Security Masterminds

Measure, Grow, and Strengthen Security Culture

January 14, 2022 Kai Roer Season 1 Episode 2

The second Security Masterminds guest is KnowBe4's Chief Research Officer Kai Roer, who founded CLTRe in 2015 to accurately answer the question, "How do you measure security culture?"

In this episode, Kai explains what got him interested in culture and what we can all learn from it, how we can measure our security culture, and what steps can be taken to strengthen and grow it.

We examine the journey organisations are taking along their ABCs: awareness, behaviour, and culture.

Kai Roer:

I called the culture plastic. What that means is that it is malleable. It changes. The only constant of culture is that it changes. Culture contains behaviors. Keep in mind that when we're talking about behaviors, we are not only talking about your specific behaviors in front of your computer, clicking or not clicking on that phishing link or whatever it is. We are talking about what you do in the context of what you are doing, and that context is cultural.

Erich Kron:

Hello, and welcome to Security Masterminds, the podcast that brings you the very best in all things cybersecurity, taking an in-depth look at the most pressing issues and trends across the industry. I am Erich Kron.

Jelle Wieringa:

And I am Jelle Wieringa. We are your hosts for today's show. And in today's show, we're going to talk about security culture, a powerful tool that organizations use to influence their security posture. It's a topic that for the last years has grown in popularity; more and more organizations are looking into it. We're now talking to Kai Roer, who is the Chief Research Officer here at KnowBe4. He was also a co-founder of CLTRe, an organization dedicated to helping organizations worldwide in assessing, building, and improving their security culture.

Erich Kron:

Well, that's awesome, Jelle, and I'm really excited about our guest today. Security culture has definitely become a forefront issue in organizations. In the last few years, it's really made a difference in how people look at their organization and understand a little bit more how security permeates. So I want to get right into it. I asked him several questions about this so that we could learn a bit more. The first one I asked him is: how do you define security culture?

Kai Roer:

If you use the term cybersecurity, then obviously this tells us that it is about the technology. Over the past 10 years, and especially the past five years, a lot has been changing, not only in the industry, but also on the academic side of things. So for example, we've seen a huge amount of non-technical people being hired into security positions, especially to take care of the awareness, the training, and the culture side of things, which is awesome, because with those new people come new perspectives and obviously other biases. But with those new perspectives, we are challenged in the ways that we have been doing stuff. And then we need to come up with better ways of doing stuff going forward. And that is huge progress.

Jelle Wieringa:

I actually love that, because we're all about people, processes, and technology, and the people side is far too often forgotten. So the fact that security culture focuses on this people element is just enormous.

Erich Kron:

Yeah. I find that a lot of times as practitioners, we kind of get in the weeds in technology and forget about the other side. Now, we are familiar with policies and procedures, but building a culture is a whole different thing. It's really a human-based approach to things, which I think many times we don't necessarily even want to take on, but I think there's a lot of benefits to it.

Jelle Wieringa:

I think the benefits are immense. People are the most precious resource for any organization. People are there not only to be protected, but they can actually protect the organization itself. They can be a valuable asset in the security posture of any organization, but you have to train them. You have to make sure that you cultivate the right security culture. And that's not the easiest thing to do, but it's great to hear Kai talk about it and educate us more.

Erich Kron:

I also asked Kai, because Kai's been in this longer than anyone I know. He's been focusing on security culture, and that's not to say there aren't others that have been in longer, but he's the one that, whenever I think security culture, I think of Kai, and I think of it for years in the past in a very formal way of doing it. So I asked him, I said, you know, you've been doing this longer than anyone else I know. What got you interested in this? And this is what he had to say.

Kai Roer:

What made me interested? Well, you know, 15 years ago, give or take, I was deeply involved with working security at multinationals out of Norway, and one of the challenges we saw was the human side of things: the people, the employees, we generally neglected. Then of course, some of us were clever enough to realize that giving them an annual one-hour compliance-based training was just to keep the lawyers happy, and to start figuring out what we can do to make the people actually secure the company instead of, you know, just doing the job.

