Lisa Kubicki: Keep it simple, keep it secure

In this episode of the Behave podcast, Ben Donaldson—Community Engagement Manager at CybSafe—sits down with Lisa Kubicki, Director of Trust & Security Training & Awareness at DocuSign.

Guest profile

Lisa Kubicki is the Director of Trust & Security Training & Awareness at DocuSign, where she oversees the company’s security awareness training program. With 20 years of experience in leadership development and change management, Lisa brings a unique perspective to her role. 

Having worked at prestigious universities like Stanford and Cornell, Lisa has a deep understanding of human behavior and change management. By blending her expertise with the latest security awareness training techniques, Lisa is dedicated to keeping DocuSign at the forefront of security and data protection in the industry.

Connect with Lisa on LinkedIn.

Key takeaways

1. A positive reputation is key for any cybersecurity team

A major lesson to glean from the episode is how crucial it is for a cybersecurity team to maintain a positive reputation. According to Lisa, if the team’s reputation is negative, it could hinder employees from reporting security concerns, and can lead to more significant problems in the future. 

Relying exclusively on technology and tools doesn’t guarantee an organization’s safety. It is imperative for all personnel to be actively involved in safeguarding the company, and to accomplish this, a cordial working relationship with the cybersecurity team is indispensable. Employees need to know the cybersecurity team and be at ease seeking their assistance.

2. Strategies for improving your team’s cybersecurity reputation

If you’re looking to boost your cybersecurity team’s reputation, Lisa has some tips to help you out. For Lisa, it’s all about keeping your team motivated and supported, which means keeping them in the loop when changes happen. 

But it’s not enough to just communicate changes—you need to make sure your team feels empowered and motivated by the process. That’s why Lisa recommends evaluating communication training from the team’s perspective to make sure it’s user-friendly, straightforward, and hassle-free. By following these strategies, you can build a cybersecurity team that’s respected and effective.

3. The importance of simplifying communication processes and policies within a cybersecurity team

Lisa emphasizes the importance of simplifying communication processes and policies within a cybersecurity team. She highlights the need of regularly evaluating requests from the team and finding ways to streamline them. It’s crucial to have a clear and straightforward call to action, avoiding unnecessary complexity. 

Lisa acknowledges that people tend to choose the easiest path, and if the process is too complicated, they might look for ways to bypass it. This not only affects the team’s effectiveness but also harms their reputation, making it difficult for others to cooperate and follow established protocols. To maintain productivity and credibility, Lisa underlines the necessity of having straightforward and understandable processes.

4. The challenges of establishing security measures in an organization

According to Lisa, implementing security measures can be daunting and perplexing, yet simplicity is key to effectiveness. She stresses that to encourage compliance, security protocols should be communicated in an unambiguous and persuasive manner. 

Additionally, Lisa highlights three kinds of obstacles to security: will, skill, and hill issues. Motivation is needed to tackle will problems, training is necessary for skill problems, and obstacles must be removed to address hill problems so that employees can comply with security measures.

5. Hill, skill, and will problems in organizations, and how to solve them

Lisa shares valuable insights on how organizations can tackle cybersecurity challenges by involving employees in training and awareness initiatives. Noting that there is no one-size-fits-all approach, and that different people have different learning styles. 

Lisa suggests implementing a regular cybersecurity simulation program as an ongoing practice, with a positive tone and reinforcement of good behavior. Drawing on Osterman’s research, Lisa explained that 15 minutes of training each month can be the tipping point for employees to feel accountable for cybersecurity in their organization. 

She recommends a variety of training and engagement methods—such as regular phishing simulations, internal chats, videos, speakers, and recognition programs—to keep employees engaged in different ways.

6. The importance of addressing the human factor in cybersecurity

Lisa delves into the challenge of implementing a “people tool” in the workplace to reduce cyber risk through behavior change. She highlights the difficulty of selling this approach to decision-makers, who are often more focused on technical solutions and metrics. 

Lisa explains that leadership has not fully embraced the psychological aspect of human behavior, and this has contributed to the underfunding of initiatives that address the human factor in cybersecurity. 

To get more resources allocated to the “people aspect,” Lisa suggests that leadership needs to become more comfortable with the psychology of human behavior. She emphasizes that people are the greatest asset in the workplace and should be treated as such, even though they may be more unpredictable and difficult to manage than technology.

Top quotes from this episode