CyberWire Daily - Interview Select: Perry Carpenter on his new book "The Security Culture Playbook." [CW Pro]
Episode Date: November 25, 2022. This interview is from June 3rd, 2022 and originally aired as a shortened version on the CyberWire Daily Podcast. In this extended interview, Dave Bittner sits down with Perry Carpenter, host of 8th Layer Insights, to discuss his new book "The Security Culture Playbook: An Executive Guide To Reducing Risk and Developing Your Human Defense Layer."
Transcript
You're listening to the Cyber Wire book, The Security Culture Playbook, an executive guide to reducing risk and developing your human defense layer,
co-authored with Kai Roer. Here's Perry. So first, my co-author Kai Roer is an internationally well
known guy that has been studying security culture for most of his career. And so one of the things that we wanted to do with that is kind of merge our voices
because Kai is well known for his research into security culture.
I'm pretty well known in my research for awareness and behavior.
And as we come together, we can start to paint a lot more complete picture.
But the other thing that really prompted this is nuance that's in the subtitle of the book.
And I know it's a really, really long subtitle, but there are three critical things in it that we tried to pack in.
Number one is an executive guide. And so this is meant not necessarily for the practitioner, but for the audience of a board of directors or a CIO or a CEO that really needs to understand that
security culture is important. It's something that lives and breathes in every organization,
whether you know it or not. And so the question becomes, how intentional are you about the security culture
that you have? How sustainable is that? What do you need to do about it? And so that executive
piece is really critical. And our hope is that an executive picks that up, reads the first few
chapters, and then says, oh yeah, we need to do something intentional with this. And then they
hand it down to the person that can implement the vision that's
explained there. The second piece that's in the title is reducing risk. And that really comes down
to the fact that the entire reason that security exists isn't for the sake of security. And the
entire reason that security awareness exists isn't for the sake of security. It's actually to reduce risk in an organization
and make the risk tolerable so that the organization can go forward and do the
business that they've been formed to do. And so this is all about risk reduction and up-leveling
the conversation to that executive level or board of directors level. And then that last piece is
developing your human defense layer. And so this
is about the human side of things, because one of the charts that we show early on is that there's
a lot of spending that happens on the technology side of security. Every year we spend more and
more on that, but data breaches are still going up. And when you look at the Verizon DBIR and
other reports, the reason that we see the data
breaches continue to go up has to do with the human side of things. And so our argument is
that we need to put more intention on that so that we can then reduce risk. Can we take a quick step
back and talk about the notion of security culture itself? I mean, one of the things you explore in the book is this idea that
security culture has a specific set of dimensions. Yeah, you mentioned that we have different
dimensions that we break security culture up into, and this is drawn from the social sciences. So,
we believe that you can measure any type of culture with this, but specifically, we're looking
at the security-related nuance. And so we break
security culture into seven different dimensions, attitudes, behaviors, cognition, communication,
compliance, norms, and responsibilities. And one of the interesting things that we say in that is,
yeah, as we measure that, we can see whether you're strong or you're weak in different areas,
but that doesn't mean that all is lost or all is gained if you see one of those data points.
So if you look at your aggregated security culture score and you're concerned about that, you don't have to tackle all seven of those because each of these has a gravitational effect on the other. If you're influencing cognition
and giving people the right information
to make the right decisions at the right time,
you're probably also influencing their attitudes
and you're definitely influencing their behaviors
if you see that come to pass.
So you can strategically focus on one, two, or three of these
and you're going to be pulling the others along the way.
There's another key thing that comes out in this book,
and that is, and this is another reason behind why we created it in the first place,
is there's a lot of and has been a lot of talk about, quote-unquote, security culture for years.
And people are using that phrase in articles and journals and conference presentations and everything else.
The thing that was missing, though, is an actual definition of it.
And what we found, we actually, we at KnowBe4, so this is separate from Kai and I, our employer at KnowBe4, commissioned a study with Forrester a couple years ago. And what we wanted to understand was, do people really know what security culture is and do they value it? And we found that 94%
of people value security culture. They believe that it's an important thing to reduce risk in
their organization. But then we started to ask the more nuanced question of, what do you believe security culture is? And what we found was a shocking fragmentation of what people believe it actually is. Some people believe security culture is following policies. Other people believe that it's the establishment of a security awareness program. Other people believe that it's shared responsibility across an organization. So the funny thing is that somebody like me could stand on a stage and say security culture is important, and everybody in the room can be nodding their heads.
Everybody believes that they're agreeing to the same thing, but everybody actually has a different conclusion of what that means.
Are those things mutually exclusive?
I mean, can they – is there anything that keeps them from
coexisting? Now, there's not anything that keeps it from coexisting, but the thing that was shocking
in that is the segmentation that we saw in that somebody would believe that it's wholeheartedly
one thing, that it's, let's say, following policies. And so if I believe a good security culture is following and mandating policies, I might go in pursuit of that in a way that is absent of empathy and maybe actually alienates my people in some way because I have this more authoritarian way of approaching it.
If I see it only as disseminating awareness-related information, I could do that in a way that potentially, again, gives me a false sense
of security because I'm getting the right information in front of people, but I might
not be seeing the behavior follow up with that. So again, there was this kind of shocking thing
that we noticed, which was people are using this phrase over and over and over again, but without any definition behind that.
