WEBVTT 1 00:00:00.080 --> 00:00:04.480 Welcome to the deep dive. We take source material and 2 00:00:05.040 --> 00:00:09.039 try to find the really interesting stuff, and today we 3 00:00:09.080 --> 00:00:12.320 are diving deep into security culture. We're looking at the 4 00:00:12.359 --> 00:00:13.880 Security Culture Playbook. 5 00:00:14.119 --> 00:00:15.039 Great choice. 6 00:00:15.240 --> 00:00:18.039 You're clearly interested in the human side of cybersecurity. 7 00:00:18.079 --> 00:00:20.320 Absolutely, and it's a good. 8 00:00:20.160 --> 00:00:22.359 Thing because technology alone can't really. 9 00:00:22.120 --> 00:00:24.600 Secure anything right now, that is one hundred percent correct. 10 00:00:24.879 --> 00:00:28.559 It's people who use that technology. They make the decisions. Ultimately, 11 00:00:28.600 --> 00:00:32.920 they determine how secure an organization is. 12 00:00:33.479 --> 00:00:36.799 The book starts with a pretty intriguing comparison. It says 13 00:00:36.799 --> 00:00:40.560 that security culture is a bit like Bigfoot. Okay, everyone's 14 00:00:40.560 --> 00:00:42.920 heard of it, some claim they've seen it, but it's 15 00:00:43.039 --> 00:00:45.159 pretty hard to define. 16 00:00:45.439 --> 00:00:47.520 Yeah, that's such a great analogy. Security culture is this 17 00:00:47.600 --> 00:00:52.159 elusive concept that organizations struggle to define, let alone measure 18 00:00:52.439 --> 00:00:55.119 or improve. We talk about it, but do we really 19 00:00:55.200 --> 00:00:57.439 know what it is or how to cultivate it. 20 00:00:57.640 --> 00:01:01.600 Yeah, and the authors Perry Carpenter and Chiro Roar, they 21 00:01:01.600 --> 00:01:03.200 should know what they're talking about. I mean, they've got 22 00:01:03.240 --> 00:01:05.920 over thirty five years of experience in this field for sure. 23 00:01:06.000 --> 00:01:08.959 And what's interesting is they point out a major flaw 24 00:01:09.040 --> 00:01:10.560 in traditional security programs. 25 00:01:10.680 --> 00:01:13.040 Yeah, for a long time, we focus so much on 26 00:01:13.079 --> 00:01:17.760 the technology, on the firewalls and intrusion detection systems, we 27 00:01:17.840 --> 00:01:20.560 kind of forgot about the people using those systems, right, 28 00:01:20.640 --> 00:01:21.159 So it's. 29 00:01:21.000 --> 00:01:23.159 Like we have all these fancy tools, but then somebody 30 00:01:23.159 --> 00:01:26.359 clicks a fishing link and boom, the whole networks confromise exactly. 31 00:01:26.719 --> 00:01:30.079 In the book sites some pretty alarming statistics. Yeah, did 32 00:01:30.120 --> 00:01:33.400 you know that by twenty thirty one, experts are predicting 33 00:01:33.879 --> 00:01:38.120 a ransomware attack will occur every two seconds. 34 00:01:37.719 --> 00:01:40.840 That's that's a scary thought. It really kind of drives 35 00:01:40.879 --> 00:01:43.599 home the point that we need to get security culture right. 36 00:01:43.920 --> 00:01:46.159 There's a study by Noah Jay four. They found that 37 00:01:46.239 --> 00:01:51.040 employees and organizations with a weak security culture are fifty 38 00:01:51.120 --> 00:01:54.799 two times more likely to fall for phishing scams. Fifty 39 00:01:54.840 --> 00:01:58.159 two times fifty two times. Wow, that's a big difference. 40 00:01:58.560 --> 00:02:03.200 That's huge. So clearly, building a strong security culture is 41 00:02:03.239 --> 00:02:06.239 not optional, right, It's not negotiable, it's essential. So how 42 00:02:06.280 --> 00:02:09.240 do we actually go about building this human firewall? 