Transcript
What happens when your program plateaus? You've got solid completion rates. People know the basics. The phishing numbers aren't disastrous, but they're not really improving either. Engagement feels flat. Reporting stalls. Leadership starts asking, are we getting real behavior change? To help us unpack this, Ant Davis is joining me. Ant spent more than a decade leading awareness and engagement inside some of the UK's largest retailers, and now focuses on developing the people behind awareness, not just the programs. He's building a community and academy for practitioners who want to move beyond compliance and into real behavior change. Today, we're turning that experience into a practical playbook. How to diagnose a plateau, what actually moves behavior in large, lower maturity organizations, and what you should change right now if things feel stuck. So, hello, Ant. So great to have you with us, and maybe you can introduce yourself to the audience today. Hi, Elliot. Yeah, thanks for having me. I have done security awareness for about 12, 13 years, have built platforms, programs from scratch, and have joined established programs. So there's lots of things. I've worked in organizations where I've had complete freedom to do what I want, and I've worked in an organization where I had very little freedom to do what I want. So challenges, it's never been dull. Let's just put it that way. So yeah, and now, like you say, I'm now focused. I have a great passion about helping other awareness professionals to do better. We all face the same challenges and struggle with the same risks or similar risks. So, you know, a lot of us work in silo, and I'm passionate about bringing us all together and sharing the burden, you know, helping others help each other, essentially. Well, your passion for this subject really does shine through your work and your thought leadership. So it's a pleasure to have you today. And let's just dive right in, and we'll start by defining the plateau. So when you say an awareness program has plateaued, what do you mean? What are the signals you trust most to diagnose that plateau? For me, it's when things can just become maybe a little stale, like stuff starts to just flatline. It might be that reporting rates have just carried on or maybe have slightly declined. Maybe conversations around security aren't happening as energetically as they once were. It could be that training completion is a struggle. Maybe you put lots of effort in delivering training last year, and this year you're delivering the same training you did last year, and getting that kind of user engagement and the momentum. I think momentum is a big thing. If things just start slowing down, then I think you know deep down when things just aren't quite as exciting for everyone as they once were. But obviously, that's just internally. Externally, cyber criminals and attackers are all still very much knocking on the door and trying to get in. So, yeah, it's very important that you identify when your program is starting to plateau, and then address that. How long do you let flat metrics run before you intervene? I think you don't want to have a knee-jerk reaction, because there could be other factors at play in the business, right? It might be that there's larger projects at play, or focus has shifted slightly. So, it's important that you look at why you think your metrics are flatlining, and have those conversations with the rest of your team or your CISO, and assess basically, you know, is there other factors in the business that may be impacting that? And if there are, then when are they expected to end? I think the problem is the slower you go, the harder it is to get more momentum again. So, it's important you remain relevant. So, three months, I think, would be, if I'm not seeing a needle move at all in three months, I'd start asking why, and what can I do to start getting that needle moved again? Okay, so three months, I mean, that's, you know, effectively a quarter. But sometimes we actually have people who will say that they come to us after a year or more, several years of having stagnant rates of engagement. And so, if reporting rates and click rates, meaning simulated phishing email reporting rates, and simulated malicious link clicks, if those haven't meaningfully shifted in 12 months, let's say, what's your default assumption? Is it a content problem, a culture problem, or a systems problem? I get why some people would wait 12 months, first of all, because 12 months, you know, if you're not, I was all over my metrics and all over my program, and not everyone is. So, 12 months is quite a realistic figure for some organizations that aren't hot on it, that haven't really driven engagement. So, 12 months, if things aren't moving, I think you have a combination of culture, you have a combination of content, and maybe systems. I think you need to look at what's not working. One thing I always measure on is how frequently are you engaging with your end user? And I think that's something that not a lot of programs, I know programs out there that don't measure this. Are you consistently connecting with your colleagues, with the people in your business? Do they know you exist? Or are you only knocking on their door once a year for annual training and then phishing emails? So, I think that's a content issue. Is your content engaging? Is it relevant? Do they like it? Have you asked them if they like what they see? Or are you just making an assumption and delivering it? And with the culture problem, I think you need to decide, you know, is cyber security, is information security, whatever your function is called, is it just there in your business because it needs to be? Is it a compliance requirement and that's all it is? Or are you actually trying to make your culture more secure? And if you're just there for compliance, then you're probably fine with your metrics, as long as the auditors are happy. But does that make your business secure? So, it's that whole cultural piece. You need to be in the culture. Don't try creating a new one. A lot of organizations talk about creating a brand new culture. You need to identify your existing culture and then work out how your messaging can fit in around that and complement your existing culture. And that's quite challenging for some organizations because, you know, I changed jobs, two businesses in the same vertical, same industry, extremely different cultures, extremely different risk profiles as well. What they cared about and what they identified as risks were completely different. So, every organization is unique and that's why you in your organization, knowing your organization, really need to look hard on that to find out what's not quite right for you. Yeah, I like that answer a lot. And I mean, it all circles back to culture. But you said one thing that I think shouldn't be overlooked. And you said that you're trying to engage with the audience. You're trying to engage with your users. And I found that to be really interesting is the fact that we're often trying to figure out how that's this, you know, one directional. We're trying to engage with them through these assumptions. But I thought that was really interesting. What you said is that there is kind of a two-way engagement going on. If you're managing a program, even in a large company, like you've worked with, with, you know, thousands of users is trying to engage with them as well and figuring out like what it is that they need. And what does that look like? If you're trying to engage with your users, if you're trying to