Jelle Wieringa:

I like that. It's people that secure the organization. Involving people, that's just about everything we need to do in order to make organizations safer.

Erich Kron:

Kai has taken it to this new level, and his love, apparently, of doing things in a very scientific manner shows through here. So the next question I had for Kai was this: what can we gain from knowing more about our security culture?

Kai Roer:

What can you learn from culture? You can learn so much. One of them is the biases that every single one of us has, as I was saying. You know, the challenge with culture, if all you see is your own culture, is that you never see culture. You are so embedded in it that you don't even realize your own ways, your own thought patterns, your own behaviors. So one of the benefits for organizations that start looking into security culture and organizational culture is that they get insight into what they actually do. They get to uncover those unknowns, those blind spots, by uncovering all these areas that we take for granted to such an extent that we don't even think about them. By uncovering them, we have to start thinking about them. And then we discover that, oh, maybe that blind spot over there, maybe we should actually be doing something with it, because if we don't, that is like a [inaudible] directly to our organization. So uncovering the stuff you don't know is obviously a very quick win, but another thing is that by knowing your culture, you are able to put in place controls and programs to take you into the sort of culture you want to have. Right? So if you don't know the culture you have, how do you know if it is the one you want? Another benefit of looking into the culture of your organization, if you're using the same way of measuring and describing it, so a common definition, for example, is that you will also allow yourself to compare your culture against other cultures. So, for example, if you're a bank, I'm pretty sure that your board and the executives want to know if they are doing better or worse in security culture compared to their peers. Right? And if you are a country, I'm pretty sure you want to know: how is my government doing? How are the critical infrastructure services doing? What about the educational sector, which in our measurements has traditionally been doing very poorly? Do we see any change there? So that's another thing you want to know when it comes to culture: does it evolve? And if so, does it go in the direction you want to go?

Jelle Wieringa:

So we're all about data-driven security, a data-driven defense here. So measuring to improve, knowing where your blind spots are, knowing where your weak spots are, and then figuring out how you can address those. That's the cool thing about culture. Culture opens up a whole new vector of looking at your security. We're so used to looking at technology as the provider of metrics and data and statistics for us that if we only look at that side, we kind of disregard everything that goes on with the human layer in security. By involving culture, by looking at how people are behaving, why people are behaving in that way, we broaden our perspective immensely. And that's a really cool thing about security culture.

Erich Kron:

Yeah, I think one of the things that's been missing in the culture discussions is a way to measure this. It's a key part of it that we're just getting into, where we can actually measure this in a meaningful way. And as he mentioned, we can compare ourselves with other organizations. We can do things like that. But you're right. You know, it is such a key part of an organization that has honestly just been somewhat neglected, as was mentioned. But I think by being able to measure it and look at it, we're going to be able to improve it. We're going to be able to look at things, and like he said, see some of the blind spots we may have as an organization. Once we start measuring things, we go, oh wait, I didn't realize we were doing so poorly over here. It's kind of like what we get with the simulated phishing attacks, where you send those and you go, man, these people can't wait to click on stuff that's related to, like, free food. Right? We have a problem here. If you can identify that with your culture, that's going to be very powerful.

Jelle Wieringa:

Yeah, we're kind of at a crossroads here, where as an organization you can choose to involve all the insights you get on your human layer and make sure that you can add them to the decisions you make on your security. That's something that wasn't possible five years ago, when all of the security culture surveys weren't there; you weren't able to get all of that input and all of those insights. But today you are. So it acts as a great thing to increase security in your organization, taking into account both the technology side and the human side.

Erich Kron:

Yeah, absolutely. I agree with you 100% there. So one of the things also that we notice a lot within organizations is, if you want to make changes to things, you typically have to have upper management support. It can help in a lot of ways. And I've been in positions where the upper management wasn't necessarily a hundred percent behind things, and then it was so much tougher, even just getting technology in place, getting budget for things. I think it's getting better in security. But I asked Kai, I said, how much upper management support is needed, or does it impact or shape the culture of an organization? And this is what he had to say about upper management support.

