Security Masterminds
The podcast that brings you the very best in all things, cybersecurity, taking an in-depth look at the most pressing issues and trends across the industry.
Connect with us on our LinkedIn page! - https://www.linkedin.com/company/security-masterminds-podcast/
Security Masterminds
Human-Based Cyber Risk In Building Trust & Security For Organizations with Special Guest, Alexandra Panaretos
In this episode, Alex Panaretos bravely confronts the irony of trying to protect against what we don't know, challenging us to take an active role in building trust and security for organizations with a compassionate and humorous approach.
"You have to humanize yourself above the rest of the corporate noise. What are you saying that needs to make me pay attention?"
Alex Panaretos is a passionate sports broadcaster turned cybersecurity expert. She bridges the gap between the digital and physical world by connecting the intangible risk of cybersecurity to the emotions of her audience.
In this episode, you will learn the following:
1. How can humor be used to bridge the gap between security professionals and the general public?
2. What are the most effective ways to market security and behavior change to different generations in the workplace?
3. How can organizations assess the risk of malicious activities and assign a numerical value to them?
About Alexandra Panaretos
Connect with us:
Website: securitymasterminds.buzzsprout.com
LinkedIn: https://www.linkedin.com/company/security-masterminds-podcast/
KnowBe4 Resources:
- KnowBe4 Blog: https://blog.knowbe4.com
- Erich Kron - https://www.linkedin.com/in/erichkron
- Jelle Wieringa - https://www.linkedin.com/in/jellewieringa
- James McQuiggan - https://www.linkedin.com/in/jmcquiggan
- Javvad Malik: https://www.linkedin.com/in/javvad
- Music Composed by: Brian Sanyshyn - https://www.briansanyshynmusic.com
- Announcer: Sarah McQuiggan - https://www.sarahmcquiggan.com
This show's sound is edited by ProPodcastSolutions - https://propodcastsolutions.com/
ShowNotes created with Capsho (www.capsho.com)
And the one thing that I cannot tell security professionals enough is you cannot protect against what you don't know. Hello everyone. I am Alex Panaretos.
Announcer:Welcome to the Security Masterminds podcast. This podcast brings you the very best in all things cybersecurity. Taking an in-depth look at the most pressing issues and trends across the industry.
Jelle Wieringa Interview:Do you face the challenge of building effective and trustful connections between the people in your organization and your security awareness program? Alex talks with us and provides a solution to help you achieve globally applicable, locally relevant to bring about collaboration and understanding with the users in the organization.
Erich Kron Interview:Alexandra Panaretos has a passion for sports broadcasting, but her journey ultimately led her to a career in cybersecurity. She found a way to bridge the gap between the digital and physical world by connecting the intangible risks of cybersecurity to the emotions of her audience.
Announcer:This is episode 15, human-Based Cyber Risk in Building Trust and Security for Organizations with Special Guest Alexandra Panaretos.
Erich Kron Interview:All right, Jelle this is gonna be a very exciting episode, and I'll tell you, I really, really enjoyed the chat that we had with Alex here. It, it was a fantastic talk and I, I'm really excited about sharing this with our audience this month.
Jelle Wieringa Interview:I think it's gonna be a good one too. I, I too enjoyed the talk very much. She's a very intelligent woman with very clear mind on how to do security, and I think everybody in the audience will too.
Erich Kron Interview:Yeah, and we cover such a broad spectrum here about security awareness, even about sports, which I thought was really cool. And the sports thing comes into play because like so many of our other guests, she has a really interesting background and I always love getting the answer to this question. How did you get into cybersecurity in the security awareness and training industry?
