BCN S9 9 | Cyber Security Culture


Technological advancement brings more efficiency, accuracy, and precision to our work, but not all of it is good news. The same advancement exposes businesses to cyber threats, and understanding why a cyber security culture is needed helps us avoid them. In this episode, Perry Carpenter, Chief Evangelist and Strategy Officer for KnowBe4, shares his insights about cyber security culture, where it fails, and how you can avoid those failures. Tune in to learn more about protecting your business from cyber threats by building an effective cyber security culture in your organization!

What You’ll Discover About Cyber Security Culture

  • What is Cyber Security Culture?
  • How can you change behavior to achieve a conducive and tight cyber security culture?
  • What is the root cause of cyber security failures in an organization?
  • How can you start building a cyber security culture from the beginning?

    GUEST

    PERRY CARPENTER, C|CISO, MSIA, who currently serves as chief evangelist and strategy officer for KnowBe4, the world’s most popular security awareness and simulated phishing platform. A recognized thought leader on security awareness and the human factors of security, he’s provided security consulting and advisory services for the world’s best-known brands. His previous book, Transformational Security Awareness: What Neuroscientists, Storytellers, and Marketers Can Teach Us About Driving Secure Behaviors, quickly gained a reputation as the go-to guide for security awareness professionals worldwide, and, in 2021, he was inducted into the Cybersecurity Canon Hall of Fame. He’s the creator and host of the popular 8th Layer Insights podcast and co-author of the new book The Security Culture Playbook: An Executive Guide to Reducing Risk and Developing Your Human Defense Layer.

    Building A Cyber Security Culture To Protect Your Organization From Cyber Threats With Perry Carpenter

    Developing a cybersecurity culture in your business might sound like making sure your IT person has access to the latest patches and software updates. Our guest says that the best defense against cyber-attacks and protecting all your valuable business data is not technology. We’ll find out what they’re talking about and what you should be doing to beef up your cybersecurity culture.

I’m excited about our guest, Perry Carpenter. Perry is a cybersecurity expert. In our world, where more and more of our lives are plugged into internet-enabled devices at work and at home, having a cybersecurity culture mindset is important if we want to keep our information safe. Perry serves as the Chief Evangelist and Strategy Officer for KnowBe4, the world’s most popular security awareness and simulated phishing platform. He’s a recognized thought leader on security awareness and the human factors of security, providing advice to some of the world’s best-known brands. Plus, he’s also the co-author of the book, The Security Culture Playbook: An Executive Guide To Reducing Risk and Developing Your Human Defense Layer. It is a privilege to have him with us. Welcome to the show, Perry.

Thank you so much for having me.

I am excited about this topic because everywhere you go, people are glued to their phones, iPads, and electronic devices of all sizes. Please help us all understand what you mean by a cybersecurity culture. How is that different from basic security awareness? I want to make sure we all have the same understanding of what a cybersecurity culture is. It sounds bigger, but you tell me.

Security awareness is a phrase that is loaded with baggage. It’s also inadequate to describe what we want and what we need. When somebody says security awareness, the follow-through with that usually involves putting some form of information in front of somebody. I call that information dissemination. It’s usually information dissemination with the hope that as somebody reads that or views it, they’ll naturally change their behavior.

    The Security Culture Playbook: An Executive Guide To Reducing Risk and Developing Your Human Defense Layer

Anybody that has been a teacher or a parent or has lived in the world for more than a few years knows that giving somebody information doesn’t always get the results you want. There’s a gap between knowing something and caring about that thing. There’s even a gap between caring about something and wanting to act in the right way and doing it. That’s why we have so many failed New Year’s resolution lists. When we think about security culture, awareness may be a nucleus within that, but it’s so much more. The way we define security culture is that it is the ideas, customs, and social behaviors of a group that influence that group’s security overall. It’s this red throughline of security values that goes throughout an organization. We even break that up into seven different components that can be measured, like attitude, behavior, cognition, communication, compliance, norms, and responsibilities. It is the idea that from the perspective of an organization, the security culture is the way that things are done in that organization when it comes to security. It’s the things that people think, the things that they believe, the ways that they act, and then all of the unwritten rules and social pressures that come along with that as well.

I love the way that you have fleshed that out. That sounds comprehensive. It’s impressive. When you’re talking about an organization, and you’re not starting from scratch, you’re going into an organization where people have certain behaviors, certain customs, and certain habits that may not necessarily be the most conducive to having a type of cybersecurity culture, how do you go about changing behavior? I like what you said about going from caring to doing. It’s one thing to nod your head and say, “Yes. That makes sense. That’s good,” but it’s another thing to actually do it. Where do you start, Perry?
Where I usually advise that people start is measuring what’s there because only after you have a baseline can you show whether you’re improving or hurting yourself. That’s where the practicality of those seven different dimensions comes in. I can ask certain questions. I can deploy surveys. I can also look at operational data from logs and other data that we’re able to collect electronically and get indicators about where everybody is across those things, and where they believe the organization is as a whole. We can also see if there are disconnects between where people think that they are and where they are. After we understand all of that, then we can start to chart a way to address any gaps between where we want to be and where we are. There’s also some good news in that. When people hear about seven dimensions, they get a little bit overwhelmed because they’re like, “What if I’m bad across all of those? What if I’m not where I want to be across all of those? I have to develop this comprehensive plan to address seven different things. I don’t know how to do that.” There’s good news in that each of these has a gravitational effect on the others. If I start to work on communication, maybe that affects attitudes. If I work on communication, maybe that affects norms a little bit. If I decide that I’ve got a big deficit in attitudes, I work on that specifically. I start to see a lift across some of the others as well. Not all of them affect the others equally, but there are specific orbits in which each of those tends to operate. If I work on one, it tends to pull some of the others along with it.

