Founded in 2008, Wombat Security Technologies grew out of cyber security research by the company Co-Founders at Carnegie Mellon University. Wombat provides innovative training and filtering solutions to global enterprise customers. In 2011, the Company has more than doubled its customer base, including the addition of many Fortune 500 companies and large government entities. The Company also released its Security Training Platform in September 2011 and continues to augment the breadth of its training portfolio.

In the following interview, Joe Ferrara, President and CEO of Wombat Security Technologies, discusses 1:1 with Rake Narang, Editor-in-Chief of Info Security Products Guide, a different approach to training end-users, justifying the ROI and defending against cyber security attacks.

Rake Narang, Editor-in-Chief: What are the challenges that companies face these days in implementing effective security awareness trainings? Is there a measureable ROI on such training programs that make them worthy of security budgets?

Joe Ferrara: The biggest challenge that companies face is finding cyber security training solutions that are truly effective and change employee behavior. The traditional training approaches of instructor led classroom training or computer-based video or slideware training are boring and ineffective. In a society of people with short attention spans, audiences “check out” within minutes of being talked at, and little, if any, of the information is retained. Additionally, internally developed security training takes significant resources, time and expense that companies could spend elsewhere.

Chief information security officers (CISO’s) quickly abandon their old training methodologies after learning about a new method that is scalable software, engages the user in practicing what they are learning, and takes less than ten minutes for each lesson.  They also love the fact that they gather actionable and measureable data about their employee population to be able to address weaknesses instead of the “check the box” training of the past.

For normally much less than they are paying today, CISO’s can have engaging and effective content that is constantly updated to defend against the latest types of attacks. Most importantly, CISO’s have seen up to 70% reduction in susceptibility to attack after implementing training in this methodology. The ROI is clear, costs are less, valuable security resources can focus on core tasks, and in the end companies are better protected from the incredible cost of cyber security attacks. According to a 2011 Ponemon Institute study, the average annual cost of cyber security breaches is $5.9 million a year per organization.

Rake Narang: What’s more important, training application developers or end-users? How is Wombat’s cyber security training solution different from traditional training?

Joe Ferrara: We believe it is important to train both end users and application developers. However, our focus is on end users, which is often the most overlooked area in a company’s security defense.  No matter how airtight the security infrastructure is, one wrong move by an end user can lead to a security issue, a breach, and loss of data. Most recently, the industry has seen a shift in the attack target from the infrastructure to the end user through social engineering, phishing attacks, and other methods… and many people today consider humans to be the weakest link in security.

Wombat’s cyber security training is different because of its application of learning science principles, coupled with cyber security expertise and engaging software techniques. Users are taught practical concepts and they practice them immediately as part of the training, which results in longer retention of information. Each training module is less than ten minutes and collects critical data to understand vulnerabilities. Not only is the training more effective, it is also measureable.

We recommend a combination of simulated attacks and ongoing training to reinforce the concepts taught.  Many customers start by sending a simulated phishing attack to their employees, which provides immediate training and collects baseline data about employee susceptibility to attack. Wombat’s Security Training Platform combines the simulated attacks, training modules, administrative functions, and reporting and analysis all into one system.  The Platform enables CISO’s to show employee knowledge improvement over time. Our customers have seen significant reductions in the susceptibility to attack.

Rake Narang: What important advice would you give to security officers so that they can plan and implement their training programs better?

Joe Ferrara: What I find interesting as I talk with CISO’s is that many are still in the “check the box” mode with cyber security training, just worrying about whether someone has taken training and not worrying about how effective the training actually is.  Most get less than 60 minutes a year for cyber security training across the organization so it’s more of a firehose treatment where they hope that something sticks.  With our solutions, the CISO and their team take a much more proactive stance first by attacking their employees to get a baseline of vulnerability and then training in bite-sized modules that focus on specific subjects so employees can learn and retain the information.  Many organizations are still hesitant to attack their employees, but the reality is that the cyber criminals aren’t hesitant at all.  Either way, they will get attacked.  At least if the company does the attacking, the employees who fall for the attack get immediate training and the security team can address training needs proactively.

The advice I give to security officers is to use the data that we gather to track the success of your training, but also to justify the cost of the systems, including the training solutions, to their management team. With the cost of cyber security attacks, the proactive approach to safely attack and train employees is easy to justify.

Company: Wombat Security Technologies, Inc.
4620 Henry Street, Third Floor,
Pittsburgh, PA 15213 U.S.A.

Founded in: 2008
CEO: Joe Ferrara
Public or Private: Private
Products and Services: Highly effective software-based cyber security employee training and testing solutions that help change employee behavior and gather critical data to improve a company’s security posture.

Company’s Goals:To provide actionable and measureable data to identify weaknesses in an organization’s employee population and change employee behavior to protect organizations against cyber security attacks.  Increase the penetration and effectiveness of cyber security awareness training through the most effective and engaging cyber security training and testing solutions.