The Security Culture Playbook: An Executive Guide To Reducing Risk and Developing Your Human Defense Layer

Mar 16, 2025, 18 min

Episode description

"The Security Culture Playbook" is a guide to understanding and improving organizational security culture. The book emphasizes that security culture is measurable and manageable, not just a buzzword, and offers a framework (measure, involve, engage) for building a stronger security posture. It examines the interplay between technology and human behavior, highlighting the critical role of human factors in cybersecurity breaches. The authors also present the Security Culture Maturity Model (SCMM) as a tool for assessing and benchmarking an organization's security culture, incorporating interviews with experts in the field to provide diverse perspectives. Finally, the book provides practical advice on gaining executive support and implementing effective security culture programs.

You can listen and download our episodes for free on more than 10 different platforms:
https://linktr.ee/cyber_security_summary

Get the Book now from Amazon:
https://www.amazon.com/Security-Culture-Playbook-Executive-Developing/dp/1119875234?&linkCode=ll1&tag=cvthunderx-20&linkId=118ff5b04bd3fc226a6cb6708592f685&language=en_US&ref_=as_li_ss_tl

Discover our free courses in tech and cybersecurity, Start learning today:
https://linktr.ee/cybercode_academy

Transcript

Speaker 1

Welcome to the deep dive. We take source material and try to find the really interesting stuff, and today we are diving deep into security culture. We're looking at the Security Culture Playbook.

Speaker 2

Great choice.

Speaker 1

You're clearly interested in the human side of cybersecurity.

Speaker 2

Absolutely, and it's a good.

Speaker 1

Thing because technology alone can't really.

Speaker 2

Secure anything right now, that is one hundred percent correct. It's people who use that technology. They make the decisions. Ultimately, they determine how secure an organization is.

Speaker 1

The book starts with a pretty intriguing comparison. It says that security culture is a bit like Bigfoot. Okay, everyone's heard of it, some claim they've seen it, but it's pretty hard to define.

Speaker 2

Yeah, that's such a great analogy. Security culture is this elusive concept that organizations struggle to define, let alone measure or improve. We talk about it, but do we really know what it is or how to cultivate it.

Speaker 1

Yeah, and the authors, Perry Carpenter and Kai Roer, they should know what they're talking about. I mean, they've got over thirty-five years of experience in this field, for sure. And what's interesting is they point out a major flaw in traditional security programs.

Speaker 2

Yeah, for a long time, we focused so much on the technology, on the firewalls and intrusion detection systems, we kind of forgot about the people using those systems, right. So it's.

Speaker 1

Like we have all these fancy tools, but then somebody clicks a phishing link and boom, the whole network's compromised. Exactly. And the book cites some pretty alarming statistics. Yeah, did you know that by twenty thirty-one, experts are predicting a ransomware attack will occur every two seconds.

Speaker 2

That's a scary thought. It really kind of drives home the point that we need to get security culture right. There's a study by KnowBe4. They found that employees in organizations with a weak security culture are fifty-two times more likely to fall for phishing scams. Fifty-two times. Fifty-two times. Wow, that's a big difference.

Speaker 1

That's huge. So clearly, building a strong security culture is not optional, right, It's not negotiable, it's essential. So how do we actually go about building this human firewall?

Speaker 2

So the Security Culture Playbook provides a framework with seven dimensions of security culture, and I think it's really helpful to think of these dimensions as interconnected gears in this complex machine.

Speaker 1

Okay, I like that analogy. Let's break down these gears. Let's start with attitudes.

Speaker 2

Okay, So attitudes are all about how employees feel about security. Do they see it as a priority or is it just another box they have to check.

Speaker 1

I imagine a positive attitude goes a long way in shaping behavior. Yeah, and that leads us to the next dimension, right, behaviors exactly.

Speaker 2

Behaviors are those actions that employees take. Are they following the protocols? Are they being careful about what they click on? What they download?

Speaker 1

This is where it gets interesting. The book talks about cognition, which seems to go deeper than just knowing the rule right.

Speaker 2

Cognition is about understanding. It's about having the mental models to make informed decisions, like recognizing a phishing email even if it's really well disguised, or knowing how to report a potential security incident.

Speaker 1

So it's not enough to tell people what to do. They need to know the why behind.

Speaker 2

The rules precisely. And that brings us to communication, which I think is the oil that keeps that security culture machine running smoothly.

