Iron Man started his journey from scratch, and your security awareness program can too.


Iron Man wasn’t built in a day. Neither his costume – nor his ego, for that matter. The creation of the superhero and his high-tech armor was born out of necessity – to prevent shrapnel from puncturing his heart. The solution was the creation of Iron Man’s first ever Electromagnetic Reactor – and, well, the rest is Marvel Cinematic Universe history.

But how does this relate to creating a security awareness program? No, it does not mean you add monitoring The Avengers to your cybersecurity program (we tried!). But it shows that the first foray into building such a life-saving program often comes out of necessity. No one expects to be trapped in the caverns of a terrorist group or see their organization’s protective walls breached – but it happens to superheroes as well as ordinary businesses.

So you need to build something better to make sure your organization will survive missile attacks – be shot down by the Ten Rings Terrorist Organization or by a ransomware-as-a-service group using smishing on an executive. Many stop there, when their first-gen defenses are in place and they’re lulled into a false sense of security, but you don’t have to.

More than human

Much like the Iron Man arc throughout its decade-plus saga, your security awareness program should begin with an origin story: a set of guiding principles that explain your current actions, your motivations and your plans for the future. Many see humans as the faulty link in cybersecurity, and in some ways they can be; according to the World Economic Forum, 95% of cybersecurity breaches are caused by human error. Using this data, many organizations purchase technologies to strengthen their defenses and limit their employees’ visibility into the threats facing the organization. For my team and our security awareness program, we have chosen the opposite path. We equip our humans with the technology, tools and training they need to be frontline defenders against cyber threats.

This process of embedding security awareness into everything your employees do takes time. It can take months or even years to energize the Pikul collective of your company – the live arc reactor that advances your security awareness program – but it’s worth it. To start, begin the training journey early: incorporate training into the first days on the job, during new employee orientation.

Next, you need to incorporate real-world training and simulations into your employees’ everyday work environments, including things like phishing simulations, crisis tables, and social media alerts. For content inspiration, it’s important to “run on reality” and use real things that happened to your company or your employees as the backbone of this training content. Often, in the case of malicious cyber actors, reality is stranger than fiction.

What’s your Jarvis?

Once your arc reactor is powering the daily movements of your program, it’s time to set up your “Jarvis system”. In Iron Man, Tony Stark uses his Jarvis AI to plan everything from interplanetary drone strikes to dinner reservations. In the case of your organization’s Jarvis, the scope of what you expect from your system is much smaller. Jarvis, in a security sense, is a combination of internal programs and external tools and technologies that creates a hard shell around your employees: think proactive threat intelligence, defense-in-depth processes, automation, and machine learning.

The complexity of your Jarvis system will depend on the size of your organization and what you can invest in external resources. Simple open source phishing simulations and basic firewalls with intel feeds are a good starting point for small organizations; medium and large businesses can also turn to email gateway analysis tools and complex phishing simulation services. Regardless of your buying power, a good mix of external tools and resources with your internal expertise and processes is essential to the success of your own Jarvis system.

Once you’ve found your Pikul and activated your Jarvis, you might be wondering what else you can do to build security awareness in your organization. For me, it’s about mixing people, processes and technologies with a focus on psychology. Security programs built with cyberpsychology at the center create a collaborative, not punitive, relationship between your security team and the employee base, and empower employees to be proactive and stay alert to threats through interactions and positive reinforcement.

You never know your team’s true potential until you give them the right training, technology and confidence – this is where the psychological element comes in. After all, Tony Stark wasn’t a superhero until he donned the costume. And to end with my favorite line from Tony to Peter Parker, “If you’re nothing without this costume, then you shouldn’t have it.”
