There is such a disconnect between employees and effective cyber security awareness training.
Before founding Curricula, I spent several years protecting our nation’s power grid from hackers. I was a cybersecurity specialist in Critical Infrastructure Protection (CIP) for the North American Electric Reliability Corporation (NERC) — I know that’s a mouthful. My career was focused on working with utilities across North America to educate them on how to keep their infrastructure safe from the bad guys. Most of my time was consumed by working on regulatory compliance audits, advisory, and other cyber investigations. Keeping the lights on is no small task.
The NERC CIP standards were designed to protect our grid from cyber attacks. It was my job to explain to organizations how and why they could get hacked, and if there was an event — like a data breach or outage — to learn how it happened and what impact it had.
There was one audit when we were all sitting in this underground control room, kind of like the stuff you see in the movies, with a dim light shining over someone’s head as they were being “interviewed.” Part of the audit was to understand if employees recalled their annual training and talk a little bit about it.
One employee was asked, “Can you tell me anything you learned from your training about Critical Cyber Assets or CCAs?” This is a pretty basic question for anyone who works in the utility industry, similar to a mechanic knowing what a wrench is and what it’s used for.
This guy’s boss was glaring at him hoping he didn’t say the wrong thing. The auditors were staring at him, hoping he knew something; and I was staring at him, just hoping he said anything. Finally, the employee acknowledged he knew of the term “CCA” but didn’t know what it was or what it did. In reality, his entire career of several years at this company was to operate a CCA every day!
This was a multi-billion dollar utility with tens of millions invested in cyber security.
How could this employee not answer this basic question from his training? This was the main focus of the entire cyber security compliance program.
I thought, “How could there be such a disconnect between employees and the cyber security standards they were trying to implement?
So I flew back home to New Jersey for Christmas and met with my long-time friend, Joe Rucci, to tell him this story and we both laughed in disbelief. Almost jokingly, I asked Joe, “What if we were the ones who taught people about NERC CIP cybersecurity regulations? What if we just made it fun so people actually understood why these security regulations were put in place?” After all, the NERC CIP regulations were designed to keep the lights on for every citizen in North America. This seemed like it was an important problem to solve.
This was the beginning of Curricula.
Our goal was to tell a story about why these rules for cyber security were put in place, and to visualize how they worked. Most of this compliance training was ‘Death by PowerPoint’ with 100+ slides. Maybe we could make their experience more enjoyable so employees could actually learn from the training. This initial conversation started in December of 2013, knowing a new NERC CIP regulation would become enforceable by April 2016.
But this was all just a dream. I mean, how could we really give up our stable careers to launch into the unknown? I would have to leave my job at NERC to make this a reality. For the next few years, we kept thinking more and more about this idea of fun cyber security training. Until one day, on March 9, 2015, we decided to make that dream a reality. I remember waking up that morning and thinking to myself, ‘so now what do I do?’
The plan was simple: build a NERC CIP training program that utilities would be required to implement once the new CIP regulations became enforceable on April 1, 2016. Our mission was to make the content really fun so employees got excited about their role in protecting our nation’s infrastructure.
We brought on Daniel Abbruzzesi, who Joe had worked with at the same experience design agency in NYC, to help bring our content to life with storytelling. Our foundational team was rounded out with Juan Camarero helping to get us off the ground with operations and sales.
We realized all of the competition and other training choices were really bad… like, really bad. Their annual security awareness training was boring, employees hated the content, and no one learned anything. Funny enough, that is still true today.
Employees feel disconnected, disrespected, and like their time is being wasted. It wasn’t doing anyone any good. Just because security awareness training is serious doesn’t mean it can’t be fun. So our goal was to personally connect to employees. Using this approach, they would be investing in their own careers and not just checking a compliance box for their company. We called this concept: learning how to speak the language of NERC CIP.
At some point early on, we realized what we were doing for regulated utilities could be expanded to everyone. We can help every employee across the globe learn how to speak the language of cyber security. From that moment, we realized the Curricula platform would become a cyber security awareness toolkit. Instead of just selling a product, we were helping IT executives sell the idea of security to their employees.
I believed in our mission so much I literally put everything I had on the line to continue the growth of Curricula. So I cashed out my 401K and sold my condo here in Atlanta. No one believed in Curricula more than me and no one ever will.
And unlike the majority of other SaaS founders, we did not have angel investors or seed funding. We actually tried and hated it. We met with a few groups and were turned off by the fact we would have to give away so much of our idea, control, and vision that early on.
So our journey continued and along the way we just kept building. Keeping our heads up and listening, which most founders don’t do enough because they are so heads down working on the product. But we aren’t like most founders. We knew the direction we were heading in, but just didn’t know exactly how to get there.
The problem we thought we could solve for security training was real, and organizations of all sizes and industries were looking for help. We wore a lot of hats with a foundational team of four, which I think that’s the definition of being resourceful. We were the scrappiest as they come and had the knowledge, grit, and insight to impact this industry for the better.
Fast forward to 2018. We were scaling our security awareness training platform, and were ready to launch our phishing simulation training integration
Based on the feedback we had from our early customers, what they liked about Curricula was our fun training content. That’s what got employees to buy into the idea of security. That’s what made this work. So we brought our first and most beloved character to life: DeeDee. DeeDee was going to be the face of our phishing simulation experience.
Employees love DeeDee, our 5-year-old AI hacker prodigy. We wanted to gamify this concept, as DeeDee would be the one responsible for sending phishing tests to employees. She’s the one hacking people, not IT admins. Employees resonated with DeeDee so much and didn’t want to ‘get caught’ by her.
Curricula was officially a fun security awareness training platform with DeeDee.
One of the problems we saw with other phishing simulators is they lack a personal experience for employees. There’s a complete absence of emotional intelligence. Everything is focused on the IT admin instead of the employee. Additionally, the IT manager also gets ridiculed for just doing their job trying to keep everyone safe yet employees hate them for doing it.
So instead of an IT manager administering phishing tests, ‘DeeDee’ helps schedule and send the phishing emails on their behalf. Instead of IT being the villain, information security managers could hide behind DeeDee. This concept works so well, and allows IT and employees to finally come together on the concept of security. This relationship is critical to the success of any powerful cyber security program and we are so happy to be helping.
The last few years have been a wild ride. Curricula recently celebrated our 5th year in business helping employees fight back against hackers. We’ve learned so much over the years about our industry, our customers, and ourselves. We have started a global shift towards the future of cyber security awareness training.
2020 has been a game-changer. We quadrupled our team and are scaling quickly, protecting new customers all around the world. Before the Coronavirus pandemic, we had just closed our first strategic round of funding with a $3 million Series A investment with RCP Equity. We found a partner who really cared about our business, who knew our customers came first, and clearly understood the problem we were trying to solve from their previous work at AppRiver. As one of our investors, said…
What we see in Curricula is an opportunity to completely change this industry by creating a fun security awareness training experience for employees.Joel Smith, RCP Equity
The Curricula founding story has been slower than most startups, and that’s okay for me because we took our time to make sure we got this right. It’s been an honest journey fueled by hard work and the desired focus to change the norm. I can’t describe how excited I am every time we sign a new customer because it’s a new opportunity to protect another organization.
We are clearly resonating across our industry in desperate need of change. We know we’re on to something really big now. Our ‘Curriculoos’ make me smile every day because I can feel that same energy from them as they are helping build the future of Curricula.
Thank you for being part of our story. This is just the start of a much bigger adventure.