Techzine Talks on Tour

A good security stack deserves a good security culture (Stu Sjouwerman, KnowBe4)

May 08, 2024 Coen or Sander Season 1 Episode 2

The human is often seen as the weak link in cybersecurity. You can have all the security tooling in the world, but if attackers target people they can still get in. People in general, and therefore also employees of organizations, need to be made aware of how to spot these types of attacks. In other words, we need Human Detection and Response (HDR) just as much as we need MDR and XDR.

KnowBe4 has been founded to address the challenges organizations have with educating their workforce on cybersecurity. During RSA Conference 2024, we sat down with founder and CEO Stu Sjouwerman.

We discuss the current state of affairs in security awareness inside organizations. A central theme for KnowBe4 nowadays is something they call adaptive human risk management. This is the foundation for a risk-based approach to cybersecurity through a human lens. You could see this as an extension of the many examples of risk-based cybersecurity approaches you can find in other areas of cybersecurity. The idea is to create a healthy security culture, alongside a good security stack.

There's more to it than security awareness training

We don't really discuss 'traditional' security awareness training all that much during our conversation. That's more or less table stakes now, even though there's still room for improvement on that front. However, KnowBe4 is also looking into new areas. Its acquisition of Egress is a clear example of this. Egress is a company that focuses on e-mail security. There already was a tight integration between the two players, which will become even tighter after the acquisition.

The fact that KnowBe4 ventures into the area of e-mail security may seem a bit strange at first sight. After all, KnowBe4 never was a 'traditional' security technology company, right? But if you factor into the equation that e-mail security is still the number one attack vector and that there is a very strong human element to it, it actually makes perfect sense.

At the end of our conversation, we also touch on the role AI plays and is going to play in cybersecurity from a security awareness perspective. We zoom in on the rise of deepfakes. These keep getting better and better, which makes them harder and harder to detect for the humans on the receiving end. Sjouwerman recognizes this is going to be a serious challenge, but he's also rather optimistic that common sense (and some technology, of course) will eventually win this battle too.

We hope you enjoy this new episode of Techzine Talks on Tour.


Speaker 1:

Welcome to this new episode of Techzine Talks on Tour. My name is Sander and I'm at the RSA Conference in San Francisco, and I'm here with Stu Sjouwerman, founder and CEO of KnowBe4. That is correct. Yes, welcome to the show. Glad to be here. So yeah, KnowBe4, you're a bit different from many of the other vendors at RSA, right, because it's usually about technology, the new XDRs, the new MDRs, all that stuff, sure, but for KnowBe4, you're in a different space.

Speaker 2:

We like to call it the human risk management space, simply because you do have the tools, XDR, SIEM, et cetera, et cetera, but you also need to create a strong security culture, and that's your humans, and so you need to train them. They need to understand what risky behavior is, and that's why, 13 years ago, I started KnowBe4 to handle that side of the InfoSec risk management.

Speaker 1:

So how would you rate the awareness of security awareness training in the market?

Speaker 2:

It has been a little slow in the first few years, but afterward it's gone skyrocketing. We have 70,000 customers globally. We're training 60 million people. Here's a fun little stat: walk on the street in any city in the United States, and we train one in ten people.

Speaker 1:

Okay, that's a nice statistic.

Speaker 2:

Yeah, that's a fun little stat.

Speaker 1:

So next time we go out in the US, you will probably see someone that's being trained by KnowBe4.

Speaker 2:

You will. Now we need to get the other nine.

Speaker 1:

Yeah. So the current state of affairs when it comes to, sometimes also called HDR, just as sort of a nice play on MDR and XDR, obviously. So the current state of affairs, is it good? Would you rate it as security awareness training is getting enough attention? I mean, it could always be better, obviously, but what's your assessment by now?

Speaker 2:

Yes, if you look at the 2024 Verizon Data Breach Investigations Report, it is still a super high percentage of data breaches caused by human error, and so you do need to address that specific problem, and the KnowBe4 platform is specifically built for that. It's easy to use. We're expanding. The big news at the show is that we are acquiring a British email security company called Egress.

Speaker 1:

Is that because email is still the most important attack vector? People interact with email, obviously.

Speaker 2:

Yeah, email is still the number one attack vector that bad actors use to get into the account. The email makes it through the secure email gateway. It makes it through the standard spam filter. It winds up in the inbox. It's very sophisticated, so Egress can grab that last bit there that everyone else misses.

Speaker 1:

Yeah, but it's not too big of a digression for KnowBe4 to go into the, I would almost say, proper security space. But that's not the right word. But you know what I mean.

