How I Pulled Off an Edgy Security Campaign – SANS Security Awareness Summit 2018
Key Takeaways
Shares strategies for creating effective security awareness campaigns
Full Transcript
hi my name is Lisa Plaga Meijer funny thing happened on the way to San securing the human I'm no longer with cdk global but I did get their permission from cdk legal to present this today and I'm exploring a lot of opportunities a lot of movement in the market right now and and I am enjoying some much needed time off so if you were here last year when I spoke we looked at a casting video of a guy named Pavel and a campaign called do you sir do know and we were in the ideation phase well Pavel came to life this is the article that ran in our newsletter I'll just read it for you in case you can't make it out from the back do you yes or do no gaming show with Pavel coming soon we are pleased to announce an exciting new security quiz show produced by the cdk global security organization hosted by Bach Rania's most loved television and online personality Pavel Draganov Pavel started his career starring in many surveillance videos he since moved on to hosting reality shows such as who in this van can swallow the most diamonds quickly and which is your least favorite finger do yes or do know is his breakout game show he is very excited just look at him so that went to that link down there in the bottom left went to a teaser video about the campaign that was on our on our portal the just the campaign in a nutshell it was a cheesy 70s game show theme we hope to develop the characters and the intrigue enough that we could stretch it for six to twelve months to leverage our spend I did have a champagne budget unlike the last speaker it takes all kinds right anything works we had about a hundred thousand dollars but out of that we got sixteen videos we had one day of taping which is important to keep it on budget and that included a live event five locations I'll talk more about that later but fifty-five percent of our employees watched that first teaser video that was unheard of for for corporate comms so this is our friend pavel smiling charming but he's got these finger tattoos and these neck tattoo sticking out and you're not quite sure what to make of this guy is that smile genuine or is that genuinely evil when we play the game show it's clear he's here to help us he's got all this great advice but we're not sure how we feel about him and that's exactly what we were going for is that intrigue I'm not sure how I feel about this guy that's what that's what got us the eyeballs when you play the game show he seems to know an awful lot about a lot of bad stuff even though he seems like he's here to help us so what was his background maybe right there's we were going for that intrigue not just not being sure how you feel about him that ambivalence I'll show you a short compilation video in a in a minute but just in a nutshell as I said we we spent one day filming we got about 16 1 2 3 minute videos out of that one day shoot for the shoot we used a combination of actors and employees we took about a hundred still shots like the one you see here we use those for banners on our employee portal posters digital signage thumbnails for newsletter articles and then of course we had swag we had baseball caps do yes we do no stickers which I still have a huge supply of anybody wants one and in true Pablo fashion we did rub on temporary do yes or do no tattoos when we did the live game show well we released about four videos over the course of about four or five weeks and then we started promoting the live event in five different locations when we did the live game show we realized that you know there Pablo was already sort of recognized by a lot of people because we've been getting good view rates on the first couple of videos so we decided to see if people would let him tailgate in in the morning there's another character you'll meet named Brian who's kind of a perfect victim to Pablo's thinly veiled aggression he's kind of the bumbling fool so we discovered him during the taping he was just hired as a local actor he'd done improv comedy and improv acting has had the Pavo character so when you put those two guys at your front door in the morning pavel in his suit with his tattoos a cup of coffee and a cell phone keeping in mind this is a software company where people usually come in in jeans and a t-shirt you would be amazed at how many people will hold the door open for somebody holding a cup of coffee in a cell phone so the reactions ranged all the way from I know you you're the guy from those videos I'm not gonna let you in all the way to I'm not security it's not my problem that I just let this guy in but the Brian character would stand on the inside and you know as Pavel was cruising in behind somebody and he would say you know kind of ham it up you know did you just let the guy in he looks really scary is he with you so we did it in a way that wasn't threatening you've got two guys that are used to doing improv so um so it was actually kind of fun so then we would play the live game show during the bulk of the day people could just drop in play for as little or as much as they wanted to and then in the afternoon when you get that like 3:00 3:30 4 o'clock lull in the office is the time to go home yet we had pop will take his cheesy fake 70s microphone and Pavel and the Brian character and I just walked up and down the cube farms and would sort of randomly ask people security quiz show questions and you kind of got that prairie dog effect in the cubes and a few prairie dog then you better be sure that bob was gonna be coming at you with the microphone to ask you a question so that went over really well as well so let's take a look at what some of the videos look like oh and welcome to do yes or do know the game show that tests your knowledge of internal securities of where you are now working cdk I am Hospital I know what is bad the nerves Brian let's get to you know you have animal pets yeah I can't I mean buttons how adorable oh please is this your company email yeah how