Transcript
Conference and Awards. And I'm thrilled today to be joined by Jason Harper. He is a security manager with Uber. And today we're going to be discussing security awareness among some other topics. So let's jump right in. First, tell me a little bit more about you. Tell me about you and the Beyond the Checkbox program at Uber. I'm happy to. Yeah, so I've been working in cybersecurity as a career for a really embarrassingly long time, probably more than 30 years. And today at Uber, I'm responsible for a number of programs, both on the engineering side and the non-engineering side. And the one we're talking about today is in regards to human risk management, which really just comes down to how do we help our personnel cross the globe, understand the risks that they take, help them manage it effectively without really turning them into cybersecurity and risk experts themselves. Yeah. So would you call this a human risk management program? I would, because the primary focus here is behaviors of the personnel themselves. Uber, like a lot of companies, has a variety of types of job roles. You could be highly technical or not technical at all and still be very successful. And we don't try to lean into one job type or another. So there are all types of choices people make in the execution of their roles, and we want to meet them where they are. So we're absolutely managing the behaviors and human risk element of each job role. Oh, yeah. And tell me what kind of problem you were trying to solve with launching this program. So as someone who's worked in a lot of large corporations myself, even before I had a role like this, I had to take training. This is usually a, I mean, and not to steal my own title here, but it's really a check the box type program. We have compliance obligations to meet as an organization for everyone to be trained in cybersecurity and risk. Generally, what I've seen is, you know, once that's done, everyone forgets about it and they go on with what they're doing. And the type of people at Uber and in many corporations is, you know, they're very smart. They're very savvy. They know what they're being measured on and how they deliver their program. And they will take the shortest path to that. So the problem we're trying to solve is how do we encourage personnel to make the right choices as it comes to their everyday job and still sort of play within the bounds of the rules of the organization. And why did you select Hawks Hunt to help you try to solve the issues? So we were looking for a partner that would enable us to deliver a few things. One of them is adaptive phishing. A previous, we were doing this before, it was very quarterly based. It was a, it was very manual to do. So with Hawks Hunt, we're able to deliver adaptive phishing. So for us, that's as you do better, the phishing gets harder. As you do worse, it gets a little easier, follows up automatically with training for you. Also, I have a very strong preference and philosophy around micro-training. So typically, corporate training looks like a multi-module, 30 to 40 minutes, do it once a year. It can just be very dull. So Hawks Hunt enables us to deliver three to five minute training at the time that we detect a particular behavior. And we can do this very, very regularly. So we believe investing in smaller training opportunities, sort of snackable training opportunities, is a better path. And then finally, it allowed us to gamify the security awareness. So people get badges and awards and, you know, they feel good after taking the training. What results did you find most impressive about it? So, I mean, I would say the most subjective one is people responded positively to us without us asking. So I would get emails or Slack messages about how great they thought the training was and how because of its opportunistic nature, when they did something, it was right on time and it made sense to them, right? So we got lots of really positive results. I can't speak for all the awareness people out in the world, but it's very unusual to get very positive results for making people take training. Additionally, there's a lot of apathy in the corporate world for training itself and for the results of it. And we found that once we were really able to measure response rates and engagement rates with Hawks Hunt, we could see the numbers going up. And that told us that people were much happier to engage with it. They found it valuable. We could see it in the numbers from the platform itself. And even in just phishing reporting rates, I mean, you have a couple of choices, right? You can delete it. You can ignore it. You can click it. But getting actually people to report it has been difficult for us. So we saw our numbers go up maybe 3x, which is just incredible for us. In addition, we were able to tie what we were alerting people about behaviorally to our telemetry. So we could actually see when behaviors were moving in a positive direction. So if we were alerting people or nudging people about use of, say, SaaS services that we didn't really want them to use, we could see at an individual level, a group level and an aggregate level, that number go down. And so to us, that was a very clear indicator that the training we were doing and the integration with Hawks Hunt was working. Now, what kind of feedback have you gotten from executive leadership about this program? The one constant refrain that we hear is that they really like the empathetic approach we take to training and they like the fact that it is small and frequent enough to keep the topic at the top of their mind, but not so frequent that we're taking away from the work that they're doing and the focus they have from their work. So by keeping the training central to what it is that they're doing, so for developers or for marketing people, salespeople, we really do try to target, you know, what do these folks need to see and hear on a regular basis. So that specificity has really worked in our benefit. What about, you know, you mentioned some feedback from employees that was surprising and kind of out of the blue. Any other feedback from employees or even, you know, from other security team members on the program? You know, it does become kind of a meme inside of Uber. And what we notice is, and I think this is across the board, you know, enterprises send lots of emails for people to do things and they really don't look much different than phishing emails. And so, you know, in our in our Slack channels, we constantly see messages marked with a Hawks Hunt emoji because everyone is now suspicious. And I don't think it was our intent to make people very paranoid, but it is really wonderful to see that people are taking a second look at everything and really asking the question out loud, am I being phished? Like, is this something I need to worry about? And we jump in, of course, and we tell them, you know, we don't leave them panicked for too long. But before, we would never see anything like this. People would just click it, ignore it, delete it, whatever. But it's just really great to see the engagement. Who would you recommend Hawks Hunt to? Everybody, really. If I had a peer who was looking for a human risk management platform that they could start their program on or build an advanced program on, I would recommend Hawks Hunt. Great. All right. Well, Jason Harper with Uber, thank you for joining us today. Thank you. It was great. And thanks to you for watching. I'm Joan Goodchild with CSO. We'll see you next time.