Security Masterminds

Beyond Technical Skills: Unlocking the Human Element in Cybersecurity, with Special Guest, Julie Haney

December 28, 2023 Julie Haney Season 2 Episode 11

Get ready to challenge your assumptions about security awareness as Julie Haney, head of Human Centered Cybersecurity at NIST, reveals the hidden struggles and attitudes of security professionals and non-experts. Just when you think you understand the root causes of cybersecurity challenges, a shocking twist leaves everything in doubt. 
Tune in to find out.

Julie Haney, an esteemed leader at the National Institute of Standards and Technology, heads the Human Centered Cybersecurity program. With a wealth of experience in computer science and over two decades in the field, Julie's expertise lies in understanding the human aspect of cybersecurity. She delves into the struggles, experiences, and attitudes of all participants within an organization, aiming to uncover the root causes of security issues rather than just addressing the surface symptoms. Julie's passion for bridging the gap between research and practice makes her a valuable resource for cybersecurity professionals looking to gain deeper insights into the human element of cybersecurity.

We need to give our professionals a taste of that so that they're at least thinking about it. They may not be experts in it, but they at least know that they need to think about it.

In this episode, you will hear about:

  • Unveiling the Importance of the Human Element in Cybersecurity: Discover how human behavior impacts cybersecurity and why it's crucial for professionals to understand this dynamic.
  • Empowering People in Cybersecurity: Explore strategies to empower individuals within the cybersecurity landscape, leading to a more robust and secure environment.
  • Addressing Security Fatigue in Cybersecurity: Learn how to combat security fatigue and its detrimental effects on cybersecurity practices, ensuring sustained vigilance and awareness.
  • Developing Skills Needed for Future Cybersecurity Professionals: Uncover the essential skills required for future cybersecurity professionals to thrive in a rapidly evolving digital landscape.
  • Harnessing Non-technical Skills in Cybersecurity: Delve into the significance of non-technical skills in cybersecurity and their pivotal role in fostering a well-rounded approach to security.

Connect with us

Website: securitymasterminds.buzzsprout.com

Show Notes created with Capsho - www.capsho.com
Sound Editing - James McQuiggan
Sound Engineering - Matthew Bliss, MB Podcasts.
If you'd like to ask Matt what he can do for your podcast, visit https://www.mbpod.com and schedule a consultation today! 

Julie Haney:

We have to remember that cybersecurity only exists because of that human, because of people. People built the technology and the services we're trying to protect. Cybersecurity is for the use and benefit of people. It's to protect us. It's to protect our information. Hi, I'm Julie Haney, and I lead the human centered cybersecurity program at the National Institute of Standards and Technology.

Announcer:

Welcome to the Security Masterminds podcast.

Julie Haney:

This podcast

Announcer:

brings you The very best in all things cybersecurity. Taking an in-depth look at the most pressing issues and trends across the industry.

JJ:

How do you empower non-experts in your organization to play a pivotal role in enhancing cybersecurity defenses? The human-centered approach strongly emphasizes understanding the experiences, struggles, and attitudes of all participants in an organization. It involves digging deeper into the root causes of security issues rather than just addressing the symptoms. Julie

James McQuiggan:

Haney is a leading expert in human centered cybersecurity and the head of the human centered cybersecurity program at the National Institute of Standards and Technology. With a background in computer science and over 22 years of experience in the field, Julie's expertise in bridging the gap between research and practice makes her a valuable resource for cybersecurity professionals looking to improve their understanding of the human side. This

Announcer:

is episode 24, Beyond Technical Skills: the importance of the human element in cybersecurity and how to move past us-versus-them thinking, with special guest Julie Haney.

Julie Haney:

Okay, caveat, the opinions that I express are mine alone and don't necessarily represent those of NIST. Okay, so, but there's the caveat.

James McQuiggan:

Hello everyone and welcome to Security Masterminds. You're probably thinking this doesn't sound like Eric or Jelle, and you're right. So don't adjust your player or check your screen. Our usual hosts, Eric Krohn and Jelle Wielinka, couldn't be with us this month. I'm James McQuiggan. I'm the producer of Security Masterminds, and I'm joined by someone who is no stranger to the show, coming to us from the land down under, Miss Jacqueline Jane, or JJ as we affectionately call her. Welcome back,

JJ:

JJ. G'day everybody from Australia. Gotta put that in there. It wouldn't be right if I didn't. Hello James. It's awesome to be back on Security Masterminds, one of my absolute favorite podcasts, of course.

