How this fast-growing FinTech company creates a fun culture of security
Stash is a leading subscription platform empowering middle-class Americans to invest and build wealth. The company now counts 300+ employees and more than six million users*. When it came time to select a vendor for employee security awareness training, they wanted to do something different instead of just meeting compliance requirements.
In this case study, learn firsthand from Stash’s leadership team about…
- Why their security team chose to do something better for employee training beyond checking the box
- How IT and People Operations teams work together to intentionally scale their company culture around cybersecurity
- The importance of having a CEO who will encourage everyone to participate in their training
My job is serious enough—my background is in defense and financial services. As such, it’s always exciting to stretch my creative muscles, and Curricula is a fun, positive way to talk about the important risks that could drastically impact our business.
When it comes to compliance, the team at Stash is meeting requirements for SOC 2, PCI, ISO, you name it, not to mention fulfilling their fiduciary responsibility to their customers.
Gavin Grisamore oversees information security (infosec) at Stash. His career spanned multiple industries before he joined the team at Stash in 2018, after the company raised its Series D funding round. Without a massive security team behind him, Gavin needed a security training platform that was simple to set up and fun to deliver to the entire organization.
“One of our goals was to do more frequent training with each department; for example, here’s a plan for marketing, engineering, etc. to take security awareness and make it feel relevant to everyone in their day-to-day roles,” Gavin explained. “Doing training once a year isn’t enough.”
Information security leaders like Gavin recognize the importance of training and that it can't be allowed to fall by the wayside as merely an annual compliance exercise, like a fire drill. That's why the Stash team uses security awareness content not only to train their employees but also to revamp their internal processes.
Rallying the Whole Organization Around Cybersecurity
As a growing company, the leadership team at Stash recognizes that building a culture of security is just as important as building the culture of the whole organization. So when it comes to employee security training, the leadership team is heavily involved, rallying the whole company around recognizing the danger of these very real cyber threats.
“We’ve found it to be more successful for employees to have positive reinforcement for training,” Gavin said. “Ultimately, that approach is what helps to build a security culture.” One way Stash leverages positivity in creating a culture of security is by integrating Curricula’s cast of characters into their company culture. “At Stash, we’re making sure everyone knows DeeDee.”
DeeDee is Curricula’s villain hacker who appears in the majority of Curricula’s training episodes, and she’s also the AI behind Curricula’s phishing simulator attempting to phish employees to see who is most likely to give up their credentials.
Even the team in charge of security gets excited about employee training. “I’m just an everyday engineer so it’s fun to do this stuff,” said Steve Weintraub, Engineering Lead at Stash.
“The first time we used Curricula, DeeDee stuck.”
To date, Stash has been using Curricula for security training for two years. The entire company has gone through several training sessions, including watching episodes on phishing, social engineering, passwords, multi-factor authentication, secure browsing, and many more (check out Curricula’s training library here).
The infosec team has also used Curricula’s LMS content authoring tool to create their own training modules on AppSec and InfoSec. “We like to use the same eLearning tool that our folks are already familiar with,” Gavin said.
Having Leadership Support Security Training
One secret to Stash’s success with employee training is having multiple departments involved. Alison Turen is in charge of “all the fun stuff for company morale,” and working in tandem with IT and People Operations helps reinforce the importance of security, but in a positive way.
“We all love DeeDee, and when our CEO started talking her up, everyone wanted to participate,” Alison said. As part of the employee onboarding experience, Stash puts their new hires through an assignment of three (3) training episodes with an intro to cybersecurity, phishing, and social engineering — all starring DeeDee.
“DeeDee is a big hit around here—especially for newer team members who just went through the Curricula training during their onboarding,” Steve explained.
Steve said, “Anytime there’s a security chat, or anything remotely related to security, DeeDee comes up in our Slack. Even our CEO loves the training.”
Security awareness shouldn’t be ignored or handed off by CEOs; it should be embraced and championed throughout the entire organization. Gavin agreed, saying, “Our staff comments about how much they like the content—it’s memorable. We’re constantly getting all the departments involved.”
High-growth startups and scaling companies like Stash are well aware of how detrimental a cyber attack could be to their organization. We’re all in this together to ‘defend against DeeDee!’ and the first line of defense is to train your employees.
*This is not an endorsement or a statement of satisfaction by any Stash client and is defined by the number of clients who have e-signed.