Tyler Tech Podcast

Building a Resilient Cybersecurity Culture in the Public Sector

Episode Summary

In this episode, cybersecurity expert Sam Hamilton discusses the vital role of human behavior in creating an effective cybersecurity workforce. He highlights strategies like continuous education, tailored training, and phishing simulations to foster a culture of cybersecurity awareness. Sam also emphasizes the need for up-to-date training to address evolving threats like AI.

Episode Notes

On this episode of the Tyler Tech Podcast, Tyler cybersecurity expert and account executive, Sam Hamilton, explores the critical role of human behavior in building an effective cybersecurity workforce. Sam shares key strategies for fostering a culture of cybersecurity awareness in organizations, emphasizing the importance of continuous education, personalized training, and storytelling to engage employees.

Sam highlights how tailored cybersecurity education can address specific risks, making the training more relevant and impactful. He discusses successful tactics such as phishing simulations, which track employee responses to identify areas for improvement, and the benefits of positive reinforcement, including certificates and rewards, to motivate employees. He also stresses the importance of keeping cybersecurity training current with evolving threats like AI, ensuring that organizations not only meet compliance requirements but also stay ahead of emerging risks.

Tune in to learn how public sector organizations can overcome challenges such as budget constraints and workforce shortages, and learn why a proactive, engaging approach to cybersecurity is essential for long-term success. Whether you're a leader in the public sector or just looking to enhance your organization's cybersecurity initiatives, this episode offers valuable strategies to drive meaningful improvement.

We also detail our latest white paper about the five main risks of legacy systems. You can download that here: Is Your Legacy Digital Infrastructure Putting You at Risk?

Listen to other episodes of the podcast.

Let us know what you think about the Tyler Tech Podcast in this survey!

Episode Transcription

Sam Hamilton: I think when we talk about a successful cybersecurity program, one of the key components is having some form of metric, right, that you can track. Because if you don't know if it's being effective, you don't know if it's changing behavior, you're kind of working in sort of a gray area and you want to have more clarity.

Josh Henderson: From Tyler Technologies, it's the Tyler Tech Podcast, your source for insightful conversations with thought leaders addressing key issues impacting the public sector today.

I'm Josh Henderson, a member of the corporate marketing team here at Tyler, and we are glad to have you with us. In each episode, we explore the technologies, trends, and strategies that are shaping our communities and highlight the people and innovations driving progress in the public sector. If you enjoy the podcast, please consider giving us a five-star rating, subscribing on Apple, Spotify, or wherever you listen, and sharing the show with others. 

As you might already know, October is Cybersecurity Awareness Month, and we wanted to celebrate a little early by bringing you an episode exploring how human behavior plays a vital role in cybersecurity.

On today's episode, we're joined by cybersecurity expert and account executive here at Tyler, Sam Hamilton, who shares strategies for building a strong cybersecurity culture, tailoring training to specific risks, and measuring the effectiveness of your organization's security efforts.

Whether you're looking to enhance your cybersecurity initiatives or better understand the role of employee behavior in preventing cyber threats, this episode is packed with practical tips and valuable takeaways.

We hope you enjoy the episode.

Sam, thank you so much for joining me today on the Tyler Tech Podcast. 

Sam Hamilton: Thanks for having me. 

Josh Henderson: So, you had a session here at Connect, all about cybersecurity and human behavior. So, let's just start off with some of the key components you feel are an effective cybersecurity workforce, are part of an effective cybersecurity workforce education program. 

Sam Hamilton: Sure. One thing that's really important for our clients and organizations in general, when it comes to cybersecurity awareness, is looking at your program as a whole, right? And not just, you know, one piece or one-time type training. You need to be doing continuous education. You need to be trying different things. So, when we talk about what's most important for clients, ultimately the answer is multiple things. It's not, there's no silver bullet. There's no one thing you do. But what's important is you engage with it over time and kind of track metrics for how folks have improved. So, an example of that would be if you have, you know, a phishing type training. So, email phishing, where you're sending spoof emails to employees and seeing if they're clicking on them or if they're reporting them appropriately. Having metrics associated with that to see improvement over time is very important. Because, obviously, if you have metrics that go the other way, where they're not improving over time, it raises red flags about the type of awareness training you're doing.

Another thing that's really important is to find ways to really tailor the program to your organization's specific risks. So, for our public sector clients, what that looks like, if you're a school district, you really ought to have cyber awareness training that relates to student data, student protection, stuff that's more specific to schools versus what a courts and justice type client is going to want. Questions concerning, honestly, going back to use, going to like juvenile records. If that's an area that's a high risk of exposure, you want to make sure that's part of those stories, to make it relatable for your employees.

Josh Henderson: That's great. Can you share some successful strategies you've seen for educating employees about cybersecurity? 