Speaker 1

Because if nobody understands what's going on or why it matters, how can they follow the rules?

Speaker 2

Exactly? Communication needs to be clear, consistent, and engaging. It's not just sending out those occasional security awareness emails. It's about making security a part of the entire organization's communication strategy.

Speaker 1

Okay, so we've got attitudes, behaviors, cognition, and communication. What's next.

Speaker 2

Well, compliance is really important.

Speaker 1

Okay.

Speaker 2

It's about making sure people understand and follow security policies. But it's more than just having those policies right. It's making sure they make sense, that they're practical, easy to follow.

Speaker 1

Because if they're one hundred pages long and written in legalese, nobody's going to read them, let alone follow them, right.

Speaker 2

Right, exactly. The goal is to create a culture of compliance where people understand the rules and they choose to follow them because they see the value.

Speaker 1

Okay. Next up is norms, which sounds a bit more subtle than some of the other dimensions.

Speaker 2

Norms are those unwritten rules, those unspoken expectations about what's okay and what's not okay. Uh huh. Like, is it normal to share passwords or leave your computer unlocked? These norms, they can either help or hurt your security efforts.

Speaker 1

Right, because if everyone's sharing passwords, it doesn't matter how strong your password policy.

Speaker 2

Is, right exactly.

Speaker 1

And finally, we have responsibilities, which seems pretty self explanatory.

Speaker 2

It might seem that way, but this dimension is all about clarifying who's in charge of what. Okay, do employees know what their role is in protecting sensitive information? Do they know how to report an incident? And do they feel empowered to do so?

Speaker 1

So it's about creating a culture of accountability where everyone's taking ownership of security.

Speaker 2

Exactly. These seven dimensions they all work together to create this strong security culture where security is a part of the DNA of the organization.

Speaker 1

Okay, so we've laid out the framework, but how do we know where to start? The book mentions shadow IT as a potential red flag, right. What exactly is that?

Speaker 2

Shadow IT is when people use unauthorized software or cloud services. Okay. So, imagine an employee is storing sensitive company data on their own personal Dropbox account because it's just more convenient than using the company system.

Speaker 1

Uh huh, So it's kind of like going rogue with technology.

Speaker 2

Yeah, kind of.

Speaker 1

And I can see how that would create security.

Speaker 2

Risks. Absolutely, it can, and what's surprising is how common it is. Yeah, studies have shown that, like, twenty to fifty-four percent of employees admit to using these unauthorized cloud services.

Speaker 1

Wow, I wouldn't guess the numbers were that high. So if we're seeing shadow IT happening, that's a pretty clear sign that something's off with the security culture.

Speaker 2

It's a sign that we need to dig a little deeper. Why are employees bypassing the security measures? Is it because they don't know any better, or they find the tools to be clunky and hard to use, or is there just this cultural norm that needs to be addressed? Shadow IT, it's a symptom, not the disease itself. It's a sign that there's this disconnect between what the organization says about security and what's really happening.

Speaker 1

So we've identified these gaps. Maybe we see some shadow IT going on, phishing attempts are getting through. How do we actually start to improve things?

Speaker 2

Well, the playbook it lays out this three step process. Okay, measure, involve, engage.

Speaker 1

Sounds like a good plan. I'm guessing it all starts with figuring out where we are, where we stand.

Speaker 2

Currently. Exactly, you can't fix what you can't measure. The book recommends using something called the Security Culture Survey to establish that baseline. This survey, it assesses all those seven dimensions we talked about, and it gives organizations this clear picture of their security culture maturity.

Speaker 1

So once we have the data, what's next? We involve?

Speaker 2

We involve the stakeholders. Yeah, and the key here is using the language of risk, which is something that business leaders understand. It's about connecting security culture to business outcomes.

Speaker 1

Because at the end of the day, security is about protecting the business exactly right. So we need to show those stakeholders why a strong security culture is a good investment for sure.

Speaker 2

And once you have buy in from those stakeholders, you move to engage where you actually put in place these activities and communication strategies to improve the culture.

Speaker 1

Okay, so this is where the rubber meets the road. What kind of activities are we talking about?

Speaker 2

Oh, it could be targeted training programs, It could be phish simulations to test employee awareness, or even gamification.

Speaker 1

Gamification, Yeah, tell me more about that.

Speaker 2

Gamification is about using game mechanics like points, badges, leaderboards, things like that, to encourage good behavior. Okay, it taps into our natural desire for competition and achievement, so it can be a really effective way to engage people.

