Tampa Bay, FL-based security awareness and simulated phishing firm KnowBe4 has acquired Oslo, Norway-based security culture measurement company CLTRe for an undisclosed sum.
KnowBe4 is best-known for its simulated phishing awareness training program. One of the attractions of such platforms is that staff awareness improvements can be measured and accurately reported to the board.
CLTRe is focused on measuring its customers’ overall cybersecurity culture (hence the name of the firm). Effective cybersecurity cultures lead to stronger cybersecurity postures. Weak postures leave a firm open to social engineering such as successful BEC attacks, and explain the hundreds of large databases with personal information stored insecurely on cloud servers (the latest being details of 50 million Instagram users left exposed by Mumbai-based social media marketing firm Chtrbox).
According to an ISACA/CMMI Institute Cybersecurity Culture Report published in late 2018, 32% of organizations recognize a significant gap between their culture aspiration and their culture achievement — with a further 63% noting a minor gap. However, understanding exactly where, why and how the gap exists without detailed metrics is difficult.
On May 1, 2109, CLTRe published a report on the Security Culture Framework, which is defined as, “the ideas, customs, and social behavior of a particular people or society [i.e. employees in an organization] that allow them to be free from danger or threats.” Its own culture model comprises seven elements: attitudes, behaviors, cognition, communication, compliance, norms, and responsibilities.
CLTRe offers a Security Culture Toolkit that delivers metrics on the customer’s security culture. The service is provided as SaaS, and has been endorsed by ENISA (the EU Agency for Network and Information Security).
The synergy between a phishing awareness training platform with inbuilt metrics, and a wider security awareness metrics capability is clear. Stu Sjouwerman, founder & CEO of KnowBe4, told SecurityWeek, “With the acquisition of CLTRe, we’re widening our scope as we’ve always intended. As the security market evolves, we want to expand from simulated phishing and security awareness training to helping our customers improve their organization’s overall security culture.”
Training alone is not enough. CISOs need metrics that can be repeated over time to present to the board. Executive management understands figures better than arguments, and accurate measurement of the firm’s security culture can help focus minds and budgets where they are most required. “Today’s announcement brings KnowBe4 very valuable tools to help our customers measure what matters — their security culture — so they can make decisions about how to improve.”
Sjouwerman told SecurityWeek that CLTRe will remain in Norway. “However,” he added, “CLTRe’s assessments are being integrated into KnowBe4’s platform as we speak, and this will be made available to all customers at all levels for no additional fee by or before the end of the year.” All CLTRe’s existing staff will be retained.
KnowBe4 announced a Series C funding round of $50 million, led by global investment firm KKR, with participation from Ten Eleven Ventures, on 4 March 2019. This brings the total raised by the firm $93.5 million.