How to Make Security Awareness Training Fun – Even for Compliance

As startup technology companies scale, they will have to face any number of audits to ensure they meet compliance requirements. While this topic is as dry as toast, security awareness training doesn’t have to be boring for employees. At Zwift — a fitness company developing software for cyclists, runners, and triathletes that gamifies indoor training — their Legal & Compliance team knew information security had to be an essential part of their growing organizational culture. And just like the Zwift platform, which makes serious fitness training fun, their security training had to incorporate fun, too! In this case study, learn more about:
- Why Zwift was motivated to build a culture of security
- How they run their security awareness program across the organization, including simulated phishing training
- What a difference it makes when security awareness training is fun for employees
We're keen on leveling up our infosec hygiene... I've been having fun bringing security awareness training into Zwift, and I'm grateful our employees get excited about Curricula's content.
Building a security awareness program from the ground up

Jacqueline Geller, MBA, CISA, helps manage data privacy and compliance initiatives at Zwift. She’s passionate about software development, privacy law, and cybersecurity, and is the driving force for employee security training. As the company was ramping up for a period of rapid growth, starting the first official security awareness program at Zwift was part of Jacqueline’s initial scope of responsibilities when she joined the Legal & Compliance team. “We knew our employees had a wide range of security awareness and data privacy education,” Jacqueline said. “We were in the phase of scaling from a startup to becoming a bigger company with policies and processes, so we needed to solidify a lot of things, including getting a cybersecurity training platform to ensure a standard baseline and shared language across the organization.” Between working closely with the IT and Information Security teams and her role working with data privacy and compliance, Jacqueline knew the mantra all too well that good security equals good compliance, but compliance doesn’t necessarily equal competence.
“One of the things you need to ask yourself is, ‘what is your goal with your security awareness program?’ Do you really want to check those boxes for compliance, or do you actually want to improve your information security hygiene?”

It was important for everyone at Zwift to understand why going through security awareness training was essential for establishing good security. Zwift didn’t want to just check the compliance box. It was a priority that employees absorbed the content and applied it to their roles. Jacqueline described how her team needed to present this information to employees in a way that makes them think about security so it’s embedded in both their day-to-day work and everyday lives. “Your digital life doesn’t end when you log off at the end of the day. It extends to your personal life, and employees need to know the basic cyber hygiene of things like using unique passwords for all their accounts to both protect Zwift and themselves,” she shared. “We also want our employees to be educated on information security in order to better protect their personal accounts and personal information.”
How Zwift launched their security awareness and phishing training

At Zwift, they call their employees “Watopians,” named after the fictional Watopia island in their fitness app. One of Zwift’s core values is “Make It Fun,” and Curricula’s colorful, engaging content perfectly aligned with that value. Storytelling was already a big part of Zwift’s culture, so Jacqueline knew Curricula’s villain hacker DeeDee and her cast of fellow villains and heroes would be popular among her Watopian colleagues. Before rolling out the first security awareness training episode, Jacqueline sent out an email to the whole company, sharing the news about the launch of their security program. She also posted this news to the company’s Slack channel and had a set of DeeDee emojis added to Slack. It was the first company-wide training initiative at Zwift, and there was no precedent set on how to roll it out effectively across the organization. Once Zwift’s security awareness training efforts were underway, Jacqueline secretly launched the company’s first phishing simulation campaign. It was a valuable exercise both to train employees on how to report phishing emails and to understand where improvements could be made. Jacqueline prepared a clever phishing campaign recap presentation using various DeeDee images to share the results with the company at the end of the campaign. “I wrote a short story about how ‘The Zwift Information Security team has discovered that infamous hacker DeeDee launched a phishing campaign against Zwift. She must have seen a news article on LinkedIn about our highly successful Series C funding’ to help lighten the mood,” she explained. Jacqueline emphasized the importance of knowing what training would resonate with your employees and corporate culture to ensure buy-in across the organization. “Curricula really fits with our bright company culture and core value of keeping it fun with our energetic team,” she said.
“It made sense that this was something that aligned with our brand and people would enjoy watching the content.”
“Not only do I now have employees telling me how much they enjoy the Curricula content, but I also see organic mentions of DeeDee and information security topics brought up in company conversations.”
Making security awareness training fun so it actually works

One of the biggest risks in your organization is actually internal — your employees. The focus is on how we can educate people and get them to start thinking about security awareness in a new way. “For us, Defending Against DeeDee means educating people about potential threats and expanding their mindset that security awareness is part of your daily routine and not just a video you watch then forget about,” Jacqueline said. Working with departments across the company was also an important part of ensuring success with this initiative. Jacqueline shared how she teamed up with People (HR) to make security awareness training part of every employee’s learning and development, including new hire onboarding. “I work with everyone from IT, internal communications, new hire onboarding, and we have our executive leadership on board, which is super important for any security awareness program,” she explained. Other ways the Legal & Compliance team has spread the message of security include:
- Running quarterly phishing campaigns to reach everyone across the country, then sharing the phishing campaign results internally
- Sending an internal newsletter, titled ‘Risky Business’, that covers different topics such as data privacy vs. data security
- Communicating clearly and consistently on multiple channels such as Slack and the internal newsletter, and creating an FAQ any time a new training is launched
“The least effective security awareness training program is the one that takes place on a random Tuesday in June and then fails to connect with employees the other 364 days of the year.”

And if an employee fails the phishing test, don’t give them a slap on the wrist. A phishing test is a safe space for employees to make mistakes and learn from them. Instead, find a way to remind them to be cautious when opening emails and also give them the opportunity to ask questions.
“With the phishing simulations being from DeeDee, this makes it seem like it’s ‘her’ and not from the Compliance team. We’re giving everyone a safe place to learn.”