Sam Hamilton: Going back to tailoring specific stories for your clients, finding ways to do that storytelling that helps connect the dots versus just, you need to pay attention to what is being sent to your inbox. You need to pay attention to vulnerability management. Being able to tell a story of, for example, a superintendent was looking at their email and they received a request from what they thought was their director of finance for an authorization on a specific wire of accounts. There's a couple of different ways of trying to explain it, but the main point was, this happened, it could happen to anybody. And what you're looking at, at the end of the day, is why is this something that you are potentially at risk for? Being able to answer that question through story tends to be a lot better than just saying, email phishing is happening, right? Be like, this can happen to anybody.

It's not a matter of if, but when, when it comes to some form of cyber risk, some form of cyber threat. And awareness training is, you know, one of many pieces that kind of goes into that. 

Josh Henderson: And just to let you know, just putting it on the record, I've never failed any of those compliance tests. 

Sam Hamilton: Folks who work in cybersecurity do fail them. That's part of the question where it's like, you want to be able to relate to folks and say, it's not, you're never going to be perfect when it comes to this, but it comes down to like the culture of awareness and being like, thinking first about is this something that I should be clicking on? Is this something that's legitimate? If that's in the front of your mind, it's going to go a long way. 

Josh Henderson: Now, how do those, how do information security policies contribute to an organization's overall cybersecurity initiatives? 

Sam Hamilton: Something that we say all the time is you cannot enforce a policy that does not exist. You can't follow a plan that hasn't been written yet. And so, when you are looking at an effective cybersecurity program, an effective cybersecurity awareness training program within that, it needs to be backed up with specific policy. And so, a good example would be acceptable use policy. What technology can our employees use? What sort of software or, you know, sites could they access on a work laptop? If you don't have that clearly written out, you can't enforce it, you can't teach to it. And so those are the types of things where you really want to have things backed up in policy, then through, then as well in action, so you can kind of enforce that and then through education on top.

All of that kind of has to go together. If you have conflicts there or things are out of date, it's going to cause more confusion. It could cause more issues for employees. 

Josh Henderson: And now you touched on this a little bit already, but can you just give us some examples of ways in which you can empower employees to kind of think more clearly about this stuff or to make better choices about? 

Sam Hamilton: Yeah, something that we talk about frequently and it's really exciting for our employees or not our employees, but for our clients when they kind of get to the point of having a more active cybersecurity culture where they have employees that feel empowered to come and talk to IT about questions. A good example is, you know, one of our clients we were speaking with that recently started a more robust training program. They used to do it biannually, now they're doing it annually with certificates that they actually print out for their employees.

The woman I was speaking to was like, honestly, just having those certificates where they print them out, they get to put them on their desk, they're proud of them, they get to show off, be like, look, I got it, I finished it. The ways in which you're encouraging folks to feel more empowered, feel like they're engaging with it. Often the positive reinforcement goes a long way. We've had some clients that'll say, we put out a monthly email blast for the folks that all passed the phishing engagement or completed their training.

Sometimes they're giving out gift cards, things like that for coffee or they're doing special events where it's like this division all completed their cybersecurity awareness training on time, therefore they get XYZ. That positive reinforcement goes a long way. 

Josh Henderson: Stay tuned. We'll be right back with more of the Tyler Tech Podcast.

I hope you're enjoying listening to this episode of the Tyler Tech Podcast.

I'm here with my colleague, Jade Champion, to talk about the importance of tech modernization.

Are you struggling to maintain your legacy systems? It might be time for a change.

Jade Champion: That's right, Josh. We just released a white paper that outlines the five main risks of legacy systems and the benefits of modernizing your digital infrastructure.

Josh Henderson: From security weaknesses to inefficiencies and high maintenance costs, legacy systems can really hold back government agencies. So, what are some of the benefits of future proofing with an updated tech stack?

Jade Champion: Modern cloud-based solutions help to streamline processes, protect against cyber threats, improve the resident experience, meet compliance requirements, and provide more scalability.

Josh Henderson: Are you ready to leave your legacy systems behind and improve your digital services?

Check out our show notes for resources to help you get started and reach out to us at podcast@tylertech.com to connect with a Tyler expert today.

Now let's get back to the Tyler Tech Podcast.

That's great. And now, so that's the employee side of things. From the organization side of things, what are the best ways you've seen in measuring those results? Or what are you looking for in a positive result? 

Sam Hamilton: I think when we talk about a successful cybersecurity program, one of the key components is having some form of metric that you can track. Because if you don't know if it's being effective, you don't know if it's changing behavior, you're working in a gray area and you want to have more clarity. You're not always going to get that with cybersecurity training because it is very like one-to-one with individuals. But different tools, automated tools that have the ability to track both completion of training, track the phishing engagement type metrics that I was talking about. Having that as part of your planning and then making decisions based on those results, you want to be able to switch things up year to year. There's some things that are always going to be constant, but you want to be, for example, if you are doing cybersecurity awareness training and data privacy is really an area that you're having issues with based on results or based on how folks fill out the quiz, being able to add more information about that the next year, is really a good way to show success. That shows that you're growing as an organization, you're targeting those areas. And organizational leaders that actually engage with that and think about it that way are going much further in terms of success with their program than the folks that are just doing it to check the box. And that's really what we look to see. It's like the actual active engagement, continuous improvement piece. 