Alexandra Panaretos:I believe I started about as far away from cybersecurity as you could start with, back in the late nineties, early two thousands in sports broadcasting. So I was working for local CBS and NBC affiliates, working sports broadcasts for the SEC with ESPN, Fox Jefferson Pilot, a lot of the other regional networks. Working on the graphics that showed up at the bottom of live sporting events. So when you are looking at the screen and trying to figure out if that was a two or three point shot in basketball, since that is the current season for most of the world, I was that person who was waiting for a referee on the court to tell me if it was a two or three with no pressure of hitting the wrong button. So that was where I started at that point, children happened, and married into the military. The base was having a lot of difficulty with military families and deployment information, leaking out sort of all of that non-classified intelligence and, and indicators that they try so hard to protect. And so this was really a social media was coming up through the younger population on the base and through a series of events I identified something on a Facebook page, which then led me to become one of the first military spouses at the time to go through the joint Information Operations Warfare Center Operations security management program. And then ended up helping the Air Force on a joint base, write an opposite guide for military families. Fast forward through a series of life events later and divorce the military. And a friend of mine from university and he had kind of been following what I'd been doing with this people aspect to cyber and we got involved in a conversation. He said, I really think you can bring an interesting perspective, so seven years later here I am preaching to the world about how people matter and really all the different ways that it is risk reduction and far and away as a whole. What I see with a lot of the people I work with is the focus is on the wrong aspect of people, process, technology. It was a great time because I think the skillset that I brought was the ability to tell the story, to bring that emotional connection to something that either had a physical distance from you or just was a piece of life you ordinarily would not connect with. So why were you going to listen to this story? What were you going to learn from it? Who was the hero? Who was the villain? what piece of information, could you glean from that? And so in cyber now, what I find myself doing is illustrating a story to build that emotional intrinsic connection to a risk that, for most people is very intangible. All of the risks we talk about, don't click on this, don't do that. The vast majority of our life right now is lived in a way that we can't see it or touch it. It's this digital space where we have no tactile association with what happens there. And so to build that bridge, you have to tell the story. You have to all of a sudden give someone that emotional connection to not do something or to change their behavior, to ultimately reduce risk, whether it's to them personally or to an organization.
Erich Kron Interview:I think that's really cool. From network sports to military and then of course the OPSEC piece, which being ex-military myself, OPSEC was always a big thing, operational security. And of course, even in my time as a civilian working for the Army, that was during that same kind of time where social media was coming out, there was a lot of misunderstandings about how much information about troop movements and stuff could be given away through just social media posts.
Jelle Wieringa Interview:She talks about organizations are focusing on the wrong thing and I think that's something we also see a lot, right? People process technology and organizations. Companies focus on technology first processes because they need to be compliant. And oh, hey, hang on. There's a people aspect there. I like the fact that she tries to turn that around by talking to her clients and going like, Hey, that human is important in your organization, is important to risk, is important to security in general. She does that very well, and I love the fact that she does it through storytelling. Storytelling is what can change our industry. It actually makes us the bridge towards security for the rest of the organization, and that's so cool.
Erich Kron Interview:Yeah, I see with the storytelling piece, it makes it very relevant to them. They're, they see themselves in as part of the story, which ironically is something that really helps shape behavior and ultimately what you want being a good, strong security culture. We asked her, how do you associate yourself with cybersecurity and learning in education and build trust with your users because trust is an important piece, right?
Alexandra Panaretos:So when it comes to learning and education, there was a point in each of our lives where someone had to teach us how to eat with a spoon, right? Fairly basic life skill that at some point in our life, someone had to take the time to teach us. Someone had to take the time to be patient, to clean up the mess because we didn't always hit our target. Someone had to be patient with us to make the food, to put it in front of us so that we could practice. And then eventually, for the most part, We all learned how to feed ourselves but at the end of the day, it's that similar illustration of we all had to start from that place of zero and someone has to be patient to teach you the basics of how you do something. They have to be alongside you when you fail. They have to be alongside you to clap and cheer, not literally. Although if you wanna do that, that's a great culture aspect. When things go very, very well and then you learn how to do it, and then you become a teacher in that area of where you are. What we forget is we have five generations in the workplace right now that all have a different understanding and trust level with technology. When you think about the older generations in the workforce, when you think about. Gen Xers like myself, and then you, you know, you go down to millennials, gen Z, et cetera. There were people who had social media profiles in utero. There were people who saw the invention of the microwave and they are all working alongside each other right now. And at no point did anyone in any of these generations sit down and say, here is how we operate safely in a digital world. And here's where the nuances of how to teach and build trust are formed. It's the language that you use. Because if I tell you, I want to show you how to keep yourself, your family, your children safe in their digital activity. That has a much different emotional intrinsic response than if I tell you, I'm going to teach you how to be secure because I can teach you how to be secure and you're still not safe. But if I can take that step back and teach you, these are all of the ways the connected devices in your home can pose a physical danger to you. You now listen and experience what I'm trying to teach you in a much different way than if I tell you here's how to secure your WiFI. It's a completely different conversation. It builds that relationship, it builds that trust because it doesn't matter what relationship you have in life, if you don't have good communication and somebody doesn't trust you, you will not be successful in anything that you do. And trust is built over time. So when people come to help desk, when people engage with security, There has to be a level of patience and I would rather take an extra five minute and show you the right way to do things, let you ask questions without making you feel ignorant or embarrassing you because you don't know and you're afraid to ask, and then build enough of a relationship where on a personal level or on a department level, you then go back and say, security took a great, you know, five minutes and walked me through the issue I was having on my computer that is going to stay with that person to where when they have some sort of potential malicious activity or when they've made that mistake, they are that much more likely to then engage with you and tell you something happened versus hiding it because they don't trust you of what you're gonna do with that information, how you're going to make them feel. Or what potential consequences or punishment could come out of admitting I made a mistake and I don't know what to do.