James McQuiggan:

Oh, you're so kind. You're so kind. Okay. Check's in the mail. Believe it or not, we're coming to the end of our second season. I can't believe it, with this episode. And we've got Julie Haney coming to us from NIST, the National Institute of Standards and Technology. And she was actually referred to us to be a guest by Martin Kramer, who is our German security awareness advocate. Eric got to chat with her. But JJ, today you and I, we're going to take everyone through the interview and provide some additional thought leadership perspectives to her comments, stories and information. JJ, you probably have been in this boat before, but as a cyber security professional, there may have been times where we've been told to focus on the technical measures to protect against cyber threats, and we know it's not enough. You know, despite organizations investing in the latest tech tools and technologies, you still have that sense of vulnerability. We still see organizations getting hit with cyber attacks. Julie's going to bring a very interesting perspective, one that we're familiar with, but one that we're gonna be able to dive into a little deeper and certainly help at looking at improving our organizations from that human centered cybersecurity. We're gonna kick off with Julie sharing with us about her background in computer science, how she's been able to work with cybersecurity roles based off of her research.

Julie Haney:

So started off computer science, went to cybersecurity. Now there's a twist to my career the last seven or eight years looking at the human element and loving every minute of it. First of all, I had a lot of the firsthand experiences and saw a lot, the good, the bad, and the ugly of what happens in cybersecurity. Sometimes I've been a part of the problem, as I mentioned, sometimes I've been a part of the solution. Sometimes I've been an interested observer seeing that all unfold, but it really, in me, it instilled this deep interest and this passion for helping people to have better experiences with the cybersecurity because people are really struggling. And, you know, obviously we think of the quote unquote end users, like our employees, our general public people that aren't experts, but the security experts, the IT people, the policymakers, they're struggling too because they have to keep up with all of this fast paced changing field. I think I saw some statistic that a typical organization employs something like an average of 50 different security tools. So can you imagine like having to manage all of those? And they're not all interoperable. And so a part of what I do is research about end users, definitely. I care about that. But I also have done a lot of research about security professionals because I want to help them. I can really empathize with them because I was a security professional. I might not have done exactly what they did, but I understand some of the pressures and the challenges. And so I've been always drawn to research about security professionals. So, you know, I've done some work with security awareness, from the perspective of the security awareness professionals themselves. I've done some work with people that develop products that use cryptography and understanding how challenging that is, even for experts, because a lot of the crypto APIs are just not very usable. They don't really guide people in the right directions. 
So those types of things I really enjoy doing, and I'm very passionate about doing, but even the things, the research projects that I do that are more kind of end user focused, my end goal is always to get it into the hands of practitioners, so people that can do something about it. And so I think my background, having been a security practitioner, it helps me, first of all, understand the language that they use, what they care about, and helps me to be able to translate the research into something that's more actionable and valuable to them. That's a huge gap that we have now, this research practice gap. There's a lot of great research on the human element out there. It doesn't get into the hands of practitioners very often because they have a job to do. They're too busy. They can't be looking for it. Researchers have to push it more, have to make sure that what they're providing practitioners is actionable. It's relevant. It's understandable. It appeals to what they care about, and so I definitely have a passion for bringing those two communities together, because there's a lot that I wish I would have known when I was a practitioner that I didn't until I actually got a chance to study it, and most people don't ever get that.

James McQuiggan:

Yeah, not a lot of people get the chance to be able to study people when it comes to cyber security and the research that comes along with it. What do you take away from it, JJ?

JJ:

It makes absolute sense to me, James, and interestingly enough, what dawned on me was back in the day when websites were first being created. I know it's a side quest, bear with me. Websites were created back in the day by geeks, by the IT people, and they were appalling. And why were they appalling? Because the user experience didn't sit with the designers of these websites as the people who were going to use them. There was a massive disconnect and when we see the evolution of websites and how now they have the marketing, advertising, user experience, bells, whistles, all the things that you see everywhere else. Yes, the IT geek, let's call them that for now with love, they still are the critical elements of the technology behind it. But when you need the human interface. There are skills required that just don't come naturally to the people who are the geeks. So, as I was listening to that for Julie talking, it's like, oh my goodness, that's just like website design. I know that might sound odd, but that's where my mind went with that, James.

James McQuiggan:

That's awesome. Yeah, I mean, I can remember those old websites as well. Now, you know, one of the great things that Julie's done at NIST is she wrote this wonderful article that was titled "Users Are Not Stupid: Six Security Pitfalls Overturned". And the article offers cyber security professionals a primer so they can recognize six human element pitfalls that occur in cyber security. And one of them, she mentions that the cyber security field can be very technology focused. So we wanted to learn from Julie, how can we shift that mindset to be more human focused when addressing those challenges? And this is what she shared with us.

