Security ABCs Part 2: 8th Layer Insights and the Quest for Security Culture
Perry Carpenter: Hi. I'm Perry Carpenter, and you're listening to "8th Layer Insights."
Perry Carpenter: As I mentioned last time, today's episode is all about security culture. And so I've been thinking about it a lot. And understanding security culture's always been really important to me, but there's something that happens whenever you're writing an article or preparing for a presentation or putting a podcast like this one together. There's something that happens where that central idea tends to preoccupy your thoughts. And even when you aren't consciously thinking about the concepts, ideas are percolating in the back of your mind.
Perry Carpenter: So I guess I shouldn't have been surprised when thoughts of security culture began invading my dreams. They've been getting pretty weird. This last one that I had was the strangest. You see, this concept of security culture, it's like a mystery to people. It almost has a sense of wonder and a mythology around it. It's this thing that people talk about that they can't quite define. And in this dream, I think my mind took that idea and just ran with it.
Perry Carpenter: It was like I was living in a combination of a Dan Brown novel like "The Da Vinci Code" and an Indiana Jones movie. And I was on the hunt for this ancient artifact, something that was said to be a cross between a cipher and an idol. And this artifact would give people the power to understand the mysteries of security culture and more. It would give them the power to shape the very social fabric of their organization so that security values were woven into it.
Perry Carpenter: And like any other Dan Brown thriller or Indiana Jones adventure, I wasn't the only person on the hunt for this artifact. No, there were dark forces at work; shady organizations and global cabals that wanted this power for themselves to suppress it. So as part of this adventure, I was racing against the clock, traveling around the world, running through museums, exploring subterranean catacombs and ancient forgotten temples trying to locate this artifact before it fell into the wrong hands. And all the while, out of the corner of my eye, I swear I kept seeing this hooded figure pursuing me. But then every time I turned to look directly at it, there was nothing. It's like I was being chased by a ghost.
Perry Carpenter: And so here's the end of the dream. This was right before I woke up. This part was almost like an exact mirror of the opening scene of "Raiders of the Lost Ark." I'm trudging through this ancient temple, somehow managing to outwit booby trap after booby trap. And after encounters with spiders and weird, squirmy things with tentacles that I'm still trying to forget - so many tentacles - and then finally before me, shrouded in a shaft of light, was the artifact. It's really hard to describe, but if I had to, I'd say that it looked like a cross between the Rosetta stone and one of those big heads that they discovered on Easter Island. But also in certain parts, there were these inset areas that looked like they had cylinder ciphers embedded in them.
Perry Carpenter: Anyway, I snatched up the artifact, and that's when everything starts going downhill. I'm not sure what I did wrong, but I knew it was time to run. And just like in that Indiana Jones movie, there was this big boulder that started rolling through the tunnel behind me, threatening to crush me if I slowed down at all. And then all of a sudden, I'm out of the temple, into the sunlight, and I trip over a clump of tree roots. I plant face down, getting this really awful taste of the forest floor. And as soon as I get my bearings, I realize that I'm surrounded.
Perry Carpenter: There was this group of people in dark robes all around me holding various weapons. And then, one of the figures steps forward out of the circle and starts speaking. And I recognized the voice. It was the voice of Carl (ph), my sound engineer, trying to sound like this over-the-top movie villain. And he said, Dr. Carpenter. I cut him off. I said, Carl, what's going on? And you know that I don't have a doctorate. But you know, Carl. That doesn't stop Carl. He continues. He said...
Carl: As I've had to say in the past, zip it, podcast boy. Just go with it.
Perry Carpenter: OK.
Carl: Shh. I shall start again. Dr. Carpenter, again, we see there's nothing you can possess which I cannot take away. My buyer has been extremely anxious to get his hands on this. And you - you need to learn how to better cover your tracks. Seriously, you've been spilling clues all over the internet; posting pictures of your travels on LinkedIn, Twitter and Facebook, checking in on Foursquare. I mean, seriously, who even uses Foursquare anymore? You, sir, are pathetic.
Perry Carpenter: It all gets murky from there, but the last thing that I remember is Carl prying the artifact from my hand.
Carl: I'll take this.
Perry Carpenter: And then I woke up in a cold sweat. And now, I've got this podcast to do. And honestly, I'm having a really hard time looking at Carl over there in the sound booth happily drinking a Slurpee and doing whatever Carl stuff Carl always does. But I guess we need to keep going.