Erich Kron Interview:I like what I got out of this and, and something that we have to remember is that for a lot of us, especially in the security and these fields, technology is second nature to us. But it's not necessarily for people that are doing these other jobs, that's not necessarily what they've been surrounded by throughout their careers. And so it is an unknown for them. And so when we get into things that are so simple for us to do and we get frustrated that they're not at the same level yet, somebody had to feed us at one point in time. I always remember back to the first time I was at a DOS 6.1 screen and had no idea what to start with, right? That was a long time ago. Everybody starts that way.
Jelle Wieringa Interview:We chose technology that's inherent to our job and I made a conscious decision to want to work in technology with technology, but for the rest of the world that's not in IT or any other tech related job, it kind of snuck up on them. It snuck up on their personal lives and well, you have to deal with it. I've got a real big friend who's realtor and even though everybody in his office works with Excel computers and he still has just pen and paper and he's not going to ditch that because there's now fancy computer and he can do things much quicker. It's not that he doesn't want to, but he's used to pen and paper. He trusts in pen and paper way more than he does in the machine. I think that's something that we also have to realize and understand if we work with other people, we to them sometimes speak Russian or Chinese or whatever language you wanna make it, but they don't speak that language. It's foreign, it's a different language and then it comes back to us in IT to translate, to take into account that, hey, we know something, or we understand something that they don't. So it's onto us to make sure they do because otherwise things just won't work out.
Erich Kron Interview:One of the things we wanted to ask her too, because she's so very involved in this, is when it comes to a security awareness program. Did she have any tips or tricks for running a successful one within an organization? And this is what she shared with us.
Alexandra Panaretos:You have to humanize yourself above the rest of the corporate noise. What are you saying that needs to make me pay attention? And humor is a fantastic way to do that One of the best campaigns that I have run came along with the tagline."Finally, something security wants you to click on." And it was so tongue in cheek because for the longest time we've told them Don't click, don't click, don't click, don't click. Well, now we're telling you to click. Hang on. Is this a trick? Number one? So that always gets eyes. And then number two, it's, wait. These are people, they're poking fun at the impression or, or the way that I think that they are. And that's your bridge. How can you design things? How can you interject your messaging where it's not expected? You know, I wish we would stop using the term awareness. It's not awareness of an issue, it's applicability and relevance. Is this relevant to me? If it's not, I tune it out. Parenting 1 0 1. So how do you get your audience if you have a large group of people in a building, if you're not fully remote, find unusual real estate. And I will many times say in the la vatories you have spaces on the back of doors, you have a captive audience. That's where you put things that people need to read, not drive by messaging in a hallway that or a campaign. If you're doing what we would traditionally call an awareness campaign, that tagline, better be less than seven words, because if it's not, I'm not paying attention to it. You have six seconds to get my attention, and if you can't do that with an image or with an unexpected placement, you've lost me. So we have to market security. We have to market behavior the way most companies market a product. How do I get you to buy and use what I'm selling?
Erich Kron Interview:That's interesting. I actually like , one piece out there that really stands out to me is having the short little taglines, it's something that does kind of come up and I, I love the captive audience idea of the restroom., we can learn a lot from the safety folks,, especially in manufacturing areas and things like that, and how they brought safety into the culture of organizations over the years, through these kinds of campaigns, through signage, through constant reminders of this sort of thing. And that's what it makes me think of when we're talking about doing campaigns. And that's not always, something that's natural for technologists.
