Interview: Cyber security awareness education at Lola Tech


We recently sat down with Director of InfoSec Claudiu Muresan to discuss his cyber security efforts at Lola Tech. Claudiu has been leading the internal learning and development initiative, ensuring employees engage with educational material and implement lessons in their day-to-day.

Tell us why it was so important to get staff trained on cyber security?

Our internal security awareness programme is the foundation on which we build our company’s cyber security programme. Employees play a crucial part in an organisation's overall cyber security stance, and a well-trained workforce greatly strengthens our own security posture, as well as positively impacting our clients’. So for us to build secure products for clients, we really needed to ensure that every developer lives and breathes cyber security. We’d always had informal cyber security knowledge exchange happening, but we needed something structured to ensure quality and consistency.  

With any internal programme, it’s so important to get senior buy-in, otherwise, it hits snags and roadblocks fairly quickly. How was senior leadership recruited for this initiative?

The leadership team has actually always been supportive of our cyber security initiatives. It helped that our internal efforts mirrored a wider trend in the industry for greater supply chain security - it demonstrated that our programme was timely and topical. Crucially for a long-term project, we had full and public support from senior leaders to implement our curriculum.

Staff engagement is notoriously difficult to achieve, especially when it’s non-compulsory. How have you been getting staff interested and kept them engaged?

Well, as an ongoing initiative - after all, cyber threats constantly evolve and so we have to, too - it’s really important to keep staff continuously engaging with the material. Our programme has two parts: one mandatory for new employees and one optional for existing staff. All new employees have to complete the internal programme as well as an online training course. That’s the easy one - it’s simply not up for discussion. For the rest of the employees, we rely on their curiosity and eagerness to learn. There is no ‘stick’ - just the carrot of new knowledge and better skills. We then use internal communication channels to announce and distribute security blog posts and articles. Word of mouth is very effective and, again, leadership plays a crucial role because they reiterate the importance of the programme and encourage their teams to participate.

You had to find an external source for most of the learning material. Why did you choose The National Cybersecurity Alliance?

We searched for a long time for effective teaching material which we could use in our security awareness programme. We eventually landed on The National Cybersecurity Alliance because we loved their blog posts and video materials. Their chosen topics matched our list of priority areas, and we also liked how they used an episodic format to disseminate their messages.

So what’s the structure of the programme, and why does it work?

The programme runs over several months, with each week dedicated to a cyber security topic. For each topic, we start a discussion thread on Slack, where we then incorporate the relevant National Cybersecurity Alliance videos as well. We also add links to other writing on the subject, from diverse sources like expert blogs, news sites, forums and more. These discussion threads are crucial - they allow us to discuss real-life examples and personal experiences, as well as sharing anecdotes and the odd gif to keep things fun. It all works because we’re keeping things light and entertaining, to ensure the learning process is not just rewarding but also enjoyable - after all, staff still have to do their day jobs and have plenty on their plates. Switching things up between text and video is also key; that mix of media avoids things becoming monotonous and staff zoning out.

Going forward, what are your plans for ensuring continuous engagement and, ultimately, awareness?

We’ll continue to run the programme each year to ensure we stay on top of emerging trends. In addition, our plan is to mark a “Cyber Security Month” every year, to push a sustained message of security over a longer period of time. That should ensure we manage to connect with everyone in the company and will drive wider awareness of our internal programme and deeper knowledge of cyber security issues.

You started planning this programme back in mid-2020, so looking back at the initiative so far, what’s been the hardest - and what’s been the most satisfying?

Without a doubt, the biggest challenge was to review and identify the best learning materials for our programme. Once we landed on the right tools, ensuring continued engagement became the obvious top challenge. This is an ongoing task and will continue to keep us thinking of new methods for sure. I was actually really pleased to hear from a colleague that their partner saw our blog posts and decided to use them to raise awareness at their company. That was pretty satisfying.