43 00:02:09.479 --> 00:02:14.599 So the Security Culture Playbook provides a framework with seven 44 00:02:14.680 --> 00:02:18.639 dimensions of security culture, and I think it's really helpful 45 00:02:18.719 --> 00:02:22.599 to think of these dimensions as as interconnected gears in 46 00:02:22.280 --> 00:02:24.080 this complex machine. 47 00:02:24.159 --> 00:02:26.560 Okay, I like that analogy. Let's break down these gears. 48 00:02:26.639 --> 00:02:28.159 Let's start with attitudes. 49 00:02:28.240 --> 00:02:33.000 Okay, So attitudes are all about how employees feel about security. 50 00:02:33.639 --> 00:02:35.840 Do they see it as a priority or is it 51 00:02:35.879 --> 00:02:37.199 just another box they have to check. 52 00:02:37.800 --> 00:02:40.360 I imagine a positive attitude goes a long way in 53 00:02:40.479 --> 00:02:43.960 shaping behavior. Yeah, and that leads us to the next dimension, right, 54 00:02:44.039 --> 00:02:45.280 behaviors exactly. 55 00:02:45.360 --> 00:02:49.400 Behaviors are those actions that employees take. Are they following 56 00:02:49.439 --> 00:02:51.840 the protocols? Are they being careful about what they click on? 57 00:02:51.919 --> 00:02:52.719 What they download? 58 00:02:52.960 --> 00:02:56.560 This is where it gets interesting. The book talks about cognition, 59 00:02:57.520 --> 00:03:00.719 which seems to go deeper than just knowing the rule right. 60 00:03:00.800 --> 00:03:04.479 Cognition is about understanding. It's about having the mental models 61 00:03:04.520 --> 00:03:10.520 to make informed decisions, like recognizing a phishing email even 62 00:03:10.560 --> 00:03:14.039 if it's really well disguised, or knowing how to report 63 00:03:14.080 --> 00:03:15.560 a potential security incident. 64 00:03:16.120 --> 00:03:18.520 So it's not enough to tell people what to do. 65 00:03:19.080 --> 00:03:21.000 They need to know the why behind. 66 00:03:20.680 --> 00:03:24.319 The rules precisely. And that brings us to communication, which 67 00:03:24.319 --> 00:03:27.719 I think is the oil that keeps that security culture 68 00:03:27.840 --> 00:03:30.000 machine running smoothly. 69 00:03:29.960 --> 00:03:33.080 Because if nobody understands what's going on or why it matters. 70 00:03:33.319 --> 00:03:34.560 How can they follow the rules? 71 00:03:34.960 --> 00:03:39.840 Exactly? Communication needs to be clear, consistent, and engaging. It's 72 00:03:39.879 --> 00:03:43.719 not just sending out those occasional security awareness emails. It's 73 00:03:43.719 --> 00:03:48.159 about making security a part of the entire organization's communication strategy. 74 00:03:48.240 --> 00:03:52.439 Okay, so we've got attitudes, behaviors, cognition, and communication. What's next. 75 00:03:52.560 --> 00:03:54.159 Well, compliance is really important. 76 00:03:54.400 --> 00:03:54.719 Okay. 77 00:03:55.080 --> 00:03:58.319 It's about making sure people understand and follow security policies. 78 00:03:58.800 --> 00:04:01.400 But it's more than just having those policies right. It's 79 00:04:01.439 --> 00:04:05.039 making sure they make sense, that they're practical, easy to follow. 80 00:04:05.240 --> 00:04:07.120 Because if there are one hundred pages long and written 81 00:04:07.120 --> 00:04:09.400 in legal ease, nobody's going to read them, let alone 82 00:04:09.400 --> 00:04:10.199 follow them, right. 83 00:04:10.199 --> 00:04:13.439 Right, exactly. The goal is to create a culture of 84 00:04:13.599 --> 00:04:17.160 compliance where people understand the rules and they choose to 85 00:04:17.199 --> 00:04:19.079 follow them because they see the value. 86 00:04:19.399 --> 00:04:22.920 Okay. Next up is norms, which sounds a bit more 87 00:04:24.160 --> 00:04:26.759 subtle than some of the other dimensions. 