Perry Carpenter: And because that kind of magical security culture artifact doesn't exist, that means that we need to unlock the mysteries of security culture in whatever other ways we can. And so today, I've invited a few people to help. We'll be hearing from David Sturt, Kai Roer, Dr. Jessica Barker and Michael Leckie. Let's dive in.
David Sturt: Well, I think at a high level, there's just a lot of research that's been done over the years, and yet culture is still fairly ambiguous for a lot of people.
Michael Leckie: In a world of increased complexity and increased pace of change, I think we've realized that we have to respond to that in a much more human way.
Jessica Barker: Take a more human approach.
Kai Roer: One of the challenges with security culture is that it combines two abstracts. It takes culture, which everybody knows, but very few knows (ph) how to actually pinpoint it...
David Sturt: It's a bit amorphous. It's hard to wrap their hands around. It's hard to figure out how to see it and measure it and improve it.
Kai Roer: ...And it takes security, which again, everybody sort of knows but that - it is a lot of different things. So bringing these two together then becomes even more abstract.
Jessica Barker: Have a culture that is more focused on moving forwards rather than looking backwards.
Michael Leckie: Transformation is a capability that an organization builds, not a process or a project they go through. There has to be a capability. And that capability is the capability to transform or change.
David Sturt: It's helpful to look through the lens of the employee.
Michael Leckie: It's not just about the process of the machine anymore, it's about actually the people in it.
David Sturt: And looking through that lens of the employee is really where we've spent a lot of our time and energy. And I find it's pretty insightful.
Michael Leckie: Behaviors change beliefs and not the other way around.
Kai Roer: A security culture can be defined as the ideas, the customs and the social behavior of a group and how those things influence that group's security.
Jessica Barker: Think about the values and the norms that an organization has and how those potentially influence behavior.
Michael Leckie: People don't change their beliefs. They have to have a reason to.
David Sturt: We all want the same core things, even though every organization has its own different personality and its own culture.
Michael Leckie: How do you change behaviors? For me, the simplest behaviors to change are the questions you ask.
Perry Carpenter: On today's show, we seek to unlock the mysteries of security culture so that we can measure it and shape it for the benefit of our organizations and our people. Stay with us.
Perry Carpenter: Hi there. My name is Perry Carpenter. Join me for a deep dive into what cybersecurity professionals refer to as the eighth layer of security - humans. This podcast is a multidisciplinary exploration into the complexities of human nature and how those complexities impact everything from why we think the things that we think to why we do the things that we do and how we can all make better decisions every day.
Perry Carpenter: Welcome to "8th Layer Insights." I'm your host, Perry Carpenter. We'll be right back after this message.
Perry Carpenter: Welcome back. Today's episode is Part 2 of our series covering the ABCs of cybersecurity. Last time, we covered awareness and behavior. And that leaves culture for today. This is also the last episode in Season 1 of "8th Layer Insights." My current plan is to be back with Season 2 in mid-December, so stay tuned. But for now, let's get into security culture.
Perry Carpenter: In November 2019, the company that I work for, which is a company named KnowBe4, commissioned Forrester Consulting to evaluate security culture across global enterprises. I'll put a link to the study in the show notes. It's actually pretty eye-opening. What Forrester did is they conducted an online survey with 1,161 respondents who all had managerial duties or higher in security and risk management. And the study found that 94% of respondents said that security culture is important for business success.
Perry Carpenter: So these security leaders know the value of having a strong security culture, but here's the thing. There was no agreement as to what a security culture actually is. In that study with 1,161 respondents, there were 758 unique definitions given for what security culture is. And what Forrester did is they broke these into five different categories based on the general message that was in each of those definitions.
Perry Carpenter: So here's the breakdown. Twenty-nine percent of respondents believe that security culture is compliance with security policies. Twenty-four percent said that it was having an awareness and an understanding of security issues. Twenty-two percent said that it was a recognition that security is a shared responsibility across the organization. Fourteen percent indicated that it had something to do with establishing formal groups of people that could help influence security decisions. And the last one - only 12% said that a good security culture meant that security was embedded into the organization. And respondents in this category made statements like, we put security in high regard throughout the company.
Perry Carpenter: Now, you probably know where I fall in with these definitions. I believe that the 12% of those who indicated that a good security culture means that security is embedded throughout the organization should get the gold star. And this was the smallest group.