figure out what it is that they're looking for. Engagement is something that I think is so powerful. I think about the work I've done and the successes that I've had. And I've used so many marketing techniques. Essentially, I've described myself in meetings as the sales and marketing team for secure behaviors. Because we want people to buy into our message. We want people to think about the messages that we're putting out there. So for me, it's really important that you treat it a lot like a marketing campaign. How do I market being secure to my colleagues? How do I make them want to be secure? So there's numerous ways you can do that. And I think things like gamification, making exciting and, you know, adding some intrigue behind it is really important. There's other simple things like I used to run a bi-weekly newsletter for eight years in an organization. And it got excellent engagement. It was delivered pretty much every two weeks. And it talked about things that would be relatable in their home life, at work, and in the news. And people would have conversations on channels like Slack or Teams talking about the content of those newsletters. So they would start conversations. And that's really important. To the other extreme, you know, champions networks are another great way to get engagement. Because then you've got, you know, if you think newspapers used to have a guy on the street corner or a woman on the street corner shouting the headline and handing out the newspaper, that could be your champions. You know, shouting out your headline in team meetings or stand-ups. And that's more engagement. That's more people repeating your message. So they're your influencers almost. That's the new version of influencer marketing is your champions. So all of that helps drive engagement and helps bring your message aligned with the culture. And also then it makes it relatable. Those champions, or if people are talking about security and you can see those conversations going on on Slack, for example, you can find out what challenges they're facing. People might talk about an issue in their area. And all of a sudden, you've got visibility of something that you wouldn't have if you're just talking at them constantly. If you're just talking at them once a year with train, or you're just sending them simulated phishing emails. For me, you need to go beyond that. That's great. And it's really good to help build your brand. But you need to go beyond that. Yeah, that's really powerful. And being able to get some kind of a dynamic and engaging communications signal that's going over to your user group. That's really powerful. And then also deputizing some of your users into champions. I think it's a really powerful outcome of that great bidirectional engagement between the user base and between the security awareness administrator. I think that's beautifully answered. And you first said you talked about yourself as a marketer. And there's a little dirty secret that I think that us marketers and communications people can have is that we are effectively social engineers. We do a lot of the same kinds of things that social engineers will do. But the difference is that our intent is to actually help people. That's why we do what we do is that we're trying to help people. We're trying to drive them towards helping them help themselves by doing some kind of an action, by engaging them, by getting a little bit into the psychological wiring that people have and kind of like pushing on a little bit to get them to do things. So I want to talk a little bit about that, about behavioral science. I've seen you talk before about behavioral science. So I know that this is something that you have a lot of thoughts on. So which behavioral science principles have you seen that reliably change behavior at scale? I think one of the big ones that seems to be popular at the moment, I think has a lot of success with is, you know, things like nudge theory, for example, where constantly at the moment of action or within a short while of someone doing something, getting a message to them going, thank you. So someone reports a phishing email. It's really good if they can get a response quickly to go, thank you, that was a phishing email. Here's how you defended our business or no, that's a safe email. Thank you. So that kind of nudge and just in time kind of learning, I think is really important because then it's relatable and people can tie that message they've just received with the action they just recently performed. With things like if someone reports a phishing email and then they don't hear back for 24, 48, 36 hours about whether or not that was actually a phishing email or not. They won't remember what the email was because they've done a million different actions between now and then. So I think keeping that kind of relevant and keeping it in time so they can still remember the cause and the effect is really important. So what does that look like? How do you apply that in practice? How did you apply that in practice? Tooling is one thing. So tooling like phishing simulation platforms and training platforms, you know, a lot of platforms now have these functions built in because they drive secure behaviors. And it's, I remember a time when the only metrics we used to be able to provide were click rates and that would occupy the board report and training completions. But I think now it's so much more than just how many people have completed annual or quarterly training and what's our phishing click rate look like. You know, now there are all these micro interventions we can deliver in multiple platforms as well, you know, get people where they are. So if it's nudging them on Slack or giving them a Slack message or sending them a message in Teams, all of that is really helpful because people don't just sit in the inbox anymore. I've worked with people that hardly ever check their email and spend most of their lives on Slack. And I know someone in an organization that doesn't simulate phishing at all because very, very few people actually use email. They only use Slack. So the risk profiles, again, are different. You need to simulate what the risks look like in that business and get them where they are, rather than expecting them to come to an inbox and check their email. Oh, that's a great point. Because we oftentimes talk about how you need to get some kind of a training program or a defensive posture in relation to the threats that are coming in. But of course, you have to have something also set up for the actual system that you're operating within too. So that switch from email to Slack is a great example of that. So when you apply a program that kind of moves beyond just that old school click rate and completion rate, and you do these nudges, the just-in-time learning, you're really focusing on the behavioral science principles of learning, of behavior change. of behavior change. What have you seen actually change as a result? I think the one thing, you can look at metrics. And I've seen in an organization where sharing behaviors have improved. So people, rather than making documents available to all, have actually applied security controls. And it's kind of, we have policies that define how we should behave. And this is a really interesting thing, really. And I've seen this a lot. Policies are like written by a team. And no disrespect to anyone that writes policy. Policies have to exist, I get that. But policies often predict this kind of utopian space where this is how everyone's going to behave. This is the law. This is how... They don't