Special guests in interviews
With Birgit Schneider
What does it take to increase IT security in a company? Why is the human factor so important? And how do you find out where your company can still improve and what the right measures are for improvement? You can find out all this and more here in the advice studio. Today's guest is Dr. Thomas Schlienger, security awareness pioneer and founder of TreeSolution Consulting GmbH.
Thomas Schlienger: I recognized more than 20 years ago that the human factor would eventually become critical for IT security. Just like in traffic or in nuclear power plant security, human behavior also plays a decisive factor in IT.
But changing people's behavior is a challenge. We work with our customers to ensure that the secure handling of information and IT systems becomes part of the corporate culture. Only then will security become an everyday practice with risks decreasing in the long term.
I find the interface between people and technology incredibly fascinating. I’m glad that I can provide security officers with proven solutions and to support them in achieving their goals.
Fortunately, it is now recognized that humans play an important role in security. Almost every day you can read about a new incident in the press. However, we find that most companies underestimate the difficulty of the situation. As in information technology, they would like to just install a security update for people. They think that one single action can solve all the problems. But it doesn't work that way.
There are two main reasons for this:
First of all, customers must find out where the problem really is, so that they can set the right priorities for the actions. For example, is it simply a matter of more training, or does the management have to be brought on board first? Or do certain target groups, such as the finance department or the field service, need to be trained on certain topics? And how can we show how successful these actions have been? Very few providers are able to offer support here and if they are, it is no more than simple KPIs such as the number of clicks in a phishing test or participation rates in training courses. These do not give any real information about the actual behavior. With our Security Awareness Radar®, on the other hand, our customers get this real information and much more.
Many overestimate what can be achieved in a short period of time and underestimate what can actually be achieved in the long term. I therefore always recommend planning for the medium to long term over 2-4 years and thinking about how best to spread the activities over this period. That’s because you can only really change something through continuity.
We should also be aware that there are different types of learners. Not everyone learns the same things in the same way. It is therefore important that employees get information via as many different channels as possible, e.g., e-learning, films, and printed media.
Many providers promise that a few simple awareness-raising or training measures such as animated films, sporadic e-learning courses, or annual security days will solve all the problems. But that's just not true. To get secure behavior to become a habit needs much, much more.
But most providers lack this understanding of the complex relationships of human behavior. They cannot properly advise their customers on this or offer the right solutions.
What is also often kept secret is that if the management and the team leaders do not support security and act as role models, then all measures will be ineffective and fizzle out. In such a case, it would make more sense to start with management workshops before any comprehensive employee training.
We probably have the longest experience in the market. I've been dealing with the subject since the year 2000. First during my doctoral thesis and from 2005 also with my company TreeSolution Consulting GmbH. We have specialized exclusively in the area of security awareness and information security culture. In everything we do, it is important to me that it is scientifically sound but also practicable. We don't want to waste employees' valuable time.
Our focus is therefore clearly on sustainable behavioral changes. We don't want to create an awareness placebo effect to satisfy a compliance officer or auditor. Therefore, we always consider the entire system in which people work. Our approach to measuring security culture with the Security Awareness Radar® is unique in the world and our customers confirm again and again that such a measurement is extremely helpful.
Based on our many years of experience, we have therefore put together a special package: the Security Awareness Club. This allows our customers to measure their security culture, plan and prioritize actions, and then immediately implement awareness and training activities with the materials available. An all-round carefree package, so to speak.
Although we've been around since 2005, we're not necessarily well known because we're very specialized. It sometimes takes a little longer to build up trust in us, especially when it comes to long-term commitments or very large projects.
As a small company, we are often asked whether we are even able to provide the service promptly and with high quality.
But in fact, these two points are actually arguments for us and not against us. Since we have been focusing exclusively on security awareness for many years, we are absolute specialists in this field. You won't find better quality anywhere. And as a small company, we can also respond flexibly to customer needs.
With pleasure.
Thank you very much! How can you be contacted if there are still questions?
On our website www.treesolution.com you’ll find the contact menu with various contact options at the top right. You can fill out the contact form, write an e-mail, or make an appointment for a consultation.
Want to do it right away? Make an appointment for a free consultation here.
Another tip: it is important to have a strong human firewall. Thomas Schlienger explains how you can build one with little effort in this webinar (in German only): https://www.treesolution.com/webinar