Jelle Wieringa Interview:Well, she talks about humor and that's actually, it's the perfect weapon for us cuz humor actually has an impact on the brain. Basically, your brain is searching for patterns all along and it loves doing that. So humor, it kind of takes the attention of the brain goes like, Hey, come on, this is fun. This is something that excites you. It releases neurotransmitters. So, it has a actual effect on you. And once you get that brain to go like, Hey, this is something I need to pay attention to, then you switch from information processing and you get an emotional response. And that's what you want. Because that's what intrigues people. That's when you capture your audience, is your attention. So humor is, I think, in our line of work, one of the most powerful tools out there.
Erich Kron Interview:I, I think it's, it is a great tool, but it is one that we have to be cautious with. So we know that it's important to have leadership driving a lot of these programs, or at least showing that they're fully committed to it. So I wanted to find out what was the best way she thinks to get upper management commitment for security awareness programs, and this was her thoughts on that.
Alexandra Panaretos:Can you tell your story five different ways? Because what's important to the CFO is not gonna be the same lens of what's important to a CISO. It's not gonna be the same lens of what's important to a board. It is not going to be the same lens of what is important to factory line worker 12. So can you take., the who, what, when, where, why, how, and adapt that to the audience who will be listening. What is important to them, and this is where research comes in handy. Every department, every single one, I've yet to meet an organization that does not have their human version of Google. If you don't know who to talk to, go to Jill. If you don't know who to talk to, go to Abdullah. There's always that person who knows something and is the great connector within the organization. If you don't know where to start, go to that person you feel comfortable with and say, I need to do this. Who would you recommend I talk to and do your reconnaissance? What is a business priority that I can tie this activity to? What is a business goal that I can tie the need to make this purchase to? And then go answer those questions. Who is affected by this? What are we doing? Why are we doing it? When are we doing it? How are we doing it, et cetera. And then from there, assign a risk and put a number to it. If we don't do X, the likelihood of this sort of compromise happening has a potential impact of fifteen million dollars. From a CFO's perspective I now have a number to associate with an activity that I can then look and say, risk benefit analysis. Does it make sense? And then the conversation becomes, if we don't do this. I need you to understand that you are now owning and accepting the risk of not doing it, and as soon as you have that responsibility and accountability on the table, the conversation changes. Now, there's a lot of times where they'll say, we can't give you a hundred thousand dollars, but we can give you thirty. Okay, great. Then you go back and say, of my 10 priorities, what can I do quickly to demonstrate ROI and then come back and say, I did this. Now I need X Again, it's that story. Put them in this center of a situation and say, if we don't do this, we might be on the ticker of global news one day, and it's probably not an if, it's a when in how bad. And then say, here is the cost. Here are, if you're dealing with vendors, here are three vendors with a matrix of how much it's gonna cost and the benefits of each. If we do nothing, this is a potential risk, consequence. Outcome. Are you willing to assume ownership of it. It's a different conversation.
Erich Kron Interview:This is something that, that we've talked about for a while. I did years ago, I was on a panel at RSA about this and communicating with leadership, but it's a good point. They do speak different languages and it's something that we don't always think about is it's not one common language for every person in that room.
Jelle Wieringa Interview:I speak to many CISOs and one of the key things they all tell me is that understand who you've got in front of you and what their role is and what the impact is of what you're doing on that role and on that position that they have. And yes, they do speak different languages. We all work at the same company. We all wanna make the business thrive, but we all do this in our own way, for our own department, for our own role. And that's where you have to diversify and understanding all of these different business roles and languages that are associated to it. That's key to getting commitment from upper management.
Erich Kron Interview:I agree a hundred percent. So when it comes to awareness, you know, we talked earlier about awareness not necessarily being the key. It's gotta be relevance, it's gotta be that kind of thing and it's gotta be a goal of ours, not just to make people aware, but to change their behavior. So I wanted to find out from her, in her experience, what was the biggest struggles about changing people's behavior And this is what she told us.