did you get billed what does Brian's company email password buttons buttons one two three I'll give you partial credit good job Brian I do not hack Napoleon was a hacker yeah don't be in Napoleon be an Alexander Oh like Alexander the Great female shows up he's electronic reading card from babushka babushka been dead many years oh I miss my grandma maybe you got lost on a server no stupid man that is a scam you get scammed and you compromised company no points for you okay here are your points Oh Rick I send you email with attachments okay do you open the attachment do I know you know no one could know Pavel do you tell GS oh no I think I've just ignored that's a good Dalek that's very good that's not good good isn't it it is Peter Little Joe this question is for you you receive an email offering large sum of money in the return for many company secrets and passwords do you take the money honestly I do not even know why we have this question in the amount of pause you give me I will consider yes and I will wait for your soul oh my of course not no thank you how much money we talking here the way [Music] so those are kind of some snippets from the best of as you can imagine we had a blast taping this when we when we had the Brian character show up the actor and saw how well he went with the pavol character there was no question we had to take Brian on the road with us right so why is this edgy anybody so we're kind of picking it a stern European stereotypes here aren't we right we knew this we acknowledged this right I mean I might not be a fair comparison but I'm a German descent I lived in Germany for 13 years and I grew up watching reruns of Hogan's Heroes it never occurred to me to be offended by Hogan's Heroes right it's comedy it's fiction it's made up right but nonetheless there are sensitivities around this stuff right so we prep for those we discussed it at length all the executives all of HR the executives in the individual locations where we were doing the live events HR business partners HR vice presidents the entire c-suite right we talked about it at length we had legal sign-off do the reasonable person test what a reasonable person be offended by this right we even put a disclaimer at the beginning of each video talking about how this was a fictional character from a fictional place so we we acknowledged it upfront and I loaded the lips of all the executives right so as I said the first video goes that we get a 55 percent a view rate and corporate comms deleted corporate comms left the comments turned on on the portal marketing's advice was to turn it off and corporate comp said no we'll leave it on okay fine so we had one mildly you know I don't think this is very piecey type comment by the third video we had 1800 views in the first five hours by the third week right so we've definitely given some engagement I go to Chicago we do the first live event that's our headquarters kind of a stuffy atmosphere but still all the senior executives play lawyers played everybody had a good time two days later we get on the road we go to Cincinnati where we have a large office people love the Brian character there they left a cheer for an underdog right so we had people you know Brian for president it was which was great because when people's in the audience started cheering Brian for president Pavel under his breath and his microphone in his Eastern European accent said we can make that happen so so working with improv comedians with the playoffs believe me so anyway we had this line out the door and any of you that do events you know it's exhausting right but lying out the door people would from a department would come play and then they'd go back and tell their co-workers and then more people would would come and so by the end of the day it's it's late I'm flying back to Austin that an item and Cincinnati so that means I got changed planes in Houston I get on the plane at 7:30 at night I'm not gonna be home till probably midnight I decide but I'm thrilled I'm just thrilled it couldn't have gone any better I sit down at my seat on the plane and I decide to check my email one more time before I shut off my phone and this is what I see this is the subject line of an email from a VP of HR to my boss and to me so I spend the rest of that flight as you can imagine pretty crap down right because I just thought I came off of a great day right so unbeknownst to me while I was playing the game in Cincinnati and didn't have time to look at the Chloe portal that day there were a few more negative comments from one particular individual and then a few more people that chimed in with him and then is often the case in America these days this groundswell of people with an opposing opinion hey this stuff is great are you kidding do you want to go back to boring security stuff like we love this and so there was this debate going on and a little bit of controversy and that's what caused the HR VP to send this email so I get home that night and I do a little research on the one guy that's sort of started the whole thing right the guy who was the most outspoken and negative about it and I do a I do a search on him on the employee portal I wanted to see his picture he works in Cincinnati office and I thought wouldn't it be something if he actually played the game that day what if he came in late in the day and actually played and had a good time and sort of changed his mind like who knows I'd like to see if he was actually there do I recognize this guy so nothing against nose rings but when I look him up on the employee portal I couldn't see him because the only his picture was just a close-up of his nose ring so you can't make this stuff up right so I do Google Images and I get to his wide-open Facebook page and saw his picture there and glanced at a post he had done just in the few days previous and he had shared a story about a angry mob of farmers in India who had set some elephants on fire that was a really graphic image horrible story about these elephants terrible thing but what got me was the comments that he posted along with that story and I'll