always reflect real life. And the problem is, real life for a team writing the policy might look very different for an HR team or a people function or a developer. You know, there's so many different user profiles in a business that sometimes one acceptable use policy written in legalese by someone, because it has to be kind of a formal document. When was the last time you read an acceptable use? I mean, you might, Elliot, don't let me ask you that. But when was the last time, audience, when was the last time you read an acceptable use policy and understood it and followed it to the letter? Probably never. In which case, these just-in-time nudges and these interactions when we're actually performing our tasks are really important to drive that behavior change. And it's almost like an acceptable use policy in real time. You know, it's like, oh, you're not allowed to do that because it says so in the AUP. Here's how you should do it correctly. And those behaviors will then change the next time someone might remember that intervention and then make that change. It's cars nowadays, any modern car has to have, in the UK, and I don't know if it's the same worldwide, has to have a lane departure warning. So when you're driving in a new car, you're driving and you go near one of the white lines, the car beeps at you and gives you a little tug on the steering wheel. And it's really annoying. But it's also quite difficult to turn off. Every time you get in the car, you have to turn it off. So what you do is, my driving's probably got better now because I'm being nudged about like just drifting a little bit or, and it's way too sensitive. But my driving is probably better. I probably drive in a straighter line now because I've been nudged and nudged and nudged. And now I drive straighter. And that's what we need. It's those kinds of things we need to bring in. You will always get the people that will ignore or turn it off. But the majority of people will drive in a straighter line if they're nudged directly. Oh, that's a great visual. That's so true too. Because I mean, when you make these nudges as part of your basic workflow, it's kind of like being on the highway where you don't have to like pull over every couple of miles and like look at a large sign telling you how to drive or telling you to stay within the lane. But when you actually do have that little nudge, absolutely, it's going to give you some kind of reminder that you shouldn't drive sleepy. You shouldn't like, there's all these things that you should do or else you're going to get that little that little nudge. I mean, that happens like without revealing too much about our own system here at Hawksound. But like the other day, I wanted to look at a new AI tool. So I typed it in the browser. I was going to go look at it. And I got a little nudge saying, you know, you shouldn't use this AI tool within this. And if you do use it, you have to talk to the admin. Fine. Fair enough. That there is a perfect example, because how often is someone going to go and check a list of approved software or a list of approved solutions to find out if they can do it? Because they want to use it right now. Like they've got a need. Oh, someone's told them about it or they've Googled it. And that's the answer to the challenge I face right now. I want to go and use that tool. But they're not going to go, oh, where do I find the approved software list? I think it's on, you know, they're not going to do that. They're just going to go ahead and use it. You nudge them in real time. Okay. I'm not allowed to use that, you know, and or they're accepting that risk. And therefore, if something goes wrong, they've accepted it. You know, it's, you know, at least you've nudged them. So they now know that they're potentially causing an issue without that kind of nudge. They just go ahead and use it because people won't take the time to check a list of approved software. Most people won't. Yeah. A hundred percent. Yeah. Really well articulated. And yeah, the visual is something that's just so in line with what we're trying to do. This is kind of a funny question. So what was the smallest measurable signal that told you that the nudges, this whole program, this whole behavior change program, what was the smallest measurable signal that told you that it was working? It's a really good question. Um, I love it when someone comes up to you and tells you about a behavior that they've changed. So, um, I had someone, I did a campaign once about passphrases. So the organization I worked in changed from an eight character password that expired every 40 days to a 15 character password that never expired. So it was aligned with like NIST guidelines at the time. And, um, you can imagine the behavior change piece and that whole cultural shift from for years, eight characters regularly expiring and all of a sudden, 15 characters that it's nearly double the length. Like, well, that's a tough thing to market really. Like, you now have to remember a password that's twice as long and it needs to be secure. And so there was zero complexity on it, we then did a marketing campaign around passphrases. So we ran, um, lots of images. Uh, there was colorful umbrellas in the sky and we said like yellow umbrella central or something like that because in the middle was a yellow umbrella. And then there was rubber ducks running down a gutter. So we were like gutter duck race, I think, or, you know, giving people suggestions so they can visualize their passphrase and use their passphrase. And then I had someone come up to me in a lift and they said, I stepped in the lift and they were like, my new passphrase is really funny. And I was like, Oh, is it? What is it? I don't know. I'm not telling you, but it's really funny and I'm never going to forget it. And just that little, like that little validation that that behavioral change piece, they, they weren't complaining. They were like, it was really funny and they wanted to tell me, but they couldn't. So it was just that little thing, like those little remarks that you get or comments that you get, obviously things like that bring friction, but if you market it well, one good comment, it's often the loudest voices that are the ones that don't like the friction, but that one good comment justified it. And I was like, yeah, I like that. That's good. That's a great one. I love about that comment too, is it's kind of evidence of both like they actually changed the password and of culture change because they knew they couldn't tell you what it was. So there's a lot of kind of a, yeah, it's a real subtext inside of that comment. That's really funny. Yeah. So, and if someone listening here has zero budget and limited influence, and I'm sure that's that someone here is listening to this podcast, which behavioral lever gives them the biggest return? Zero budget and limited influence. One of the things that I and relatability. So understanding what frustrations people might have and also making things relatable to their actual life. If we talk about these great big plans or great big behaviors, they can feel quite alien to an individual whose job is not security. We live and breathe it. So it's really easy for us to assume that everybody's going to be secure and why wouldn't they? But I think if we can make things relatable to their individual roles, their individual lives, even at home, which I've had great success with, then they'll bring those behaviors and they'll understand and they'll empathize with you about why you're trying to make them act in this way. So it might be inconvenient