CyberVault Podcast: Why Security Awareness Training Fails with David DellaPelle
David DellaPelle, Co-Founder and CEO of Dune Security, joined The CyberVault Podcast to discuss why most security awareness programs fall short and what it takes to build a true human-first security culture.


On this episode of The CyberVault Podcast, Dune Security CEO David DellaPelle explains why traditional security awareness training fails and how organizations can better protect the human layer. He highlights how most breaches stem from social engineering, why generic training leaves enterprises exposed, and how risk-based, personalized approaches can drive real behavior change. David outlines how leaders can quantify user risk, focus resources on the riskiest 5%, and reward low-risk employees with fewer unnecessary trainings.
Katie:
Welcome back to the Cyber Vault. I'm very excited today to be joined by David DellaPelle. David is CEO and founder of Dune Security, a company tackling one of the biggest blind spots in cybersecurity right now: how humans actually interact with security policies in the real world. We're going to dig in today into why human behavior is still the weakest link in security, how Dune is flipping the script on security awareness, and what it really means to build a human-first security culture.
David, thank you so much for joining me here. Why don't we kick start and give you the floor so you can give us a bit more of an introduction to yourself.
David:
Awesome. Katie, thanks so much for having me. Really excited to be here. Like you mentioned, we're building Dune Security. We are a relatively young company, about two and a half years old, but I like to say punching far above our weight class in defending some of the biggest enterprises globally from human-centered risk. So things like social engineering and insider threats, we are quantifying and reducing that risk and therefore preventing it overall.
Katie:
Building something very exciting, and you're 100% right. What you've been able to achieve in that short space of time is impressive as well. But I think we can really dig in straight away because, like I mentioned, you're really flipping the script on security awareness here. Let's just get started on where you saw the opportunity in the market and realized there was a big gap in the space. What do you think is the biggest misconception you're seeing in how companies are thinking about this, more specifically that human layer of security?
David:
Yeah, I mean, you know, human-layer security, right? Social engineering accounts for something like 85 to 90 percent of breaches. When the attackers are coming into the company, they're not using brute force to break down the castle walls. It's a very small percentage of the time they're doing that. A much larger percentage of the time they're actually tricking employees or soliciting employees or contractors within companies who actually have rightful access into the networks.
So I was looking at the space with my co-founder Michael Wade and realizing that there are a couple of companies dominating in the space, and they offer something called security awareness training. The security awareness training is completely standardized. Everyone's receiving the same quarterly trainings. People are receiving maybe a phishing test that's also on a regular cadence, manually scheduled maybe monthly or quarterly, but it's not individually assigned to every user based on their risk and role. So it's completely ineffective because high-risk employees aren't held accountable and low-risk employees’ time is wasted.
Furthermore, you have this big issue where the CISO and the end users have a bit of an adversarial relationship because the CISOs are saying, "Hey, do your training," and the end users are saying, "You know what, I don't want to do that. Can you just screw off? I want to get back to my work." So it's kind of a broken model, and we set out to fix it.
Katie:
And I think we could talk about what human-first security actually looks like in practice. I think another thing that people look at is, yeah, it's just a bit of training, like training videos or something that doesn't always show the actual implications of why it's so important to take the training seriously. A lot of people don't realize the risk or how much of an impact they can have if they do click on a phishing link or whatever it may be. What does this actually look like in practice? What are the things that can keep employees a little bit more engaged when it comes to this kind of training?
David:
Yeah. I mean, training isn't the entire answer, right? Training is a piece of the puzzle. We like to talk about how legacy security awareness training is dead because we firmly believe there’s something much bigger here.
But at the basics, if you're just talking about things like training and testing, social engineering testing like phishing or SMS smishing testing, everything has to be specific to the user. You can't have a phishing test or a type of training that goes generally to every single person.
There are eight billion people in the world. Let's say maybe a quarter or an eighth of them are in a corporate environment where they’re using computers. That’s a potential source of breach for attackers to get in. They have to receive both training and testing that's completely specific to their role and also to their risk through displayed behaviors.
There's a very big picture here that security awareness training is not solving, and we think that market is a dying one.
