The very first time Christine Izuakor, senior manager of global security strategy and awareness for United Airlines, gave a talk on cybersecurity best practices to some of the global company’s 88,000 employees, only three people showed up. It was disappointing, she said, but also inspiring.
“I knew I had a lot of work in front of me,” she said March 6 at RSA Conference 2019 in San Francisco, where more than 40,000 IT pros are discovering the most effective ways to keep their networks safe. “But the good news is that today, our sessions are always standing-room only.”
How did Izuakor achieve that? By taking a cue from threat actors who seek to hack United’s network and those of almost every business: She applied their tactics to her project of “hacking” the airline’s employee culture around the issue of security, added a combination of change management techniques and old-fashioned marketing, and watched the culture shift.
“When you do this well, you see people who go from running from the security and IT teams to going up to them proactively and asking for advice and making suggestions,” Izuakor said. “They go from feeling resentful of anti-phishing campaigns because they think their employer is trying to trick them to looking forward to them. And they go from being satisfied with doing the bare minimum in terms of security compliance to looking for ways to do even more.”
Hackers’ Own Methods Can Be Used Against Them
Izuakor said it occurred to her that hackers’ own standard attack methods — reconnaissance, weaponization, delivery, installation and action — could be used to alter the culture at United and get employees to take security more seriously.
Starting with reconnaissance, she researched the state of security culture at United. She asked colleagues to tell her what words came to mind when they thought of cybersecurity. “The overwhelming majority said ‘fear,’” she said. “You have customers who are fearful of having their identities stolen and employees afraid of hurting the business. So, there’s just tremendous fear and uncertainty about it.”
She knew that, like a hacker who seeks to steal data, her own hack would need to focus on stealing that fear and replacing it with confidence.
Create a List of Assets to Use to Build a Cyber Culture
Next, she identified the weapons she had at her disposal:
- Branding. United built an internal branding campaign with the theme “protect our airline.” Its goal was to underscore that every employee has a responsibility to help the business and its customers stay safe. “It’s something relatable that everyone can really get behind,” she said.
- Empowerment. A brand that is nothing more than an empty slogan is not much of a weapon. “It’s vital to empower your people to live your cyber brand,” Izuakor said. “We want people to understand what their role is in the bigger picture of our security strategy.”
- Demystification. A big part of people’s fear around cybersecurity is simply not knowing enough about threat actors’ tactics and how to combat them. That’s solvable with education and reinforcement. “People should know that threats are real, not theory, that fighting them is a joint mission between IT and employees, what their role is in that mission and that the organization’s IT security professionals are there to help,” she said.
The next step in the attack chain is delivery. For United, that meant engaging employees with a full-court press of communication approaches, from the company’s intranet and employee newsletters to in-person trainings and an anti-phishing program. Installation and action, she said, are about “embedding good cybersecurity practices in your organization’s DNA. I annoy people with cybersecurity — literally, sometimes I don’t go away.”