Mimecast Security Awareness's mission is to avoid employee mistakes in the workplace. And to do that, you have to meet people where they are, not where you want them to be, Madon said.
That's why Ataata, the security awareness business co-founded by Madon and subsequently acquired by security vendor Mimecast, put its efforts into delivering security training content in such a way that people would not simply tune out, and into collecting data about how employees actually behave (eg, the results of phish testing).
The company could then rate employees according to the risk they represent, and then deliver targeted remedial training.
For example, malicious insiders represent around 5% of the security problem, but training doesn't work for them. They may deliberately flunk training, he told iTWire, or avoid it completely. "You could give Edward Snowden all the training in the world," he observed.
Dealing with that category of people requires robust technology such as data loss prevention, he said.
But the vast majority of people are good employees who are open to learning providing the material is presented in an effective way – and for most people, that means video. After all, the number two search engine in the world is YouTube, Madon pointed out.
The goal of training is to change behaviour, which can be done by applying fear or humour, and "fear is not a sustainable motivator."
In addition to using humour, Madon advocates microlearning — an ongoing drip-feed of snippets of information — as well as applying technology to measure how people think and act about security.
Mimecast acquired Ataata relatively recently (July 2018), and is still in the process of integrating security awareness training with the rest of the Mimecast platform. For example, this will allow customers to identify the most-targeted people and deliver appropriate training.
"That's the beauty of Mimecast... it's truly an integrated platform," he told iTWire, which means training can be weighted towards actual rather than merely potential risks.
"The goal and power of the platform is community defence" and awareness training is part of that.
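The approach described above (collect behavioural data such as phish-test results, rate each employee by the risk they represent, and weight remedial training towards people who are actually being targeted rather than merely potentially at risk) can be illustrated with a small scoring routine. This is an added example, not Mimecast's or Ataata's own code; the record fields, the weights and the training tiers are assumptions made for the illustration, and the sample employees are constructed.

```python
from dataclasses import dataclass


@dataclass
class EmployeeRecord:
    """Behavioural data gathered per employee (field names are assumptions for this example)."""
    name: str
    phish_sent: int         # simulated phishing emails delivered to this person
    phish_clicked: int      # simulations where the person clicked the lure
    phish_reported: int     # simulations the person reported to security
    real_attacks: int       # real malicious emails aimed at this person, as counted by the mail gateway
    training_assigned: int  # remedial modules assigned so far
    training_completed: int # remedial modules actually completed


# Weights chosen for illustration only; a real programme would tune them against its own data.
CLICK_WEIGHT = 50      # share of the score driven by the simulated-phish click rate
REPORT_CREDIT = 15     # credit for reporting simulations (good behaviour lowers the score)
TARGETING_WEIGHT = 35  # share driven by being genuinely targeted (actual, not potential, risk)
TARGETING_CAP = 10     # real attacks beyond this count do not raise the score further


def risk_score(rec: EmployeeRecord) -> float:
    """Return a 0..100 risk score from observed behaviour and real-world targeting."""
    if rec.phish_sent > 0:
        click = CLICK_WEIGHT * rec.phish_clicked / rec.phish_sent
        report = REPORT_CREDIT * rec.phish_reported / rec.phish_sent
    else:
        click = report = 0.0  # no simulation data yet: behaviour is unknown, not known-good
    targeting = TARGETING_WEIGHT * min(rec.real_attacks, TARGETING_CAP) / TARGETING_CAP
    return round(min(100.0, max(0.0, click - report + targeting)), 1)


def avoids_training(rec: EmployeeRecord) -> bool:
    """True when the person completed fewer than half of the modules assigned to them."""
    return rec.training_assigned > 0 and rec.training_completed * 2 < rec.training_assigned


def training_plan(rec: EmployeeRecord) -> dict:
    """Map a record to a targeted action: more training, or a hand-off to technical controls."""
    score = risk_score(rec)
    if avoids_training(rec):
        # Training cannot help someone who will not take it; review technical controls instead.
        action = "escalate: review technical controls (e.g. DLP) rather than assign more training"
    elif score >= 50:
        action = "weekly microlearning: phishing recognition and reporting"
    elif score >= 25:
        action = "monthly microlearning"
    else:
        action = "baseline awareness content only"
    return {"name": rec.name, "score": score, "action": action}


# Constructed sample data; these are not real employees or real platform output.
SAMPLE = [
    EmployeeRecord("alice", phish_sent=10, phish_clicked=0, phish_reported=8,
                   real_attacks=1, training_assigned=2, training_completed=2),
    EmployeeRecord("bob", phish_sent=10, phish_clicked=4, phish_reported=1,
                   real_attacks=12, training_assigned=4, training_completed=4),
    EmployeeRecord("carol", phish_sent=10, phish_clicked=2, phish_reported=0,
                   real_attacks=0, training_assigned=3, training_completed=0),
]


if __name__ == "__main__":
    for plan in map(training_plan, SAMPLE):
        print(plan)
```

The targeting term is what weights the plan towards actual risk: bob clicks often and is heavily targeted, so he gets the most frequent remedial content, while alice's strong reporting record cancels out her low level of targeting. carol's score alone would leave her on baseline content, but her pattern of not completing assigned modules is the case the article says training cannot fix, so the routine hands her case to a technical-controls review instead of assigning more training.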
The company also realises that there is no longer a demarcation between an individual's work and private activity. Indeed, some organisations encourage their employees to post about work issues on social media, but this carries a risk of confidential information being inadvertently or carelessly leaked.
"It happens all the time," he said. So some of the training materials are set entirely in a home context.
Information leaks also happen in the real world. For example, two people might discuss a business deal while travelling in a hire car or taxi, not realising that the driver works in their industry and is merely moonlighting for extra money. Even if they don't mention the name of their company, the driver may be able to work it out if they pay for the trip with a corporate card.
"I know this happens," he said. Furthermore, CISOs have told him about cases where their friends have alerted them to overheard conversations on trains that disclosed corporate secrets.
Madon recommends organisations establish programs that view security holistically and work towards moving people's view of security from "compliance" to "commitment", in the sense that security is seen as a critical factor for personal success.
So a security professional shouldn't have goals along the lines of "reduce the number of times that employees click on fake phishing emails"; rather, they should be working to change the organisation's culture to include a commitment to security.
HR departments have done a great job in changing some aspects of workplace behaviour (such as treating fellow employees with respect simply because that's the right thing to do), but they should take a similar view of security matters, he said.