And so that was leading to, I think, a lot of false assumptions with people in good faith believing that they're pursuing, quote unquote, security culture, but they were doing it in a more narrow focus than really they needed to.
And so, they're putting all their faith in this one thing that they believe it to be, but kind of potentially ignoring a number of other things
that it should be and that would have that gravitational effect to kind of move the
culture where it needs to be. And so, when we define security culture, we pull it from social
science, very similar to the way that we pulled those seven different dimensions of culture.
And so we say security culture is the ideas, the customs, and the social behaviors of an organization that influence its security.
And that's deceptively simple, but within that you do hear a few key terms, your ideas. So, these are not just
information, but things that permeate the people in the organization itself related to that
security aspect of things. The customs, so that's the lived out behaviors and the ritualized
behaviors, the things that are caught rather than taught by people. So, the things that you'll see
and bring on through peer pressure or through
on-the-job training that may not even be codified in a policy and the social behaviors, very,
very similar in that. Again, the things that kind of the unwritten rules of the organization
that are just dictating the way that people live their security in that organization.
That can be positive or negative.
So we're not being prescriptive in that.
But your security culture is in each of those things
and in each of those seven dimensions, positive or negative, across that.
Again, the idea there is you have that security culture whether you want it or not.
It's do you have the one that you want
or not? You know, you pointed out that in the subtitle of the book, you say this is an executive
guide. How important is it that this comes from the top in an organization? I think it's vitally
important because if people don't feel like they are being consistent with the leadership of an organization in their values and their beliefs and their lived out behaviors, then there's a cognitive dissonance that comes in.
Number one, they always want to know that they're going to be supported in the decisions that they make and the actions that they take.
So that being valued from the top naturally starts to resonate down.
The other thing is people don't like class systems,
especially in the age that we're growing into right now and post-COVID.
People do not like to see class systems in their organizations.
So if there's one standard of behavior related to security
that is pushed down to everybody else but not lived out within the executive ranks, people are going to rebel in different ways against that.
So I think setting tone at the top is for sure really important.
But there's also some nuance that you can add by finding people in the middle of the organization and even at the very bottom of the organization that have loud and clear voices
within their social group and you want to tap into them as well. You know, I often, I like to think
in analogies. It helps me to, you know, figure things out in my own mind sometimes. And sometimes
when I'm thinking about security, I think about, you know, the people who have a retail shop or
something like that. And you'll sometimes see the person
behind the cash register will say, well, it's not my job to stop people from stealing things
off the shelf. That's the security guard's job. And I have enough to do. I'm busy.
My job is hard enough without having to deal with those things. And we've got people who we've hired just to do
that. So why should I take my time to do that? How do we fight that mindset within other
organizations? That's a good question. So if you go into that seven dimensions that we mentioned,
there's two that come to mind there. One is attitudes, and then another one is cognition.
And then of course, norms is there too. So,
you can build that in as a norm. And that goes into one of the definitions that people were
given security culture before, which is when I talked about that fragmentation and the way that
people understood it, one of those was security is a shared responsibility. Yeah, it is that,
but it's not only that. But when you talk about the thing that you were wanting to get to,
that shared responsibility piece of that, as expressed in norms and is understood in cognition
and is rightly taken on in the attitude dimension, becomes really, really important because,
yeah, I don't want the cashier to just wash their hands of something that's dangerous.
Or I don't want in my, let's say we're physically in an office and somebody comes in without a badge or somebody tries to tailgate behind me through the door.
We don't want employees to wash their hands of that.
So one of the things that you have to do is find ways to instill that social norm of the way that we do things here is we all take responsibility.
And you have to model that out from the top, also in the middle and at the bottom of the organization through people that have social standing.
And so you model that, you build that into your norms.
At a cognitive level, you teach people why it's really important that they step up
and take that. You also have to make them feel really, really safe in doing that. Let's say
everybody's on board and they believe that security is the right thing for the organization.
They want to help manage risk. At that point, you have to empower them and you have to reduce fear. And empowering is saying,
if you get this wrong and you challenge somebody that's maybe important, maybe it's a regional
vice president that comes in, they just don't have their badge that day, and you challenge them and
say, I'm sorry, you don't have your badge. We're going to have to take you down to security and
make sure that you have clearance, that you're not going to get punished for doing that step. So you have to empower them,
you have to reduce fear of punishment. And then you also, let's say there's fear of
that person's own physical safety in that. I've seen somebody that's suspicious.
I want to tell somebody, but I'm also afraid to do something about it because I'm afraid that
that person is going to come after me. So I'm not going to physically go stop them. How do I do it? So
at that point, you kind of go back to the see something, say something mentality.
But the one thing that's always missing in see something, say something is here's the way to do that. So you have to follow up with, here's the phone number to call,
here's the person to contact.
At that moment, maybe it is somebody else's job
to put themselves physically in the way
of that other threat that they see.
And so it's not your job to be,
to take on the potential for physical harm.
It is your job to say,
oh, there is a potential for harm there. Let me contact the
right person and do my part that way.