Jimmy Lutz

When establishing and managing a security awareness program, professionals often run into a myriad of challenges. They might lack the support they need to implement the program, they rarely don’t have time to manage the program on their own full-time, and leadership doesn’t always see the overall value of investing into a security awareness program, especially if they’ve never experienced a breach before.

SANS Security Awareness Director of Sales, Jimmy Lutz, and his team work to guide those awareness professionals to a better understanding of how SANS can help them overcome those challenges.  

Backing the widely-recognized SANS trifecta of expertise, Jimmy explains how our they’ve come together to produce an invaluable training program, and how he can work one-on-one with our customers to overcome their challenges in trying to kick off their program when they lack the support they need.


Q1. You and your team have a unique role where you are one of the first points of contact to the customer.  Can you explain what makes this interaction so important and how their challenges or hopes for their security awareness program might affect the conversation?

"Yeah, that first encounter is very important. I think one of the primary goals at first interaction is to work to understand the challenges that the person they're speaking with is facing. There’s a lot of very diverse background of folks, so you can't just assume they have a certain level of experience or expertise when a security awareness program. They probably don't have a lot of time to dedicate to a security awareness program, but it may be very important to their organization.

I like to treat the interaction like a coffee date because we're talking with them, trying to determine if this is the right person to go on a real dinner date with. Meaning, do we want to keep talking? And the way to do that is to understand if there's value for each of us in having a further conversation. Are their challenges different than what we normally face? Do they believe that we could be a good fit for them?

It's in line with our philosophy, which is, we want to help organizations become more secure. That's our mission: To help protect against cyber threats. If we're in a position to be able to do that, then we want to talk with them. We want to explore how we can do that. But it's also equally important if we have that initial conversation and realize based on what they're looking for and we’re really not a good fit for them, then we’ll want to tell them that. At the same time, you know we're not in the business to sell at all costs.

We're in the business to pursue our mission and do that with companies where we're able to help them be more secure." 

Q2. Through those conversations, what do you find is an awareness professional’s biggest blocker or challenge in their effort to establish a successful program to ultimately change behavior? Do you see a consistent trend?

"Yeah, there are very consistent trends. And our Security Awareness Report does a great job of identifying those trends as well.

Usually the biggest challenges to a security awareness officer is that they don't have a lot of time and they may not have much experience. We use the term ‘security awareness officer,’ to describe the person responsible for security awareness, but they typically don't have that specific title. They come from a range of backgrounds and the majority of the time, they have other duties and responsibilities aside from security awareness. Only the most mature and dedicated companies have someone whose job is solely focused on only security awareness. Usually it's one of many hats that they wear.

So one of their challenges outright is that they just don't have a lot of time to dedicate to their program. At SANS, we’re familiar with that and that’s why we designed our product to try and accommodate that.

The two blockers we consistently hear about are finance and operations within an organization. Finance meaning, when you have to justify the expense of paying for training. Someone in finance may say, “Well why are we doing this? We just want to check the box, so I can go find something on the Internet for free.” So, there is a challenge in justifying the expense from their perspective.

Operations is a general reference to managers who have employees that do work that contributes to revenue generation. So if you're in a manufacturing company to the people who are building things, you have sales people who are selling, you're paying them to do those jobs, you're not paying them to take training. Any time that's taken to train employees can be viewed by a line manager as unproductive time. So the security awareness officers get push back from them. We have to make sure that we focus on the learning objectives that the organization has. You also want to minimize the amount of time spent training. There’s a fine line. You have to spend enough time so that they get the learning objective, but not too much time that it is perceived as wasting time.

We have a lot of products that we offer that reinforce the messages to drive behavior change that don't take much, or any time from the learners. For example, we have posters, we have audio casts, we have Micro Videos, things that can be delivered in a way that has people walking through the break room, they see a poster, they have pops up on their screensaver, other places where someone isn’t sitting in front of a computer screen for an hour watching a video that can be perceived by the operational managers as unproductive time.

Q3. Do you notice a significant shift in the conversation if they’re coming to you after experiencing a breach or an incident at their organization? Explain how you work to help them.

"According to the Verizon DBIR (Data Breach Incicent Report), the majority of breaches do occur due to some human error, them doing something they’re not supposed to.

When we’re speaking with a company that has had a recent breach, their urgency is generally increased. So, with security awareness training, if you've never had a breach and you haven't trained in the past, a finance person could make an argument, “Well, why should we do anything differently?“ That is often a tough argument for a security awareness officer and is a probably the reason why some organizations don't do anything.

If they've had a breach, then they generally experience the pain as a result of that. Some are a lot more painful than others and we will sense that. Interesting thing is, organizations tend to spend a lot of money on technical controls like firewalls, intrusion detection, and intrusion prevention systems, but resist when it comes to spending money on training, even though the evidence clearly shows that people are the weakest link.