88 00:04:26.959 --> 00:04:32.040 Norms are those unridden rules, those unspoken expectations about what's 89 00:04:32.079 --> 00:04:34.399 okay and what's not okay? Uh huh, Like is it 90 00:04:34.519 --> 00:04:38.759 normal to share passwords or leave your computer unlocked? These 91 00:04:38.800 --> 00:04:42.240 norms they can either help or hurt your security efforts. 92 00:04:42.040 --> 00:04:44.160 Right, because if everyone's sharing castwords, it doesn't matter how 93 00:04:44.199 --> 00:04:45.720 strong your password policy. 94 00:04:45.399 --> 00:04:46.279 Is, right exactly. 95 00:04:46.600 --> 00:04:50.959 And finally, we have responsibilities, which seems pretty self explanatory. 96 00:04:51.000 --> 00:04:53.079 It might seem that way, but this dimension is all 97 00:04:53.079 --> 00:04:56.439 about clarifying who's in charge of what. Okay, do employees 98 00:04:56.519 --> 00:04:59.480 know what their role is in protecting sensitive information? Do 99 00:04:59.519 --> 00:05:02.079 they know how to report an incident? And do they 100 00:05:02.120 --> 00:05:03.800 feel empowered to do so? 101 00:05:03.800 --> 00:05:07.199 So it's about creating a culture of accountability where everyone's 102 00:05:07.199 --> 00:05:08.600 taking ownership of security. 103 00:05:08.759 --> 00:05:13.000 Exactly. These seven dimensions they all work together to create 104 00:05:13.040 --> 00:05:16.199 this strong security culture where security is a part of 105 00:05:16.399 --> 00:05:18.439 the DNA of the organization. 106 00:05:18.800 --> 00:05:22.800 Okay, so we've laid out the framework, but how do 107 00:05:22.839 --> 00:05:26.759 we know where to start? The book mentions shadow it 108 00:05:27.759 --> 00:05:31.600 as a potential red flag, right, what exactly is that? 109 00:05:31.800 --> 00:05:37.720 Shadow it? Is? When people use unauthorized software or cloud services. 110 00:05:37.800 --> 00:05:42.279 Ok So, imagine an employee is storing sensitive company data 111 00:05:42.399 --> 00:05:46.360 on their own personal dropbox account because it's just more 112 00:05:46.399 --> 00:05:48.319 convenient than using the company system. 113 00:05:48.439 --> 00:05:50.879 Uh huh, So it's kind of like going rogue with technology. 114 00:05:51.079 --> 00:05:51.920 Yeah, kind of. 115 00:05:52.079 --> 00:05:54.199 And I can see how that would create security. 116 00:05:53.920 --> 00:05:56.920 Risks, Absolutely it can and what's surprising is how common 117 00:05:56.959 --> 00:05:59.360 it is. Yeah, studies have shown that like twenty to 118 00:05:59.399 --> 00:06:02.040 fifty four p sent of employees admit to using these 119 00:06:02.120 --> 00:06:03.639 unauthorized cloud services. 120 00:06:03.680 --> 00:06:06.199 Wow, I wouldn't guess the numbers were that high. So 121 00:06:06.199 --> 00:06:09.240 if we're seeing shadow it happening, that's a pretty clear 122 00:06:09.360 --> 00:06:12.160 sign that something's off with the security culture. 123 00:06:12.319 --> 00:06:14.560 It's a sign that we need to dig a little deeper. 124 00:06:14.920 --> 00:06:18.360 Why are employees bypassing the security measures? Is it because 125 00:06:18.439 --> 00:06:21.720 they don't know any better, or they find the tools 126 00:06:21.800 --> 00:06:25.040 to be clunky and hard to use, or is there 127 00:06:25.120 --> 00:06:29.160 just this cultural norm that needs to be addressed. Shadow 128 00:06:29.160 --> 00:06:32.759 it it's a symptom, not the disease itself. It's a 129 00:06:32.800 --> 00:06:37.360 sign that there's this disconnect between what the organization says 130 00:06:37.399 --> 00:06:39.800 about security and what's really happening. 131 00:06:40.199 --> 00:06:43.720 So we've identified these gaps. Maybe we see some shadow 132 00:06:43.759 --> 00:06:46.680 I tea going on, phishing attempts are getting through. How 133 00:06:46.680 --> 00:06:48.360 do we actually start to improve things? 