Perry Carpenter: Eighty-eight percent of the other respondents had a different, more shallow understanding of security culture. And that means we've got a lot of work to do in making this understanding of security culture the de facto understanding. The study also found that security leaders are overconfident that they have a good security culture, and that's not good. Overconfidence means that they believe that they've got it. They've got a semblance of security in their mind, and yet they're leaving themselves extremely vulnerable.
Perry Carpenter: So here's the phrase that I've said for years - a security culture already lives and breathes in every organization. The question is really, how strong, intentional and sustainable is that security-related aspect of your organizational culture? And what do you need to do about it?
Perry Carpenter: There are already embedded security-related attitudes, beliefs and values and social norms in every organization. Our goal is to be intentional about how we pinpoint and measure security-related aspects of the culture and how we intentionally shape those aspects. And that means that we have to be proactive about security culture management. And we have to understand how that can become part of your larger organizational culture management initiatives. Ultimately, you want security beliefs and values and behaviors and social pressures woven all throughout the fabric of your larger organizational culture.
Perry Carpenter: So today, to help us get there, to help us have a better understanding of all the nuance involved in this, we have four guests. Two of those four guests are experts in organizational culture management and culture transformation initiatives, and our other two guests are recognized experts in security culture. So hopefully, as we try to synthesize ideas across these two disciplines, we'll come away with some practical insights. And so now let's go on a journey together. Let's explore and unlock the mysteries of security culture.
Jessica Barker: Awareness, I really see as the foundation.
Perry Carpenter: That's a voice you'll recognize if you listened to our last episode. That's Dr. Jessica Barker. Jessica is the co-CEO of Cygenta, author of "Confident Cyber Security" and co-author of "Cybersecurity ABCs."
Jessica Barker: This is about helping people become more familiar with cybersecurity, become more aware of the threats and the behaviors that you want them to engage in. It's then about following through on that awareness and encouraging people to behave in the way that you want, which isn't just about raising their awareness. It's also about making sure they've got the tools available to them, that they understand how to use those tools, that they are practical, that they are applicable for people.
Jessica Barker: And then it's about the culture that that operates in. For culture, I think it's interesting to draw back to organizational culture and think about the values and the norms that an organization has and how those potentially influence behavior. So the three are really interrelated to one another. For some time in cybersecurity, we focused a lot more on awareness, and I think there was a perception if we could just help people understand more about the threats, then we'll have solved the human issue. But of course, it is so much wider than that.
Perry Carpenter: Our next guest, Kai Roer, has been studying security culture since way before it was cool to do so. He is the creator of the Security Culture Framework and was the founder of a company named CLTRe that specialized in the scientific study of security culture. In 2019, the company that I work for, KnowBe4, acquired CLTRe. And Kai now serves as KnowBe4's chief research officer. As a result, Kai and his team get to play in the world's largest security culture data set.
Kai Roer: I think one of the challenges with security culture is that it combines two abstracts. It takes culture, which everybody knows, but very few knows how to actually pinpoint it, and it takes security, which, again, everybody sort of knows, but it is a lot of different things. So bringing these two together, then, becomes even more abstract.
Perry Carpenter: You have a working definition for security culture that you found useful in your work. What is that definition, and are there any interesting things about it that make that particularly useful?
Kai Roer: Security culture can be defined as the ideas, the customs and the social behavior of a group and how those things influence that group's security. This is a fairly simple and usable definition if you are a practitioner. It's easy to understand OK, ideas - that's something to do with the heads of people. Customs - it's all those things you do, but you may not actually realize you do them. And the social behavior is a key word here in the sense that it's the behavior that people put on in this particular group or at your organization where they work and all those three elements that influence the security not only of them individually, but also of their organization (ph).
Kai Roer: So this definition can be used to set up and drive and manage a security culture program. But from an academic perspective, it is not narrow enough. It's not detailed enough. Which is why we, a few years ago, came up with a different definition, which is more detailed or, from a practitioner perspective, more abstract, more, you know, removed from their reality.
Kai Roer: This academic definition consists of seven different dimensions. You have attitudes, you have behavior, you have cognition, you have communication, compliance, norms and responsibilities. Why did we need to break it up into these seven dimensions? It is because by doing so, we can look at academic research and look at what research tells us about measuring each one of those dimensions. And then we bring it all together and create a definition of security culture.