Alexandra Panaretos:So I would actually argue that people still don't understand what awareness is. I have to have conversations that it's not posters and sunshine and handing out Swedish fish for a fishing tournament. It's not kindergarten, snack time. And in a corporate realm, that's not what awareness is. Awareness has had an identity crisis where it was misnamed from the beginning. Awareness was intended to be, how do we notify people of a risk? So that they don't do something. It always stemmed from risk reduction and behavior management. It just was never articulated clearly because you can't put feelings into a black and white world and get the same outcome every time. And in order to connect the dots of risk, action, consequence, you have to see the dots. And awareness was built to help people see the dots. Security has failed in connecting them. We've told people about hundreds of thousands of different risks they might encounter, but we have not connected them to the activities in their daily life to where there is motivation to change. Or to continue doing what they are doing. Security has failed at the story of how to safely navigate the digital world we're in, and it goes back to again that primal instinct. If my house is on fire, I can see flames, I can smell smoke, those senses of protection and survival are activated. We have not done a good job of how to activate those senses in an operational world that we can't see. We can't touch, we can't smell. So we have to build those connection points. We have to build those emotional ties to the material because if I tell you, using the same password on everything is a bad idea. Uhhuh.. Okay, mom. Thanks. See you. Great. When you make me sign on to the same thing 18 different times, guess what I'm going to do? It's the same password. Exclamation 0.2, exclamation 0.3, exclamation point. Have we really made anything more safe or secure? No. But if we take a step back and say, if all of your devices are operating on the same password, and I use the illustration of the home because your home is something you can instantly visualize. If every single lock and window in your home is opened by the same key and you give everyone, you encounter that key, can you sleep safely at night? Because your doors and windows are locked. Hang on a second. What do you mean? Passwords are the keys to your information. They're the keys to access. They are your privacy, et cetera. So if you are using the same key for everything, do you feel safe now of a sudden they can visualize in a different way what you are trying to tell. In a world they can't see.
Erich Kron Interview:So I something that stood out to me. There is the emotional ties to the material. And I think that's why I'm such a fan of our Inside Man series, because you actually grow an emotional tie to that material and it stands out. I think that's why that type of education and training is so popular. It brings people into the story itself.
Jelle Wieringa Interview:Yeah. Making the intangible tangible and connecting it to something that you, you really well, you care for. And I think that's when security starts to matter with people. If they start caring for it, if it goes from a rational thing into an emotional thing that motivates people. It's an intrinsic motivation. It gets from extrinsic to intrinsic real quickly. And that's what we want. That's what we want to achieve. We need to start doing this more and more. And let's face it, that's difficult to do. It's hard. It's the hardest thing to get to weave into your story, to get that emotion in there and make people care.
Erich Kron Interview:I think it's especially hard if we're not purposeful with what we're doing, and that's something that we oftentimes don't look at, is we're, we're not purposeful about what we're trying to accomplish there. So I think with a little bit of effort, we can start moving that a little bit more, and I think that'll make a difference. Now, another challenge we always have when it comes to this is, Cultures, especially in organizations that are spread across, different parts of the globe. Now, I did ask her, I wanted to know within these global organizations, what is a recommendation for working with these various cultures in the different countries around the world? And this is what she had to say.
Alexandra Panaretos:So that's where you go to what I affectionately call my crowd sourcing and focus groups. Where when I'm working with a global organization, I always have two or three people and I make sure that they are very different people, different generations as well, different genders, religions. You pick a category, I make sure that I don't have two people that are similar. And I put it in front of them and I make sure to show them imagery without text. What do you think when you see this? Is there anything that you would recommend? I change then text alone, then the image and text together and I pay attention. I then also take it back home and put it to my 17, 15 and 12 year olds to see if I get a snicker or if I get an eye roll or whatever it may be like, oh mom, stop. But that is a good way to at least say, I did my due diligence. Make a friend in human resources. Because there is always a cultural sensitivity person on that staff who can say, this is a concern. We might not be able to use this in X place. Can we have an alternative? And in general, honestly, I think that's good guidance for life even we're not talking about security. Is when you're posting something, when you're saying something, if I don't have context for it, and all I see is a picture without a caption, or all I hear is a snippet of a sentence, because we're seeing this more and more and more without context, do I now have a different impression of what you are trying to convey? And if that's the case, you wanna make sure that whoever is eventually going to publish this, sign something that says, I did review this and I approve, because you might need that email later. But you've also put it in front of multi-generational, multicultural people across your organization to say, this isn't a tunnel view of this particular humor or topic. It's not always perfect, but you try to hit the majority most of the time.