134 00:06:48.439 --> 00:06:54.040 Well, the playbook it lays out this three step process. Okay, measure, involve, engage. 135 00:06:54.079 --> 00:06:56.360 Sounds like a good plan. I'm guessing it all starts 136 00:06:56.360 --> 00:06:59.120 with figuring out where we are, where we stand. 137 00:06:58.800 --> 00:07:02.360 Currently exactly you can't fix what you can't measure. The 138 00:07:02.360 --> 00:07:05.759 book recommends using something called the Security Culture Survey to 139 00:07:05.959 --> 00:07:10.319 establish that baseline. This survey it assesses all those seven 140 00:07:10.360 --> 00:07:13.959 dimensions we talked about, and it gives organizations this clear 141 00:07:14.079 --> 00:07:17.160 picture of their security culture maturity. 142 00:07:17.319 --> 00:07:19.680 So once we have the data, what's next we involve? 143 00:07:19.839 --> 00:07:22.800 We involve the stakeholders. Yeah, and the key here is 144 00:07:23.079 --> 00:07:26.879 using the language of risk, which is something that business 145 00:07:26.959 --> 00:07:31.920 leaders understand. It's about connecting security culture to business outcomes. 146 00:07:31.519 --> 00:07:33.199 Because at the end of the day, security is about 147 00:07:33.199 --> 00:07:36.680 protecting the business exactly right. So we need to show 148 00:07:36.720 --> 00:07:40.839 those stakeholders why a strong security culture is a good 149 00:07:40.879 --> 00:07:41.920 investment for sure. 150 00:07:42.079 --> 00:07:44.519 And once you have buy in from those stakeholders, you 151 00:07:44.639 --> 00:07:47.399 move to engage where you actually put in place these 152 00:07:47.399 --> 00:07:50.519 activities and communication strategies to improve the culture. 153 00:07:50.639 --> 00:07:52.399 Okay, so this is where the rubber meets the road. 154 00:07:52.759 --> 00:07:54.600 What kind of activities are we talking about? 155 00:07:54.680 --> 00:07:58.360 Oh, it could be targeted training programs, It could be 156 00:07:59.680 --> 00:08:05.480 phish simulations to test employee awareness, or even gamification. 157 00:08:05.639 --> 00:08:07.639 Gamification, Yeah, tell me more about that. 158 00:08:07.839 --> 00:08:14.600 Gamification is about using game mechanics like points, badges, leader boards, 159 00:08:14.639 --> 00:08:18.839 things like that to encourage good behavior. Okay, it taps 160 00:08:18.879 --> 00:08:22.560 into our natural desire for competition and achievement, so it 161 00:08:22.560 --> 00:08:25.399 can be a really effective way to engage people. 162 00:08:25.439 --> 00:08:30.040 Okay, I'm getting some ideas here. But beyond specific activities, 163 00:08:30.040 --> 00:08:33.679 the book also emphasizes the importance of storytelling. It even 164 00:08:33.720 --> 00:08:37.919 compares it to the transformation of safety culture in the 165 00:08:38.159 --> 00:08:39.360 oil and gas industry. 166 00:08:39.440 --> 00:08:42.360 It's a fascinating comparison, isn't it. The oil and gas industry. 167 00:08:42.399 --> 00:08:45.279 I mean, they used to have a terrible safety record, 168 00:08:45.840 --> 00:08:49.200 but then they went through this major cultural shift and 169 00:08:49.240 --> 00:08:51.840 they made safety a top priority and they embedded it 170 00:08:51.879 --> 00:08:54.519 into everything they did, and storytelling was a big part 171 00:08:54.519 --> 00:08:54.720 of that. 172 00:08:54.960 --> 00:08:58.240 Yeah, and I can see how a powerful personal story 173 00:08:58.799 --> 00:09:02.759 it makes the risks feel more real, much more immediate. 174 00:09:03.039 --> 00:09:06.240 Stories they resonate with us on a deeper level. 