to restrict sharing on a document because what if I need to share it with other people? I then need to go back in and re-share it. So if you want to help them understand why in a way that they would understand, that's really clear. And I think I've recently had something similar with, with my mom. My mom, her email account got hacked recently. And then it was only, she called me and basically said, people are getting messages from me, emails from me. And then this light bulb moment I hadn't configured 2FA multi-factor authentication on her email account because I put it off because I thought that behavioral shift was difficult and I didn't have the motivation to deal with that because it would have been me that had to support. Whereas now that whole mopping up, that whole incident actually took longer than it would have to configure the multi-factor authentication on my mom's account and bring her on that journey. She now has multi-factor authentication. I had to enable it. I should have enabled it long before, but I waited until something happened to do it. And then it wasn't that difficult. So I think that just have conversations, water cooler moments or, or stand-ups with your people and find out what challenges they're facing. Talk to them about stories like my mom getting hacked because someone will go, oh, I haven't got multi-factor authentication on my account. Maybe I should enable that. Or, or, you know, password strings, her password, it would have, they'd have compromised her account because she had password reuse. Not heavily. I won't get into the details about my mom's security posture, but it was an old password. And again, a miss on my part, but have those conversations and explain what can happen. And then they'll go, oh yeah, I use the same password on my email as I do for my shopping. I should change that. Yeah, you should. And that's an example why. So I think conversations and storytelling is really, really important. I probably should have mentioned storytelling sooner. Storytelling is a really powerful tool for behavioral change because it makes people empathize and makes people understand and see it from their view. Most people have a mother or a loved one in their life that maybe isn't that IT savvy, maybe is a little more vulnerable and they're the people that, you know, those stories people can relate to. Oh, a hundred percent, a hundred percent agree on the storytelling. That's a really powerful answer too, probably because you are giving a personal story. And sometimes when you give a personal story and those communications, those engagement communications we spoke of earlier, that can get people to realize that this actually is a really human to human issue. It's not just a compliance issue. It's not just some kind of a protecting the corporation. It is like, this comes back to something that I've thought of for a long time is that I think cybersecurity and cybersecurity awareness has for a very long time been miscast as a corporate compliance exercise when really it's a life skill. And by giving people this life skill through a program, they are able to do what you did for your mother. They're able to come back and they're able to protect their parents, their children, their loved ones, their friends. And I think that's a really a powerful tool that we're giving people. And that's a real motivating part of this whole thing that you're doing with your career here is like, you are actually equipping people with the skills and tools to protect their own loved ones and giving them that life skill. So that's really powerful. And, you know, I think that like, if the beginning of that is just MFA, I think that is a very powerful lever. It's something that most of us don't really do in our private lives. We do it because we're forced to, but that it's absolutely a very important beginning lever. And that's a great story around how it's more than just like do MFA and now you do it. It's complicated for people to implement. Whoever it is, people are not like going to naturally gravitate towards using MFA unless you are maybe in the IT department somewhere. So yeah, very, very interesting story that you told there. The problem, I think this is the problem with a lot of what we're trying to do, because cybersecurity at times being secure is inconvenient. Like it does add extra friction into processes. You know, how many times have you tried to enter a password, like when creating an account and it says it doesn't meet their requirements and you need to add a exclamation mark or a number or that kind of thing, because that's an inconvenience, but there's a reason why that complexity is required on that site. And another example is, you know, getting in a car and putting on a seatbelt. We will know that it's going to save our lives if we have an accident, but there are still people out there that don't put a seatbelt on when they drive. There are doctors who smoke. So we need to help people understand why this is acceptable friction, why it's an acceptable inconvenience, because actually this small inconvenience now could protect you from a massive inconvenience later. You know, just clipping on your seatbelt can protect you from a really big inconvenience potentially later on. So again, companies like Microsoft don't market MFA heavily because it's not going to make you buy their products more. This is a, it's a behavioral thing, which is why we exist as security awareness professionals. And it might feel like a thankless task sometimes, but the impact we have in people's lives, like you say, goes far and wide. We make not just individuals secure, but then if they pass that message on to their loved ones and people in their lives, you know, six degrees of separation almost. You telling one person to enable MFA might make six people safer. So it's an interesting way to think about it. We're all kind of superheroes in a way, with a really strong message. superheroes, in a way, with a really strong message. That's so well put. Yeah, I'm gonna start thinking on what I'm gonna call myself if I have to develop a superhero alter ego, because, yeah, it's true. You are, there's a whole kind of this whole kind of shadow realm that we're entering every time we enter into the digital world, and once you're in there, you know, someone who you normally wouldn't be very afraid of if you saw them on the street is all-powerful, and they become arch, you know, they become big villains, and you have to somehow develop your super powers to keep them from doing all kinds of nasty stuff to you and your finances and your data and your privacy. So switching the gear a little bit to, like, training. So when training stops moving the needle, so let's talk about why does that happen. So what's the biggest design mistake that causes programs to stall? Talking about training specifically, I have been on called before as saying training is draining, and yeah, training, training quite often, I know large organizations that deliver training, and it's a compliance requirement, and indeed an organization I was in, I shifted my training. We kind of acknowledged the fact that the annual training we, to deliver for SOX 2 compliance, was just a compliance requirement. We kind of acknowledged the fact that this training isn't gonna bring any behavior change because the minute you mention it's training, the minute you mention it's mandatory, and then, you know, everybody has a job to do, and then you're asking them to take seven minutes out of their life to do training. So, you know, you've got that disengaged, it's like someone