Training a secure workforce

“Important: The deadline to complete your mandatory training course is approaching.”

This is an email that many of us have relegated to the darkest corners of our inboxes – we’ll get to it later.

Regardless of industry, once an organization reaches a certain size these kinds of requirements start to appear. They wedge their way into the gears of what had always been a fast-paced company, free of red tape and checkbox requirements. At the same time, hyper-growth companies face serious security challenges that can stem the flow of information and ideas.

With a fresh approach to security training, Blend is avoiding overly strict mandates while educating employees on security threats.

Why we’re not okay with boring security training

As we add more business functions and people, the need for distribution of security knowledge increases. At one time, it might have been possible for a small group to act as enforcers of “security best practices” company-wide, but this strategy won’t grow a security-conscious organization.

At Blend, we have a full team of intelligent people who realize how important data security is to the success of our products. They aren’t satisfied with a lecture on “how things are done”; they want to acquire the skills needed to build out their vision and avoid security incidents. Our customers also need to be confident that working with Blend means they are getting the comprehensive security controls they expect from every member of the organization.

Knowing these things, the Blend Security team has developed a security training program focused on delivering relevant information to the learner.

  • Purposeful timing: We refuse to front-load a pile of generic security tips and tricks into a bloated yearly training.
  • Deliberate scoping: We scope courses narrowly, and deliver messages strategically to maximize comprehension.
  • Transparent discussions: We make security discussions transparent, and create our content using real feedback from Blend employees.

We believe that an effective training program encourages questions, promotes the importance of security across all functions, and provides engaging ways for employees to boost their security acumen.

Listening over lecturing

Smart and sustainable company policies arise from a mix of top-down goals and ground-up feedback. To deliver the best security content to Blend employees across diverse teams, we needed to know what gaps in knowledge and resources people were experiencing.

We hypothesized that employees would want a variety of courses, something like a university elective structure for security training. We collected direct feedback by asking participants in our trainings about what they liked, and what they felt was missing from the course. We also gathered employee sentiments from several forums, including Slack security channels, requests made to the security team, and other interactions. The following is a collection of general sentiments about the state of security education at Blend:

  • Smart people fall for fake emails (phishing) all the time.
  • Our customers ask tough security questions.
  • Requesting privileged access is harder than it should be.
  • Sensitive data isn’t always simple to identify or handle.
  • Passwords are a huge pain.
  • Lectures are an interruption to the workday.
  • Contacting security should be easy and guilt-free.

While it’s true that not all of the sentiments above can be addressed by a good training program alone, there are three key issues that we are able to tackle by improving organizational knowledge:

  1. Hands-on training is a must for a large population of our employees.
  2. Repetition is needed for digestion of tricky concepts, but distractions from daily work should be kept to a minimum.
  3. An approachable and helpful security team is crucial for changing risky behaviors.

Our hypothesis turned out to be mostly accurate. Blend employees want a personalized education, like consumers of a premium product. To transfer security knowledge effectively, we need to provide a tailored experience for employees. This is the story of how we’re delivering on that goal.

How we shape secure processes at Blend

Ensure that training modules aren’t an onslaught of forgotten security information

To offer relevant content, we limit the scope of each course. We refer to each course as a “module” and assign each module a set of focused objectives. Modules are meant to shape secure workflows at Blend, which is a gradual undertaking that changes how employees get their work done every day. Process shaping is a deliberately unobtrusive way of building security into the Blend product. To see how this unfolds, we’ll take a look at a couple of the modules active at Blend today.

When a person starts a new job, an onslaught of information and tasks can be unavoidable. For compliance reasons, a new employee may need to sift through dozens of pages of documentation in their first week alone. Handbooks and policies get signed, but much of the valuable information in those documents is not truly retained. To aid comprehension, most new hires at Blend attend security orientation only after the dust has settled on these initial tasks, typically 2-3 weeks after their start date.

Provide simple and guilt-free ways to get in touch with the security team

The orientation module focuses solely on how to contact the security team and perform self-service tasks. We promote multiple channels for reaching out to security so that everyone can feel comfortable raising an issue or making a request. This touchpoint is also an opportunity to introduce the team in a friendly setting. Our structured content takes about 15 minutes to go through, and the rest of the time is spent on questions. Since most of the participants in the course have already been working at Blend for a couple of weeks, this short primer on security culture helps spark a queue of questions.

That receptive mindset is the key to an interactive session. If participants can link the module to their own responsibilities, questions arise naturally. As a result, guidance is more likely to be applied immediately and has a better chance of becoming part of their workflow.

Get the right (engaging) content to the right people at the right time

Modules take the basic tenet of shaping secure processes and apply it to specific areas of the business. Another module we offer targets users who need privileged access. When an employee submits a request for privileged access (for example, VPN access or a log analysis role), an alert is generated for the security team. Security checks whether the requester has completed the requisite training within the past year. If the training is missing or has expired, access can’t be approved yet: the training is assigned to the requester, and approval depends on its completion.

Linking a training module to a request serves two purposes. First, requesters have an incentive to complete the training as quickly as possible. Second, we avoid the trap of pushing educational requirements on large swaths of employees, while still ensuring that participants receive relevant information at the right time. The content is a two-part guide: requesters review a short document and sign off on the responsibilities that come with privileged access, then complete a brief knowledge check to test comprehension. Once both tasks are completed, the original approver is notified and the access request can be implemented. The whole process takes about five minutes and delivers useful tips right when they are needed.
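The gating flow above (alert on request, check for a current training completion, assign the module if it is missing or expired, unblock the request and notify the approver once the sign-off and knowledge check are both done) is small enough to show end to end. The following is an added example, not Blend’s internal tooling: the role names, the rolling 365-day validity window, the data classes and the notification format are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumption: "within the past year" is modelled as a rolling 365-day window.
TRAINING_VALIDITY = timedelta(days=365)
# Constructed set of roles that require the privileged-access module.
GATED_ROLES = {"vpn", "log-analysis"}


@dataclass
class AccessRequest:
    request_id: str
    requester: str
    role: str
    approver: str
    status: str = "pending"  # pending -> awaiting_training | ready_for_approval


@dataclass
class AccessGate:
    """Tracks training completions and gates privileged-access requests on them."""
    completions: Dict[str, date] = field(default_factory=dict)       # requester -> last pass
    requests: Dict[str, AccessRequest] = field(default_factory=dict)  # request_id -> request
    assignments: Dict[str, str] = field(default_factory=dict)         # requester -> blocked request
    notifications: List[str] = field(default_factory=list)           # messages to approvers

    def training_is_current(self, requester: str, today: date) -> bool:
        """True if the requester passed the module within the validity window."""
        done = self.completions.get(requester)
        return done is not None and (today - done) <= TRAINING_VALIDITY

    def submit(self, req: AccessRequest, today: date) -> AccessRequest:
        """Alert handler: decide whether the request can go to the approver now."""
        self.requests[req.request_id] = req
        if req.role not in GATED_ROLES or self.training_is_current(req.requester, today):
            req.status = "ready_for_approval"
        else:
            # Training is missing or expired: assign it and park the request.
            req.status = "awaiting_training"
            self.assignments[req.requester] = req.request_id
        return req

    def record_completion(self, requester: str, today: date,
                          signed_off: bool, passed_check: bool) -> Optional[str]:
        """Called when the two-part guide is finished. Returns the unblocked request id."""
        if not (signed_off and passed_check):
            return None  # both the sign-off and the knowledge check are required
        self.completions[requester] = today
        request_id = self.assignments.pop(requester, None)
        if request_id is None:
            return None  # training done proactively; no request was waiting on it
        req = self.requests[request_id]
        req.status = "ready_for_approval"
        self.notifications.append(
            f"{req.approver}: request {req.request_id} from {req.requester} "
            f"({req.role}) is ready for approval")
        return request_id


if __name__ == "__main__":
    gate = AccessGate()
    r = gate.submit(AccessRequest("r1", "alice", "vpn", "bob"), date(2024, 3, 1))
    print(r.status)  # awaiting_training
    gate.record_completion("alice", date(2024, 3, 2), signed_off=True, passed_check=True)
    print(gate.notifications[-1])
```

The check is date-based rather than a boolean "trained" flag so that a completion from more than a year ago correctly re-triggers the assignment, and a completion recorded with a failed knowledge check leaves the request parked.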

To shape secure processes across our workforce, we need to assess how people do their jobs, acknowledge the pieces that work well, and modify the parts that aren’t effective. Applying this methodology through the lens of security results in a program that influences people and encourages secure practices across the company.

Use feedback to improve modules over time

We want to make sure that our evolving training modules are having their intended impact. Effective security education should result in fewer employee-caused incidents and more employee-reported issues. Since we can’t prevent every mistake, we want to be told when things go wrong; we track these metrics with internal tools and use the insights to steer the direction of the program.

As Blend grows, raw counts will rise with headcount, so we plan to track these numbers as a percentage of the total security incidents reported over a designated period, keeping the data comparable over time.

Our security training shapes processes that need little maintenance and are resilient to organizational change. Preventing security incidents is the program’s primary goal.

A look at what we’re building next

Beyond our current modules, we are introducing some really cool new material and features over the next year, including:

  • A live capture-the-flag environment with OWASP-inspired challenges for developers
  • A collection of operational security demos for traveling with your work computer, transferring sensitive data, securing your internet connection, etc.
  • A security communication role-playing course for our growing sales and client services departments
  • A social engineering campaign that uses organizational knowledge to launch spear-phishing attempts and sophisticated website spoofing

We’re excited about where Blend security is headed, and we’re looking for help improving training and building new security software. If you’re interested in any of the projects mentioned above, reach out to us, we’re hiring!