Kai Roer:

I come with facts. So let me answer your question with that. There is a very recently published research paper by distinguished researchers, including Stephen Furnell of London, and I would be happy to share this so you can share it with the listeners to the podcast. It lists the factors that most often are regarded as important to build and maintain a cybersecurity culture. The first one is top management support, leadership, or involvement. So basically the most important, and this is academia, and similar to the industry. Academia has had a tremendous surge in research over the past five years, which means that we today know stuff that just five years ago we had opinions about. And yes, I used to have opinions too, but now I can support them by facts. But yeah, leadership support and driving it from the leadership is crucial. And for my American friends, I can give you two examples. One is an insurance company in the Nordics, so that is Northern Europe. They have been doing security culture and trainings for a great many years, and their CEO and president is running it. It doesn't mean that he does it every single day, because he has a team doing that, right? You see? So, which is amazing, and his team that he's built there. But the point here is that the CEO goes on stage and on the video cameras and everywhere and talks about the importance to their organization that cybersecurity is, and this is top-level engagement. Okay. Now, they do very well when it comes to cybersecurity. How do I know it? Well, I may have measured their security culture. Now the second example is also a Nordic company, and it is multinational, but in a different sector. In this company, they have, just like the first one, an amazing CSO, or acting CSO, because he doesn't even have the title; his title is IT director. And we've been working with them just as long as with the insurance company, but the results are very, very different. And so basically they actually reduced their security culture score over a couple of years, which is not really nice. And of course we want to know why, and the simple answer is lack of leadership engagement. They don't even answer the security culture survey. They do tell their employees that it's a good idea to do so, but they don't do it themselves. And that sends a kind of strong signal. So yes: leadership, academia, and practitioners agree. Leadership matters.

Jelle Wieringa:

And I definitely agree as well. Leadership is crucial for building a good security culture. And let's face it, leaders have the final responsibility when it comes to the risk that they want, or their risk appetite, in their organization. So it's in their best interest to include a healthy security culture, to build a healthy security culture; it's in their best interest to reduce the risk to the organization. They have to see that their users are the most precious, the most valuable resource within their organization. So on the one hand, you want to use those users to build your security posture. On the other hand, you want to make them feel involved, because you don't want to lose them. You want to retain them. Security culture offers this to the C-level. It offers a way for the C-level to engage with end users, to engage with their employees, make them feel wanted, but also at the same time give them an active component in the security of their organization.

Erich Kron:

That's a really good point. A lot of people don't necessarily realize that security is everybody's role, and we've got to get past that. So accounting, marketing, they all have a role in security, whether we like it or not. This is the modern world. It's not going anywhere. But unfortunately, there's still kind of the mindset out there in some places that says, if the company doesn't want me to go to this website, they would block it. And that's a sign of a bad security culture when they think like that.

Jelle Wieringa:

It is, even if you're looking at physical security. Think about the receptionist who sits at the entrance of a building. Physical security is just as important as digital security. So things like tailgating, things that happen right in front of the eyes of the receptionist, they need to be involved as well. Every level, from the receptionist all the way up to the C-level, where the C-level takes its own responsibility and understands what cyber risk and physical risk the organization has, so they can make the right decisions to mitigate that risk. If they don't understand cybersecurity themselves, how can they make the correct decisions in accepting risk and looking at risk appetite for their organization? It's crucial that they're there, it's crucial that they participate, but it's also crucial that they're advocates for security culture, for security in general.

Erich Kron:

Yeah. And that means openly demonstrating that they're doing the same things that they're asking other people to do, as opposed to just saying it. Kind of like he said, you can say something, but if you don't do it, if you don't follow up, if you're that person that says everybody needs training in the organization, but then you're the first one to say, I'm too busy for it, you're demonstrating that it's not really that important. And I think that has more weight than just the words that somebody says.

Jelle Wieringa:

It's truly all about leading by example.

Erich Kron:

Yeah, absolutely. I would agree with you on that. So as we continued our discussion here, I asked Kai: what is most misunderstood about security culture?

