Sometimes a single experience or just one data point can radically reshape an individual’s entire outlook — at least, that was the case for Michael Madon, the senior vice president and general manager for security awareness and threat intelligence products at Mimecast.
Madon is the co-founder of Ataata, which in July last year was acquired by Mimecast for an undisclosed sum. Before Ataata, Madon was part of a security software vendor RedOwl (acquired by Raytheon subsidiary Forcepoint in 2017), which had a focus on user and entity behaviour analytics (UEBA).
Madon’s background, however, largely comprises roles in the military and intelligence sector, including deputy assistant secretary for intelligence at the US Department of the Treasury.
Madon says his focus for much of his career was on the security threat to organisations posed by malicious insiders. However, reading a 2014 study from IBM, Madon says, was an “eye opening event”. That study — the IBM Security Services 2014 Cyber Security Intelligence Index — concluded that of the incidents assessed for the report, human error was a contributor in 95 per cent of them.
“I realised that I’d probably, for the last 20 years, been focusing on the wrong problem – or at least not focusing on the main problem,” Madon told Computerworld during a recent visit to Australia. “And the main problem wasn’t these evil employees or employees that wanted to hurt the company — the real problem was the employees that were terrific employees and want to do well, but they’re not focused on security.”
He describes that as the “first ‘ah-ha!’ moment” on the road to founding Ataata. A second was reflecting on his experience with security awareness training in the US Army. “It was awful,” he said. “It was boring. People were doing everything they could to get out of it. The mentality was ‘click and drool’.”
And the last was the reaction when he presented the somewhat heretical idea to CISOs and IT pros he knew of doing something humorous for security training. He that when he ran the idea past them, he “saw them smile for the first time, ever, since the ’80s”. “That’s when I knew I was on to something there!” he says.
He reached out to his “battle buddy” from business school and founded a company with the goal of reducing employee security mistakes through the use of humour and analytics — a mission he likes to describe as “very much like a reverse mullet”: “Party on the front and analytics on the back.”
The approach that Ataata took towards security awareness and reducing employee risk was “holistic”, he said. “We’re not just phish testing – yes we have that capability, but we’re not a one-trick wonder.”
The real “magic sauce” for having employees engage with security awareness is relatively simple, Madon said: Humour.
“Our content is world class,” he said. “Our chief creative director was Michael J. Fox’s right hand for 10 years. We use top-flight comedians and we’re now internationalising our pool.”
Security training should be engaging, and it also needs to be persistent, he said: “That doesn’t mean once a week and that doesn’t mean once every six months. The general rule of thumb that we’ve found is it’s about once a month.”
Backend analytics allow interactions with the Ataata’s platform to be captured and measured. Scores for knowledge, engagement and sentiment can be combined to produce an overall indication of risk — either at the organisation level (which can be normalised across the platform) or within particular business units and divisions, down to the individual level.
Madon said the ultimate goal should be to change an enterprise’s security culture from “one of compliance to one of commitment, where employees understand why security is important not just for the company but why it’s important for them and why a secure company helps them do their job better.”