175 00:09:06.279 --> 00:09:07.799 I think they do. They stick with you. 176 00:09:07.919 --> 00:09:08.360 Yeah. 177 00:09:08.399 --> 00:09:11.519 They're more memorable than just you know, drive facts and figures. 178 00:09:11.799 --> 00:09:12.000 Right. 179 00:09:12.480 --> 00:09:17.039 Imagine you share a story about a company that was 180 00:09:17.840 --> 00:09:21.080 that was hacked, right because they had weak passwords. That's 181 00:09:21.120 --> 00:09:24.159 a lot more impactful, right than just telling employees, hey, 182 00:09:24.240 --> 00:09:25.960 make sure you have a strong password. 183 00:09:26.159 --> 00:09:28.159 Yeah, It's like, hey, this could happen to us. 184 00:09:28.360 --> 00:09:28.840 Exactly. 185 00:09:29.240 --> 00:09:31.759 But it's not just about scaring people right now. 186 00:09:31.879 --> 00:09:37.639 It's also about about celebrating those successes, you know, highlighting 187 00:09:38.039 --> 00:09:42.919 positive security behaviors, recognizing people who are who are doing 188 00:09:42.960 --> 00:09:47.200 a good job. Right The book calls these people culture carriers. 189 00:09:46.879 --> 00:09:50.600 The security champions, people who are like really passionate about 190 00:09:50.600 --> 00:09:52.720 security and they can get other people excited about it. 191 00:09:52.799 --> 00:09:55.679 Yeah, they're your security evangelists. Yeah, the people who help 192 00:09:55.759 --> 00:09:58.240 spread the message and make it a priority for everyone. 193 00:09:58.600 --> 00:10:01.600 Finding and empowering those seems really important. 194 00:10:01.679 --> 00:10:02.279 Absolutely. 195 00:10:02.519 --> 00:10:04.960 Now. It strikes me that we've been talking a lot 196 00:10:04.960 --> 00:10:08.399 about what organizations can do, but what about individuals. What 197 00:10:08.600 --> 00:10:11.799 role can they play in shaping security culture. 198 00:10:12.080 --> 00:10:16.639 That's a great question. Individual responsibility is really important. Each 199 00:10:16.679 --> 00:10:20.519 person needs to be proactive to stay informed about the threats, 200 00:10:20.840 --> 00:10:25.919 to practice good cyber hygiene, to report anything that seems suspicious. 201 00:10:26.039 --> 00:10:29.360 So it's about being security minded. Yeah, not just at work, 202 00:10:29.399 --> 00:10:32.000 but in all parts of our lives exactly. But they 203 00:10:32.039 --> 00:10:34.279 get a full understanding of security culture. 204 00:10:34.559 --> 00:10:34.919 Yeah. 205 00:10:34.960 --> 00:10:38.799 The book goes beyond these practical strategies, and it actually 206 00:10:39.120 --> 00:10:41.600 includes interviews with experts. 207 00:10:41.840 --> 00:10:44.639 Yeah, they have a lot of really interesting perspectives in there. 208 00:10:44.720 --> 00:10:47.159 What insights did you find particularly valuable. 209 00:10:47.600 --> 00:10:51.039 Well, one recurring theme was that that culture change. It's 210 00:10:51.039 --> 00:10:54.080 an organization wide thing. It's not just a security issue. 211 00:10:54.519 --> 00:10:58.879 John Schulders from Pyxis Culture Technologies. He argues that that 212 00:10:59.120 --> 00:11:04.240 everything shapes culture, from hiring practices to leadership styles. 213 00:11:04.320 --> 00:11:06.440 So it's not just about what the security team does, 214 00:11:06.519 --> 00:11:08.759 it's about how the whole organization operates. 215 00:11:09.159 --> 00:11:14.080 Absolutely, and Michael Lecky from Silverback Partners he emphasizes the 216 00:11:14.120 --> 00:11:19.200 importance of aligning security culture with business goals security leaders. 217 00:11:19.320 --> 00:11:21.840 They need to articulate the value of security in a 218 00:11:21.879 --> 00:11:24.480 way that makes sense to business leaders. 