watching a program, you don't really want to watch it, but your other half puts it on. So training, straightaway, mandatory training, annual, you're on an uphill battle to try and get people to engage. The way that I've had great success with that is by making the training really engaging, storytelling, animation, characters, you know, making it really great that people spoke about it, and people never talked about training until we made it great, and I think a lot of off-the-shelf training I've seen is dull, it's, you know, it thinks it's clever and it thinks it's smart, but actually, from an end-user perspective, when they're busy in their lives, does it grab them? No, it doesn't. So I think training, you either acknowledge that it's a tick-box exercise that doesn't move the needle and you're gonna change behaviors in other ways, or you make your training great, you make it awesome that actually people want to get involved, and it might be that it looks great, it tells a great story, it sounds great, or there's something tied to it, like gamification, that encourages people to do it. There needs to be some motivator to get them to engage with training, but it's important to remember that annual training, for me anyway, in my opinion, annual training, quarterly training, how much of that is someone going to remember three days later, seven days later, 20 days later, three months later? Probably not a lot, and that's why a consistent heartbeat of messaging is really, really important with security awareness. Yeah, that steady heartbeat, I think it's, well, a good way to put it, and I might even put in another thing as far as, like, a design flaw, and you've talked about this a couple times, about how old-school training, they only measure completion rate and failure rate, and I think that's an actual design flaw in most programs, because it is a little bit harder to design a program that's actually going to follow the reporting rate, which I would submit, and I'm not sure if you agree with this, but I would say that, like, the most simple way to see that a behavior is actually changing is that you're actually focusing on the ideal behavior you want to have changed, which would be to recognize and report phishing email. So I wonder if also that's one thing about, as far as design flaw goes, is that everything is so, like, consequence-based, so punishment-based, it's so focused on the, on the failure. Like, imagine, I'm not sure what everyone in the audience, if anyone else here is a sports fan, but, like, I think about with sporting statistics, if you, whether it's a great footballer, if all you ever, if you just focus on how many goals that Messi missed in his career, if you only focused on how many losses that Michael Jordan had in his entire career in basketball, that would give you a really incomplete picture of their actual skill, and of, like, all the wins that they actually had, all the goals that they actually scored as well. So I think focusing on failure is a sort of doomed to failure approach, and, yeah, I'm not sure what you think about that. It's funny you use that sporting analogy, because I saw an example of that just a couple of days ago. There was a thing I saw on social media that was talking about the most overhyped soccer players, football players, for those of us not in the US, most overhyped football players in the Premier League here in the UK, and it mentioned Didier Drogba, who's, like, a legend, you know, used to play for Chelsea, an absolute legend in the Premier League, and it was complaining that the majority of his goals per season came from penalties, and that actually, in open play, he didn't score a great many goals season over season over season, but he still scored the goals, and he's still, like, regarded as a great, but there's probably always a way you can slice the statistics to make it, to make it negative, to make it not great. I've seen training before. It could be legal training, code of conduct training, GDPR training was a great one, where it tells you how much the fines are if you do this, and then one of the questions to make sure you've paid attention is, how big is the fine you receive if, and then you have to select the right fine value. Why, as an individual, do I need to know how big the fine is? It's not me that's gonna pay it. It's my organisation, which, in my eyes, I've got pots of cash everywhere, so it's not actually me that's gonna have to pay it. That's not gonna encourage behaviour change, in my opinion. That's not something that's gonna make me go, oh, I don't want my company to be fined 4% of annual turnover or 14 million. I probably got that wrong. That's probably not what the GDPR fines are, because it didn't work. It didn't transfer, so it's, um, that's not the right kind of questions to be asking. The right kind of questions to be asking are related to the behaviours that lead to the fines, for example. Don't talk about the end game. Talk about the things that I can do to bring that change, because just scaring me with big data breach notifications. They talk about three terabytes of data. That means nothing to most people. That could be one large file, but when you say 15,000 Excel spreadsheets and 4,000 PDF files, all of a sudden, I'm like, oh, that's a lot of spreadsheets, and there's probably... It makes it more relatable to the user's world, so it's really, really important that we kind of get the messaging right on that and talk to people in a way that they understand in training. I think that's really, really important. Yeah, absolutely. That's really kind of crazy, actually. I can't imagine how that would help anybody. You're assuming they would have read some great big compliance document and memorised the fines, or you're, like, really kind of giving them some kind of a guilt trip, like, naughty, naughty. If you don't do the right thing, then it's going to really cause us some headache here, so it's going to cost us more money. Sure, I mean, we'd prefer not to have that happen, but I mean, that's not exactly going to motivate you to build the skill that you're going to take home, you know, be able to protect yourself and the people around you. You get different people in different places in the organisation as well, and that might work with senior leadership who are really close to the business's finances, but if you're someone that isn't, like, in the senior top level of management, and you're very detached from the way the business earns and the way the business runs, and you're, you know, at the coalface actually doing, you could be in the warehouse, or you could be in the delivery, or in the shop, or just in the office answering the phones, that's, it's nothing, it's meaningless to you. Why am I motivated to stop the company having to pay this massive fine? You know, it's, make it relatable to me, make it relate to the work that I'm doing and the actions I portray, you know, because not everyone understands the finances of business or cares about how a multi-million pound organisation might face a massive fine. Yeah, precisely. I want to go back to the heartbeat of the programme we were talking about earlier, and I'm going to combine a couple of questions I had written down here, and you talked about having that steady cadence of communications to the organisation about having, and whether that's newsletters or whether that's frequent simulations, but many large corporations, and I think this also goes back to the question of a design flaw in the programme, still rely on, whether it's for cultural reasons, or whether it's just for