Expert Talk - The TreeSolution service: IT security in companies and employee behavior

Special guests in interviews

With Birgit Schneider

What does it take to increase IT security in a company? Why is the human factor so important? And how do you find out where your company can still improve and what the right measures are for improvement? You can find out all this and more here in the advice studio. Today's guest is Dr. Thomas Schlienger, security awareness pioneer and founder of TreeSolution Consulting GmbH.

Birgit Schneider: You are known as an expert in corporate security, especially IT security. What is special about your work?

Thomas Schlienger: I recognized more than 20 years ago that the human factor would eventually become critical for IT security. Just like in traffic or in nuclear power plant security, human behavior also plays a decisive factor in IT.

But changing people's behavior is a challenge. We work with our customers to ensure that the secure handling of information and IT systems becomes part of the corporate culture. Only then will security become an everyday practice with risks decreasing in the long term.

I find the interface between people and technology incredibly fascinating. I’m glad that I can provide security officers with proven solutions and to support them in achieving their goals.

What typical mistakes do customers make when securing IT in their companies?

Fortunately, it is now recognized that humans play an important role in security. Almost every day you can read about a new incident in the press. However, we find that most companies underestimate the difficulty of the situation. As in information technology, they would like to just install a security update for people. They think that one single action can solve all the problems. But it doesn't work that way.

There are two main reasons for this:

• The risks and forms of attack are changing. As a result, a company's security requirements are constantly changing.
• Many people underestimate forgetfulness: what is not repeated regularly is quickly forgotten. We all know that. The everyday routine takes over again and you go back to unconscious behavior patterns.

What is important for customers to consider so that they can make the best decision when selecting and commissioning awareness and training measures?

First of all, customers must find out where the problem really is, so that they can set the right priorities for the actions. For example, is it simply a matter of more training, or does the management have to be brought on board first? Or do certain target groups, such as the finance department or the field service, need to be trained on certain topics? And how can we show how successful these actions have been? Very few providers are able to offer support here and if they are, it is no more than simple KPIs such as the number of clicks in a phishing test or participation rates in training courses. These do not give any real information about the actual behavior. With our Security Awareness Radar®, on the other hand, our customers get this real information and much more.

Many overestimate what can be achieved in a short period of time and underestimate what can actually be achieved in the long term. I therefore always recommend planning for the medium to long term over 2-4 years and thinking about how best to spread the activities over this period. That’s because you can only really change something through continuity.

We should also be aware that there are different types of learners. Not everyone learns the same things in the same way. It is therefore important that employees get information via as many different channels as possible, e.g., e-learning, films, and printed media.

Dr. Schlienger, you are a well-known expert in your field. Be honest: What do other providers in your industry try to keep quiet? Let us into a few secrets!

Many providers promise that a few simple awareness-raising or training measures such as animated films, sporadic e-learning courses, or annual security days will solve all the problems. But that's just not true. To get secure behavior to become a habit needs much, much more.

But most providers lack this understanding of the complex relationships of human behavior. They cannot properly advise their customers on this or offer the right solutions.

What is also often kept secret is that if the management and the team leaders do not support security and act as role models, then all measures will be ineffective and fizzle out. In such a case, it would make more sense to start with management workshops before any comprehensive employee training.

Dr. Schlienger, there are a lot of different IT training courses on the market and just as many competitors and providers. How exactly does your offer differ from the others?

We probably have the longest experience in the market. I've been dealing with the subject since the year 2000. First during my doctoral thesis and from 2005 also with my company TreeSolution Consulting GmbH. We have specialized exclusively in the area of security awareness and information security culture. In everything we do, it is important to me that it is scientifically sound but also practicable. We don't want to waste employees' valuable time.

Our focus is therefore clearly on sustainable behavioral changes. We don't want to create an awareness placebo effect to satisfy a compliance officer or auditor. Therefore, we always consider the entire system in which people work. Our approach to measuring security culture with the Security Awareness Radar® is unique in the world and our customers confirm again and again that such a measurement is extremely helpful.

Based on our many years of experience, we have therefore put together a special package: the Security Awareness Club. This allows our customers to measure their security culture, plan and prioritize actions, and then immediately implement awareness and training activities with the materials available. An all-round carefree package, so to speak.

Dr. Schlienger, you no doubt always hear arguments from your customers against using your service. What are they and how do you deal with them?

Although we've been around since 2005, we're not necessarily well known because we're very specialized. It sometimes takes a little longer to build up trust in us, especially when it comes to long-term commitments or very large projects.

As a small company, we are often asked whether we are even able to provide the service promptly and with high quality.

But in fact, these two points are actually arguments for us and not against us. Since we have been focusing exclusively on security awareness for many years, we are absolute specialists in this field. You won't find better quality anywhere. And as a small company, we can also respond flexibly to customer needs.

Dr. Schlienger, can you summarize the three most important aspects for optimal employee training in IT security?

With pleasure.

1. Actions carried out once or only rarely are a waste of time because they are soon forgotten. It is therefore important to stay on the ball and carry out regular activities.
2. The time available for training is always limited. Measures should therefore be based on hard facts, like those from our Security Awareness Radar®. Furthermore, the training should be continuously optimized.
3. Everyone learns differently. Some like detailed explanations, others prefer short keywords, while yet others like humor and emotion. A successful training campaign must therefore address all types of learners.

Thank you very much! How can you be contacted if there are still questions?

On our website www.treesolution.com you’ll find the contact menu with various contact options at the top right. You can fill out the contact form, write an e-mail, or make an appointment for a consultation.

Want to do it right away? Make an appointment for a free consultation here.

‍

Another tip: it is important to have a strong human firewall. Thomas Schlienger explains how you can build one with little effort in this webinar (in German only): https://www.treesolution.com/webinar