and I'll read you what he posted where are the mass shootings when you need one a few humans I hate you so this is obviously somebody who's an upset individual you know kind of lives his life in a very angry place this made for a very interesting call with that vice-president of HR the next morning because who should own the security culture in our organization a one small very vocal individual or is it the security organization who's trying to change the culture trying to make security fun and and I neglected to mention the thing we're trying to get is engagement in this campaign that was our number one goal we certainly got engagement right there were fewer the people that had chimed in with him on the portal and just out of curiosity I looked at their training records to see if they had completed you know training how'd they do on phishing like how sort of security aware are these folks and I'm sure this is anecdotal but I wouldn't be surprised if across the board it proved out the two or three people that had posted negative comments none of them had taken a single assigned security training module ever these are those people that you chase to be compliant right the ones that you keep sending their mails to to try and their managers and their managers managers to try and get them to participate so these people who never took their training watched every one of those bobble videos I had all the click-through data I could see you know who watched what so I got eyeballs from people on security content that normally you couldn't get to engage so for me that was a win right so needless to say we kept rolling we did not stop the program but this is the lesson learned internet trolls are a thing the marketing department was right do not leave comments turned on on the portal so after this we turned off comments and we kept going so a little bit about metrics of course they had all kinds of metrics on how many people viewed the videos and all that good stuff but um we had just started our fishing program right before we kicked off cobble so we did that first mock fish right where people click and get a 404 error instead of a teachable moment and we did our first real fish real fake fish about three months three to four months in the end of the panel campaign we were able to cut our click rate in half and we upped the report rate by two hundred and fifty percent in three months time so I have to believe that Pavel we I'm sure we would have eventually gotten to those results but I think Pablo was like a fast-forward button and when you think about that hundred grand that we spent if I think about all the tools in the technology that our security folks are so quick to to purchase right to protect the company at that point you know for me to be able to go to the sea so and the CIO and say you know hey give me a hundred grand and I'll be able to click here and cut your click writing to happen in three months would you do it compared to what you're spending on all the technology and the tools I think a lot of them would do it in heartbeat right those are those are pretty strong results so this warned my heart this was a couple months into the campaign I'm sitting at my desk and we encourage people to report incidents any which way right like we have emails we have phone numbers ping me on I am that's that's fine just any which way you can report things we want you to report things and this came from a person who reported an incident ping me and I am worked in Accounts Payable not a place you want to hear about an incident coming from right turned out to be a kind of a data incident a human error incident but you never know what the outset right so so I think her for reporting it and she pings me back because of that powerful game show I thought I should that's the engagement we wanted right so that that were my heart so how do you do edgy every company every person every organization has a brand and I think you have to start by being honest to that brand so what is a perceived brand of your organization not what the security people all say about themselves but what do the rest of the employees in your organization think of the security folks we were too closed off we want it to be more fun more engaging you know we want people to come talk to us whether it's apps a core physical security or whatever it was we just wanted more engagement so what would your employees say about you or the Department of no are you the policy police are you good guys fighting crime like what is the current perception and start with that and be honest about that right own that and then find a way that you can change it or turn it on its head somehow I'll give you an example that predates Pavel cdk used to belong to a DP the big payroll processor and four or five years ago before it was fun off they had the traditional one our annual security training nobody liked it everybody hated it you click through it while you're on a conference call or something right so when I join the security organization for marketing I said we're going to change that we're going to do something completely different but I use that dislike of the training for Grahame to change perception to capitalize on getting more engagement so we chose wombat that has a cyber strength assessment right it's a pretest and we sent out that pretest and we said everybody if you get 80% or more on all the topics covered in this pretest you won't need to take any more security training people hate security training so they're like awesome give me my pretest right so what's the dirty little secret about the pretest it's training in and of itself so then we had people come back they get their training assignment after they did however they did on the assessment and then they'd call and they'd email and they'd reach out to all these people in security organization wanting to argue about the finer points of one of the questions or one of the answers because maybe they missed by just a few points so what is all that what were all those calls and emails engagement exactly we had people talking to the security department