limitations of the programme platform they're using, they rely on yearly training. And so I guess my question to you would be, is annual training fundamentally flawed, or is it just poorly executed? And the follow-up to that would be like, what's your advice to the audience on the length and the frequency of training for actually getting to that behaviour change, to getting a better result of behaviour change? For me, I've had a conversation once with an auditor when I was being audited for the training for SOC 2 purposes, and I said, is there any way to change the question for those that have completed security awareness training annually to, can I just tell you how I've engaged with my audience over the past 12 months? Because that will actually give a much better figure than this, you know, mythical percentage per year. I don't rate security awareness training annually as a good behavioural change tool. For all the reasons I've said, mandatory, training is draining. It's just there, you're taking someone away from their work, that they've got their own pressures and their own, you know, time constraints on, and you're all of a sudden, oh, I've got 12 days to complete this training, you must comply. Oh, like people aren't going to learn from, for me, for me, that doesn't work. And I don't think quarterly training works either because, you know, it's more frequent, but again, you're just taking someone out of their world four times a year instead of once a year. You do get to repeat that message more frequently, but quite often the training won't be that great either. For me, in an ideal world, I wouldn't do any training and we would be able to measure engagement successfully throughout the year. And that engagement might be training from phishing emails. I mean, when I say training, I mean like big annual training, everybody completes it at the same time. For me, micro-training associated with the actual behaviours, you're doing the reporting of an email or something new that comes in, I think is important. But one big, everybody must complete this seven minute annual training course. It, for me, it doesn't change behaviours. What it does do, just a caveat to that, I built an annual training course some years ago at an organisation I was at, and it was completely different to anything that that organisation had experienced before. It featured cartoon characters. It was animated. It was narrated by three different narrators. It told an engaging story. It was colourful. It was bright. It got talked about and it basically disrupted enough that it helped us build an internal brand for our function. People all of a sudden noticed us because we stood out from the noise. So training can be really, really useful as a disruptive tool. Many times when training is audited, they don't audit what's in it. They just ask if you've delivered it. So if you can deliver that training and use it as an opportunity to promote being secure in a different way, be disruptive, stand out from every other piece of dull, boring, off the shelf training in your organisation, you know, we are, security awareness is exciting, it's engaging. It can be exciting, engaging and can be different. And I think training, annual training is an opportunity to build your brand by standing out from the crowd. But if you just want to tick a box and get compliant and go, yay, 90% of people completed their annual training, we're secure, I think you're a compliance led organisation if you're doing that and you're not actually trying to change behaviours. That's my opinion anyway. Really well said. No, having an internal branding is such a powerful thing. I think that that's a really interesting point to bring up. I interviewed someone a while back, it was one of the biggest financial institutions in the UK, but he came on a webinar with us and talked exactly about that. They had colour branding, they had mascots, their security function. I think he was a former BBC reporter for years, a communications guy, and he had this whole, very much like what you're describing, like this very slickly produced, video content driven, interactive platform. And they finally got some engagement, even with people who had never really engaged with security before. And that's something that goes back to this whole idea of storytelling and two way engagement, is that you are trying to get people to look at security differently than it's typically messaged to them, which is very compliance driven. And I think you're absolutely right on with those points. Just one question about that. When you do a programme like that, did you see that even people who would normally be unengaged or outright cynical about cybersecurity and your in your previous cybersecurity efforts, previous cybersecurity. did you ever see those people get won over by some kind of an extra effort beyond like that quarterly or year long security awareness thing? Or do you more see the people who are already engaged, like at least by numbers, by being like completion rates, so they just get more vocal. We were actually reaching new people when you do that extra effort. We absolutely reach new people. We got amazing completion rates and we had people talking about our training on Slack and people having conversations about it. It was called out in town halls and stuff like that. And this, no one talks about how great the training was in town halls, had the CTO mentioning something about it. So I actually have right here, this is how, if you wanna know how to disrupt, if you wanna know how to disrupt on your annual training, this is how you disrupt on your annual training. And this is actually the puppet. This is the puppet that we got in the very first training. And basically we called her George and she walked around the office. She was an employee. She got a phishing email. She reported it. And this is exactly what we did. We had one person comment. One person commented, we're not kids. Why are you using Muppets? But everybody else loved it. And then she became the mascot of the whole function. You mentioned the financial institution that had mascots. She became our mascot. We had desk mats, T-shirts, coasters. She appeared on posters and digital signage. And the minute people saw her, they thought about security. And it made it fun. We didn't use it in everything because sometimes the message needs to be serious. But on occasion when you need to disrupt and you need to stand out from the crowd and a purple puppet won't work everywhere. It won't work probably in a law firm in London or somewhere in the FTSE 100. But in many organizations, just being a little disruptive in different ways can really, really help. And it's a shock to the system. It just makes it stand out. It's really, it brings a lot of difference. Oh, a hundred percent. First of all, that puppet is amazing. I would love to have George as one of my office mates. I think that she's amazing. That is fantastic. And the other thing is that, I love what you mentioned how there was one person who just said, I don't like George, we're not kids. That's fine, that's a valid comment. But most everyone else did. Like very few people had a problem with it. And I think that that's one of the things that's really important. What's your overall goal? Is your goal to not upset anyone? Is your goal to just sort of like, just keep your program as low profile as possible, just do what you need to do to kind of get by? Or is your goal to actually change behaviors? Is your goal to actually change culture? Because sometimes you got to do things that are like, it won't