Kai Roer:

So I think it is very important to look at security in a complete way. Right? Security does not exist in a vacuum, just like your organization does not exist in one. Which means that looking at security should not only be an internal kind of exercise. It needs to also take a look at external factors, on a policy side or a cultural side, but also threat actors. And the same is true internally. If you treat security just as, yeah, it's technology, or yeah, it's policies, or, oh, we had a breach, let's do something, it's not really important what we do as long as we document what we do, or internal controls or governance, as some refer to those activities. If you do just that, and only one of those things, well, that's not really going to help. But those things need to be pieces in the complete machine, just like training, just like assessments, just like working with your culture, just like setting goals, just like knowing where you are today, comparing yourself to your peers and figuring out: are we happy with this? Can we accept this risk, or do we need to mitigate it somehow? And if so, how do we do it?

Jelle Wieringa:

Security is like a puzzle. If you have a missing piece, it's not a complete puzzle. It simply doesn't work as it should. It doesn't look the way it should look. And security is just like that. You can focus on one thing and neglect the other thing, and it simply will leave you exposed.

Erich Kron:

Yeah. And one of my big takeaways from that was that it is part of the bigger picture. It's not a standalone thing. Security culture is not a standalone thing. It permeates every part of your organization: security, how you do your day-to-day tasks, all of that. We can't treat it as just, you know, this is the thing that we do on Tuesdays. Tuesdays, we have a good security culture; the rest of the week, we're just focused on doing other things. It's gotta be every day, in everything you do, all the time. It is part of that bigger picture.

Jelle Wieringa:

Well, it definitely shouldn't become like Patch Tuesday, right? Where we just focus on it on that one day and be done with it. That would be a disaster. Security culture is like any other culture. It should be interwoven into everything, into the fiber of your organization, into what you do, what you stand for. Only then will it be truly successful. The beauty about security culture is, and you already talked about this, it's a tangible thing you can actually have. You actually have tools to implement security culture, to measure it, to make it work. It's a framework. So it becomes something that you can actually attain. You can actually get to that point where you can control and manage your security culture as an organization. That makes it very powerful. I do see that that's one of the points that is very much misunderstood, because, hey, it's not something that's as easy as switching on a device and, hey presto. A culture takes time. You need to cultivate it. Cultivation takes time, takes effort; it's blood, sweat, and tears, but it is something that, if you do it right, offers so many benefits for an organization.

Erich Kron:

Absolutely. And something I've noticed about organizations as they build their security culture is it's tougher to get the ball rolling in the beginning, to get everyone going in the same direction and this kind of thing. But once that's happening, once the organization has a strong security culture and people are doing things in secure manners, they feel it in the organization. When you bring on new employees, the first thing they're going to do is look around and say, what's expected and what's accepted here? And by having other people doing things with security top of mind, that's going to automatically bring them into the fold much, much faster. So the hard part is getting the ship in the right direction. After that, the payoff for that is huge. And it's a lot easier to maintain.

Jelle Wieringa:

Basically, the way is to start working on security culture right now. It's definitely not as hard as you think. And every step, even if they're baby steps, they're worth something in this.

Erich Kron:

Absolutely. So I asked him, you know, this kind of came back to the why put effort into this. And I asked him, given the crazy increase in cybercrime, especially email phishing, which we all know is kind of the number one way that initial network access typically happens in cyber attacks, how does a good versus bad security culture help? And this is what he had to say.

Kai Roer:

When it comes to the difference between organizational culture and the quality of that culture, so a bad or good quality culture, we have done some very fascinating research. What I get to do is to look through numbers, and not only on culture or awareness; we also have data on behaviors, right? So we see what kind of behavior the specific employees have. And we also have this cultural reporting data on those same employees. So one of the things my team did, I think a year ago, was to look at how organizations with good security culture compare to organizations with bad security culture when it comes to sharing credentials. Right? We know that if you, Erich, type in your credentials in a phishing email, the hacker wins; they own your inbox. And with that, they can make stuff. So basically we don't want you to share your credentials with the hacker or anyone. Instead, we want you to stop before, or discover that this is an attempt to trick you before that happens. Now, in a good organization with good security culture, roughly one out of 1,000 phishing emails were successfully harvesting credentials. So that's one out of 1,000 phishing emails. Now, I believe that that is awful. I mean, that's really, really bad. It's still one out of 1,000. How many emails do you receive every single day? Maybe not as many phishing emails, but still, it's huge. So this is something we need to improve. But the somewhat goodness, or the badness, is that if you have a poor security culture in your area, it's no longer one in 1,000 emails: the level of successfully harvested credentials is one out of 20 phishing emails. That is immense. And when you also know that it doesn't take that much effort and training and investment to lift your organization from poor into at least mediocre, where the numbers are already halved, I mean, start there. Or actually, the very neat thing is to start by measuring your security culture, so you know if you have a poor culture or a mediocre one or a good one. But never stop; you will never be perfect.

Erich Kron:

With respect to the good versus bad and strong versus weak: I'm really used to using the term "a strong security culture," but it really made me think about the fact that, yes, you can have a strong security culture in a bad way, where people are not going to move. This is their horrible security culture, but it's very strongly embedded in the organization that this is how it's done. As opposed to that, I would almost rather see, you know, a security culture that's weak and bad, because you could change that more than you can a strong, bad security culture. Ultimately you want a strong, good security culture so that it's harder to change the way that works. In other words, it can stay longer as a good one with less work. I think with the weak ones, you're going to have to put a little bit more work in doing it. I love the fact that he mentioned mediocre, because we're not always going to hit the end game, but like he said, it doesn't take that much to get to mediocre, and that's an improvement over one in 20 by any means.

Jelle Wieringa:

Yeah, it's a bit like security awareness training, where we focus on training people with new skills and then giving them exams in the hopes of changing their actual behavior and becoming more secure. To your point, I don't really care if people fail the exam, as long as they actually showcase secure behavior. The exam is part of the whole. It gives them an achievement, and it's an important part of what we do. But in the end, it's all about behavior. It's all about actually keeping us safe.

Erich Kron:

All right. So I asked Kai to give us the top three things you can do to actually improve or influence your organization's culture, make it a little bit more on the good side, even if it's just towards mediocre, and this is what he had to say.

Kai Roer:

So there are never top three things, because these things vary depending on who you are, where you are, the industry you are in, and what kind of maturity you have. But let's just, for the sake of argument, say that you do nothing. Then you start by assessing; you need to figure out where you are today. And there are a number of ways you can do that. Obviously I am biased, so I will suggest to you that you run the security culture survey and also do some behavioral testing, like for example phishing assessments. But if you don't measure anything yet, that's where you start, because you need to know where on the map you are. And then you can use the same kind of metrics to figure out how I can describe the future state where I want or need to be, because only when you use those kinds of same terms will you be able to measure that you actually got there. So if you're not doing that, that's where you start. When you have done measurements, then put in place regular follow-ups and trainings. Today we live in 2021, which means that there is a broad catalog of training content available around the world, not only from KnowBe4 but from everywhere. It's a huge opportunity. Now, more importantly, in 2021 we can do something called automation, and automation means that you normally need one specific person to run full time just to adjust your content and stuff to the needs of your organization. Instead, you can let the system do that by setting up some parameters. And then, for example, something that happened to me some time ago: I accidentally was tricked into clicking on a phishing link. And then automatically I was assigned to some training that taught me how to avoid that specific kind of phish in the future, because it was a very specific thing that I got hooked on. And because I got trained only on that thing, because I didn't need the other stuff, I actually enjoyed it. I didn't get bored. I didn't get annoyed by having to do all these kinds of trainings that were not relevant. So automation is the second tip, and third, learn from your peers and share your results. We are in this fight together. This is not something that you have to do by yourself, and by sharing what you do and what you experience and the results, and learning from the others, we as an industry can grow together, and that, I believe, is really where the impact is.