That’s good to know because I can imagine some people like, “Seven things like my plate is not full enough already. Now I got to do some more here.” It’s good that there’s a little bit of a domino effect that goes on. A little bit can go a long way. I am curious. In your experience, what is the root of most cybersecurity failures in an organization?

From a failure perspective, the evidence is clear. It comes down to some form of a human being tricked, making a mistake, or intentionally doing something to bypass a process, whether that’s intentional or negligent. The Verizon Data Breach Investigations Report tends to prove that over and over every year. The 2022 report says that 82% of data breaches can be traced back to some form of human error. That’s why we need to focus on the security culture piece. We need to focus on the ABCs of security. I say that like I invented the ABCs. I did not. This phrase has been used for a while, but it has been used by a few people. I’m one of those that use that. ABC is Awareness, or the communication piece; Behavior, or the modeling and shaping of behavior, and picking technology based on the behavior patterns that it can encourage or prevent; and then Culture is social norms, social values, pressure, and so on. When you’re focusing on all three of those, you can start to reduce the likelihood that human error will become the major factor of a breach, or you’ll be able to start to see some improvement in those areas. Unfortunately, when you look at the past couple of decades of security, what you see is that, encouraged by the vendor community in a lot of ways, organizations everywhere continue to put their faith and their money in technology-based security products that say, “We can take care of that. Humans don’t need to be trained. They don’t need to be part of the answer to this because we know they’re always going to make mistakes, so we’ll fix it.” What we’ve seen over and over again is that technology doesn’t fix it. It changes where the problem occurs.

The last thing I’ll say before I’ll let you react to that is that when we look at the spending piece of that, we see that over 95% of security spending over the past several years has been focused on those technology-laden types of tools and not tipping any hat towards the human side of things, and less than 5% has been focused on humans.

What’s the best place to start in focusing on the human side if you’re looking to create a cybersecurity culture? It’s one thing to get your baseline and do these measurements but still, on the human part, where’s a good starting point?

Number one, you do have to take the temperature of your organization. You need to know exactly what’s going on and where your biggest problem points are. You can start to ask some interesting questions of the executive team. No matter what, you’re always dealing with the culture. I can say I’m going to do a security culture program, but if my current culture within the executive suite won’t tolerate that, my security culture program won’t go anywhere because the organizational culture won’t allow it to. I need to understand where I want to go from a security perspective and where I am organizationally because my security culture is always going to be a sub-component of that organizational culture. Once I understand where I can be organizationally, then I can start to have some executive-level conversations and position this in the right way. The reason I’m doing all of this in the first place is not security for the sake of security. It is to reduce human-based risk throughout the organization. Every organizational executive understands the language of risk. I’m going to start to uplevel the conversation to risk. I’m going to then start to say, “What risks am I impacting?” It’s the risk of breach related to ransomware, the risk of intrusion based on somebody losing passwords as part of a phishing scam, the risk of a bad actor making it into the building through tailgating, or the risk of somebody inappropriately sending out confidential data to somebody that doesn’t need that. It’s reducing all of those risks, and then you get into the actual, “How does that happen?” That comes down to some of the more traditional awareness pieces, but also technology that can help with that and shape the behavior that you want.

It’s understanding where you are, upleveling the conversation, and then pushing back down into the practical things you can do. One of the things that I love to do with the CISO or the executive team is asking the question: if you could wave a magic wand and three behaviors within your organization are addressed from a security perspective, what would those behaviors be? It usually comes down to something related to phishing, something related to password management, and something related to incident reporting. You start to develop your plans based on that because those are very attainable things to be able to address.

The way you’ve narrowed it down is great. These are attainable goals to address clearly the things that senior management would want. Going back to what you said earlier about having conversations with senior management to find out what the culture of the organization is so that you can dovetail being able to implement a more cyber-secure culture, could you give us an example of where there was maybe a disconnect or a conflict where it’s like, “We’re not going to be able to take this tech. We have to take another.” Leveling up the conversation to talk about where the human-based risks seem to be so reasonable and so smart. How could something like that get crosswise with the existing culture of an organization? Can you give me an example?