Speaker 2:

Right, I know exactly what you mean. No, it is actually the best of both worlds. We're better together. We've been integrating for the last 12 months, and so it's a two-way street for data. And the more data that you have, the more you can see what that end user actually gets in their inbox, the better you can train them for it, so it works great.

Speaker 1:

Yeah, and when you look at the rest of the stack, the security stack, how does KnowBe4, or maybe more broadly, security awareness training, how does that integrate into that world? Because it sits on top of basically everything, right? Yeah.

Speaker 2:

Well, apart from security training and phishing testing, we have a product that is called Security Coach. And what happens with Security Coach is we interface with all the existing products in the security stack. They all have a cloud interface, they all have cloud APIs. So we ingest their alerts, we figure out which ones are user generated and which ones are indicating risky user behavior, and so we can, for instance, we integrate with CrowdStrike, so CrowdStrike throws an alert. We see it. We send a little security tip to that user with, hey, you just went to risky website so-and-so. And that's how we integrate.

Speaker 1:

So then you're actually getting closer to the resolution point, right? Because if you're only focusing on training, then, obviously that's very important, but you also want to be able to act as soon as something happens. Yes, which we now can't. Yeah, yeah, well, that's an interesting extra, I mean, extra feature.

Speaker 2:

Extra feature, right.

Speaker 1:

Yep, but how do you measure whether security awareness training and everything that you do, so the human element, whether you've been successful in actually achieving the goals that you set out? Because that can be quite difficult to measure.

Speaker 2:

Very good question. The only way to do that is if you have a baseline with the existing, call it, risk score, and so we have a huge amount of metrics that we know per user, and then, once you have a baseline for that user and you know the click percentage over time, you can then actually see that after 90 days the click rate goes down by half, and in 12 months it goes down over 80%. And so there's just hard numbers.

Speaker 1:

And does it stay down?

Speaker 2:

It stays down.

Speaker 1:

Even if the attacks differ, people get smarter in general.

Speaker 2:

Well, yes, that is all predicated on one very important thing: you do need to send these people one phishing test a month and you need to give them a two, three minute little training module to keep them on their toes with security top of mind.

Speaker 1:

Yeah, if you do that, yes. Okay, and obviously you don't want to annoy them too much. No, because it should be sort of, can it be fun to do?

Speaker 2:

It can, and if you do it right, it is, because you make it a game. You make it a contest. We have gamified leaderboards. You can play the game with the people in your department. You can do some extra training and get a higher score. If you present it as, hey, this is a game we play to keep our organization safe, and oh, by the way, you will also learn how to stay safe at home, then you get people's buy-in and there's no problem whatsoever.

Speaker 1:

And how do you, I think, especially when you look at the email security, I get that, right? So that's very tangible, and that's something that is very risky. So, when you go for a risk-based approach, which is what a lot of companies do nowadays, sure, how do you determine what's risky? I mean, obviously, email is one, but then you have a lot of other stuff that you need to take care of, and you're not able to actually do everything in terms of training as well, I would imagine, right?

Speaker 2:

There are many different types of risk, you're right. One example is you find a USB stick in the parking lot with "layoff plans this quarter". Yeah, and you know that is obviously left by a bad actor. Plugging that into your machine is tantamount to inviting disaster. Yeah, so we do train about a whole bunch of different risky behaviors.

Speaker 1:

Yeah.

Speaker 2:

But if you can also see it when it happens, and the endpoint protection throws an alert, then you can do this in real time, and that truly works.

Speaker 1:

Does it differ per sector or per vertical what you should prioritize more over other stuff?

Speaker 2:

Well sure, different verticals have different rules. The most extreme example that I ran into is banks: they said if you haven't finished your security awareness training by Friday, end of business, don't bother to show up on Monday because you're fired. Now, that is a little extreme, but there are highly regulated industries where this type of training is mandatory.

Speaker 1:

It's a compliance issue and you just have to do it. But then also those industries have different prioritization lists in terms of what they deem most risky.

Speaker 2:

Yes.

Speaker 1:

Yeah, okay. So because, obviously, organizations need to determine for themselves what they give in terms of risk scores to different kinds of vulnerabilities, right?

Speaker 2:

Totally, and that's why we have something called Smart Groups. You can identify groups in your organization as higher risk and lower risk. You can put those into a smart group, and then for the smart group you can say, okay, for these folks they need individual training on, and you specify topics, okay, and then AI is rolling out exactly the training for that particular person.

Speaker 1:

Yeah, yeah, it's funny you should mention AI. Obviously we need to talk about that as well, because that's a big thing, not only on the defense side, but also on the attack side. Right? How do you prepare your people for AI-based attacks?