Jelle Wieringa:

I love this about Kai. He gives down-to-earth practical advice on how you can actually do this. It's a three-step program, basically, on how to get started with security culture. You measure, which is right. You need to know where you stand today in order to know where you want to go and to figure out what you want to do and how you do it. You put in place follow-ups to that, automation being something where you can make it easier, more effective, and more powerful. And that's good, because you, as an IT admin, already get thousands of emails a day that you have to analyze, and you as a user already get a bunch of different trainings that you have to do. And he mentioned a very powerful word as well: make training fun. If people don't have fun, if it's not relevant to them, they're not going to be motivated to partake in a security culture. So that's a really powerful thing to do, make sure that it's fun. And then lastly, he said, collaborate. Well, we in the security industry should collaborate on anything, because otherwise we're losing the battle here. The cybercriminals out there have the resources, have the time that we don't have, resources that we don't have. We do have each other. We do need to collaborate. We do need to share our experience and make sure that we learn from one another and don't make mistakes that others already made. So we can basically do better.

Erich Kron:

Yeah. The measurement part, I think, is a very overlooked piece of a lot of security programs, especially when you're starting out. So if you don't have something quantitative down and you're just doing kind of qualitative, "Oh, I think we do okay here, I think we do okay there," that can be a big challenge for folks. And the way that I thought about this, when we're talking about measuring and security culture, is you don't want to waste time on things that are already at an acceptable level. In other words, some organizations already have a good security culture around the physical side of things. They know to lock the back door after they've taken the trash out, they know to question people that don't have a badge on, and that's all good and great. But if you continue to just focus on that, you're probably not going to make huge improvements. If you do an assessment and you find out, you know what, we're already really strong in this, but we're really lacking in something else over here, you can then put your resources towards those things that you need to get a better security culture with. And the one that's already very good and strong isn't going to need as much babying. So it helps you focus your resources on things that are going to make the biggest difference in the organization. And I think, again, that's a big thing we miss, where people don't measure what's going on within their organization.

Jelle Wieringa:

Yeah. And on the other end of the spectrum, measuring where you stand today also prevents you from becoming overconfident in your skills, where you basically have a false sense of what you can do as an organization. Figuring out where you actually are today makes sure that you, well, as you said, focus on the right things.

Erich Kron:

How many times in the years of doing the security awareness side of things have we heard that leaders are like, no, no, my company is pretty good? And then we do a phishing assessment and they realize just how bad it really is. That can be a real eye-opener.

Jelle Wieringa:

Oh, yeah. Yeah, definitely. That happens a lot. It's actually fun, but.

Erich Kron:

Yeah, only sometimes if you're not on the other end of things.

Jelle Wieringa:

Oh, yeah, that's true. Yeah, but from our perspective, it can be fun to see that, but it is true. You do see a lot of organizations where leadership, and that's, by the way, one of the reasons why leadership should be involved, is such an important part of the organization, both as the advocate for security, but also as a primary attack vector for cybercriminals. That's why they would be valuable to the organization: they have a lot of information, a lot of access to information. They need to be able to protect themselves.

Erich Kron:

All right. Well, I've learned so much in this episode, hearing from Kai, and it always leaves me with new things to think about. If you had to sum up the conversation today, what key points would you pull out?

Jelle Wieringa:

The most important thing is: if you haven't started managing your security culture yet, start doing so today. It really gives you a benefit. It's not as hard as you think; there are tangible things, real practical things you can do. So that would be the first one. Another thing that stands out to me is the impact of having a good versus a bad security culture. It's immense. It is such a reduction in risk to your organization if you work on a properly good security culture. There's really no reason not to; actually, it's a benefit all around. And the third thing that stood out to me today is that there's a lot that we can learn from security culture, in the sense that if we only look at our own organization, if we're stuck in that little bubble and we don't look outside of the box, we don't do justice to security. There's so much we can learn from how other people look at security culture. How do people build their security culture? That's where the collaboration part comes in. Look at other organizations, learn from them, pick the right things for you, and just go do it.

Erich Kron:

Excellent. And on those awesome, inspiring words, we'll go ahead and close this out. You've been listening to Security Masterminds, episode two. Remember to subscribe and leave us a review, and if there are things that you want to hear about, let us know as well. So until next time, folks, bye for now.