Katie:
Yeah. I think following on from that, when you look at traditional security awareness programs, they are kind of dead. They’re falling short. Like you mentioned, it's probably because training alone isn’t setting the foundation for what can be done here. Would you say it’s tech issues, culture issues, or something else? Where are the foundations for where we can really make a difference?
David:
Yeah, I think people talk about how security awareness sometimes isn’t the job of the CISO or the security organization, or they say it’s a cultural issue. I totally disagree. I think there are ways to implement technology that can solve this problem. It’s not a cultural issue. It’s a tech issue.
Think of it this way. The classic analogy of a doctor: the doctor needs to run all the tests and exclude all possibilities before prescribing surgery or medicine. That’s how medicine works. Why can’t that happen with individual user risk?
What we do is pull in a variety of data sources. We launch automated spear phishing, SMS, deepfakes, and even encrypted-channel attack simulations, because that’s what attackers are doing, right? Real attackers like Scattered Spider.
Every single test is specific to the user based on their business impact. We built a language model purpose-built to understand where people sit in the company and what type of risk that person puts the company at, so the testing can be completely specific to their role.
We also start to pull in signals from the rest of the stack. We're doing this with endpoint solutions, identity, DLP, email gateways, and even HRS integrations to pull in data sources for a more complete risk picture of each user.
At that point, you can start to train people. What we found is about 70% of users are quantifiably low risk, and they should be rewarded with far less testing and far less training. Nobody really wants to do training. For low-risk employees, we give them time back so they can focus on their work.
About 25% of employees are in the moderate-risk category. These employees have a moderate business impact. For example, maybe they’re a mid-level marketing manager with some access permissions but not the full keys to the kingdom. Maybe they fail occasional attack simulations or are inconsistent with training. Their cyber hygiene might be moderate.
For these people, we want to move them into the low-risk category through completely targeted user-adaptive training specific to their risk and role. But there’s still 3 to 5% of high-risk employees who might be negligent or even malicious insiders. Sometimes, no amount of training is ever going to fix them. So we want to create maximum risk thresholds for these employees and integrate with the rest of the security team to start locking them down. Performance management could be a solution, or access restrictions. It’s up to the company, but we provide the real-time intelligence for them to make the right decisions.
Katie:
I suppose that’s really what defines how much of a differentiator you are in the market as well. When you can really talk about data, decisions are key. It’s easier to make a decision when you know why you’re making it rather than someone just telling you it’s the best thing to do. You don’t want to penalize people who don’t need the investment or make them feel like they’re wasting time. That can build resentment toward security itself.
So if we look at what security leaders need to either stop doing or start doing if they actually want to influence secure behavior, is there something that stands out to you?
David:
Yeah. For me, what we’ve been looking at is off-channel attacks. It’s not just about how secure your email is or how accurate your risk quantification is through phishing simulations or even SMS on work phones. It’s deeper than that.
What happens when an advanced persistent threat group like Scattered Spider goes off-channel through Signal or Telegram on employees’ personal devices? There’s no corporate cybersecurity solution that can help with that. If Scattered Spider is soliciting employees, it’s a challenging situation for companies because it’s a complete blind spot. They have no idea how to quantify that risk—until Dune Security.
Katie:
If we look at something immediate and measurable that CISOs or security leaders could do this quarter to make a quick impact, what would you say is the first thing to look at?
David:
If you can actually quantify risk automatically, you can then reduce risk automatically—both in terms of social engineering risk and wasted time.
You need AI in the backend to automate these previously manual workflows. There are amazing human risk and readiness professionals in large enterprises who report to the CISO, but they’re spending too much time manually dealing with low-risk employees. If you automate that process and identify low-risk employees automatically, you can then spend more targeted effort on the high-risk ones.
It’s not about replacing any function. It’s about enabling and empowering that function with powerful AI.
Katie:
Awesome. Do you think there are ways to measure success when it comes to changing user behavior, or are there specific metrics that matter most?
David:
Yeah. We have a pretty robust algorithmic approach to risk quantification. What we do, which I think is powerful, is prevent repeat offenders. If someone fails a simulation or displays high-risk behavior, we test them again on that same thing. They’ll receive just-in-time training based on their points of failure, so people are trained on what they’re bad at, not what they’re good at.
Then we test them again to see if they’ve improved over time. That’s the key unlock we’ve seen at Dune Security and for our current customers like OSF Health, Warner Music Group, and Polen.
