If, like us, you’re curious, then you might be wondering what other security awareness practitioners are up and how they got into the work they do. Because it’s such a new area of work, people often have very different journeys into the industry.
So, we’re thrilled to have Jason Hoenich in the hot seat for this Q&A style post. Even more so because Jason’s company Habitu8 are sponsors of the Re-thinking the Human Factor podcast.
Jason’s the guy behind world-class awareness programs used by mom-and-pop companies like Walt Disney and Sony Pictures Entertainment, as well as the creator of Habitu8’s wildly popular and infectiously funny Hashtag Awareness ® video series.
Tell us a bit about you, your company and what you do?
I’m a security awareness practitioner by trade, and have built programs for some of the most recognisable brands in the world over the last 10 years including Disney (Marvel, ESPN, ABC, Pixar, Disney Studios, Theme Parks & Resorts), Sony Pictures Entertainment (remember that infamous cyber attack by North Korea?), and Activision Blizzard (Call of Duty franchise, Guitar Hero, Skylanders, etc.).
I founded Habitu8 because we wanted to share the unique experiences and learnings I was having as well as provide a high-quality product that didn’t yet exist in the space. I was tired of the existing guidance from vendors who had never done the work and who refused to invest in quality content.
How did you get into doing this?
Kind of by accident? I had spent several years as the “tattooed computer guy” in my local community. I really enjoyed working directly with people while I repaired their computers. I’d say like 80% of my effort was on the education part after I had cleaned off any viruses/infections they had. The repair part was easy and typically automated, whereas explaining how it happened and how to avoid it in the future wasn’t. People really appreciated having someone take the time to explain stuff to them.
Eventually I found myself in roles at jobs where I could do that on a larger scale, using my marketing & sales background to my advantage. Then more official roles started to pop-up with the title of “security awareness” in them and I was like “Oh hey! That’s what I’ve been doing!” Then a fortunately timed moved to Los Angeles and suddenly I was working with all of these really amazing brands. It was a dream!
What do you think are some of the key challenges facing the security education and awareness industry today?
I think right now the industry is suffering from years of poor guidance dumped into the space by inexperienced vendors. A lot of research that was available in 2013 when I was at Disney was mostly just opinions by technical folks on how to train on cyber risks. Not a single vendor or researcher was talking about this stuff based on actual experience running or managing or having built programs. But we’re changing that now by providing great resources on strategy for managing a program and with great training content.
Because of that, the industry was shaped by vendors whose motivation was to sell licenses to their phishing or LMS products or by research about technical industries. But security awareness and behaviour is a social psychology industry. Behavioural psychology is much different than computer science.
There’s also a bit of “Well, this is how we’ve always done it” mentality that I think cripples new ideas and the ability to move forward.
What big changes do you see happening in the industry over the next 3 years?
I think we’ll begin to see phishing become more of an email security practice. The threat will still be there, but I think the focus that phishing simulations being the defining element of a security awareness program will shift to focusing on changing human behaviour.
I think (or perhaps continue to hope) that the viewpoint of “the user is the weakest link” will begin to fade away to more human positive outlooks. Once we have an industry of professionals who have a respect for their coworkers and we begin to fix the existing broken security processes and architecture that cause friction in our daily lives, we’ll begin to see a more empathic industry focused on supporting good behaviour habits, and not on blaming someone for “being stupid”.
What drew you to want to sponsor the Re-thinking the Human Factor podcast?
From the day I discovered the Re-thinking the Human Factor podcast a few years ago, I’ve been a huge fan. Bruce & the team have pulled in some amazing guests and I’ve gotten so much from every single episode. Re-thinking the Human Factor is having exactly the right conversations at the exactly the right time this industry needs them. I want to help amplify that message any way I can. It (and the book) are the first resource I recommend to anyone I’m working with. It was a no brainer.
What’s been your favourite episode and why?
Dan Ariely, hands down. I’m an obsessive nerd when it comes to behaviour change, neuromarketing & science, etc. To be able to listen to a conversation with such a brilliant psychologist speak explicitly about our wonderful industry was just amazing. There’s so much good stuff in there. It’s a really great intro into the concepts and world that most professionals in this space need to be taking into consideration.
What one thing do you want the RHF listeners to take away about your service?
We’re a “for us by us” brand. We started this company because we care, and we’ve done the work and understand the needs of the role. It’s why we created all of our free strategy guides to help folks get started with a framework that makes sense and guidance that has led to success. Oh, and we have the best training content out there haha!
If you’d like to listen to Jason and Bruce chatting on the Re-thinking the Human Factor podcast, you can do that right here.