Speaker 1

Okay, I'm getting some ideas here. But beyond specific activities, the book also emphasizes the importance of storytelling. It even compares it to the transformation of safety culture in the oil and gas industry.

Speaker 2

It's a fascinating comparison, isn't it. The oil and gas industry. I mean, they used to have a terrible safety record, but then they went through this major cultural shift and they made safety a top priority and they embedded it into everything they did, and storytelling was a big part of that.

Speaker 1

Yeah, and I can see how a powerful personal story it makes the risks feel more real, much more immediate. Stories they resonate with us on a deeper level.

Speaker 2

I think they do. They stick with you.

Speaker 1

Yeah.

Speaker 2

They're more memorable than just, you know, dry facts and figures.

Speaker 1

Right.

Speaker 2

Imagine you share a story about a company that was hacked, right, because they had weak passwords. That's a lot more impactful, right, than just telling employees, hey, make sure you have a strong password.

Speaker 1

Yeah, It's like, hey, this could happen to us.

Speaker 2

Exactly.

Speaker 1

But it's not just about scaring people right now.

Speaker 2

It's also about celebrating those successes, you know, highlighting positive security behaviors, recognizing people who are doing a good job. Right. The book calls these people culture carriers.

Speaker 1

The security champions, people who are like really passionate about security and they can get other people excited about it.

Speaker 2

Yeah, they're your security evangelists. Yeah, the people who help spread the message and make it a priority for everyone.

Speaker 1

Finding and empowering those seems really important.

Speaker 2

Absolutely.

Speaker 1

Now. It strikes me that we've been talking a lot about what organizations can do, but what about individuals. What role can they play in shaping security culture.

Speaker 2

That's a great question. Individual responsibility is really important. Each person needs to be proactive to stay informed about the threats, to practice good cyber hygiene, to report anything that seems suspicious.

Speaker 1

So it's about being security minded. Yeah, not just at work, but in all parts of our lives. Exactly. But to get a full understanding of security culture.

Speaker 2

Yeah.

Speaker 1

The book goes beyond these practical strategies, and it actually includes interviews with experts.

Speaker 2

Yeah, they have a lot of really interesting perspectives in there.

Speaker 1

What insights did you find particularly valuable.

Speaker 2

Well, one recurring theme was that culture change, it's an organization-wide thing. It's not just a security issue. John Schulders from Pyxis Culture Technologies, he argues that everything shapes culture, from hiring practices to leadership styles.

Speaker 1

So it's not just about what the security team does, it's about how the whole organization operates.

Speaker 2

Absolutely, and Michael Lecky from Silverback Partners, he emphasizes the importance of aligning security culture with business goals. Security leaders, they need to articulate the value of security in a way that makes sense to business leaders.

Speaker 1

So it's about making security an enabler, not an obstacle.

Speaker 2

Right. Another expert, Dr. Jessica Barker, she highlighted how effective those security champions programs can be. She argues that having those passionate advocates within teams, right, can be incredibly powerful.

Speaker 1

So it's like building a grassroots movement from the inside. Yeah. And these champions can then use storytelling exactly to connect with their colleagues.

Speaker 2

On a personal level.

Speaker 1

Yeah. But while storytelling is important, the experts also said that data and measurement are important too.

Speaker 2

Right, how do we know if what we're doing is actually working.

Speaker 1

Yeah, that's a key point. It's one thing to talk about security culture, but how do we know if it's really effective.

Speaker 2

Several experts recommend focusing on metrics that are tied to those business outcomes. So are we seeing a reduction in phishing attacks? Are we seeing less shadow IT? Fewer security incidents overall?

Speaker 1

So it's not just about tracking how many people finish the training course, it's about seeing if it's actually making a difference exactly.

Speaker 2

Mark Macjefski, he's an information security evangelist. He suggests going a little deeper with those security culture surveys. He proposes questions like is protecting client data a priority in your company? These types of questions they get at those underlying values and norms that shape behavior.

Speaker 1

It's like getting the real story. Yeah, not just what people say on the surface exactly.

Speaker 2

But even with the best data and strategies, there are always challenges.

Speaker 1

Of course, what were some of the sticking points the experts brought up.