Julie Haney:

The first thing is we have to remember that cyber security only exists because of that human, because of people, people built the technology and the services we're trying to protect. Cyber security is for the use and benefit of people. It's to protect us. It's to protect our information. We have people that are actually the one targeting our systems. So there's always a human in the loop somewhere. We can't separate people from cyber security, and we need people to make all this work. No matter what type of automation or AI we use in the future, there's always going to be that people element. Um, so we really need to care about that human and cyber security. And how can we shift that mindset? First, it's, you know, remembering cybersecurity is for people. And next, I think as a community, I think we need to be more self reflective. So taking a step back, thinking about, well, what's not going well right now from a cybersecurity perspective and really delving into the root cause of that. So I'm a big fan of root cause analysis of finding the root cause, right? Is it a people problem? Is it a policy problem? Is it a technology problem? Chances are, it's a combination of those. And you're probably going to have people somewhere in that equation. And so when we see these issues, when we see these problems, I like, kind of, like to think of them as kind of symptoms. We can kind of keep throwing temporary patches on those, but eventually they're going to come back or some other symptom or something else is going to happen if we don't get at the root cause of that, really, the why things are happening. Especially when it, when it comes to people again, taking a step back, why are people struggling with this? Why is this happening? Okay. So we see an increase in calls to the help desk about password resets, right? That's, you know, one of the kind of the quintessential issues, right? So that's the symptom. 
So we can either, we can blame the employee for not remembering their passwords. We could hire more help desk staff or. We could put it like an automated system so people could reset their passwords, or we can get at the root cause. What is it about the current password policy or the implementation of that that's really causing people problems? Is it an unusable process? Is it causing a lot of disruption? Does it require what we call a high cognitive load? So I have to remember a lot of things, you know, thinking about. You know, the why again, the self reflective what's going wrong now, what do we need to improve? And how do people fit into that? What's happening now? That's making it difficult for people to make these, you know, the right security decisions or to interact with these technologies. And so I think it's about that reflection, you know, in the first place.

James McQuiggan:

Looking at what Julie is sharing with us with regards to the communities and looking at root problems, we have to be able to take a step back and look at what's causing those issues and then look at identifying solutions that can help those underlying problems. And that's going to help improve security for everyone. What do you think, JJ?

JJ:

Yeah, look, it's really interesting and it's nice to see it's nothing new. So with the hundreds or thousands of people I talk to, in my personal opinion, the root cause is understanding and misunderstanding. People don't know what they don't know. And sometimes it's the communication, the way we go about explaining things in these non technical terms. Making it personal to the individual. That's when people have the aha moment, and the root cause most of the time comes down to understanding. People have not taken the time from a non technology point of view to engage the end users, um, and even people in IT outside of the business as well. IT can't work with finance unless they understand the issues finance is having and what's happening in their world. And it's the same with cybersecurity. So it'd be very refreshing to hear that looking at the root cause will always come down to communication.

James McQuiggan:

Yep. Communication is the key. And when we look at us as cybersecurity professionals, you know, we were curious to hear what Julie wanted to talk about or what she had to say with regards to misconceptions with cybersecurity professionals when it comes to end users. How can we overcome the users are stupid mentality?

Julie Haney:

I have this article that I wrote. Uh, the first part of the title is "Users Are Not Stupid". And I think that that's one of the kind of misconceptions or less helpful attitudes. You know, we hear all the time users are the weakest link. I, you know, I have, having worked with some very sharp technical people for many years, you know, I heard all kinds of things like, oh, if we could just eliminate people from the problem, then everything would be secure. Like people are the issue. And it's developing this false narrative that like, we're the security people, we're the heroes and, and we are trying to do the best thing and I mean, and they are, and I, and I do think security practitioners are heroes in a way, but it's like, we're the heroes and these other people are trying to undermine us. Right. That at every step, they, you know, they are the reason that we are not as successful, and it really creates this antagonistic kind of us versus them type of scenario, you know, how can we eliminate them from the, from the equation instead of how can we make them partners in security, right? Because as security people, we can't do it alone. We can't. We know that we can't do it. So, you know, why are we having these, you know, less, these negative feelings toward the people that we need to help do our jobs? I think security people often have very unrealistic expectations. We expect people to always make the right security decisions, even though they are not experts in the field. We may not be giving them the information they need to make an informed decision or giving them information that is in the right language, the language that they understand. Um, we're giving them unusable solutions that make it very difficult for them. You know, we're not providing enough explanation. We're making assumptions about what they know and don't know. Very unhelpful. We should be focusing more on empowering people. 
So instead of belittling people, being critical toward people, how can we empower them? Um, we know we need them. So how can we make them feel that they're valued and capable partners, that they're part of the solution rather than just part of the problem? Um, and so it's this real shift in mindset. How do, how can we go about increasing people's confidence and security? Okay. So to do that, they need to understand what's expected of them. Okay. So, so we talk a lot about awareness and training, right? So awareness is just the, I know that this issue exists, but then we have to give them the tools and the instructions on, this is how you personally can address this risk, right? And we need to do that in a language that people understand and not always use kind of this deep technical jargon. Yeah, I think it's definitely a shift in mindset. Instead of an us versus them, it's a how can we all work together? How can we help each other?