Kai Roer: Now the challenge with this detailed definition is that it's much harder to relate to as a practitioner, which is why I believe we also need the other definition - the customs, ideas and social behavior. But even that definition, it requires cognitive energy to digest it. So I actually think we should be aiming for an even higher-level definition that more people can relate to and understand, oh, yeah, of course, that's security culture. And then we can use that one to drag them in and start discussing, what does that mean to you and your organization? How can we apply that?
Perry Carpenter: What do you think the connection between security culture and organizational culture is? And does that fit within the definitional boundaries somewhere?
Kai Roer: Yes. So there is only one obvious answer here, and that is that security culture is a subset of organizational culture, which by itself is a subset of regional culture - or in your country, state culture - and then country culture and then in your and my case, Western culture. In other people's perspective, it may be part of Japanese culture, Southeast Asian culture. It may be Confucius kind of influenced culture.
Kai Roer: But each of these things are in a small group. That group is usually part of a bigger group, which again, is part of a bigger group. And all of these cultural artifacts are shared to some extent between those or through those layers, if you like.
Jessica Barker: It's about the kind of organizational culture you have in general. In cybersecurity, we could be learning so much more from fields that have done the work for us. We can take the learnings from those disciplines and apply them to be more effective.
Perry Carpenter: So we've spent some time talking about the complexity and defining what security culture is, but I think we can all agree that it has to do with security-related values and beliefs and behaviors and social norms that are embedded in a larger organizational culture. Security culture and organizational culture are inexorably linked. And that's actually good news for us because, as Jessica points out, we can learn a lot from other fields that have already done some work for us. And guess what? There's a field with a ton of great research and process around organizational culture management and transformation. And that brings us to our next two guests - David Sturt and Michael Leckie.
David Sturt: My name is David Sturt. I'm the executive vice president of The O.C. Tanner Institute. We do a ton of research on workplace culture. I've had a chance to speak to over 35,000 HR business leaders around the world. I write a regular column in Forbes and written a couple of books and just have a real passion around culture and helping people build thriving workplace cultures where people - you know, it brings out their best work and where they have some real meaning in their work.
Perry Carpenter: David, what have you learned over the past few years of studying culture?
David Sturt: You know, I think at a high level, there's a lot of research that's been done over the years, and yet culture is still fairly ambiguous for a lot of people. It's a bit amorphous. It's hard to wrap their hands around. It's hard to figure out how to see it and measure it and improve it.
David Sturt: And what I found is that it's helpful to look through the lens of the employee, somebody who joins an organization and has certain expectations around what they hope it provides to give them the best chances for success. And looking through that lens of the employee is really where we've spent a lot of our time and energy.
David Sturt: And I find it's pretty insightful because it's true for an entry-level hourly employee and it's true for the CEOs or board members. We all want the same core things. Even though every organization has its own different personality and its own culture, there are some common elements that we all need and want to work in a thriving workplace culture.
Perry Carpenter: Have you identified what those elements are?
David Sturt: Yeah, we found six things that appear again and again. First is around a shared sense of purpose that's meaningful. And people want to have a connection to that purpose. Second is around a sense of opportunity. We know a lot about what happens when people feel blocked from opportunities. It causes them to go elsewhere. It creates levels of frustration, and so a sense of a healthy opportunity and not a bunch of impediments in front of those opportunities - not just to move up in an organization, but to grow and develop in their ability.
David Sturt: The third is around success. People just need to feel and taste success in their lives. It's important, and that needs to be at a smaller level, like at the job level, at a team level and then all the way up to the organization level. Feeling like they are actually making a difference and that there's progress is vital to a healthy culture.
David Sturt: The next area that we find that people really need is a sense of appreciation, a sense that they're - the work that they do is valued, that it actually matters, that it does, in fact, make a difference and that people know they're appreciated. And when they choose to dig deep and bring the - their best work and add some of that discretionary effort to their work, that it's, in fact, appreciated and valued.
David Sturt: The next one is around well-being. People need to know that their organization cares about them as a whole person and not just as a unit of labor.
David Sturt: And then finally, last, but I think one of the most important, is leadership - a connection to leadership, that leadership is really about a shared endeavor, a shared responsibility and that people have a voice in their work and their organization.
David Sturt: And so those six areas are dimensions of culture that we found are really a framework that is a healthy framework for evaluating culture. And if you get good at those, you have a significant advantage over other organizations that don't pay attention to those.
Perry Carpenter: OK. Hopefully, you're starting to see why these kind of conversations with people outside of the cybersecurity domain can be really, really helpful - because they give us different ways of looking at the world that we find ourselves in.