Speaker 2

Well, one of the biggest was this knowledge-intention-behavior gap. Just because someone knows the right thing to do doesn't mean they'll actually do it. Yeah, we've all been there. Exactly. We might know we need to make a strong password, but then we end up just reusing an old one because it's easier, right. Or we know we shouldn't click those suspicious links, but, you know, we get curious.

Speaker 1

Yeah. The book suggests that security leaders they need to design their programs with these biases in mind. Right.

Speaker 2

Absolutely, it's not enough to just give people information, right. We need to make it easy for them to make those secure choices.

Speaker 1

Right. If the tools are hard to use, people are going to find workarounds.

Speaker 2

Exactly. People they want to do things the easy way.

Speaker 1

Yeah.

Speaker 2

Another sticking point was this tendency to view security culture through the lens of our own experiences. IT professionals, they might assume that everyone understands how important security is, right, while other departments, they might be more focused on productivity, getting things done.

Speaker 1

So we need to get out of our bubbles and realize that different people have different priorities.

Speaker 2

Absolutely, the book encourages security leaders to get input from different people and really challenge their own assumptions.

Speaker 1

It's about understanding where other people are coming from.

Speaker 2

Yeah, we need to recognize that what seems obvious to one person might not be so clear to someone else, right, And.

Speaker 1

This brings us back to that idea of measurement. The Security Culture Playbook goes pretty deep on the Security Culture Survey, SCS. This tool is designed to assess those seven dimensions we talked about before, and it's really interesting how they developed it. It started with this huge pool of questions, and over the years they refined it, and now it's this concise and effective tool.

Speaker 2

It's powerful because it gives us a way to actually measure security culture, so we can track our progress and see what we need to work on.

Speaker 1

The book has some really good examples of how to use data to improve security culture, like this idea of connecting awareness, behavior and culture right.

Speaker 2

Research has shown that there's a correlation between knowledge and behavior. When employees understand the threats and the best practices, they're more likely to be careful.

Speaker 1

But the book says, don't assume that one causes the other.

Speaker 2

Yeah, it's not that simple. Just because someone knows what to do doesn't guarantee they'll do it right.

Speaker 1

There are other factors, like attitudes and norms and even pressure at work. Exactly, all those things can affect behavior, so it's.

Speaker 2

Not as easy as, let's train everyone and then magically they'll be security minded.

Speaker 1

Right. We need to create an environment that supports good security habits exactly.

Speaker 2

We can also use data that we already have to measure security culture. We can look at incident reports to see if there are any patterns, see if there are any areas where maybe people need more training.

Speaker 1

It's like we're detectives looking for clues. Yeah, trying to figure out the story of the organization's security culture.

Speaker 2

And speaking of stories, the playbook suggests using something called A/B testing. Okay, this technique comes from marketing. Basically, instead of just guessing what will work, we can try out different approaches, right, and see what works best.

Speaker 1

So, like, an organization could test two different security awareness modules, right, and see which one leads to people being better at spotting phishing emails.

Speaker 2

Exactly. We want to use data to guide our decisions, right, to make sure we're having the impact that we want, and.

Speaker 1

It's important to use metrics from different sources, right.

Speaker 2

Just relying on one metric can be misleading.

Speaker 1

It's like judging someone's health just by looking at how much they weigh, right, It doesn't give you the whole picture.

Speaker 2

So we want to combine data from those security assessments, the phishing simulations, the incident reports, employee surveys. Right, all of that together gives us a much better understanding of the culture and.

Speaker 1

Then you can really fix the problems. Exactly.

Speaker 2

You need to be able to identify those root causes.

Speaker 1

Building a good security culture.

Speaker 2

It's a journey, it is.

Speaker 1

Yeah, it takes time, it does.

Speaker 2

We're constantly learning and adapting. We need to be open to feedback, willing to experiment.

Speaker 1

The Security Culture Playbook has given us a lot to think about. It has. It's like a guide to making security a part of who the organization is.

Speaker 2

It's about making security part of everyday conversations, decisions, part of the values that drive the organization.

Speaker 1

As we wrap up this deep dive, we encourage you to think about how you can apply these ideas to your own organization. What's one small step you can take today to make a difference.

Speaker 2

Maybe share a security tip with your team or talk to your manager about security culture. Every little bit helps. It does. We can all contribute to a more secure digital world.

Speaker 1

Thank you for joining us on this deep dive into the Security Culture Playbook. We hope you've found it insightful. Until next time, stay curious, stay engaged, and stay secure.