James McQuiggan:

Yeah, definitely want to be working together. Based off her article, we know users aren't stupid, but there is that misconception, and she certainly takes us through some good information with regards to kind of getting rid of that myth.

JJ:

The interesting thing that dawned on me, but we know that 85 to 95 percent of cyber incidents are because of human error. And we've got an idea that cyber in general, IT in general, are looking at around 3 to 5 percent spending on that element to educate the people. And here's the frustration. People, if you think about it this way, if burglars were breaking into your front door every day, you would decide to protect your windows more, wouldn't you? You would put more security on your windows because they're trying to break into the front door. That is what we're seeing. It makes no logical sense. So rather than, because technology is doing a brilliant job, but let's come back to what is the, this human part. If humans are clearly not understanding, they're not stupid, they don't understand. So what do we actually do? Let's do something to bridge the gap. Let's educate, let's train them. Let's give them opportunities to apply their learning with simulations in whatever that looks like. That's the only way to shift it. There is no other way to

James McQuiggan:

shift it. Shifting that mindset, getting them to keep security top of mind. We put to her about thinking whether or not cybersecurity experts can do a better job explaining to people why they should care about security, because that is a big challenge that we all have, especially to our private and our professional lives as well. And this is what she shared with us.

Julie Haney:

You know, making that connection. It's part of the motivation piece. Motivation is huge. So you need to communicate to people why they should care. So there's this issue. This is how it impacts you, your organization, your family, and you have a personal responsibility in this as well. Because there's a lot of people that think, well, security, that's like those IT people, right? That's their job. Like that's not my job. I don't have a role in that. Um, so making that personal connection is really important, and we often fail to do that as security people. We tell them, you know, the sky is falling. There's this risk, now do this. Right, not the in between about this is why you should care. Yeah, I, I mean, I think a lot of that comes down to empathy. So trying to put yourself in someone else's shoes, and it can be hard. But like you just said, like realizing these people, they don't have the expertise in security that maybe you do. So how do we have empathy? How do we practice active listening so that we can understand more about where people are coming from instead of just quickly judging them that it's just because they don't care or they're, you know, they didn't pay attention to their latest security awareness training or, or what have you. So again, taking a step back and, and just building those relationships, trying to put yourself in other people's shoes.

James McQuiggan:

Certainly the secret sauce, empathy. We don't want to be pointing fingers, and we're all human, and we want to make sure that we treat people as humanely as possible with regards to this. Yeah, it's

JJ:

when you think about how we can do a better job on explaining these things to humans outside of IT, this comes down to what's in it for them. Being human, we respond to what's in it for me, and it's a natural thing that every human does, whether we like it or not, even if you're training a dog, even if you've got a kid. They need to know what's in it for them. So for training an animal, it's going to be pats, praise, or a treat. And maybe a very similar thing for kids. And when it comes to security, or cyber security, making it about them, their family, their friends, their children, is the key. I've noticed over the last couple of years, a session I do is keeping yourself and your family safe online. What has that got to do with security awareness training? Everything. Because it increases engagement. People think, oh, my goodness, I need to know all these things about cyber, and surprise, surprise, it's exactly what you apply at work. What I've found is, is like people say, there's no silver bullet. There's, there's no, um, big thing. Well, this is one of those things. It really is. If you want to increase that engagement, making it about people, the motivation, people care about themselves. Yes, they care about others, but make it personal and you shift the dial

James McQuiggan:

completely. And I've got to imagine for users, they go through security fatigue where they are not dealing with security every day. So from Julie, looking at the human centered cyber security aspects, we wanted to find out from her what strategies organizations can use to help reduce this security fatigue, because we know we want to keep it frequent. But at the same time, we don't want to have security fatigue with our users. So we had Julie share with us her tips on how to reduce that and then also empower our users to be active in security. And this is what she shared with us.

