we start with the premise that employees today have shorter attention spans and don’t spend a lot of time thinking about security, it’s critical that we find a way to capture and keep their attention. Fast-paced, entertaining and impactful content can do that. Security topics may be boring. The content we produce about those topics absolutely can’t be.
Security professionals have spent way too much time in the dark. An effective training platform, complete with real-time analytics and actionable information, can help define problems and guide their solutions. We need to evaluate how our employees’ attitudes, knowledge and performance change over time. We also need to know how our people stack up against others in our industry. The data is out there. An effective platform will collect it, analyze it and present it in a way that can be understood easily and leveraged immediately.
Skroupa: What impact can reducing human error have on a company?
Madon: It’s simple math. Reducing human error in the workplace saves companies time and money.
We know that security breaches can be massively expensive. We also know that a majority of those breaches involve the silly mistakes, sloppy choices and poor judgment that result from human error. If we can get employees to stop, take a step back and think before they act, they’ll be more likely to make better security decisions. Smarter choices lead to fewer breaches. And fewer breaches mean companies will spend less money cleaning up their cyber mess.
Security professionals spend roughly three hours each day dealing with employee negligence. We’re never going to eradicate human error. But reducing it will go a long way toward protecting a company’s systems and data. It will also allow security professionals to use their time more productively.
Nearly half of all companies don’t have security awareness training. That’s staggering and completely counterintuitive. An effective training platform can reduce human error. Ignoring the problem, by all calculations, will not.
Christopher P. Skroupa is the founder and CEO of Skytop Strategies, a global organizer of conferences.