
Does Security Training Really Work?

From The New CISO

Length:
31 minutes
Released:
Aug 13, 2019
Format:
Podcast episode

Description

David Tyburski, Chief Information Security Officer at Wynn Resort, sits down with Steve Moore to talk about security training, specifically phishing training. He shares his thoughts on training vs. education, positive vs. negative reinforcement, and offers suggestions for engaging with employees.

David Tyburski's Current Role

I'm currently the global CISO for Wynn Resort, a casino at the north end of the Strip in Las Vegas. About 9 years ago, Wynn issued a directive to have a more dedicated security focus on the environment in the organization. They basically handed it to me, and for the last nine and a half years I have run this organization, building it from just me to the organization it is today, managing all their properties and operations worldwide.

What Advice Would You Give Your Younger Self?

One thing I would say is to be a little more attentive to the tool-set you bring, because we had a lot of false starts along the way as far as buying tools. If we'd spent a little more time evaluating where we could really use them, we would have been in a better position in the early days. We do that today by ensuring we have good, proper use cases for every tool that we bring in. Also, I'd tell my younger self to spend more time on the use case to know how to use it instead of just going to get it. Understand not just the reason why you want it, but how you will use it and what you expect from it.

What Bothers You About Phishing Training?

It's not necessarily all phishing training, but what bothers me is that we're attempting to teach non-security professionals to be security professionals. They have backgrounds that differ from ours; they don't spend their time looking at security incidents or reading security articles, but they're extremely talented people in other ways. They do an amazing job at what they do. But we as security professionals try to teach them that they've got to know what we know.

So I think security professionals need to do a better job of understanding their role in the business, and building a technology solution around that, instead of trying to get them to understand their business.

Training vs. Education

There's a major difference between training and education. Wynn's is an education program, because we're not training people but educating them. We want to give them the security knowledge and information they need for their organizations. We're educating people, trying to give them knowledge and not just teaching them the steps to accomplish something. We have to be able to transfer knowledge, and that's an education program. We have a continuous education program: we break the topics up into small, easy-to-digest chunks and run a new topic every week. It's timely, and we do everything we can to relate it to everyday life. People are like water and will always take the path of least resistance. So, in that light, if we can build our security program and educate our people in the right way, so that the security of the organization is the path of least resistance, then it's no longer security fighting the rest of the business but security enabling the entire business to operate.

Should Information Security Be More Aggressive with Email Attachments?

For an HR person whose job is recruiting, he needs to open the resumes he receives as email attachments. So how does information security help or enable that process and allow the person to do the job safely? One way we can do this is to intercept the email, pull the attachment out, and rewrite it into our own PDF, where we turn off all the problematic functionality and take out any possibility of weaponization, restrict what that PDF can do and look like, bundle it up, put it back in the email and send it off to the recipient. Now we won't mind if the HR person opens it, because it's safe. So to them, they simply open the resumes the way they need to open them.

They're doing their job and we'r
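The attachment rewriting described in the last answer, as an added illustration that is not part of the episode and not Wynn's actual gateway: a simplified Python content-disarm step that parses every object dictionary in a PDF, drops the entries that can trigger code or reach outside the document (/OpenAction, /AA, /JS, /JavaScript, /Launch, /EmbeddedFiles, /RichMedia, /URI), replaces JavaScript, Launch, ImportData and SubmitForm action objects with null, and re-serialises the file with a rebuilt cross-reference table. The sample "resume" is constructed inline and all function names are my own. It assumes uncompressed object dictionaries and a classic xref table (no object streams, no xref streams); a production gateway would go further and re-render the pages into a fresh document rather than trust strip-and-rewrite alone.

```python
import re

# Keys that trigger code, open files, or reach outside the document.
DANGEROUS_KEYS = {b"OpenAction", b"AA", b"JS", b"JavaScript", b"Launch", b"EmbeddedFiles", b"RichMedia", b"URI"}
ACTION_RE = re.compile(rb"/S\s*/(JavaScript|Launch|ImportData|SubmitForm)\b")   # whole object nulled
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\s*(.*?)\s*endobj", re.S)
NAME_RE = re.compile(rb"/([^\s/\[\]<>(){}%]*)")
TOKEN_RE = re.compile(rb"\d+\s+\d+\s+R|/[^\s/\[\]<>(){}%]*|[^\s/\[\]<>(){}%]+")
WS_RE = re.compile(rb"[\s\x00]*")

# Constructed sample: a "resume" whose catalog and page both fire JavaScript on open.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R /Names << /JavaScript [(init) 4 0 R] >> >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /AA << /O 4 0 R >> >>
endobj
4 0 obj
<< /S /JavaScript /JS (app.alert\\(1\\)) >>
endobj
%%EOF
"""

def _value_end(b, i):
    """Index just past the PDF value starting at b[i]; nesting and escapes honoured."""
    for open_, close in ((b"<<", b">>"), (b"[", b"]"), (b"(", b")")):
        if not b.startswith(open_, i):
            continue
        depth, j = 0, i
        while j < len(b):
            if open_ == b"(" and b[j:j + 1] == b"\\":
                j += 2                        # skip an escaped character inside a string
            elif b.startswith(open_, j):
                depth, j = depth + 1, j + len(open_)
            elif b.startswith(close, j):
                depth, j = depth - 1, j + len(close)
                if depth == 0:
                    return j
            else:
                j += 1
        raise ValueError("unbalanced %r" % open_)
    return TOKEN_RE.match(b, i).end()         # name, reference, number, bool or null

def sanitize_value(v):
    """Recurse into dictionaries and arrays; scalars pass through untouched."""
    if not v.startswith(b"["):
        return sanitize_dict(v) if v.startswith(b"<<") else v
    items, i = [], WS_RE.match(v, 1).end()
    while not v.startswith(b"]", i):
        e = _value_end(v, i)
        items.append(sanitize_value(v[i:e]))
        i = WS_RE.match(v, e).end()
    return b"[" + b" ".join(items) + b"]"

def sanitize_dict(d):
    """Rebuild the dictionary without dangerous keys, recursing into the kept values."""
    kept, i = [], WS_RE.match(d, 2).end()
    while not d.startswith(b">>", i):
        m = NAME_RE.match(d, i)
        if not m:
            raise ValueError("expected a name key at offset %d" % i)
        i = WS_RE.match(d, m.end()).end()
        e = _value_end(d, i)
        if m.group(1) not in DANGEROUS_KEYS:
            kept.append(b"/" + m.group(1) + b" " + sanitize_value(d[i:e]))
        i = WS_RE.match(d, e).end()
    return b"<< " + b" ".join(kept) + b" >>"

def sanitize_object(body):
    """Null out action objects; otherwise strip dangerous keys and keep any trailing stream."""
    end = _value_end(body, 0) if body.startswith(b"<<") else 0
    clean = sanitize_dict(body[:end]) if end else b""
    return b"null" if ACTION_RE.search(clean) else clean + body[end:]

def sanitize_pdf(data):
    """Re-serialise data with active content removed and a rebuilt xref table."""
    objects = [(int(n), sanitize_object(b)) for n, _g, b in OBJ_RE.findall(data)]
    root = next(n for n, b in objects if b"/Catalog" in b)
    out, offsets = bytearray(b"%PDF-1.4\n"), {}
    for n, body in objects:
        offsets[n] = len(out)
        out += b"%d 0 obj\n%s\nendobj\n" % (n, body)
    size, xref = max(offsets) + 1, len(out)
    out += b"xref\n0 %d\n" % size
    for n in range(size):                     # object 0 is always the free-list head
        out += b"%010d %05d %s \n" % ((offsets[n], 0, b"n") if n in offsets else (0, 65535, b"f"))
    out += b"trailer\n<< /Size %d /Root %d 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (size, root, xref)
    return bytes(out)

def active_content(data):
    """Dangerous keys present in data: log them, or quarantine instead of rewriting."""
    return {k.decode() for k in DANGEROUS_KEYS if re.search(rb"/" + k + rb"(?![^\s/\[\]<>()])", data)}
```

sanitize_pdf sits where the gateway has pulled the attachment out and before it re-bundles it; active_content gives the log line for what was stripped, and a policy can choose to quarantine rather than rewrite when it returns anything. Dropping /URI also kills ordinary hyperlinks, which is the "restrict what that PDF can do and look like" trade-off: a resume reader loses clickable links but cannot be steered to an external site.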

The New CISO is hosted by Exabeam Chief Security Strategist, Steve Moore. A former IT security leader himself, Steve sits down with Chief Information Security Officers to get their take on cybersecurity trends, what it takes to lead security teams and how things are changing in today’s world.