Why utilities are switching to Curricula’s fun security awareness approach
Central Electric Power Cooperative (CEPC) is an electric generation and transmission cooperative that delivers power to eight distribution cooperatives across Missouri. Critical infrastructure electric utilities like CEPC have strict compliance standards under NERC CIP, with some of the most expensive regulatory penalties of up to $1 million per violation, per day. As CEPC was ready to level up its cyber security awareness training program, the team made it a top priority to go above and beyond NERC CIP compliance. NERC CIP requires utilities to update their security awareness on a quarterly basis to achieve compliance. CEPC was looking for a way to drive better engagement from their employees and create better outcomes for security. Like many organizations, CEPC was stuck in a contract with KnowBe4 and decided to pursue switching to Curricula, knowing it was time to do something different. In this case study, we hear from Cyber Security Analyst, Andrew Broyhill, about:
- Why and how CEPC switched to Curricula
- How Curricula has changed the way employees view security awareness training
- What they’re doing to meet NERC CIP compliance standards while also having fun
We want employees to learn by bringing a positive culture to this, and people love that. I don't think we could've done that without Curricula.
Why organizations are switching to Curricula for their security awareness training
Switching from one vendor for security awareness training to another may seem difficult at the outset. Curricula’s team made the process as painless as possible without pressuring us into launching before we were ready. They were truly a partner as their team understood each step that was required to get the program configured for CEPC systems. In Andrew’s case, “We had a lot of issues with our previous vendor at the time and needed effective training that employees actually enjoyed.” Andrew realized the opportunity window of switching to Curricula was now open and was able to demonstrate value to his team on the difference that Curricula’s content will bring to the entire CEPC team. Andrew shared three main reasons why he chose to switch to Curricula for security awareness training.
- Navigation and reporting: From an admin point of view, “my biggest gripe with our former vendor was that you couldn’t get to anything easily.” Andrew continued, “Whereas with Curricula, everything is easily laid out and administration is simple — which is fantastic.” On the reporting side, maintaining compliance is a requirement for anyone in the NERC CIP industry. “With Curricula, you can create your own custom reports and easily download anything you could need for an audit in a few clicks.”
- Memorability and stickiness of training: Despite the quantity of our previous vendor’s training content, Andrew pointed out “the quality of the training lacked memorability and focus.” The purpose of a security awareness training program is to effectively educate employees; therefore, the quality of that education should be prioritized. “Curricula’s lessons stick, which ensures our employees are positively engaged in cybersecurity. That was reason enough to switch.”
- Customer service: “Another issue I had with our former vendor was continually being blown off when requesting support. Even when they did get around to me, my tickets were closed before asking me if the solution worked.” Curricula’s dedicated support team cares about every organization and individual they interact with. “To most vendors, you’re just an account number, but to Curricula they truly care about getting to know the customers they serve. There’s not another company I know that treats their customers like their friends.”
Getting buy-in from executive management
In 2019, Andrew was hired to be a Compliance Coordinator because CEPC was falling under NERC CIP regulations. When he joined, the organization already had a security awareness contract in place, but he wanted the entire organization to do something better. Andrew’s manager, Justin Luebbert, showed him Curricula and he “instantly fell in love with it.” The hardest part of Andrew and CEPC’s journey with Curricula was gaining the buy-in needed to switch from KnowBe4 to Curricula. This is one of the most time-consuming and frustrating parts of switching security awareness platforms for an IT leader who wants to do something better for their organization. Andrew’s job was now to convince everyone else why they needed a change. “When our contract with KnowBe4 was coming to an end, it was my opportunity to switch to Curricula.”
“After years of both my boss and I pushing for Curricula, I had formed a relationship with our CEO and was able to speak from a personal level on Curricula’s benefits. It was clear that our employees weren’t being educated well enough and it showed. I shared my concerns that the lack of employee motivation could lead to a major security incident very soon.”
It wasn’t until May 2021 that Andrew was finally able to get buy-in from management to trade in their previous vendor for Curricula.
Changing our security culture
“It’s CEPC’s employees who benefited the most from our transition to Curricula. Our previous security awareness program wasn’t hated by the employees, but, almost just as bad, it was ignored by them all. Because of the lack of emotional investment, they were indifferent to anything they learned and didn’t care about the program.”
After switching to Curricula, “Our security culture exploded in a positive way that I’d never seen before,” Andrew said, “It’s a lot of fun and as the admin, I had employees coming up to me for the first time to talk about security. I could see the shift happen, where employees felt more comfortable to talk about security.”