Wednesday, 24 April 2019 14:30

Cyber security requires staff commitment: Mimecast official

Mimecast senior vice president and general manager of Mimecast Security Awareness Michael Madon

Almost 99% of people "really don't care" about corporate security, warns Mimecast senior vice-president and general manager of Mimecast Security Awareness, Michael Madon.

Mimecast Security Awareness's mission is to avoid employee mistakes in the workplace. And to do that, you have to meet people where they are, not where you want them to be, he said.

That's why Ataata, the security awareness business co-founded by Madon and subsequently acquired by security vendor Mimecast, put its efforts into delivering security training content in such a way that people would not simply tune out, and into collecting data about how employees actually behave (eg, the results of phish testing).

The company could then rate employees according to the risk they represent, and then deliver targeted remedial training.

While Madon agrees that IT security requires a combination of technology (eg, endpoint and network security tools) and training, "you have to arc towards one or the other" according to the problems you face.

For example, malicious insiders represent around 5% of the security problem, but training doesn't work for them. They may deliberately flunk training, he told iTWire, or avoid it completely. "You could give Edward Snowden all the training in the world," he observed.

Dealing with that category of people requires robust technology such as data loss prevention, he said.

But the vast majority of people are good employees who are open to learning providing the material is presented in an effective way – and for most people, that means video. After all, the number two search engine in the world is YouTube, Madon pointed out.

The goal of training is to change behaviour, which can be done by applying fear or humour, and "fear is not a sustainable motivator."

In addition to using humour, Madon advocates microlearning — an ongoing drip-feed of snippets of information — as well as applying technology to measure how people think and act about security.

Mimecast acquired Ataata relatively recently (July 2018), and is still in the process of integrating security awareness training with the rest of the Mimecast platform. For example, this will allow customers to identify the most-targeted people and deliver appropriate training.

"That's the beauty of Mimecast... it's truly an integrated platform," he told iTWire, which means training can be weighted towards actual rather than merely potential risks.
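The two ideas above, rating employees by the risk they represent from observed behaviour (phish-test results) and then weighting that rating towards actual rather than merely potential risk (how often the person is genuinely targeted), can be illustrated with a small scorer. The following is an added example written for this article, not Mimecast's or Ataata's own code; the sample events, the per-action weights, the blocked-message counts and the tier thresholds are all constructed assumptions chosen to show the mechanism.

```python
"""Toy risk scoring: simulated-phish behaviour weighted by real targeting data.

Constructed example for illustration; nothing here is Mimecast product logic.
"""

# Constructed sample data: one record per simulated phish delivered to a user,
# with the action the user took. Actions are the usual phish-test outcomes.
SIMULATION_EVENTS = [
    ("alice", "q1-invoice", "reported"),
    ("alice", "q2-password-reset", "ignored"),
    ("bob", "q1-invoice", "clicked"),
    ("bob", "q2-password-reset", "submitted_credentials"),
    ("carol", "q1-invoice", "ignored"),
    ("carol", "q2-password-reset", "reported"),
    ("dave", "q1-invoice", "clicked"),
    ("dave", "q2-password-reset", "ignored"),
]

# Constructed: number of real malicious messages the email gateway blocked for
# each user over the same period. This is the "actual risk" signal; a user who
# is rarely targeted matters less than one who is hit constantly.
REAL_TARGETING = {"alice": 1, "bob": 12, "carol": 0, "dave": 3}

# Assumed weights: reporting is the desired behaviour, handing over credentials
# is the worst outcome. Tune these to the organisation's own threat picture.
ACTION_WEIGHT = {
    "reported": 0.0,
    "ignored": 1.0,
    "clicked": 3.0,
    "submitted_credentials": 5.0,
}


def behaviour_score(user, events=SIMULATION_EVENTS):
    """Mean action weight across every simulation the user received (0 if none)."""
    weights = [ACTION_WEIGHT[action] for who, _, action in events if who == user]
    return sum(weights) / len(weights) if weights else 0.0


def targeting_factor(user, targeting=REAL_TARGETING):
    """Multiplier in [1, 2]: 1 for an untargeted user, 2 for the most-targeted one."""
    peak = max(targeting.values(), default=0)
    if peak == 0:
        return 1.0  # no real targeting data: fall back to behaviour alone
    return 1.0 + targeting.get(user, 0) / peak


def risk_scores(events=SIMULATION_EVENTS, targeting=REAL_TARGETING):
    """Behaviour score scaled by real targeting, for every user seen in either source."""
    users = {who for who, _, _ in events} | set(targeting)
    return {
        u: behaviour_score(u, events) * targeting_factor(u, targeting)
        for u in sorted(users)
    }


def training_plan(scores, remedial_at=4.0, targeted_at=1.5):
    """Map each score to a training tier; thresholds are assumed values."""
    plan = {}
    for user, score in scores.items():
        if score >= remedial_at:
            plan[user] = "remedial"      # immediate, focused follow-up
        elif score >= targeted_at:
            plan[user] = "targeted"      # extra microlearning on the weak area
        else:
            plan[user] = "baseline"      # normal drip-feed only
    return plan


if __name__ == "__main__":
    scores = risk_scores()
    plan = training_plan(scores)
    for user in scores:
        print(f"{user:<6} risk={scores[user]:5.2f}  tier={plan[user]}")
```

The point of the multiplication rather than a plain sum is that an employee who clicks in simulations but is never actually targeted keeps a modest score, while one with the same behaviour who is heavily targeted rises to the top of the remedial list; that is the "actual rather than merely potential risk" weighting the article describes.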

"The goal and power of the platform is community defence" and awareness training is part of that.

The company also realises that there is no longer a demarcation between an individual's work and private activity. Indeed, some organisations encourage their employees to post about work issues on social media, but this carries a risk of confidential information being inadvertently or carelessly leaked.

"It happens all the time," he said. So some of the training materials are set entirely in a home context.

Information leaks also happen in the real world. For example, two people might discuss a business deal while travelling in a hire car or taxi, not realising that the driver works in their industry and is merely moonlighting for extra money. Even if they don't mention the name of their company, the driver may be able to work it out if they pay for the trip with a corporate card.

"I know this happens," he said. Furthermore, CISOs have told him about cases where their friends have alerted them to overheard conversations on trains that disclosed corporate secrets.

Madon recommends organisations establish programs that view security holistically and work towards moving people's view of security from "compliance" to "commitment", in the sense that security is seen as a critical factor for personal success.

So a security professional shouldn't have goals along the lines of "reduce the number of times that employees click on fake phishing emails"; rather, they should be working to change the organisation's culture to include a commitment to security.

HR departments have done a great job in changing some aspects of workplace behaviour (such as treating fellow employees with respect simply because that's the right thing to do), but they should take a similar view of security matters, he said.




Stephen Withers


Stephen Withers is one of Australia's most experienced IT journalists, having begun his career in the days of 8-bit 'microcomputers'. He covers the gamut from gadgets to enterprise systems. In previous lives he has been an academic, a systems programmer, an IT support manager, and an online services manager. Stephen holds an honours degree in Management Sciences and a PhD in Industrial and Business Studies.