Julie Haney:

First, maybe because I'm very cognizant of let's define the term and explain what we mean by security fatigue. So this is actually, it's a term, it was coined by a couple UK researchers a number of years ago, Furnell and Kerry-Lynn Thomson, and then actually some folks in my group did a study where they popularized the term because they found it actually existing in the real world. They did a series of interviews with a number of just general public people asking about their security and privacy perceptions and experiences. And what it is, is it's this sense of resignation, weariness, frustration, loss of control in people's interactions with cyber security. And it happens for a few different reasons. And so one of the things was that cyber security is not most people's primary task. When they sit down at a computer, it's not to do cyber security. They have something else that they're trying to accomplish. They have another job to do, another area of expertise. And so cyber security can be very disruptive to that or appear to be very disruptive to that, right? So we, oh, we have to go through this long login process, or I'm getting these security warnings. You know, it's just messing up my day. It might be seen as someone else's job, which I mentioned before as well. And so people are coping by doing these less secure workarounds, password reuse, and so on. So that's one thing, this is not their primary task. The other is, you know, very related to that, is that they're not experts in this. Security can be pretty complicated if you don't understand it, and especially the way that we present it to people. People make errors. They make the wrong decision. They don't know what they don't know. Um, and it can be very overwhelming to people, um, and so that contributes to fatigue. And then back to these things that make us all human is that we have our own cognitive biases. We all have biases because of the experiences that we've had. Things like optimism bias. 
We see that a lot in our research where people think, oh, you know, no one's going to target me. Why would anyone want to target me? I'm not that interesting. I'm not doing anything illegal. You know, I don't have that much money. Why would anyone go after me? So things like that, that kind of lull us into this either sense of apathy or just being overwhelmed, all kinds of, you know, negative feelings that we can have about cyber security. Anxiety is another thing that we see a lot. It doesn't matter what I do, someone's gonna, someone's gonna get my stuff. And so there's this underlying fear all of the time. So that's a little bit about security fatigue, why it's caused. So now your real question is, what are some strategies organizations can employ to reduce that? One of them is decreasing the burden on people and increasing usability. When we think about usability, we often tack it on at the end. So, oh, we've developed this product or, you know, this process and we've decided on it. And, you know, maybe we'll have a few people take a look at it at the end. And, you know, as security folks, we have always been frustrated when security was tacked on at the end. Things are getting better now where security is more kind of built in from the beginning, built in this private design process, but usability is still that tacked on at the end thing. So we have all of these solutions that get pushed out that don't consider usability and cause people all of these issues, as we already talked about. So one of the things that we can do as organizations is to consider that more upfront. So when we're looking for a solution, looking into the usability of that, when we're developing a process, talking to the people that it will impact, there might be some unintended consequences when we push a certain policy down or create a certain process. So involving people in the beginning, who's going to be impacted by this? What are their thoughts about it? 
You know, and even doing some like basic, you know, usability testing. We can do usability testing of technologies, but also policies, communications, giving it to a small group of representative users and getting their feedback. You know, how is this working for you? What are you confused about? How can we make this better for you? You don't have to be a usability expert. You could just do 5 to 9 people. You'll find most of the problems. That's definitely one thing. And then of course, offloading the burden as much as possible. So we all know that there are things that computers can do better than people. How do we keep a phishing email from getting to people in the first place? Are there things that we can do from a technology perspective so that they don't have to make decisions about all of these emails when they, they get to them, that they never get to them in the first place, so those types of things. I also think as a community, we really need to work on improving our communication. You know, I, I've already mentioned about how we need to do a better job of translating these highly technical concepts into terms that our audience understands, that, that our users and our shared stakeholders understand. It's very difficult for people who are experts in the field to explain something to a non expert because we make assumptions about what people know, and oh, this is obvious to me, right? So it should be obvious to other people. Again, taking a step back, understanding the context of our users. What's their skill level? What's their role? What kind of language do they understand? How can I communicate this in a way that will motivate them and give them the level of detail that they need so that they can actually take action on it? There's all different ways to do that. Different formats. Trying to be more engaging with the techniques that we use. It's not always just an email that you send to people. You know, how do you reach people? How do you communicate that? 
And then I think lastly is for people to feel empowered, they need to have some kind of positive reinforcement and feel like they are included in the process. We want them to feel good about security and their role in it. Um, so we see a lot of organizations that kind of take a very punitive approach. Very fear based. I was reading about some organizations that have got a three phishing clicks and you're fired type of policy. There was one that had like a wall of shame. If you like clicked on a phishing email, your name would be posted in like the common, you know, kitchen area. I think those things are not helpful. Um, and so we have these kind of fear based tactics. Perhaps they can work in the short term. But in the long term, it really dampens people's feelings about cyber security. It doesn't motivate them. It doesn't make them want to be part of the solution. Um, and so how do we move from kind of this punitive stance to one that's more focused on positive reinforcement, simple things like a thank you. Thank you for reporting this. We really appreciate this. Like you did this great security thing. You were a model for your coworkers. Thank you. Here's a recognition. And you know, we don't want to overdo it because then it becomes meaningless. But that type of positive reinforcement. And also the inclusive part, right? So people want to feel like their input matters. And so that involving people, like we said, involving them and like doing some basic usability testing or running some draft communications by people. Especially I've seen this in a lot of security awareness programs, not a lot, but the ones that tend to be more effective is that they are reaching out to their employees and saying, what do you want to see? What do you need? What are you struggling with? What kinds of topics can we address? And getting feedback. Okay, so we had this event. Like, was this helpful to you? There are other things we can be doing. 
So involving people makes them feel like they matter, you know, building more of that kind of positive energy towards cybersecurity.