that would never normally talk to us because we cap wise on the fact that everybody hates security training right so we took a negative brand attribute and turned it into something positive if you do something edgy not everyone is gonna like it and that has to be okay the definition you know by definition it's not going to be everybody's cup of tea I'm not talking about willfully being willfully offensive there's a fine line between being edgy and offensive edgy makes you want to engage and offensive just turns you off so there's a great article if you download the presentation later out there called how to be edgy without alienating your customers and I won't go into detail but good article this is just a piece of Lisa's general advice video video video video having come from the world of advertising and marketing I can tell you people love it and it's not changing so some of the recent stats 100 million hours of video are watched on Facebook every day in 2017 seventy five percent of all Internet traffic with video streaming a video tweet is six times more likely to be retweeted than a photo tweet keep it short one to two min we neglected to post an archive at the beginning of all the probable videos I didn't realize how many people would want to binge watch Pavel if they hadn't seen everything so we made sure to set up an archive Oh control the message as best you can even though in the world of social media we loaded those executives lips right if somebody said you know I I don't like this you know I find this offensive to Eastern Europeans whatever it was culturally insensitive we made sure that all of our executives HR business partners everybody knew how to engage that person one-on-one in a conversation and turn that conversation into a discussion about security and how do you feel about it as opposed to you know I'm offended because I don't like cobbles accent or or whatever it would be so you have to manage those situations one-on-one and not let them snowball and then finally carry the campaign through everything you do we very recently had a rash of smash-and-grab laptop thefts and so this was a some digital signage that I created and we used it the newsletter as well if you remember last year I spoke about ad age and at age are too glad age is a great publication if you need creative inspiration that there was a new product being sold in the advertising market it was seven-second ads and those actually happened great if you watch the Winter Olympics or the NFL there were these split-screen you know during the huddle you'd see this little little sevenths like an ad pop up because Americans attention spans are so tiny right 7 seconds so the beauty of this is that once you've developed a character and you've gotten intrigue and and you really permeated with your message do you need more than 7 seconds to get the idea of this poster so little copy in it so much right you're only gonna get their attention for a few seconds so I was I was I was thrilled with how we were able to to leverage this and have fun most of all just have fun you [Applause]
Original Description
Description:
SANS Summit schedule: http://www.sans.org/u/DuS
You know you need to create attention-getting security awareness campaigns, but how do you keep from getting the wrong kind of attention from HR or Corporate Communications? How do you get executive support for doing something that’s a little outside the box?
Security awareness goals are quite different from corporate communications goals, and you need to be able to clearly articulate how it’s different, and how the tactics need to be, too.
Lisa led a disruptive campaign that had employee engagement measures 300% higher than other corporate comms campaigns. During the campaign period, phishing click rates were cut in half, and phish report rates went up 250%. But the campaign was not without its risks.
The most innovative, ambitious campaigns all have an element of risk. Say the word “risk” to a security professional, and it generally evokes the negative. But in the creative world of marketing and advertising, the real risk is not taking any risk at all.
About Lisa Plaggemier
Lisa has spent her career branding and marketing cars and trucks, software and data, and now security. She has combined her passion for the automotive industry with a fervor for security awareness to help CDK, OEMs, and dealers manage their risk and grow their businesses securely. Lisa worked for marketing for Ford Motor Company in the U.S., Europe, Africa and the Middle East. She is currently the Director of the Client Security Advocacy Office for CDK’s Global Security Organization. Lisa graduated from the University of Michigan and currently lives in Austin, TX.
Watch on YouTube ↗
(saves to browser)
Sign in to unlock AI tutor explanation · ⚡30
Playlist
Uploads from SANS Institute · SANS Institute · 55 of 60
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
▶
56
57
58
59
60
SANS FOR610: Reverse Engineering Malware: Malware Analysis Tools & Techniques
SANS Institute
SANS Institute Cybersecurity Training Customer Stories
SANS Institute
SANS Institute UK Cyber Academy
SANS Institute
SANS Institute UK Cyber Academy
SANS Institute
CISSP® Prep Exam, MGT414, by SANS Institute
SANS Institute
SANS Institute's Rob Lee Discusses The OPM.GOV Hack on CNN
SANS Institute
Information Security Training from SANS Institute - Student Testimonials
SANS Institute
SANS NetWars
SANS Institute
SANS DFIR NetWars
SANS Institute
Hack The Drone - SANS Cyber Academy UK
SANS Institute
SANS VetSuccess Immersion Academy
SANS Institute
SANS Cybersecurity Training, Certifications & Placement for Veterans
SANS Institute
The 2015 SANS Holiday Hack Challenge
SANS Institute
SANS VetSuccess Academy: Hands-on Skills
SANS Institute
SANS VetSuccess Academy Overview
SANS Institute
SANS ICS Security Summit & Training 2017
SANS Institute
Exploring the Unknown Industrial Control System Threat Landscape – SANS ICS Security Summit 2017
SANS Institute
WannaCry recap, patches, and analysis
SANS Institute
If We’re Doing So Well at Cyber Security, Why Are We Still Doing So Poorly?
