As a global leader in optimized resource management, Veolia group — and its more than 160,000 employees — designs and provides water, waste, and energy management solutions that serve millions of people worldwide. Compliance has always been a top pursuit for the organization, but as information security and compliance have increasingly intertwined, educating end users has become more challenging — something that Veolia’s John Hield knows all too well.
Hield, the Data Protection and Information Governance Leader for Veolia UK & Ireland, recently spoke with Jess Phillips of Intelligent CISO about his career evolution and how infosec has taken a lead role in compliance efforts. Once primarily focused on managing IT processes in relation to a variety of standards and regulations, he soon recognized the convergence of compliance and information security. As Phillips noted, “Hield found that the steps the business needed to take to comply with regulations, and the steps it needed to take to protect against data breaches, were often very similar.”
Leading the GDPR Charge
Phillips acknowledged Hield’s role as a “cybersecurity and compliance mentor,” noting his extensive experience speaking at industry events and presenting to internal audiences about topics like social engineering, social media safety, and data protection. But it was his early, proactive interest in the General Data Protection Regulation (GDPR) that Phillips said cemented his status as “a true pioneer in his field.”
Back in mid-2016 — “months before many UK organizations would have even been aware of [GDPR’s] existence,” Phillips said — Hield volunteered as Veolia’s project manager for GDPR. An integral member of the working group tasked with GDPR planning, Hield worked in concert with the head of Veolia’s legal team, ultimately becoming the Data Protection Officer (DPO) for Veolia UK & Ireland.
Making End Users Part of the Defense-in-Depth Equation
In his DPO role, Hield took on a challenging assignment: Delivering security awareness training to end users.
He and his team first started with readily available resources, like email, a shared intranet, and Google Communities. They provided employees with infographics and statistics, and posted blogs about relevant cybersecurity topics. But these methods proved unsuccessful, Hield noted, because end users were not engaging with the content, and emails and blog posts were going unread.
Beyond the wasted time and effort, this lack of engagement brought another concern: Since Hield was unable to prove employees were receiving training, he was also unable to prove compliance with the GDPR and other regulations that mandate cybersecurity training.
This type of misstep is not uncommon among organizations that are first starting cybersecurity education programs. Emails, infographics, and blogs are best used to raise awareness and reinforce key best practices. Because they are passive types of content, end users generally find it hard to engage with them or to retain lasting knowledge from print and electronic media alone. And, as Hield noted, the lack of measurement is a particular challenge: the ability to establish a baseline, take ongoing measurements, and gauge progress is valuable not only in regulation-heavy environments, but in any organization that wants to target specific weaknesses in user behavior and demonstrate ROI.
To eliminate that uncertainty, Hield shifted to an in-person training model, delivering hour-long presentations to end users at different company locations. Though he found this approach more effective, it had serious logistical challenges. Many company sites couldn’t support larger-scale gatherings, which forced Hield and his team to deliver smaller sessions, some with just six to eight attendees. The interactivity was high — a plus — but with 5,500 IT users across more than 400 sites in the UK and Ireland, it wasn’t a viable approach for Hield and his three-person team.
This scalability problem led him to consider computer-based training, an option he knew would give him more flexibility and reach. But he was discerning about his research, saying, “Our goal when we develop training is to really make it as approachable as possible. We didn’t want [our end users] to be intimidated.”
He ultimately demoed two solutions — one of which was Wombat Security — and gathered a group of internal users from the organization’s finance, IT, and HR teams to test each platform and provide feedback. As Phillips noted, “Overwhelmingly, the trial users preferred [Wombat’s] solution because Wombat’s interactive, step-by-step modules were more engaging than the other company’s video-based modules, which end users found overly technical and hard to engage with at their desk.”
Success With Wombat
Hield kicked off training in early 2017 by sending an introductory email to his end users that assigned a mandatory Security Essentials module. He also invited users to try any (or all) of the other 35+ interactive training modules available within the platform. Within the first week, the team tracked 1,200 module completions (both mandatory and optional).
Hield had asked end users to complete the Security Essentials module within 90 days and was pleased when 80% met the deadline with just a courteous reminder email each month. It was also beneficial, Phillips reported, that “department leads acted as stakeholders during the campaign.” Managers reached out to him to identify staff who had not completed training “so they could personally incentivize them to do so.”
Another bright spot was the popularity of the optional training: Hield logged 4,120 voluntary completions over a six-month span, with mobile device security a particularly popular topic. One hundred employees took all of the available modules.
Onward and Upward
Hield continues to rely on the Wombat toolset to deliver ongoing, broad-based cybersecurity training, as well as more targeted education based on results from vulnerability assessments. He sends challenging ThreatSim® simulated phishing attacks — including those with corporate messaging and attachment lures — and tailors his follow-up training to address the vulnerabilities these tests reveal.
He is also planning mandatory GDPR training using Wombat’s GDPR modules in early 2019 — though, as Phillips reported, “he has noticed that a lot of people are already voluntarily doing [these modules].”
In addition to increased end-user engagement, Hield has seen “immense” ROI from his training efforts and a positive response from other areas of the business. When Hield presented the Veolia UK & Ireland program at a global security summit, Phillips noted, his colleagues “were blown away.”
“We can see the main difference [with the Wombat solution], and it ticks all the compliance boxes as well, which is important for us,” said Hield. “It really works for us.”
You can read the full article on the Intelligent CISO website.