Erich Kron Interview:That's awesome. Put it in front of other people. Ask them to look at it out of context sometimes, cuz it's amazing when we're close to something we don't always see the other stuff out there.
Jelle Wieringa Interview:In Europe, we have many, many cultures, many different countries here, and I have to present in all of them. It's our job to figure out what makes people tick. And culture is an important part of what makes people tick. Yes. The focus group. I love that. But it's also about just some self-study study up on it.
Erich Kron Interview:Yeah. You know, and we've talked before about the difference between translation and localization when it comes to things, because sometimes you just gotta throw out the whole thing when it comes to translations, it just is not gonna translate well. It's gotta be in a more local type format. And I think that's an important distinction that people need to remember when dealing at the global level is it's not always just about translation. Talking about the people side of things, I was kind of wondering, knowing that human risk and attack vectors are prevalent to our users, are people really all that bad at cybersecurity?
Alexandra Panaretos:I believe people on the topic of cybersecurity, information, security, whatever your variation on the term is, people as a whole know much more than we give each other credit for. Everything that we are trying to do for an organization, for an individual to keep them safe and secure, boils down to very basic, simple activities. We make life harder than it should be. And that goes for a lot of things that we do in life. And so many of the issues security teams face, so many of the issues organizations face could be solved in a five minute conversation. And we have to stop being afraid to talk to each other again. There is a beauty in connection that has been disconnected. We were more connected as a world when the phone had a wire than when we became wireless. And I think the opportunity to connect offline, to connect, to write a handwritten letter, to be intentional with our time is something that has been lost. And is ultimately the key to our success in both protecting ourselves and the company that we work for. Go back to the basics, relationships, communication, and trust. The rest will come when those three are solid.
Erich Kron Interview:were connected more as a world when our phones had cords. I think that's actually pretty interesting the way that we put that. But what this means is we start building relationships with people that we really don't know. And unfortunately the internet, it doesn't allow for very good identity and access management. So these people can pretend to be whoever they want to be, and of course that can be a problem in the long run.
Jelle Wieringa Interview:Yes. I, I think it's true. The internet in its current form and identity don't mix very well. It is simply very hard to figure out who the other person really is that you're communicating with. And this is taken advantage of by a lot of scammers. And I agree with Alexandra that people as a whole know much more than we give them credit for. The thing is, how do you help someone to make this knowledge actionable? And the trick to this is to teach people how to behave correctly. Giving a certain situation, take fi phishing, for instance. Most people know what it is, and they know how they should behave when they encounter a phishing email. But that knowledge alone doesn't guarantee that they will apply this knowledge when the time comes. It's a combination of knowledge and actual behavior that counts.
Erich Kron Interview:One of the other things we're asking, I mean we're talking about all this stuff, but is it kind of making a difference? So what I wanted to find out was, did she see that users or people are embracing cybersecurity more than before?
Alexandra Panaretos:I do. And I think the legitimacy that came, unfortunately with the pandemic accelerated that. I joke oftentimes, and I wish I knew who to attribute this quote to because it is a perfect illustration "that security and drug dealers are the only people who refer to their customers as users." and it's the perfect illustration. We are working with people. People who will behave differently moment to moment, day to day, based on anything from how much sleep they had to how much caffeine they had to what other competing priority is front of mind for them. When you put a face to something, you look at it differently. It's no longer I'm going to talk to the help desk. It's, I've had a great experience with Eric. I'm not sure what to do here. Let me reach out to Eric and see what he says. You've built a relationship. You've built a communication channel that did not exist prior. And the one thing that I cannot tell security professionals enough is you cannot protect against what you don't know. So knowing you are having people circumventing security control X because it's impeding the workflow, there's an alternative to be found. There's always an alternative to be found . But are you listening to the people that you are designing for? It goes back to ux, ui, all of these user experiences. Am I making your life harder or am I blending into your daily work to where you don't even know that I'm there? And the organizations who have been able to not only improve their understanding of the business, but integrate seamlessly into business operations are some of the most secure.
Erich Kron Interview:I think we're making progress here too, but I liked her point about not calling people users and perhaps, maybe we can make a concerted effort of not calling people, users. I do like her rationale behind that and the comparison to drug dealers. That's kind of an interesting one.