Where security leaders tend to have issues with any implementation of any program like this is always going to be competing priorities, fear, or misunderstanding. Let’s say you don’t even frame it with risk. Let’s say we’re going to deal with phishing because everybody knows that phishing is a problem. Your executive team might not fully know that, but most CISOs say, “We have to deal with the phishing problem. We’re going to do phishing training. We’re going to release these videos and do an event.” Now you got five other executives that are saying, “You’re taking time away from my employees. That affects productivity.” You’re sending out phishing simulations. When somebody clicks on something, they might feel bad about that when you do training. You’re now affecting morale. You get shut down before you’re even able to start in a lot of those things. But when you uplevel the conversation and start to address this in a way that resonates and is in tune with the culture of your organization, then you can start to get buy-in. You can also understand where those objections are, and what those fears and concerns are so that you can work around those. You can directly address those in the way that you develop this and have good conversations with the executive team on what their priorities, beliefs, and goals are for the rest of the year. You can use all the different levers that matter for the organization, and then use those as reasons why your security program, security training program, culture program, or whatever you decide to call it is important. If it’s a profit lever, our profit is not going to be all that great if we got a data breach and we’re having to spend a lot of money on investigation and response with that. Our profit is not going to be that great if we’re not hitting this regulatory bar. Now we’re having to pay fines and deal with all that. Everybody’s productivity is going out the window because they’re having to be babysitters to auditors. You can start to find lots of reasons why doing the right thing from a security perspective aligns with several other priorities and goals that other organizational leaders have. We have to be willing to understand what those priorities, goals, and fears are so that we can back our argument, but not in a bad way, or better set our rationale into something that resonates with something that they’re going to care about.

It’s all about the persuasion factor, which is awesome. Put it on their wavelength. I appreciate that. Thank you for that.

In The Security Culture Playbook that we wrote, I have a few worksheets in there that I go through and help people figure out those lines of rationale and the conversations that people should have as they’re getting buy-in with all these different departmental leaders and so on. There are ways that you can pre-think through all that. You’re not taken off guard the moment whenever somebody says, “In our call center, we need X amount of productivity.” What now happens whenever you ask for some training time?

That’s good to know. It’s nice to have that resource. Some of our readers have smaller businesses. They don’t have a lot of departments. They may not have call centers. Some of them may even be startups. What advice do you have for someone in that position that’s small and growing? Maybe they have great plans for the future in terms of size, but they’re not there yet. How can they start building a cybersecurity culture from the beginning?

The answer is way easier than you would think. Let’s talk about it. Make cybersecurity, risk management, and understanding the threats that come against an organization like yours a frequent topic of conversation, so it’s top of mind. You can deploy training and everything else. Your number one step is to make it a priority of things that you talk about so that it is something that your small team or whoever in your organization knows that doing the right thing from a security perspective and being aware of the things that can happen is part of what your company and organization are about, and how you approach business. The other thing is you add on that. That way, when you decide to do some more formal training, people go, “That’s part of the DNA of this organization. We’re concerned or even prideful about the way that we approach security and the protection of our customers’ information or our intellectual property. It’s who we are.” You then do the next thing. It’s who you are. You hire five more people. The people in your organization are now reflecting the values that you’ve already espoused and put into them. They’re reflecting that out to other people before they even have the chance to receive all that formal training. They’re showing them the way things are done in your organization. You have the chance as a small organization to build the right culture from the ground up as you grow, which is a good place to be.

It also sounds like a cybersecurity culture can be a real competitive advantage. If you’re doing the right thing to protect your customer data and your intellectual property, it’s something that you should talk about.

I’ll put a caveat on that. You don’t want to talk about it in a boastful way because, at that point, you’re inviting somebody to try to prove you wrong in a malicious way. You don’t want to boast about it, put down all your competitors and everything else and say, “We’re the best.” You can stand up proudly and say, “We take this seriously. We bake it into our culture. We believe that the protection of our customer information, our internal processes, controls, and everything else is one of the most important things that we can do as an organization. We try to infuse that value in everybody we hire, every process we develop, and so on.” You can talk about that well. Let’s say you deploy a piece of technology or a process that puts in a little speed bump for your customers. They now have to register for something or got to add a more complex password or something else. You can flip that: something that they may have taken as a negative because, in their mind, maybe it’s inconvenient to do that. You can say, “This is one more sign of the importance that we take on doing the right thing with your data. Every time you feel that little bit of friction, you’re feeling us doing the right thing for your data. The fact that we value you as our customer is something that shines through some of these other things.” You can take something that might be seen as a negative to some people, and you can talk about it in a positive way.

There are lots of advantages to having a cybersecurity culture. Thank you so much, Perry, for joining me and for your time and your generous advice to help us learn more about cybersecurity culture, and that it is more than just cyber awareness. It is important for businesses to get this under control, especially as there is going to be more opportunity with technology for our data and our intellectual property to be attacked and possibly stolen. If you know someone who would like to increase their cybersecurity culture or should increase their cybersecurity culture, please tell them about this episode. Share the link and leave a positive review so others can find out about it too. You can do that on your podcast app or over at LoveThePodcast.com/BusinessConfidential. Thank you so much for reading. Have a great day and an even better and more cyber-secure tomorrow.
