Posted in Engineering

Training a secure workforce

“Important: The deadline to complete your mandatory training course is approaching.”

This is an email that many of us have relegated to the darkest corners of our inboxes – we’ll get to it later.

Regardless of industry, organizations of a certain size can see these kinds of requirements start to appear. They wedge their way into the gears of what had always been a fast-paced company, free of red tape and checkbox requirements. At the same time, hyper-growth companies face serious security challenges that can stem the flow of information and ideas.

With a fresh approach to security training, Blend is avoiding overly strict mandates while educating employees on security threats.

Why we’re not okay with boring security training

As we add more business functions and people, the need for distribution of security knowledge increases. At one time, it might have been possible for a small group to act as enforcers of “security best practices” company-wide, but this strategy won’t grow a security-conscious organization.

At Blend, we have a full team of intelligent people who realize how important data security is to the success of our products. They aren’t satisfied with a lecture on “how things are done”. They want to acquire the skills needed to build out their vision and avoid security incidents. Our customers also need to be confident that working with Blend means they are getting the comprehensive security controls they expect from each member of the organization.

Knowing these things, the Blend Security team has developed a security training program focused on delivering relevant information to the learner.

  • Purposeful timing: We refuse to front-load a pile of generic security tips and tricks into a bloated yearly training.
  • Deliberate scoping: We scope courses narrowly, and deliver messages strategically to maximize comprehension.
  • Transparent discussions: We make security discussions transparent, and create our content using real feedback from Blend employees.

We believe that an effective training program encourages questions, promotes the importance of security across all functions, and provides engaging ways for employees to boost their security acumen.

Listening over lecturing

Smart and sustainable company policies arise from a mix of top-down goals and ground-up feedback. To deliver the best security content to Blend employees across diverse teams, we needed to know what gaps in knowledge and resources people were experiencing.

We hypothesized that employees would want a variety of courses, something like a university elective structure for security training. We collected direct feedback by asking participants in our trainings about what they liked, and what they felt was missing from the course. We also gathered employee sentiments from several forums, including Slack security channels, requests made to the security team, and other interactions. The following is a collection of general sentiments about the state of security education at Blend:

  • Smart people fall for fake emails (phishing) all the time.
  • Our customers ask tough security questions.
  • Requesting privileged access is harder than it should be.
  • Sensitive data isn’t always simple to identify or handle.
  • Passwords are a huge pain.
  • Lectures are an interruption to the workday.
  • Contacting security should be easy and guilt-free.

While it’s true that not all of the sentiments above can be addressed by a good training program alone, there are three key issues that we are able to tackle by improving organizational knowledge:

  1. Hands-on training is a must for a large population of our employees.
  2. Repetition is needed for digestion of tricky concepts, but distractions from daily work should be kept to a minimum.
  3. An approachable and helpful security team is crucial for changing risky behaviors.

Our hypothesis was mostly borne out. Blend employees want a personalized education, like consumers of a premium product. To effectively transfer security knowledge, we need to provide a tailored experience for employees. This is the story of how we’re delivering on that goal.

How we shape secure processes at Blend

Ensure that training modules aren’t an onslaught of forgotten security information

To offer relevant content, we limit the scope of each course. We refer to each course as a “module” and assign each module a set of focused objectives. Modules are meant to shape secure workflows at Blend, which is a gradual undertaking that changes how employees get their work done every day. Process shaping is a deliberately unobtrusive way of building security into the Blend product. In order to see how this unfolds, we’ll take a look at a couple of the active modules at Blend today.

When a person starts a new job, an onslaught of information and tasks can be unavoidable. For compliance reasons, a new employee may need to sift through dozens of pages of documentation in their first week alone. Handbooks and policies are signed, but much of the valuable information in these documents is not truly retained. To aid in comprehension, the majority of new hires at Blend wait to participate in orientation until after the dust has settled on these initial tasks (2-3 weeks after start date).

Provide simple and guilt-free ways to get in touch with the security team

The orientation module focuses solely on how to contact the security team and perform self-service tasks. We promote multiple channels for reaching out to security so that everyone can feel comfortable raising an issue or making a request. This touchpoint is also an opportunity to introduce the team in a friendly setting. Our structured content takes about 15 minutes to go through, and the rest of the time is spent on questions. Since most of the participants in the course have already been working at Blend for a couple of weeks, this short primer on security culture helps spark a queue of questions.

That timing is the key to an interactive session. Participants need to enter the class with a receptive mindset. If they can make a link between the module and their responsibilities, questions arise naturally. As a result, guidance is more likely to be applied by participants immediately and has a better chance of becoming part of their workflow.

Get the right (engaging) content to the right people at the right time

Modules take the basic tenet of shaping secure processes and apply the methodology to specific areas of the business. Another module we offer targets users who need privileged access. When an employee submits a request for privileged access (e.g., VPN, log analysis roles, etc.), an alert is generated for the security team. Security checks whether the requester has completed the requisite training within the last calendar year. If the training is missing, access approval can’t be granted. The training is then assigned to the requester, with approval dependent on completion.

Linking a training module to a request serves two purposes. First, we incentivize requesters to complete the training as quickly as possible. Second, we avoid the trap of pushing educational requirements on large swaths of employees, while ensuring that participants receive relevant information at the right time. The content takes the form of a two-part guide, beginning with the review of a short document. The requester signs off on the responsibilities of having privileged access and then completes a brief knowledge check to test comprehension. Once both tasks are completed, the original approver is notified, and the request for access can be fulfilled. The process takes about five minutes and provides useful tips right when they are needed.
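The gate described above can be expressed as a small piece of logic: look up the requester’s most recent completion of the required course, approve if it is still within the validity window, otherwise assign the training and hold the request until completion. The following is an added example written for this post; it is not Blend’s internal tooling, and the function names, the course identifier “privileged-access”, the sample records and the interpretation of “within the last calendar year” as a rolling 365 days are all assumptions.

```python
"""Hypothetical privileged-access gate (example code, not Blend's tooling).

An access request is approved only if the requester completed the required
course within the validity window; otherwise the course is assigned and the
request is held pending completion, after which the approver is notified.
"""
from copy import deepcopy
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumed course identifier and validity window (interpreting "within the
# last calendar year" as a rolling 365 days).
REQUIRED_COURSE = "privileged-access"
TRAINING_VALIDITY = timedelta(days=365)


@dataclass
class AccessRequest:
    requester: str
    resource: str   # e.g. "vpn", "log-analysis"
    approver: str


@dataclass
class Decision:
    status: str                              # "approved" or "pending_training"
    notify: List[str] = field(default_factory=list)
    assigned_training: Optional[str] = None


# Constructed sample training records: requester -> {course: completion date}
SAMPLE_RECORDS: Dict[str, Dict[str, date]] = {
    "alice": {REQUIRED_COURSE: date(2024, 3, 1)},    # current
    "bob":   {REQUIRED_COURSE: date(2022, 1, 15)},   # expired
    "carol": {},                                     # never completed
}


def training_current(requester: str, records: Dict[str, Dict[str, date]],
                     today: date, course: str = REQUIRED_COURSE,
                     validity: timedelta = TRAINING_VALIDITY) -> bool:
    """True if the requester's completion of `course` is within `validity`."""
    completed = records.get(requester, {}).get(course)
    if completed is None:
        return False
    age = today - completed
    # A completion dated in the future is a data error; treat it as not current.
    return timedelta(0) <= age <= validity


def evaluate(request: AccessRequest, records: Dict[str, Dict[str, date]],
             today: date) -> Decision:
    """Gate the request: approve, or assign training and hold."""
    if training_current(request.requester, records, today):
        return Decision("approved", notify=[request.approver])
    return Decision("pending_training", notify=[request.requester],
                    assigned_training=REQUIRED_COURSE)


def complete_training(requester: str, records: Dict[str, Dict[str, date]],
                      today: date, course: str = REQUIRED_COURSE) -> None:
    """Record a training completion (called when the knowledge check passes)."""
    records.setdefault(requester, {})[course] = today


def demo(today: date = date(2024, 6, 1)) -> Dict[str, str]:
    """Run the gate over the sample records; returns requester -> outcome."""
    records = deepcopy(SAMPLE_RECORDS)
    outcomes = {}
    for who in ("alice", "bob", "carol"):
        req = AccessRequest(who, "vpn", "sec-oncall")
        first = evaluate(req, records, today)
        if first.status == "pending_training":
            complete_training(who, records, today)     # requester finishes course
            second = evaluate(req, records, today)     # re-evaluate; approver notified
            outcomes[who] = f"{first.status}->{second.status}"
        else:
            outcomes[who] = first.status
    return outcomes


if __name__ == "__main__":
    for who, outcome in demo().items():
        print(f"{who}: {outcome}")
```

Because the decision depends on “today”, the check should be evaluated at approval time rather than at request time; a request that sits in a queue for weeks could otherwise be approved on a completion that has since expired.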

To shape secure processes across our workforce, we need to assess how people do their jobs, acknowledge the pieces that work well, and modify the parts that aren’t effective. Applying this methodology through the lens of security results in a program that influences people and encourages secure practices across the company.

Use feedback to improve modules over time

We want to make sure that our evolving training modules are having their intended impact. Effective security education should result in a decrease in employee-caused incidents and an increase in employee-reported issues. We want to be notified when things go wrong, since we can’t prevent all mistakes from happening; to do that, we track these metrics with internal tools and use the insights to inform the direction of the program.

As the company grows, raw counts would rise with headcount regardless of the program’s effect, so we plan to track these numbers as a percentage of the total security incidents reported over a designated period, keeping the data comparable over time.

Our security training shapes processes that need little maintenance, and are more resilient to organizational change. Preventing security incidents from happening is the primary goal of the program.

An update on what we’ve built so far

Over the last 12 months, we’ve been able to put in place two of the most ambitious training programs mentioned in our original post. First we implemented fully-automated phishing tests across the organization, including tracking for failures with thresholds for remedial learning. In addition, we have worked closely with our technical leaders in the engineering department to offer hands-on secure development labs for engineers. Both of these programs are expected to provide a significant lift to our already strong security culture at Blend.

That said, our work is never finished and we continue to focus on user engagement with these programs. We believe that the most effective learning experiences are the ones that our employees truly want to participate in, and that will have a direct positive impact on daily work. We can deliver on this belief through multiple approaches.

For the social engineering and phishing program, we’ve implemented a simple way for employees to report suspicious email messages. With a single tap, the employee receives immediate feedback on whether the message was a test or a live phishing attempt and can carry on with their day knowing that they’ve made Blend a more secure workplace. Regarding our secure development labs, engineers participating in our live workshops get to see examples of common security vulnerabilities as they appear in securely sandboxed versions of Blend. Feedback on both of these programs has been positive so far, and we’re excited to improve our partnerships and delivery of content at Blend.

It has been critical to have the support and sponsorship of the leadership team. As you plan your own initiatives, be sure that your priorities align with those in management at your organization. We know that security is and should continue to be a part of everyone’s jobs, and developing engaging programs provides us with the chance to solidify this culture in collaboration with company leaders.

The future has never looked more exciting for Blend and the security industry as a whole. Best of luck in your work, and don’t forget that our Security team is still growing! Reach out to us, we’re hiring!