Mimecast Makes Security Training a Laughing Matter
Mimecast has found the best way to train employees on cybersecurity is with a healthy dose of humor. The company has developed a sitcom-style training program it offers via a subscription that’s making a big difference. Jann Yogman, senior director of product management, talks with Charlene O’Hanlon about the company’s unique approach. The video is below, followed by a transcript.
Charlene O’Hanlon: Hey, everybody. Welcome back to TechStrong TV. I am Charlene O’Hanlon, and I am here now with Jann Yogman, who is the senior director of product management at Mimecast. Jann, you guys have a very interesting way of going about doing your cyber security training, am I right?
Jann Yogman: Yeah, that’s right. When you think security training, awareness training really about anything, most people’s reaction is just to fall asleep. We do it a different way, that if we can get your attention, if we engage you, we think that you’re more likely to pay attention and be more likely to understand why your security decisions matter, and hopefully make better choices for your company and for yourself at home, too.
O’Hanlon: All right, so tell us your big secret. How do you guys do that effectively?
Yogman: We just put our hand into the big junk bin, and pull it up and put it on paper and have people read it, and we’re good. No, the truth is, the quick version of the story is that about five years ago, I came into this not knowing the first thing about cyber security, information security. I come from a TV background. I’m a writer, I’m a creative, I’m a self-proclaimed funny person, and a good friend of mine from college, who was/is a cyber security expert, had this idea that just stemmed from this notion that security training was boring, that we were losing people, they weren’t paying attention, and the true message of what we wanted to convey wasn’t getting across. He came to me, and it wasn’t a case of being able to think outside the box and do it differently, I literally just didn’t know the box was there.
Any of these concepts have to be explained to me first, so I, as a regular person, not a security expert, can understand them, and then I take that and I deliver it to other people like me, regular people, in a way that they can understand. That’s how the startup was born, and now we’re almost at our three-year anniversary from when Mimecast acquired that startup, and so we’ve five years into this.
O’Hanlon: All right. Great, so you guys are using humor as your main mechanism, I’ll say, for delivering cyber security information and education. Who is your main audience? Are you talking to Mimecast customers specifically, or are you opening this out to kind of the general public or organizations to kind of bring you on as the cyber security training person? How is this being disseminated?
Yogman: We are software-as-a-service, in addition to things like e-mail security, web security, archiving, and the regular, important blocking and tackling that goes into any security effort, realizing that employees be regular end-user people sitting in the cubicles, all the way up to the boardroom, play a role in this. Some say they’re the first line of defense, others say they’re the last line of defense. Whichever your perspective is, it’s pretty important. Our customers are Mimecast customers that may or may not have some of those other protections in place, but we’re global. Our content is seen around the world in just about every place that you can imagine, and the last I’m told, and I could be making this up, is our audience every month is about three million people who do watch awareness training videos.
O’Hanlon: Excellent. Are these videos readily available? I mean, can you go onto YouTube or someplace like that and take a look at them?
Yogman: There is some information that we have on our YouTube channel, and a lot of things, Human Error on the Street and other things that we do make accessible to others. But, really, that value is our training, which is a short video, one question ‒ it’s not a long test, but one question ‒ to show us that you got the key takeaway. You find out whether or not you got it right or wrong, the reason why you got it right or wrong, and you’re done. The entire process happens in three minutes or less. It’s once a month. It is a slow, steady drip, and that is delivered each month to companies who say, “This is the vehicle we want to use to train our workforce.”
O’Hanlon: That’s pretty cool. I think that’s probably a much better way to do any sort of training, rather than give them 18 modules at once and you’ve got to get it done by Friday; otherwise, you’re not going to get the credit. It’s like if you do a slow and steady drip, the retention there I think is much greater than if you throw all the information at them at once.
Yogman: It’s easy to say that we want to keep security top of mind. That feels like a buzzword or maybe a marketing pitch. But, the truth is we’ve seen this phenomenon where people in offices are asking when the next video is coming, so think about that. To know, “When are you going to give us more training, because we want to see what happens to these characters,” we do it sitcom style, so you tune in each month and you see what they are up to. Here’s the distinction. We can do a video about being suspicious of phishing attacks, or why you should have a strong password, or why you shouldn’t use the same password for everything, or when we’re allowed to go back into buildings, why we shouldn’t hold the door from somebody who doesn’t have credentials to be there.
It’s that specificity, but, at the same time, I don’t think it matters what that particular month’s module is about. What it does is every month it reminds us to be vigilant, to slow down in any situation, to take a step back and think, “Is this real? Do I need to verify this?” That constant, that slow drip that we’re talking about is what does literally keep security top of mind. We’re not pushing them away. We’re just part of that journey with them, and it’s effective.
O’Hanlon: Yeah. Well, it sounds like it. I imagine it would be for a lot of organizations. It sounds like you make it very accessible to the ‒
Yogman: Yes.
O’Hanlon: ‒ average person so they don’t feel intimidated by a lot of the jargon and things that I think a lot of the cyber security companies in general kind of throw out. The average person doesn’t know what a zero trust network is, or what phishing with a P-H is unless somebody is explaining it to them. I think people in the cyber security sector kind of take a lot of those things for granted. They think that people automatically know it, and the truth is they don’t. It’s easy to see how folks who are not cyber security professionals would get very intimidated and frustrated, and just kind of give up on trying to learn this, so kudos to you guys for making it accessible to the masses, and helping encourage more cyber security education at a level that makes sense for everybody. Do you guys have any plans to maybe make this more accessible to the general public, like can the average person subscribe to something like this that’s not in the corporate setting?
Yogman: You know, that’s a great question. Because they keep me in my lane, I know what our plans are in terms of future content that we’re developing, but what I do know is that there are some talks. Just the landscape is constantly changing in the way that we disseminate content, so even with the way that we are delivering our content, either through our own platform or through an LMS or whatever it may be, I know that there are constant discussions about making it more accessible because there have been, obviously, high-profile attacks recently. At the end of the day, a lot of it just comes down to creating an access point, making a simple mistake somewhere, and everybody benefits if we are more cyber-savvy.
O’Hanlon: Absolutely.
Yogman: Getting this type of training, this type of mainstream understanding, I think, is critical and I’m all for that.
O’Hanlon: All right. Well, fingers crossed that this does become more accessible to a larger group of people, but Jann, what you guys are doing is truly awesome and I give you guys major kudos for providing that essential cyber security at a level that people can understand, so thank you again, and thanks for being on TechStrong TV. I really appreciate it.
Yogman: Thank you for having me.
O’Hanlon: All right, everybody, please stick around. We’ve got lots more TechStrong TV coming up, so stay tuned.