219 00:11:24.559 --> 00:11:28.000 So it's about making security and a nabler, not an obstacle. 220 00:11:28.159 --> 00:11:33.559 Right. Another expert, doctor Jessica Barker, She highlighted how effective 221 00:11:33.600 --> 00:11:38.559 those security Champions programs can be. She argues that having 222 00:11:38.600 --> 00:11:43.639 those passionate advocates within teams right, can be incredibly powerful. 223 00:11:43.679 --> 00:11:47.720 So it's like building a grassroots movement from the inside. Yeah. 224 00:11:47.960 --> 00:11:51.080 And these champions can then use storytelling exactly to connect 225 00:11:51.080 --> 00:11:52.200 with their colleagues. 226 00:11:51.879 --> 00:11:52.919 On a personal level. 227 00:11:53.039 --> 00:11:56.159 Yeah. But while storytelling is important, the experts also said 228 00:11:56.159 --> 00:11:58.039 that data and measurement are important too. 229 00:11:58.159 --> 00:12:00.279 Right, how do we know if what we're doing is 230 00:12:00.320 --> 00:12:01.200 actually working. 231 00:12:01.679 --> 00:12:04.919 Yeah, that's a key point. It's one thing to talk 232 00:12:04.919 --> 00:12:07.320 about security culture, but how do we know if it's 233 00:12:07.360 --> 00:12:08.080 really effective. 234 00:12:08.720 --> 00:12:12.440 Several experts recommend focusing on metrics that are tied to 235 00:12:12.600 --> 00:12:16.240 those business outcomes. So are we seeing a reduction in 236 00:12:16.320 --> 00:12:23.159 phishing attacks? Are we seeing less shadow it? Fewer security 237 00:12:23.159 --> 00:12:24.159 incidents overall? 238 00:12:24.320 --> 00:12:26.559 So it's not just about tracking how many people finish 239 00:12:26.639 --> 00:12:29.360 the training course, it's about seeing if it's actually making 240 00:12:29.399 --> 00:12:30.559 a difference exactly. 241 00:12:30.720 --> 00:12:35.159 Mark Macjefski, he's an information security evangelist. He suggests going 242 00:12:35.200 --> 00:12:39.840 a little deeper with those security culture surveys. He proposes 243 00:12:39.960 --> 00:12:45.559 questions like is protecting client data a priority in your company? 244 00:12:45.600 --> 00:12:49.440 These types of questions they get at those underlying values 245 00:12:49.600 --> 00:12:51.360 and norms that shape behavior. 246 00:12:51.480 --> 00:12:53.799 It's like getting the real story. Yeah, not just what 247 00:12:53.840 --> 00:12:55.440 people say on the surface exactly. 248 00:12:55.679 --> 00:12:59.960 But even with the best data and strategies, they're always challenging. 249 00:13:00.159 --> 00:13:02.960 Of course, what were some of the sticking points the 250 00:13:03.120 --> 00:13:04.000 experts brought up. 251 00:13:04.360 --> 00:13:07.960 Well, one of the biggest was this knowledge intention behavior gap. 252 00:13:08.559 --> 00:13:10.519 Just because someone knows the right thing to do doesn't 253 00:13:10.559 --> 00:13:13.879 mean they'll actually do it. Yeah, we've all been there Exactly. 254 00:13:14.120 --> 00:13:16.080 We might know we need to make a strong password, 255 00:13:16.080 --> 00:13:18.320 but then we end up just reusing an old one 256 00:13:18.360 --> 00:13:21.600 because it's easier, right. Or we know we shouldn't click 257 00:13:21.679 --> 00:13:25.039 those suspicious links, but you know, we get curious. 258 00:13:25.200 --> 00:13:28.039 Yeah. The book suggests that security leaders they need to 259 00:13:28.080 --> 00:13:31.159 design their programs with these biases in mind. Right. 260 00:13:31.200 --> 00:13:34.679 Absolutely, it's not enough to just give people information, right. 261 00:13:34.799 --> 00:13:36.600 We need to make it easy for them to make 262 00:13:36.639 --> 00:13:37.759 those secure choices. 