NINJIO – The Netflix Model of Security Awareness Training
Expert Insights spoke to Zack Schuler, Founder and CEO of NINJIO, about why their content first approach is the best way for companies to protect their employees from cyber threats.
Expert Insights / Apr 23, 2019 / By Joel Witts
NINJIO, founded in 2015, has taken a different approach to security awareness training than many other vendors. They are heavily focused on content, aiming to create high quality and engaging stories.
These are delivered in three-to-four-minute episodes in a unique art style format, to help users learn about security issues and how to protect themselves against them.
Zack Schuler founded NINJIO after identifying a gap in the growing Security Awareness market.
“I saw that most security awareness training appeared to be highly ineffective,” Schuler tells us.
“All of the training that I saw out there was clearly being used as a “check the box” exercise - we wanted to create something that actually worked. We saw an opportunity for building something memorable, and entertaining, based on topical news stories that people remember,” remarked Schuler. For this they have chosen a visually striking anime approach, which is hugely popular with end users, and admired by other security awareness training vendors.
Netflix model of Security Awareness Training
NINJIO has a content first approach. They deliver training in 3-4-minute episodes released every month as part of their subscription. Companies can either consume the content from NINJIO’s own Learning Management System (LMS) or distribute it via their own LMS or other content delivery system.
This is similar to the methods streaming platforms like Netflix use to distribute content, but the similarities don’t end there. Just as Netflix uses the wealth of data it has on its users to create more engaging content, NINJIO is doing the same.
“We have really strong data on how people are interacting with our content. In addition, we know how quickly they watch after an episode has been released, what types of content people are interacting more with. We have data scientists using this data to score individual risk profiles of users, which then translate to the risk profile of the organisation the company works for,” Schuler says.
In development is a system whereby NINJIO identifies the specific issues a customer’s employees need more help with and then prescribes specific training for those issues. It will help to target specific weaknesses within the organisation.
Testing and Training Employees
NINJIO has taken a different approach to phishing training than many other vendors in the SAT market. Most vendors take the approach of conducting a simulated phishing campaign, after which they provide training and
Schuler remarked, “Eighty percent of Security Awareness Training companies are what I refer to as “phishing first companies.” They start with testing (phishing) and then perform training. Think back to your days in school - when have you ever walked in on day one, been given a test, and then received training after the fact, that’s the reverse of what’s normal,
Schuler sees this as being more about giving companies peace of mind that they have taken steps to protect themselves with a proactive “training first” methodology. He says NINJIO is concerned about “protecting the end user and giving them the tools to protect themselves, and in turn they will protect those organizations that they work for.”
Working with vendors across the market
NINJIO has shaken up the SAT market with this approach. Due to the content first style, the content has flexible deployment options.
“We have a new approach of selling to other tech companies,” Schuler says. NINJIO is licensing its content to other vendors, such as Cofense, IronScales, Terra Nova, Sophos, and about 50 managed services providers. They use NINJIO content, while using their own testing or phishing protection methods.
This is helping to separate the testing and training of employees. Schuler argues this is a good thing, as too often when one vendor does both, the testing is too similar to the training, which does not reflect the real world. This means that employees are less likely to spot real phishing
Family Use Rights
As part of every subscription, NINJIO includes what they call “Family Use Rights.” This gives each employee of each NINJIO client the ability to sign up their family members to receive content at no additional cost.
Asked about this, Schuler says, “If the spouse watches NINJIO at work and comes home to a family who has also consumed the content, you create an opportunity for the family to have a dinner table conversation about being more secure, or what I call “Secure Living.”
Creating this security-aware culture within the family unit makes the spouse that much more invested in security, thus protecting their organization exponentially more than if they simply viewed NINJIO as training mandated by
A new corporate focus?
NINJIO has a unique art style which is popular with customers. “Flexible content styles mean that we are more likely to be liked by businesses of all sizes,” Schuler says. “We have a sole focus on high quality production.”
“Our anime style is popular with customers of all sizes but isn’t always a fit within a particular corporate culture. We have developed a new content style that fits better with more conservative environments. Because this is flexible, we are seeing organisations using both styles. CXOs may use the corporate training format, while younger end users may prefer the original
What sets NINJIO apart?
The security awareness training market is crowded and there are a lot of vendors vying for attention in this space. We asked Schuler what made NINJIO the best vendor in this space.
“Other vendors in the security awareness training market put testing before training. Then they train users toward the next phishing attack. Their solution not only provides simulated phishing, but also simulated results,” remarked Schuler.
“Other vendors also don’t reflect the real world. Our training emotionally engages viewers in the first scene of every episode, is based on real companies suffering significant breaches, and we focus on a single current attack vector, thus not confusing the viewer with too many technical terms. Not to mention, each episode is written by Bill Haynes, a member of the Writers Guild of America, and a former writer for CSI-NY and Hawaii 5-0 with more than 71 episodes under his belt. This makes for some great storytelling,” Schuler says.