James McQuiggan:

Not one person can save the world. It's a team sport and we need to make sure that we can get our users engaged and not hit them with that security fatigue.

JJ:

And you know, I was thinking, I love my analogies, and I was thinking about what else in life do we know about without having to know every single thing. And a couple came to mind: keeping yourself healthy and safe, and basic first aid. We're not medical professionals, we're not doctors or nurses, but we know the basic things that we need because we do a first aid course sometimes, or it's just something we're taught from a very young age and we take it through life. So if you've got awareness running already, if people are aware of red flags, if their critical mind and their individual thoughts and independent brains are working, they will be able to pick it. And if you've done nothing, that's where it's overwhelming. But if you're doing these things along the way, security fatigue can be avoided if we understand we can't teach them everything. It's more the little things that we can understand, and not to overwhelm the end user, because it can be overwhelming. Break it down to what's relevant to them, so that when something new happens, they already know the red flags to look for, and you're topping up their knowledge rather than overwhelming them.

James McQuiggan:

Now, we've been talking about users not being in cybersecurity, but in our discussions with Julie, we got on the topic of cybersecurity professionals. And we were curious about what skills future cybersecurity professionals need to have so they can be effective.

Julie Haney:

There's a lot of emphasis on building technical skill and not enough on building the business skill, building what we call professional skills as well. You know, that communication, how do you communicate to different audiences? What do people in an organization care about? How do you link security to other parts of the business? I also think of business skills as relationship building and our personal skills. How do you go about persuading people? That sounds slimy in some respect, but it is, it's about you're going in and you're persuading people. You're not trying to manipulate, you're trying to persuade, and hopefully you're trying to persuade them to do something that's good for them, that's good for the organization. So how do you go about doing all that? And so I think that we're doing a disservice to a lot of our security professionals now by not providing them that type of training, especially early on, because the computer science curriculum, the cybersecurity curriculum, does not focus on those aspects at all. It's all about the technical skills.

James McQuiggan:

I know from personal experience and as an educator as well, with the new cybersecurity professionals coming up, it's one of the things I share with them: it's not the aspect of tech, that you're going to learn definitely, but you want to be able to learn those core skills. Look at focusing on those other core communication skills. Public speaking, writing, it's not always about the technical. A lot of people think that, but it's important that they work on those core skills as well.

JJ:

Yeah, when I think six years ago, when I started in my journey of security awareness training, I was called the cyber security awareness lead, from memory. And now I'm seeing security culture, I'm seeing security awareness lead, those type of words coming into play, and they're not IT people. And the interesting thing is, and one element that I would say is, if we're talking about security awareness practitioners specifically, or those who are influencing that room, change management principles are key, which, if I've just jumped into Google and hit that search, is the application of a structured process and set of tools for leading the people side of change to an active and desired outcome. So it focuses on how to help people engage, adopt, and use and change something in their day to day work. So if there's one skill for those people in the world of security awareness training programs, understanding change management is critical. If you are an IT person in the world of IT, and you've been tasked with security awareness training, then step out and look in your organization and say, who can play in this world already? Who can I lean on and work with? Because this actually has nothing to do with cyber knowledge or tech skills at all. This is about people, and not all people in IT, and I say this with absolute respect, have those skills, and vice versa. And it's something we just need to, okay, we're different, but we know what we have to do, so let's make a change and make that happen. And yeah, communication is probably equal with change management, that's for sure.

James McQuiggan:

Yeah, and they go hand in hand, definitely. And as we talk about students, we wanted to gain her insights on what we can do to better prepare those students who are considering careers or coming into this industry of cybersecurity. And this is what she shared with us regarding formal education.

Julie Haney:

I'd be remiss, especially in my position, not to say that I think there needs to be more about the human element in kind of these formal education curricula as well. Like, I know that there's some computer science programs that maybe have a usability type course, maybe as an elective. Why is that an elective? If you are, you know, doing all these programming projects or designing all these products, why not incorporate kind of the usability and user needs and things like that into the user testing? And why not incorporate that? And just about, you know, all the things that we've talked about, people's relationships with technology, and trying to just understand them a little more. You know, not everyone has to work with people. Like, there's always people that want to sit in the corner with the lights out and, you know, just them and the computer. And that's great. And there's a place for them in cybersecurity. And we need those people, but we also need people that are people people, right? That can talk to people, that can relate, that can communicate. And so we need to give our professionals a taste of that. Um, so that they're at least thinking about it. They may not be experts in it, but they at least know that they need to think about it to some degree.