Josh Henderson: Of course, at Tyler, we deal with the public sector exclusively.

And there are a lot of challenges involved in working in the public sector, whether it's workforce shortages or budgetary constraints and things like that. What have you seen as some common challenges that organizations face, in that regard, when implementing cybersecurity awareness training programs, and how can they overcome them? 

Sam Hamilton: I think a classic example, and this is something that folks that are working in cybersecurity would understand very well. When you come upon, this is your annual cybersecurity awareness time, you’ve got to do these automated classes. It's not hard to mute the classes, run them in the background to skip the videos sometimes and just go right to the quiz, and be like, I don't need to engage with this because I've done this before. I've talked with CISOs that do this. I am guilty of doing this, at times. It's like I have too many things going on, but I need to get this done. So that's sort of putting it as not a priority is one of those main challenges where it's like, I got to roll my eyes, and I got to go through this. It's a waste of my time. It's not a waste of your time, but if the material is not engaging in a certain fashion, it's going to cause that sort of effect. So, one of the ways to overcome that is to sort of supplement those automated training tools with more creative challenges. Here at Tyler Technologies, we do during Cybersecurity Awareness Month, different challenges that are sent to employees. There are quizzes, games and there are rewards for that.

Another big method that we would push for clients is actual instructor led training, classroom environments where there's more time for questions and answers. Folks don't feel like they're just sitting on their laptop at home or in the office kind of going through the motions. That Q&A and interactive piece goes a long way for helping folks connect the dots. So, if we talk about cybersecurity and it's like, well, how does this relate to me? It's like, well, have you ever received a text message?

In the past, I don't know, week, two weeks, that says USPS tried to deliver a package to your house and it sends a link with it. That's an example of a phishing scam. Ultimately, they're looking to make money from you in some fashion. It's going to be a couple of steps along the way. But being able to connect the dots of like, it's happening in my personal life, it's happening in my professional life. This is not going away. Finding ways to get folks to hear that. It could take a bunch of different methods, everyone has different learning styles, but for our employees, they just need to have different methods of consuming that information. So, for business leaders, unfortunately, you just do the one thing, press the box, and it's going to work out. You have to engage with it in different platforms. 

Josh Henderson: That's really great advice. I just kind of want to close things out now with sort of a sustainability question in terms of cybersecurity and cybersecurity awareness. How can organizations ensure that these education programs stay relevant and effective over time? 

Sam Hamilton: It's a great question. We've worked with clients that'll have, and they still have, policies around beeper usage or the fax machine. Some folks still are using fax machines. It's totally fine. And they're not necessarily being updated to keep up with times. And currently, with AI and generative AI tools, you have to be very current to kind of get an idea. So, for example, with cybersecurity, a big concern that's going to continue is AI spoofed voice calls. Where it's like someone doesn't take much in terms of having some form of recording. This podcast is a good example. This is enough sort of, voice from both of us that somebody could very easily use an AI tool to spoof our voice and then place a phone call with that. You need to inform clients of that. You need to inform your employees of that rather. And so, keeping your program up to date.

What's nice is when you work with a third party, like if you're working with Tyler Technologies, for example, or you're working with another platform that uses tools. We're actively making sure that we're keeping material up to date. You want it to be engaging, but you also need it to be something that's relevant. And AI is something that's moving very quickly, especially when it comes to different threat detectors. So, education around that is key. And so, making sure that that continuous improvement is front of mind when it comes to anything you're doing with cybersecurity, but specifically awareness training is incredibly important. 

Josh Henderson: That's great. I feel like that's the perfect place to end it. Thank you so much, Sam. 

Sam Hamilton: Thanks for having me. 

Josh Henderson: I hope you enjoyed this conversation with Sam Hamilton. If you'd like to learn more about cybersecurity best practices and other topics we covered in this episode, be sure to check out our show notes for additional resources.

As cybersecurity threats continue to evolve, it's more important than ever for public sector organizations to build a strong culture of cybersecurity awareness.

From training employees to stay vigilant to developing policies that safeguard sensitive information, there are many ways to protect your organization from emerging threats.

Tyler Technologies provides solutions designed exclusively for the public sector, with experts ready to support your organization in navigating these complex challenges. If you're interested in learning more or have questions, we'd love to hear from you. Feel free to reach out to us at podcast@tylertech.com to connect with a subject matter expert. Whether it's strengthening your cybersecurity program, adopting new technology, or exploring another topic entirely, we want to know what you'd like to hear on future episodes. Fill out our audience survey in the show notes to share your feedback, and don't forget to subscribe, rate, and review the podcast.

For Tyler Technologies, I'm Josh Henderson. Thanks for joining us on the Tyler Tech Podcast.