Speaker 2:

By showing them how AI-based attacks look. You do example deepfakes. You show them example voice, which is cloned and stolen. You make them aware of the fact that it is more important today than ever that, especially when it's urgent, they are made or asked to do something, there is an action, that they need to slow down and think twice, yeah, and go into...

Speaker 1:

Let's make sure this is not a scam. Yeah, but I would, especially the deepfakes are extremely difficult to recognize sometimes, right?

Speaker 2:

And more so by the month.

Speaker 1:

Yeah, and now they used to only be audio. Now video is getting more popular and better as well.

Speaker 2:

Yeah, ever better. It's getting very scary, yeah.

Speaker 1:

Well, that's not a very hopeful message for the listeners. No, no. Is it even possible to have a human determine, based on training, whether something is a deepfake or not?

Speaker 2:

Well, the human needs to keep in mind a few ground rules that never change regarding social engineering, whether it is text or email or Slack or Teams or deepfakes, wherever they come from, which is: is somebody trying to manipulate me? Is there some sense of urgency? Are there things that they want me to do that could be risky? If you keep those ground rules in mind and stay cool, calm, collected, then whatever type of social engineering attack comes your way, you will still be able to say, hold on a minute.

Speaker 1:

But that's common sense, yes.

Speaker 2:

And that's what we're training people in, yeah, common sense. Whereas it might be, they have a recording of your daughter, yeah, and a scary person calls you up and says, we have your daughter, I need $20,000. That's the time when people need to be understanding, oh okay, well listen, I'm hanging up.

Speaker 1:

I'm going to call my daughter on her phone. Maybe also, especially when this gets very widespread, you have to determine some sort of a safe word or something.

Speaker 2:

Absolutely, that could work. Yes, a safe word that you have with your family is a super good idea. Yeah, okay, yes, I just thought that up here. So that's a yes, this is okay. Starts to become a very popular thing.

Speaker 1:

Yeah, well, and I think it makes perfect sense. Yeah, and what about your side of the argument? Do you foresee integrations with deepfake kind of solutions, like you do with email security, for example, or with CrowdStrike, but maybe specifically with deepfake kind of, because that's not a very big area yet. But the winner of the Innovation Sandbox this week at RSA Conference is a deepfake detection kind of engine, right. Is that something that you see as a potentially interesting integration for you as well?

Speaker 2:

Yeah, absolutely. Deepfakes are obviously a technology attack. You can use technology to protect against those attacks as well. It is still relatively easy to get around the watermarks, but it's day one of AI, so we will get there.

Speaker 1:

You don't really know what everything is going to look like in 4 years' time anyway, right?

Speaker 2:

No.

Speaker 1:

So what do you prepare yourself for or against?

Speaker 2:

This is hard, yeah, it's very hard to determine. You have to play it by quarter.

Speaker 1:

Yeah. That's as far as you can see. The old saying that for American companies, the future is in 90 days, but that used to be the saying for financial stuff, but it is.

Speaker 2:

It is wild to see how fast AI is developing. The new models, the new frontier models coming out, are the fastest technological development I've ever seen, and I've been in this business for 40 years.

Speaker 1:

Are you, in general, optimistic about the future of cybersecurity, with everything that's coming our way?

Speaker 2:

It is a chess game. Unfortunately, the bad actors have white, so they always have the advantage. But if you're smart enough and you can plan some of that future, and you build a really strong security stack on the technical side, combined with a really strong security culture, you have a pretty good chance of keeping the bad guys out.

Speaker 1:

And there will always be the outlier cases. I mean, I've heard people say, people that actually know very well what it's like to be phished and, you know, all that stuff, but then after they just called their bank, they actually did get an email from that bank, just so accidentally in terms of timing. Yes, those things, I mean, you cannot protect yourself against those things. In general, it's very hard to do, at least very hard to do.

Speaker 2:

It's never perfect.

Speaker 1:

Yeah.

Speaker 2:

But if you can, you know, take 90% of the risk down. You are already way ahead of the game.

Speaker 1:

Yeah, okay, I think that's a nice thought to...

Speaker 2:

That's a wrap.

Speaker 1:

Yeah, to close it off.

Speaker 2:

Yes, I think we're almost out of time anyway. Yeah, my PR gal over here said it's time.

Speaker 1:

People are getting upset and anxious, yes. So thank you very much for this conversation. Absolutely, Sander, nice to do, my pleasure. And, well, I hope to talk to you again sometime. Absolutely.

Security Training and Human Risk Management
Future of Cybersecurity