James McQuiggan:

Certainly when we look at an education, that human element is key, but also I think it'd be great if colleges and universities would be phishing their students. Uh, I think that is kind of something that is missed. Get that awareness in there, that security culture, that human element of all of it. It would certainly help them when they got into the real world; they were already familiar with it.

JJ:

Look, I go one step further and take it back to school and say it's like math. Treat cyber and digital citizenship as a topic where, by the time you're old enough to get yourself a social media page, it's normally 13 is the age, you should know all the pitfalls and issues and things to be aware of. When you leave school, you should know and already have been phished. In university, every topic talks about how to reference, how to write assignments; cyber life skills also need to be part of that. And to add complexity to it, when people say to me, oh, I want to join cyber security, my next question is, if you're a doctor and said you want to be a doctor or you want to be in the world of medical, I would say, what specifically do you want to do? There's so much in cyber security. And if your role requires human interaction, as in influence, change management, communication, then you need those extra skills. Otherwise, it's the ability to influence and understand. It is really, it's a complex issue when people say we don't have the skills in cyber. My next thing is, what skills are we looking for? Because they're there. We just have to actually look a little bit sometimes outside of cyber.

James McQuiggan:

We had a very similar discussion with Naomi Buckwalter in the last episode, dealing with making sure we've got the right skill sets mentioned and putting that out there. It's a matter of bringing that awareness to them of what the different roles are. We've both been in the industry a number of years, and we find that we learn from either errors, mistakes, failures, whatever it may be. And it's always something we like to find out from our guests. And with Julie, she shared with us her lesson learned with regards to the Human Center and her career.

Julie Haney:

So, still learning from the experience. But more about an unhealthy perception or attitude I had that I wish that I didn't, that I wish I had recognized earlier about myself specifically. So not, you know, not some of these unhealthy attitudes we have about users, but about myself. And so, especially, you know, early in my career, even into my mid career, feeling this sense of inadequacy. I think we call it now imposter syndrome. It is very prevalent in cybersecurity, especially among people that belong to groups that are underrepresented in cybersecurity. Women are one of those groups. So we think about kind of the abysmal percentage of cybersecurity professionals that are women today, and think about 25 years ago when I started. But I was not a, I would call myself not a deeply technical person. So I was technical to a certain degree, but I wasn't into operating system internals, and I worked with people that were into those, that were good at those things. I just never had an interest in doing that. You know, I liked my job fine; when I left, I left, I didn't want to do any more of it. And I always felt like I was behind, that I always kind of felt inadequate, that I didn't have all of this, you know, deep technical expertise that maybe a lot of my coworkers did. And so there was, you know, this sense of insecurity and all of that. And what I wish I would have recognized was that I should have been focusing on the gifts and the strengths and the talents that I was bringing to cybersecurity that maybe other people didn't have as much. So I, you know, I'm a decent communicator, you know, better in writing. I think I'm empathetic. I'm curious. Like I mentioned, I'm a root cause type of person. I'm service oriented. Like, I want to help people. I want to make a positive impact. I was bringing all of these good things into the field, but I was focusing on the things that I did not have.
You know, as I've become more, I'll say seasoned instead of older, you know, I've come to grips that there's always going to be people that are better at certain things than me, and that's okay. I don't have to be those other people. I don't have to compare myself. I bring my own gifts to cybersecurity. I am still an asset to the field of cybersecurity. And I think that there's a lot of people that feel this way. And I've talked with, um, several young people, undergraduates, or even like beginning graduates beginning their career, especially women, who feel very similarly. Like, yeah, I like computer science, but I'm not like that into it that I want to do it all the time, or I'm not deeply technical. Like, can I make it, you know, am I going to be any good in this? And just saying, look, you're bringing in other things that other people aren't having, you know. There's a lot of people that feel this way because maybe they don't see other people that look like them in cybersecurity, or think like them, or have the same major, right? We have a lot of people from, like, non-technical majors that are coming to cybersecurity and doing great things. Um, and so, you know, a lot of us feel insecure about that, but we are bringing our strength into cybersecurity. Cybersecurity needs all of that. There is a place for all of us in cybersecurity, but we need good communicators. We need people that are good at other types of problem solving and that are creative. And so I think that's kind of like the unhealthy attitude that I held on to for so long until I just realized, look, I belong here. And I can do something good in the world. I can contribute.