You can you use an analogy of a castle. If you want to try and break into a castle, what's easier: Trying to break through these giant stone walls or bribing the guy at the front door to let you in? [laughs] It’s a lot easier to get the guy to let you in. That’s the approach hackers have taken with people. They can send a bunch of phishing emails, which doesn't cost much money or time. All it takes is one person to click on a phishing email, and then they’ve got access and can work their way in from there. Organizations, I think, are more and more coming to realize that and they are less resistant, but we still face that with some organizations."

Q4: What do you think sets SANS apart as leaders in the industry? How is SANS different?

"If I were to choose just one thing that I think really sets SANS apart, it would be our expertise. And I'll touch on our three unique types of expertise.

First, our subject matter experts. SANS is known around the globe as an expert organization in cybersecurity because we have instructors who are world-renowned experts. They deliver in-person training at various locations around the world. Those experts are at the forefront of the industry.

They are the ones who write our content for the security awareness courses, so the same expertise that goes into creating those classes come from the same experts who know the types of breeches, know how to protect, and are the ones writing the courses.

Second level that sets SANS apart is our adult learning experts. Rather than trying to create content that is one-size-fits-all or content that may or may not ultimately resolve the behavior change, we take advantage of adult learning experts to write the content designed to change behavior. There are certain things that are more effective in getting adults to change behavior, so we write our content to maximizes the chance inspiring behavior change.

We also recognize that organizations are different, so rather than having a one-size-fits-all, we have a variety of styles of content with multiple tiers. For example, if you have a more traditional organization, we have a more traditional type of content they can use that will resonate with the learners. Versus if you have a young startup tech company, you’ve got a very different demographic and may want a different kind of content. We have different types of content for those types of organizations.

And with an organization that has never trained before, they're going to need different training than someone who's been training for 10 years and wants to further advance the learners. So, we have different tiers, different difficulty levels if you will, to maximize the impact on the learners.

 Finally, we invest heavily in people. We’re focused on customer relationships and we've invested heavily in our people. Specifically, our client success teram, whose job it is to work closely with the customers, to help design, implement, and manage their security awareness program. Our client success team have a very wide range and deep range of experience that they can bring to the table to help the customers put their program together, choose the right curricula, and manage it throughout the life cycle of their security awareness program.

Between the wide range of subject matter experts that we have and the investment in the client success team in the collective experience that they all have, those are a lot harder for competitors to replicate and I don't know of any of our competition that do those anywhere near to the level that we do."

Q5. You mentioned that in the cybersecurity industry, humans are the weakest link. Where do you think we evolved from the time that you started in this industry and where do you think we’re heading to get ahead of that threat?

"The “threat” has evolved. When you first heard about hackers, you heard about people breaking through firewalls and writing code in a way that would penetrate somebody's website. Those are the types of hacks that you that you heard about early on in the days of cyber threats. The internet hasn’t been around all that long and before it existed, computers were mainly stand-alone. The threat was a lot lower because in order to access a computer, you had to physically go where it was.

Once things started getting connected, people found that they could write code and send that code to gain access to another computer. For a while, that was the most effective way to do it. But about 7, 8, 9 years ago, we started to see a shift. The hackers, using the analogy I did earlier about the castle wall, realized that it was easier to get someone to click on a phishing link and remotely infect their computer. That's become the dominant way for folks to gain access to other computers.

When I started in cyber security, people talked about awareness, but there was not a lot of emphasis on it. The real focus was on the application development, security, and firewalls, intrusion detection, intrusion prevention and coming up with new and unique ways to do all that. While that all is still important, I've seen the emphasis on the human element continually increase in response to the threat and the breaches. So I like I said, look at the Verizon DBIR and you will see that human error is involved in a majority of those breaches.

People are focused more on security awareness. Yes, there are still technical tools that can be put in place to help keep learners from doing erroneous things, but ultimately if an email gets through and it has a link and I click on it or go to a website that is infected and sometimes those things are still going to get through, people are still going to do those things.

Until a better mousetrap is invented, until that’s developed, that it keeps people 100% from being able to do the wrong things, then security awareness is going to continue to be important in our world.


The team of experts Jimmy mentions in this interview recently released exciting refresh to the cyber security awareness training for employees collection called the 2019 SANS EndUser Training Series. To check out the latest on the 2019 EndUser Training Series, or to even schedule a demo of the visit the EndUser Training page.

No other organization boasts the depth of expertise as SANS. Our experts know every type of cyber attack and threat. Inside and out. With SANS, your training will focus on the key behaviors that most effectively manage your human risk. Learn more about Jimmy Lutz and get to know all of our experts here.