Katie:
For sure. And I think that’s the most important piece—you want to know what you’re doing is having a positive impact. It can be hard to change routines and have that positively received.
To dive into you guys a bit more, this is clearly a huge gap in the market. Humans are arguably the biggest vulnerability in most businesses. You’re still early stage, but you’ve achieved unbelievable things in a couple of years. What’s been the biggest challenge in building a security product that prioritizes people?
David:
I think what we’ve done well is provide amazing customer success, engineering, configuration, and customization for enterprise CISOs and their teams. The challenge is prioritization.
You want to optimize for the whole. She who optimizes for the whole is rewarded. There are always competing priorities in the product roadmap. For us, it’s very important to figure out, using frameworks like RICE, what’s the most important thing to build urgently today versus what can be deprioritized to tomorrow.
We want to reduce human risk and prevent social engineering and insider threats for every enterprise automatically. Different companies have different needs, and building to meet those needs is the most important thing.
Katie:
Let’s look to the future. You’ve built something valuable and you’re still early in the journey. What’s next? Any particular solutions you’re working on that you’re excited about?
David:
Yeah. There’s a lot. There’s something we’re releasing today called the end-user phishing playground. Every user—we have millions now—can go into the platform and clone their voice. We can show every user how easy it is to clone their voice, and it tells a story back to them. That ability to increase user engagement is powerful.
We’re doing a lot to enable security awareness managers and human risk and readiness folks. In the longer term, we’re focused on security automation.
Right now, we’re focused on quantifying and reducing human-layer risk. It’s important for us to be trusted by every enterprise as the best at doing that. Once we can do that, we can get deeper into the rest of the stack.
Imagine a world where your network could be segmented automatically based on human risk profiles, or MFA step-up enforced based on human risk profiles, or email security thresholds adjusted dynamically. You have to start somewhere, and everything takes time. But getting into automation for that last mile—the 3 to 5 percent high-risk users—will be very exciting.
Right now, it’s semi-automated, where we integrate and loop in the security operations and identity access management teams within the platform. But in the future, being able to act on systems automatically will be powerful.
Katie:
Absolutely. Exciting times ahead. What you’ve brought to the table is something clearly needed in the market.
So, David, for anyone listening who’s resonated and thinks, “We need this in our company,” how can they get in touch or follow the journey?
David:
Things are quite busy right now with demand. We’re having a little trouble keeping up because the threats are so high. That said, we have a very high-touch process to help people learn about their risk and implement solutions using Dune Security.
The best way to get in touch is to go to our website, dune.security. You can book a demo there. It’s likely I’ll even be on that demo. We’re building out a sales team—we’re about ten people on the go-to-market side—but I’m still heavily involved. I look forward to speaking directly with anyone who reaches out.
Katie:
Fantastic. That’s what we mean by exciting times. When the demand is surging, you can clearly see the passion here. That’s how you know the foundations of the business are being built on real value.
David, thank you so much for such a real and forward-thinking conversation. It’s clear that if we want security programs to actually work, we need to stop treating people like the problem and start designing with them in mind.
To our listeners, as always, don’t forget to subscribe, share this episode with your security peers, and get connected with us and with David and the team.
That’s it for today. Thank you so much for tuning in, and I’ll see you next time for Conversations Shaping Cyber.
Key Takeaways
- Legacy security awareness training is broken. Generic quarterly videos and phishing tests don’t work because they treat every employee the same, wasting low-risk employees’ time and failing to hold high-risk users accountable.
- Attackers have gone off-channel, and so must defense. Threat groups like Scattered Spider now operate through encrypted apps such as Signal and Telegram, making off-channel visibility, simulation, and readiness a new frontier for enterprise defense.
- Most employees aren’t the problem. About 70% are low risk and should get time back, 25% are moderate risk and need targeted improvement, and roughly 5% are high risk who may require access limits or intervention beyond training.
- Automation’s role in risk reduction. AI can automatically identify who’s low and high risk, reduce manual workload, and trigger targeted testing or controls in real time, allowing security teams to focus effort where it truly matters.
- User risk intelligence drives better decisions. By connecting behavioral, contextual, and technical data, Dune gives CISOs a continuous, quantifiable view of user-layer risk that informs real security action, not just awareness metrics.