please everybody, but it will get a whole lot more engagement and a whole lot better results if you do. And I'm even thinking of Hawk Sun sometimes where Hawk Sun is like overwhelmingly well-received by organizations. And that's whether that's like old stuffy, kind of like, you know, traditionally, seemingly a stuffy industry, very large companies. And Hawk Sun does involve stuff like Gamified Stars that are in this journey that people go on when they're completing the fishing simulations and completing the awareness things. But sure, I mean, I'm sure that one out of every couple thousand are going to say, eh, I don't like games. And that's fine. That's totally valid. That's fine. But you're trying something new to get over that plateau. And I think that you're looking at that goal to actually do like what you've just done with your program. You're kind of putting yourself out there. You're taking a chance. And I think it's really cool that people in your seat are going to try and do that. And, you know, if you got one or two kind of like unhappy responses, it's, you know, hear them out, but, you know, it's okay because you're also getting a lot of really good responses too. It used to be, I remember a time when we didn't run intelligent fishing. We ran one campaign. Everybody received it at the same time. You know, back before we could fish intelligently and you'd have one template that went out to all employees. And then you'd have to like man Slack to make sure someone didn't mention it. And you'd have to quickly go, I've deleted your message because it's a fishing campaign. Well done for spotting it and well done for sharing it. And every now and again on Slack, someone would make a discussion about, oh, I hated the latest fishing template, blah, blah, blah. Oh, they need to try harder to try and catch us or that kind of thing. You're always going to get someone that finds fault with what you're doing. That was too easy to spot. Try harder next time. And I, once upon a time, I used to get really upset by this and it used to really bother me, but then it kind of dawned on me, hang on. They're talking about fishing and they wouldn't be talking about fishing if I didn't fish. So just the fact that like it or not like it, think it's great or don't think it's great. Think it's too easy or not too easy. It doesn't matter. They're talking about fishing and they wouldn't have been talking about fishing if I didn't go fishing. So that's the difference, I think. Just the fact that they're talking about it, positively or negatively, they're talking about it. And that means it's here, right in the front of their head, which means next time a suspicious email lands in their inbox, they're going to remember the fishing email they didn't like and might act actually safer next time. So yeah, there's no such thing as like bad marketing or bad PR, I think is the saying goes. It's all PR, it's all marketing. Yeah, that's absolutely right, 100%. You know, engagement is engagement. I mean, like how much better is it that like people are actually talking about it? I mean, it's one thing if we're talking about it and it's like a really big issue, but if people are just saying, yeah, I wish it was harder. Well, that's great. I mean, that's actually like really good feedback. And then other people are saying that, you know, it was too hard. That's also good feedback. What was really good is the message that, where someone said, oh, why are you using Muppets? We're not children. The responses to that overpowered the negativity because that was on a Slack channel. Why are you using Muppets? We're not children, one negative. And then the thread was like, oh my God, I love George. George is great. Can I get a George? Blah, blah, blah, bring George back. You know, it was overwhelmingly positive. So it was like, oh, okay. And all of a sudden that negatives like flipped into a massive positive. So obviously if everything's negative, it's probably not landed and you need to rethink it. But, you know, don't be disheartened by the one or two negative voices, the one or two disgruntled people that don't engage properly. They're still engaging and they might engage with the next one. They might engage next time. So we're kind of rounding towards the end of our time, but there are some questions I'd love to kind of go over before we're done here. And just to kind of tie a bow on this whole idea of like compliance versus behavior change. And what do you do if you're seeing that your completion rates are high, like you have good completion rates, but it's clear that behavior isn't changing? What does that tell you about the design of the program? I think for me, in one thing tells me that it's largely compliance focused. Like you're telling people they need to complete their training. They need to behave in a certain way, but they're just ticking a box. They're not actually, you're not actually having any impact. And I think it's really easy to hide behind those statistics and deliver those and go, yeah, we're still doing brilliant, look at our stats. But are you, all that effort you're putting into delivering that training, is it actually making your organization safer? Are your individuals better off for completing it? And that's a really tough one. And that's why you need to look beyond just training metrics and phishing reporting is really good. That's a good behavior and you want to make sure that grows. But when it comes to things like annual training, quarterly training, you need to look behind those training statistics and you need to go into more actual real actions. How many conversations are people having about security? How are we more secure? What's been reported? Are we seeing actual behavior change? I used to work with the SOC and SecOps team quite regularly to say, okay, what are you seeing? Are you seeing less of this? Are you seeing more of this? So you can engage with those technical teams, if you have them, to actually see if behavior is changing. Oh, we've just done a three month campaign on how to spot phishing emails. And we've gone into detail on that. Have you seen a reduction or an increase in phishing reported? Sharing, you might've done a three month campaign on how to share documents securely and properly aligned with your policy. Are we seeing less sharing infractions? Are we seeing more secure behaviors there? So work out where you can monitor these behaviors and then get those metrics. Because I think that's where you're really driving behavioral change. If you're just looking at how many people complete annual training, you're a compliance led organization. You're not actually changing behaviors. Because once a year, everybody's fine. But what happens 11 months later when no one remembers that training anymore? Yeah, 100%. And I think you just answered a lot of my next question I was going to ask you, but like, you know, like what would be the interventions you think are going to give you the highest ROI? And you've talked about MFA. You've talked about these different communications channels you can develop. You talked about what you just talked about just now about monitoring, information sharing. I'm wondering about if one of the things you were talking to the SOC though, when you brought that up, what do you think about real threat reporting? Like, have you ever talked to the SOC about if they were seeing any kind of an elevation in real threats being reported? And whether that's also, it doesn't, it could be false positives. It could be false negatives, but like, do you like people might be reporting like