Why Altisource leadership gives security awareness prime real estate in its corporate culture
About
Altisource Portfolio Solutions S.A. (NASDAQ: ASPS) is an integrated service provider and marketplace for the real estate and mortgage industries. Combining operational excellence with a suite of innovative products and technologies, Altisource helps solve the demands of the ever-changing market.
Industry: Real estate and mortgage
# Employees: 2,500
Headquarters: Luxembourg
Challenge
In 2019, Altisource sought a cultural shift from sticks to carrots in security training to improve participation rates and enable behavior-changing awareness that would lower risk and decrease the infosec team’s workload.
Solution
From the CEO down, Altisource achieved unprecedented participation improvement and phishing risk reduction with Hoxhunt, while lifting cybersecurity culture to new heights with a gamified security training platform applauded for its automation and effectiveness.
Measurable progress has been outstanding. The baseline phishing simulation failure rate was over 46% with their previous training tool in 2020. Failure rates plunged to 8.5% over 2021 and are sitting at 3.5% in 2022.
“The switch to gamification and a carrot approach was really well embraced. And along with the broader education on real-world threats and insights into our own real threat reporting, I think the Hoxhunt training program has been received incredibly well.”
“The Hoxhunt phishing emails themselves are just so clever and sophisticated you can tell that someone has put a lot of time into creating them.” -- Rose Lally, Chief Information Security Officer, VP Governance & Controls at Altisource
RESULTS
Information security is now widely embraced as a cultural touchstone at Altisource, and the results have been transformational.
- Active C-suite participation and healthy security competition: frequent status updates requested by executive leadership on their Hoxhunt leaderboard positions with relation to one another
- Security culture boosted
- Dramatic improvement in security awareness metrics across the board: failure rate, success rate, engagement rate, real threat reporting
Building a security culture from the topdown
In 2019, CISO Rose Lally achieved full and enthusiastic C-suite support to revamp the Altisource security culture. The time she’d spent educating executive leadership on the risks of phishing was paying off. The security awareness transformation she’d begun a few years prior was accelerated with top-down buy-in.
She started upgrading the awareness program with a mostly-manual phishing template-based training solution. It got awareness moving in the right direction, but the solution was too cumbersome to scale up beyond one or two simulations per quarter. Moreover, its consequence-based focus on failure was off-putting; it made cybersecurity a bad experience.
Rose’s team believed in education, not punishment. They were building an awareness program that would boost security culture in a positive direction. They sought a training solution that would reflect that philosophy and amplify their goals.
“I consider the biggest security risk to be unintentional human errors, so what we have to do is educate them on how to spot a phishing email.”
Culture of carrots, not sticks, from the top down
Information security is now widely embraced as a cultural touchstone at Altisource. Hoxhunt fit well with Rose and her team’s vision of security awareness as a positive experience confronting a serious topic. Hoxhunt integrated not only with their existing systems, but also with Rose’s educational philosophy of talking directly to leadership and employees about cybersecurity.
As a result, cybersecurity performance is a point of pride for leadership and employees. They enjoy the gamified journey of receiving stars and other rewards for successfully reporting a phishing simulation and, of course, a real threat. They frequently ask her how they can achieve more stars in order to climb the Hoxhunt leaderboards.
Leading a vibrant security culture
Progress in terms of security awareness metrics has been outstanding. Starting from a baseline phishing simulation failure rate of over 46% with their previous training tool in 2020, Altisource phishing simulation failure rates plunged to 8.5% over the course of 2021. They are sitting at 3.5% after the first two months of 2022.
Rose directs loads of credit to the Altisource leadership team for modeling excellent security behavior. And indeed, their Hoxhunt phishing performance statistics are outstanding. But they’re a competitive bunch, and they would all like to outperform each other on security.
Rose presented a Hoxhunt leaderboard with the leadership team’s individual performance metrics. It was a hit. Throughout the meeting, they ribbed one another about their success and fail rates. And guess who came out on top? The CEO, who Rose called “a strong supporter of all things information security, and I’m very lucky to have that.”
“This leadership team, the C-suite, actually has the best numbers of any team in the company. They really are leading by example. In fact, this is a true story, the the CFO has asked me: ‘What do I have to do to get more stars and climb the leaderboard?'”
Low-maintenance security culture via top-level buy-in
Hoxhunt helps Rose keep leadership and employees in a state of heightened cybersecurity awareness. Like the Hoxhunt hybrid model of automated training simulations combined with a dedicated customer success team, Rose combines a vendor training solution with her own awareness-and-relationship-building direct communications.
“One of my main jobs is to keep the C level just scared enough, just paranoid enough, that they really are mindful of the attack emails coming in. I provide white glove education with those folks and then that trickles down. From the bottom up, we have emails and team meetings all the time.”
She’s glad to have moved awareness training beyond punishing people into compliance. The Hoxhunt phishing simulations are a positive experience, which supplements her own outreach efforts. It helps key stakeholders stay current with the threat landscape, which reminds everyone of the very real threat for which Hoxhunt is training them.
“The switch to gamification and a carrot approach was really well embraced. And along with the broader education on real-world threats and insights into our own real threat reporting, I think the Hoxhunt training program has been received incredibly well. It comes down to the fact that we’re not doing this because we’re all henny pennies, running around saying that the sky is falling. We’re doing this because it’s really happening and people know they need to be prepared.”
Table of contents
