The Netflix Model Of Security Awareness Training
Expert Insights spoke to Zack Schuler, Founder and CEO of NINJIO, about why their content first approach is the best way for companies to protect their employees from cyber threats.
NINJIO, founded in 2015, has taken a different approach to security awareness training than many other vendors. They are heavily focused on content, aiming to create high quality and engaging stories.
These are delivered in three-to-four-minute episodes in a unique art style format, to help users learn about security issues and how to protect themselves against them.
Zack Schuler founded NINJIO after identifying a gap in the growing Security Awareness market.
“I saw that most security awareness training appeared to be highly ineffective,” Schuler tells us.
“All of the training that I saw out there, was clearly being used as a “check the box” exercise- we wanted to create something that actually worked. We saw an opportunity for building something memorable, and entertaining, based on topical news stories that people remember,” remarked Schuler. For this they have chosen a visually striking anime approach, which is hugely popular with end users, and admired by other security awareness training vendors.
Netflix model of Security Awareness Training
NINJIO has a content first approach. They deliver training in 3-4-minute long episodes delivered every month as part of their subscription. Companies can either consume their content from NINJIO’s own Learning Management System (LMS) or companies can distribute their content via their own LMS or other content delivery system.
This is similar to the methods streaming platforms like Netflix use to distribute content, but the similarities don’t end there. Just as Netflix uses the wealth of data it has on its users to create more engaging content, NINJIO is doing the same.
“We have really strong data on how people are interacting with our content. In addition, we know how quickly they watch after an episode has been released, what types of content people are interacting more with. We have data scientists using this data to score individual risk profiles of users, which then translate to the risk profile of the organisation the company works for.” Schuler says.
In development is a system whereby NINJIO identifies specific issues their employees need more help with and they will then prescribe specific training for those issues. It will help them to target specific weaknesses within the organisation.
Testing and Training Employees
NINJIO has taken a different approach to phishing training than many other vendors in the SAT market. Most vendors take the approach of conducting a simulated phishing campaign, after which they provide training and further testing.
Schuler remarked, “Eighty percent of Security Awareness Training companies are what I refer to as “phishing first companies.” They start with testing (phishing) and then perform training. Think back to your days in school- when have you ever walked in on day one, been given a test, and then received training after the fact, that’s the reverse of the what’s normal, right?”
Schuler sees this as being more about giving companies peace of mind they have taken steps to protect themselves with a proactive “training first” methodology. He says NINJIO is concerned about “protecting the end user and giving them the tools to protect themselves, and in-turn they will protect those organizations that they work for.”
Working with vendors across the market
NINJIO has shaken up the SAT market with this approach. Due to the content first style, the content has flexible deployment options.
“We have a new approach of selling to other tech companies.” Schuler says. NINJIO is licensing its content to other vendors, such as Cofense, IronScales, Terra Nova, Sophos, and about 50 managed services providers. They use NINJIO content, while using their own testing or phishing protection methods.
This is helping to separate the testing and training of employees. Schuler argues this is a good thing, as too often when one vendor does both, the testing is too similar to the training, which does not reflect the real world. This means that employees are less likely to spot real phishing threats.
Family Use Rights
Part of every subscription, NINJIO includes what they call “Family Use Rights.” This gives each employee of each NINJIO client the ability to sign up their family members to receive content at no additional cost. After asking Schuler about this, he says “If the spouse watches NINJIO at work and comes homes to a family who has also consumed the content, you create and opportunity for the family to have a dinner table conversation about being more secure, or what I call “Secure Living.” Creating this security aware culture within the family unit, makes the spouse that much more invested in security, thus protecting their organization exponentially more than if they simply viewed NINJIO as training mandated by their organisation.”
A new corporate focus?
NINJIO has a unique art style which is popular with customers. “Flexible content styles mean that we are more likely to be liked by businesses of all sizes.” Schuler says. “We have a sole focus on high quality production.”
“Our anime style is popular with customers of all sizes but isn’t always a fit within a particular corporate culture. We have developed a new content style that fits better with more conservative environments. Being this is flexible, we are seeing organisations using both styles. CXO’s may use the corporate training format, while younger end users may prefer the original anime format.”
What sets NINJIO apart?
The security awareness training market is crowded and there are a lot of vendors vying for attention in this space. We asked Schuler what made NINJIO the best vendor in this space.
“Other vendors in the security awareness training market put testing before training. Then they train users toward the next phishing attack. Their solution not only provides simulated phishing, but also simulated results,” remarked Schuler.
“Other vendors also don’t reflect the real world. Our training emotionally engages viewers in the first scene of every episode, is based on real companies suffering significant breaches, and we focus on a single current attack vector, thus not confusing the viewer with too many technical terms. Not to mention, each episode is written by Bill Haynes, a member of the Writer’s Guild of America, and a former writer for CSI-NY and Hawaii 5-0 with more than 71 episodes under his belt. This makes for some great storytelling” Schuler says.