spam as phishing emails, but sometimes they do look very similar. Have you ever gotten to that part where you're actually looking at like reporting as kind of the hero metric? I worked in an organization where we didn't actually measure how many phishing emails were reported. So our simulations, we didn't have a, because we didn't use a button where I worked, it was really difficult to get a reporting rate. And it's kind of one of the regrets I have about that. Like we had years of behaviors telling people to report in a certain way that wasn't a button, but it meant that we missed out on a vital metric, which is how many people are actually reporting phishing and who's actually reporting phishing. So that's one thing I would have changed. I think I had a conversation with my SOC team once, and I said to them, if you, because typically us people that work on the human side of security think differently to the people that work in a SOC team. Typically in my experience, analysts are very analytical, you know, embedded in the systems, can see all these tells, but many of the analysts I've worked with don't ask the why or the how, like the technical why or the how they've got covered. But when it comes to, you know, the emotional triggers that would be pulled on, it's not their expertise, it's not their job. That's, you know, why we as awareness people exist. So I had a conversation with my SOC team once, and I said, if you see an email gets reported and it makes you go, hmm, or, tell me about it. And I went, anything that makes you go, ooh, mm, or ah, I wanna know about. Because that's made you think something differently, or it's unique, or maybe it's some new trend, you know, they're the ones, tell me about those, tag me in those, and I'll consume those, because they're the ones I'll be able to tell stories about. And I think that worked really well. It's like, oh, I've seen this, and it made me go, ooh. I'm like, brilliant, lovely, thank you, I can use that. So yeah, that was, that's really, really important. It's also important to see those trends as they occur in your business. So if there's an increase in a certain type of attack, it might be that, you know, someone, we had this, someone in finance was getting payroll type attacks. I want to change my bank details from a random email address. So we did awareness to that team that there was currently a campaign targeting them focused around these. And that's really important, because then you can get into some targeted awareness messaging about where threats may be appearing. Recent retail attacks last Easter in the UK, messaging goes out to IT support functions about password changes and about accounts, because that was what the attackers were using out in the wild. We needed to target the messaging. So yeah, talking to your teams about what they're seeing, that kind of threat landscape, what they're seeing come in and what they're seeing reported is really important, because then you can actually be really targeted in your messaging or just general, but it's all more stories to tell. And it all comes back to storytelling and it's relatable. We've seen this in our business. Oh, have you? Oh, that might come to me. Immediately someone relates to that. So yeah, it enables storytelling in a really effective way. It all comes back to storytelling. And one thing that, so I don't mean to make this any kind of infomercial about Hawks Hunt, but I think it's relevant just to point out here is that when you talked about how that was kind of a point of regret for you about monitoring and measuring and making that an actual KPI with the company and the awareness program with regards to reporting threats, simulated or real threats. That is one thing that I have heard kind of open people's eyes about Hawks Hunt, which is basically designed to connect the simulated and real threat environments. So Hawks Hunt actually with a button, you're actually able to report both the simulated threats and the real threats of the same button. And so on top of that, Hawks Hunt is also designed to do exactly what you're talking about, where once something is reported and there's like a larger campaign trend, and it could be at a specific large company or a specific company. specific industry, which happens quite often we're seeing is that we also our analysts say, ooh, and that's something that I don't want to spoil what's going to come up here pretty soon. We have a phishing trends report we're gonna release and there are some crazy new trends that have come up either throughout 2025. What we've already reported on is a 50x increase in SPG files becoming malicious. But also stuff, you know, there's gonna be some pretty wild stuff about calendar invites and especially with AI generated phish. And if you as a program, whether you have a platform like Hawks Hunt or whether you're doing it manually, being able to have that connection between your awareness program and the SOC where you can do exactly what you said say, ooh, okay, let's turn that into a training moment here. I think it's really powerful and it's nice if you can have, again, I don't mean to sit here and like Hawking Hawks Hunt too hard here in the podcast, but it is kind of nice to have something that automatically does that for you or it takes the most recent threats and trends and turns that into your educational curriculum. I think having the ability to automate that is awesome. Because I really, I had to have that conversation and I was reliant on the SOC analysts to deliver that messaging to me. And, you know, they've got their own agendas. I had to nudge them more than once to like, oh, don't forget if you see anything because I haven't heard anything for a week or two. And it was like, oh, yeah, we forgot we'll do it. So if you can automate, they're busy doing their own thing. If you can like automate that and automate their life a bit as well, I think it's brilliant. It really does help because then, you know, it almost moves a tool like Hawks Hunt. If it does what you say, it moves it from more than just an awareness tool to actually part of the security stack. So it actually becomes part of the whole arsenal that the security function has in a business. Quite often the awareness thing is like, oh, we need a training provider. And then the fishing and draining just falls in under that. So if you can add more strings to the bow and actually know we provide value in other areas, that's brilliant. That's really good. Good to hear. Good to hear. So what's one action based on this conversation we've had that every listener should take right now if they're trying to get past those plateaus, get past that stagnation? Do something to stand out from the crowd and make people take notice. Buy a puppet and make a video of it or change a colour on a poster or get something on digital signage that just like hops. And all of these, you know, you don't need big money. That puppet was less than £100. Digital signage, just literally flip the colours, do something that stands out, a poster campaign. Just be a little disruptive and maybe ask for forgiveness once rather than permission, because quite often permission doesn't come. So I've asked for forgiveness more than once. And if you do that once, you know, just to get notice and then you can back that up with evidence. Stand out. Be brave. I think is, yeah, that's my message. Hey, I love a good inspirational message to close out a podcast here. So much appreciated. And this is a lot of fun. Look forward to talking to you again soon. It was a pleasure. Thank you. Have a great day. Bye.