Jelle Wieringa Interview:Also, she's talking about shadow IT in this? So IT, that is happening down deep in the shadows because basically the IT department isn't enabling the business. And that often in my experience, starts with not listening, not understanding what the business needs. And it's all to do with empathy. In the end, it's all to do with relating to the business, in this case, to your customer. That might be a better word, your customer, because you always want to make sure that your customer is king. But shadow IT is actually very dangerous in organizations because it's uncontrollable. And often I see IT lashing out to the business going like, hang on, you're not allowed to use that tool. You're not allowed to use that software because we haven't tested it. We don't know if it's secure. There's so many reasons why you wouldn't allow it. But the question that we often forget to ask is, okay, but why are you using it in the first place and how can I enable you by supplying you with something that does the same thing and allows you to do your job very well? That should be the first question, and after that, well shadow IT will slowly disappear on it's own and you don't have to have all that negativity and, IT is an enabler. They're our customers. We want our customer to feel and be king.
Erich Kron Interview:You're right. What is it that we haven't provided that's making them go out and do this sort of thing? You mentioned a word in there, which is empathy. And it's one that we actually asked her about where empathy should rank for a cybersecurity professional and this is what she thought.
Alexandra Panaretos:I think it starts with you. Each of us in our roles at work have a department or a function that we absolutely dread in any capacity having to touch. It's human nature. So looking at yourself, what frustrates you in your role? Is there too much bureaucracy and you just can't get something done? Are there too many steps, too many approvals to get something done that are redundant? Look at what you do and how can you improve your process? How can you improve what you're doing just in your own role, and then extend that to the people that you immediately work with? If it's a particular team, if it's a particular leader, if it's a business function, how can I improve what we are already doing? I jokingly say change starts at home, but that's where it starts. What frustrates you, because I promise you, you're not the only one in the organization frustrated by that. And then you look at the other side of the coin and go, this is probably how much of our organization feels about us. And sometimes we really don't like looking in that mirror.
Erich Kron Interview:It is definitely something that we need to think about and consider.
Jelle Wieringa Interview:I used to work for a CEO and he had , one rule. And I still operate by that today. It's like, treat others like you want to be treated yourself. He did understand how you want to treat your customers. He did understand what service looks like and what service levels look like and how you can make other people feel as if they're being treated well and how would you like to be treated? When are you satisfied? When are you happy? And keep that in mind when you talk to other people. When you deal with other people. It's the number one rule for sales reps. Listen more than you talk.
Erich Kron Interview:Yeah. I've found that it's, it's not always about even agreeing with other people, but a lot of times people just want to be heard and they want to know that you've heard their complaint, even if you don't change things because of it. I found that that's a key thing that sometimes we overlook. Well, this has been a fascinating discussion with Alex and I gotta say, I learned a lot of things I hadn't really thought about across the board, and her perspectives are so unique. If you enjoyed this episode, please be sure to like and subscribe to this in your favorite podcast platform.
Jelle Wieringa Interview:Like many other guests, she, she's talking about how communication has become so important to our role. It's important to not only understand the technical side of cybersecurity, but nowadays you need to be able to communicate with the business with people and that is something that is new to a lot of cybersecurity practitioners out there. And it makes me wonder what's next for our role? What skills are the future skills that we need in order to stay successful in cybersecurity? Where is our field evolving to? Maybe we can tackle that in the next episode.
Erich Kron Interview:If there's a topic you'd like to hear about, reach out to Jelle or myself on LinkedIn and let us know what you'd like to hear, maybe who you'd like to hear from, and we can work towards that. Thank you for joining us. Thank you for your time. And Jelle say goodbye Jelle.
Jelle Wieringa Interview:Goodbye Jelle.
Announcer:Coming up on our next episode of Security Masterminds,
joanna_burkey:You could give the CISO all the money in the world. It's not going to ensure that the right things happen, so we more and more are becoming that enterprise ambassador to articulate and push for what governance needs to happen across the entire enterprise.
Announcer:We invite you to join us with our special guest, Joanna Burkey CISO for HP. You've been listening to the Security Masterminds podcast sponsored by KnowBe4. For more information, please visit knowbe4.com. This podcast is produced by James McQuiggan and Javvad Malik with music by Brian Sanyshyn. We invite you to share this podcast with your friends and colleagues, and of course, you can subscribe to the podcast on your favorite podcasting platform. Come back next month as we bring you another security mastermind, sharing their expertise and knowledge with you from the world of cybersecurity.