263 00:13:37.960 --> 00:13:40.320 Right. If the tools are hard to use, people are 264 00:13:40.320 --> 00:13:41.399 going to find workarounds. 265 00:13:41.559 --> 00:13:44.399 Exactly. People they want to do things the easy way. 266 00:13:44.559 --> 00:13:44.919 Yeah. 267 00:13:45.039 --> 00:13:50.559 Another sticking point was this tendency to view security culture 268 00:13:50.600 --> 00:13:54.840 through the lens of our own experiences. It professionals, they 269 00:13:54.919 --> 00:13:58.399 might assume that everyone understands how important security is, right 270 00:13:58.759 --> 00:14:01.240 while other departments so they might be more focused on 271 00:14:01.279 --> 00:14:03.679 productivity getting things done. 272 00:14:04.200 --> 00:14:06.000 So we need to get out of our bubbles and 273 00:14:06.039 --> 00:14:08.480 realize that different people have different priorities. 274 00:14:08.960 --> 00:14:12.679 Absolutely, the book encourages security leaders to get input from 275 00:14:12.679 --> 00:14:15.879 different people and really challenge their own assumptions. 276 00:14:16.080 --> 00:14:18.360 It's about understanding where other people are coming from. 277 00:14:18.759 --> 00:14:22.360 Yeah, we need to recognize that what seems obvious to 278 00:14:22.440 --> 00:14:25.919 one person might not be so clear to someone else, right, And. 279 00:14:25.879 --> 00:14:29.480 This brings us back to that idea of measurement. The 280 00:14:29.559 --> 00:14:33.080 Security Culture Playbook goes pretty deep on the Security Culture 281 00:14:33.120 --> 00:14:38.799 survey sees. This tool is designed to assess those seven 282 00:14:38.840 --> 00:14:42.279 dimensions we talked about before, and it's really interesting how 283 00:14:42.279 --> 00:14:45.600 they developed it. It started with this huge pool of questions, 284 00:14:46.279 --> 00:14:50.399 and over the years they refined it and now it's 285 00:14:50.440 --> 00:14:53.240 this concise and effective tool. 286 00:14:53.559 --> 00:14:55.879 It's powerful because it gives us a way to actually 287 00:14:55.919 --> 00:14:58.960 measure security culture, so we can track our progress and 288 00:14:59.000 --> 00:14:59.960 see what we need to work on. 289 00:15:00.360 --> 00:15:02.480 The book has some really good examples of how to 290 00:15:03.919 --> 00:15:07.960 use data to improve security culture, like this idea of 291 00:15:07.960 --> 00:15:10.519 connecting awareness, behavior and culture right. 292 00:15:10.919 --> 00:15:13.960 Research has shown that that there's a correlation between knowledge 293 00:15:13.960 --> 00:15:19.120 and behavior. When employees understand the threats and the best practices, 294 00:15:19.559 --> 00:15:20.960 they're more likely to be careful. 295 00:15:21.480 --> 00:15:24.840 But the book says, don't assume that one clauses the other. 296 00:15:25.240 --> 00:15:28.120 Yeah, it's not that simple. Just because someone knows what 297 00:15:28.200 --> 00:15:30.360 to do doesn't guarantee they'll do it right. 298 00:15:30.360 --> 00:15:35.519 There are other factors are like attitudes and norms and 299 00:15:35.600 --> 00:15:39.720 even pressure at work Exactly all those things can affect behavior, 300 00:15:39.879 --> 00:15:40.399 so it's. 301 00:15:40.200 --> 00:15:42.799 Not as easy as, let's train everyone and then magically 302 00:15:42.960 --> 00:15:44.320 they'll be security minded. 303 00:15:44.600 --> 00:15:47.639 Right. We need to create an environment that supports good 304 00:15:47.679 --> 00:15:49.360 security habits exactly. 