James McQuiggan:

We all contribute to cybersecurity. And certainly what Julie is doing is extremely commendable with regards to human centered cybersecurity. But imposter syndrome is a real thing. And I, you know, I know a lot of us deal with that, but she also brings it back around. And I love the fact about communicators. We need communicators. You'd be able to talk through, explain it, the non-technical aspect, explain it in a technical aspect. So yeah, that's what keeps us busy.

JJ:

Absolutely. I've always been between people and technology as that conduit between both. So I'd get angry at IT for just pushing things out and not considering the human. And then I'd get angry at people and users because they had no thought for what they were doing and how complex the world of IT was. So I was stuck between the two, which turns out I'm a good conduit between people and technology and vice versa. Anyone listening to this podcast who knows someone outside of cyber who's good at communicating, influencing, has those change management skills, has real passion to help, get them to listen to this podcast. I implore you to do so because they might actually shift their whole focus and move into the world of cyber and become a little bit more human centric in this world. And, uh, help the people. Definitely.

James McQuiggan:

And that's what we're all about is, is helping the people. But we also know that we're dealing with threats on a daily basis. And we wanted to see from Julie's perspective, what does she see as the biggest security threat to organizations for the next 10 years? And this is what she shared with us.

Julie Haney:

I wish I knew for certain; I'd make a lot of money. I will come in through my kind of human centered lens, and, you know, we talked about it already today. Social engineering, it has been an issue, it is an issue, and it will be an issue, and it's getting harder for people to detect. It's becoming more sophisticated. Now, you know, AI has been employed to generate these things. It's coming at us in all different directions: it's email, it's text messages, it's phone calls. Gone are the days, if we think about like phishing, like gone are the days where we had these very obvious phishing emails with spelling and grammatical errors and implausible scenarios where the Nigerian prince is asking me for help, you know. Like, those are history. Now, you know, these social engineering attempts are very targeted at us. They're very specific to our context a lot of times. It's difficult to discern whether or not this is real. So I think that's probably one of, that is going to continue to be a huge challenge, especially as we have these systems that can automate believable messages at a much bigger scale than we've ever seen.

James McQuiggan:

Social engineering, it's not going away anytime soon. And with the use of AI, generative AI, it's making the job that much easier for the cyber criminals, even for entry level script kiddies. It is going to make it a lot easier. As long as there are humans in control, we're going to be dealing with social engineering.

JJ:

Exactly. People often ask me, JJ, you know, there's so much to think about. Oh my goodness, I've got to check this and change my passwords and MFA and all these things. How do I avoid it? I say, get offline. Uh, and they said, well, I can't do that. It's like, well, this is if you choose to be online and you choose to be a digital citizen. We used to grow up with our doors open in our homes and no fear of people walking in. And as society progressed, now we have alarms. We have double locks and it's really hard to get into your own home. You can't just walk in. It takes you sometimes five minutes to find the keys to get into your own home. And it's the same with cyber. Um, we need to understand these things are happening. It increases our login times and access times. It's frustrating. But if you want to be safe online and have those digital life skills or cyber life skills, whatever you want to call it, that's what we have to do. Because in my opinion, we're two generations away from kids coming into the world with a mindset of how to be safe online and make those good decisions naturally. Because adults are making the same mistakes their kids are right now. It's not a negative. It's something we just need to accept, work with, and make the adjustments we need to. There's no doubt that over the last two years I've seen a big shift in people understanding that cyber security is a business risk, not an IT responsibility. And just that shift alone, James, I don't know about you, but that is making these conversations more palatable than they've ever been before.

James McQuiggan:

It is. It was a great chat with her and really glad that she shared a lot of information. Everything from how she got into computers with her computer science and what she's doing at NIST with her article "Users Are Not Stupid", but also looking at how to help the next generation. How do we even help our own current cybersecurity professionals dealing with security fatigue, and on that day to day basis dealing with imposter syndrome and getting the word out to our users and treating them with empathy. So yes, definitely an informative episode. We're glad to have Julie on and glad to have her as part of our Security Masterminds series.

JJ:

Very interesting from Julie today. Great session.

James McQuiggan:

So for myself, James McQuiggan, I want to thank my, uh, guest host today for joining me, providing her excellent thought leadership and insights, uh, into our guest's responses. So, say goodbye, JJ. Goodbye, JJ.

Announcer:

You've been listening to the Security Masterminds podcast, sponsored by KnowBe4. For more information, please visit KnowBe4.com. This podcast is produced by James McQuiggan and Javvad Malik, with music by Brian Sanishan. We invite you to share this podcast with your friends and colleagues. And, of course, you can subscribe to the podcast on your favorite platform. Come back next month as we bring you another security mastermind sharing their expertise and knowledge with you from the world of cyber security.