SANS Institute
Graduation Day - SANS HM Gov Cyber Retraining Academy
SANS Institute
Incentivizing ICS Security: The Case for Cyber Insurance – SANS ICS Security Summit 2017
SANS Institute
SANS Data Breach Summit & Training 2017
SANS Institute
SANS Secure DevOps Summit & Training 2017
SANS Institute
How Threats Are Slipping In the Back Door - SANS ICS Security Summit 2017
SANS Institute
SANS Webcast – Continuous Opportunity: DevOps & Security
SANS Institute
SANS Cybersecurity Programs for the Department of Defense
SANS Institute
SANS Pen Test HackFest Summit & Training 2017
SANS Institute
SANS SIEM & Tactical Analytics Summit & Training
SANS Institute
If We’re Doing So Well, Why Are We Still Doing So Poorly? – SANS ICS Security Summit 2017
SANS Institute
SANS Institute
SANS Institute
ICS515: ICS Active Defense and Incident Response
SANS Institute
SANS Institute
SANS Institute
Introducing the NEW SANS Pen Test Poster
SANS Institute
SANS Institute - An Inside Look at the Newly Updated ICS515 Course
SANS Institute
SANS ICS Security Training, Munich, Germany
SANS Institute
SANS Automotive Summit Webcast
SANS Institute
Privesc Playground - SANS Pen Test HackFest Summit 2017
SANS Institute
Introduction to Reverse Engineering for Penetration Testers – SANS Pen Test HackFest Summit 2017
SANS Institute
Honey, Please Don’t Burn Down Your Office: Fun with Smart Home Automation
SANS Institute
SANS Security Operations Summit & Training 2018
SANS Institute
Sh*t Happens! (But You Still Need to Drink the Water) – SANS ICS Summit 2018
SANS Institute
ICS Threat Intelligence: Moving from the Unknowns to a Defended Landscape – SANS ICS Summit 2018
SANS Institute
You’re Probably Not Red Teaming (And Usually I’m Not, Either) – SANS ICS Summit 2018
SANS Institute
A Sneak Peak at the New ICS410
SANS Institute
Jumping Air Gaps – SANS ICS Summit 2018
SANS Institute
Introduction to Linux
SANS Institute
Introduction to Malware Analysis
SANS Institute
You’re Probably Not Red Teaming (And Usually I’m Not, Either) Webcast by Deviant Ollam
SANS Institute
Hacking your SOEL: SOC Automation and Orchestration – SANS Security Operations Summit 2018
SANS Institute
Hunting for Post-Exploitation Stage Attacks with Elastic Stack and the MITRE ATT&CK Framework
SANS Institute
Apples and Oranges?: A CompariSIEM – SANS Security Operations Summit 2018
SANS Institute
SANS Webcast - Perimeter Security and Why it is Obsolete
SANS Institute
SANS Webcast - Trust No One: Introducing SEC530: Defensible Security Architecture
SANS Institute
The Science of Security: The Psychological Impacts of Security Awareness Programs
SANS Institute
How I Pulled Off an Edgy Security Campaign – SANS Security Awareness Summit 2018
SANS Institute
Practical Advice for Submitting to Speak at a Cybersecurity Conference
SANS Institute
SANS Webcast - Consuming OSINT: Watching You Eat, Drink, and Sleep
SANS Institute
SANS Webcast - Zero Trust Architecture
SANS Institute
SANS STX Cyber Range
SANS Institute
Part 1 – SANS Institute and Tenable talk about cloud security
SANS Institute
More on: AI Marketing
View skill →Related Reads
📰
📰
📰
📰
We Cut Employee Onboarding Time Without Hiring More Trainers. Here's What Changed.
Dev.to · Saifuddin Tipu
UK Spouse Visa 2026: Financial Thresholds, Eligibility Logic, and What HR & Compliance Systems Need to Handle
Dev.to · ImmigrationGPT
HRM: Simplifying Complex Payroll & Salary/Benefits Configurations at Scale
Medium · UX Design
Organizational Culture and Enduring Impact
Medium · Startup
🎓
Tutor Explanation
DeepCamp AI