305 00:15:49.519 --> 00:15:51.679 We can also use data that we already have to 306 00:15:51.759 --> 00:15:54.799 measure security culture. We can look at incident reports to 307 00:15:54.799 --> 00:15:56.440 see if there are any patterns, see if there are 308 00:15:56.440 --> 00:15:58.879 any areas where maybe people need more training. 309 00:15:59.200 --> 00:16:01.799 It's like we're detect is looking for clues. Yeah, trying 310 00:16:01.840 --> 00:16:04.320 to figure out the story of the organization's security culture. 311 00:16:04.480 --> 00:16:08.120 And speaking of stories, the playbook suggests using something called 312 00:16:08.200 --> 00:16:13.279 ab testing. Okay, this technique comes from marketing. Basically, instead 313 00:16:13.320 --> 00:16:15.799 of just guessing what will work, we can try out 314 00:16:15.840 --> 00:16:19.080 different approaches, right and see what works best. 315 00:16:19.399 --> 00:16:23.799 So, like an organization could could test two different security 316 00:16:23.840 --> 00:16:27.240 awareness modules, right, and see which one leads to people 317 00:16:27.279 --> 00:16:29.720 being better at spotting phishing emails. 318 00:16:29.840 --> 00:16:33.519 Exactly. We want to use data to guide our decisions, right, 319 00:16:33.639 --> 00:16:36.240 to make sure we're having the impact that we want, and. 320 00:16:36.200 --> 00:16:38.519 It's important to use metrics from different sources, right. 321 00:16:39.480 --> 00:16:41.799 Just relying on one metric can be misleading. 322 00:16:42.200 --> 00:16:44.639 It's like judging someone's health just by looking at how 323 00:16:44.679 --> 00:16:47.279 much they weigh, right, It doesn't give you the whole picture. 324 00:16:47.399 --> 00:16:50.879 So we want to combine data from those security assessments, 325 00:16:50.919 --> 00:16:55.440 the phishing simulations, the incident reports, employee surveys. Right, all 326 00:16:55.480 --> 00:16:58.519 of that together gives us a much better understanding of 327 00:16:58.559 --> 00:16:59.399 the culture and. 328 00:16:59.320 --> 00:17:02.519 Then that really fix the problems exactly. 329 00:17:02.879 --> 00:17:05.599 You need to be able to identify those root causes. 330 00:17:05.839 --> 00:17:07.279 Building a good security culture. 331 00:17:07.440 --> 00:17:08.880 It's a journey, it is. 332 00:17:09.000 --> 00:17:10.920 Yeah, it takes time, it does. 333 00:17:11.000 --> 00:17:14.640 We're constantly learning and adapting. We need to be open 334 00:17:14.680 --> 00:17:17.440 to feedback, willing to experiment. 335 00:17:17.960 --> 00:17:20.119 The Security Culture Playbook has given us a lot to 336 00:17:20.160 --> 00:17:22.880 think about. It has It's like a guide to making 337 00:17:22.920 --> 00:17:25.039 security a part of who the organization is. 338 00:17:25.160 --> 00:17:29.640 It's about making security part of everyday conversations, decisions, part 339 00:17:29.680 --> 00:17:32.319 of the values that drive the organization. 340 00:17:33.839 --> 00:17:36.599 As we wrap up this deep dive, we encourage you 341 00:17:36.640 --> 00:17:39.119 to think about how you can apply these ideas to 342 00:17:39.200 --> 00:17:42.799 your own organization. What's one small step you can take 343 00:17:42.839 --> 00:17:44.000 today to make a difference. 344 00:17:44.759 --> 00:17:47.720 Maybe share a security tip with your team or talk 345 00:17:47.759 --> 00:17:50.839 to your manager about security culture. Every little bit helps, 346 00:17:51.000 --> 00:17:53.759 it does we can all contribute to a more secure 347 00:17:53.880 --> 00:17:55.000 digital world. 348 00:17:56.000 --> 00:17:57.920 Thank you for joining us on this deep dive into 349 00:17:57.960 --> 00:18:00.880 the Security Culture Playbook. We hope you've found it insightful. 350 00:18:01.400 --> 00:18:05.480 Until next time, stay curious, stay engaged, and stay secure.