Perry Carpenter: And so just to recap, those six pillars that David mentioned are purpose - so people need to feel a sense of purpose; opportunity - they need to know that they can succeed and that they can thrive, which brings us to the third one - success. We need to be able to make people feel successful. And then after they're successful, we need to appreciate. Appreciation is No. 4. We need to show them that what they do is valued, that it matters, that it makes a difference and that others know about it. And then well-being, that the organization wants to take care of them and they're not just a worker bee - they're not just a cog in the wheel. And then the last one is a connection to leadership, this idea that everybody is the same, there's a shared responsibility across the organization.
Perry Carpenter: I hope that you can see how that maps into the way that we might approach this from a security perspective. What are people's purpose? Are we giving them a real opportunity to be successful? Are we appreciating them when they are? Do we have the systems and processes in place that can help people feel successful? Do we appreciate them well when they do the right thing? And then, do we take care of them when maybe they stumble a little bit and we show that we care about them, they're not just about - it's not just about when they're doing the right thing. It's about picking them up when they've done something that could hurt them because, ultimately, the organization that everybody works for is a collection of people. And then this last one, leadership, is really, really important. We need to make sure that our leaders are espousing the same values, that they are appreciating people and that they are conveying the shared sense of responsibility.
Perry Carpenter: All right. We'll come back to these in just a few minutes, but let's first hear from Michael Leckie.
Michael Leckie: Hey. This is Michael Leckie, author of the new book "The Heart of Transformation: Build the Human Capabilities That Change Organizations for Good."
Perry Carpenter: OK. Michael, can you give us just a little thumbnail sketch of what the book is about? What's the purpose and the feel behind it?
Michael Leckie: Basically, what I'm looking at is in a world of increased complexity and increased pace of change, I think we've realized that we have to respond to that in a much more human way and that it's not just about the process of the machine anymore. It's about, actually, the people in it. So I start with saying that transformation is a capability that an organization builds, not a process or a project they go through. There can be processes or projects associated with it. But there has to be a capability, and that capability is the capability to transform or change.
Michael Leckie: And so a couple of points that are kind of key about the book - first one is behaviors change beliefs and not the other way around. And I've been in my entire life - in a professional life looking at organizations trying to change and shift and build culture. And it always starts with, this is who we are and our vision and our values and our why and our hows and all that sort of stuff, which is great. It's really good stuff. But we kind of get to a point where we say, and that's it. Let's just say the new belief system, and then everyone will, you know, get on board. It just doesn't happen. People don't change their beliefs. They have to have a reason to.
Michael Leckie: And so if you change behaviors, though - if you try out behaviors that are actually maybe a little bit misaligned with your beliefs or assumptions, even if you're not aware you have those assumptions, that's what can cause you to start to see them and to start to question them. So once you can see and question some of those assumptions, you might shift some beliefs. If that happens with enough people in an organization in an aligned way, then a culture shifts because a culture is merely just a set of beliefs that we share that we operate under, right? So that's one of the big premises.
Michael Leckie: And then it says, well, OK, how do you change behaviors? For me, the simplest behaviors to change are the questions you ask. And so if you ask some questions that are ones you might not normally ask, that are ones that might lead you to identify and then assess or reassess some of your own assumptions, that is a great behavior set to use to start to create change in yourself, which is asking different questions and then having a way to reflect upon what you heard and how that worked for you and what happened. And you can do that individually of yourself, you know, with others in a group at scale, whatever you want to do.
Michael Leckie: And so those are the two major premises of the book - right? - what culture is and how to change it and then what the behaviors are that drive the change. And then all throughout the book, I have six different capabilities that I explore.
Perry Carpenter: We'll be right back after the break.
Perry Carpenter: Welcome back. One of the things that you'll find whenever you start studying anything amorphous like culture is that people begin the definition process by listing attributes of what that thing is or what that thing is not. So guess what. Yeah, you'll be hearing a few more lists today, and I think that that's useful. These lists essentially become levers or guideposts for us.
Perry Carpenter: In just a minute, we'll get to Michael Leckie's six capabilities. But before that, let me throw another list at you. This one comes from organizational management and culture consultant John R. Childress. He has a book called "Culture Rules!" that I'm pulling these from, and I'll put a link to the book in the show notes.
Perry Carpenter: Here's what I think makes John Childress' list useful for us. I think we've all heard that Peter Drucker quote that culture eats strategy for breakfast. We've probably heard it so much that it just feels trite. It's still true. It's a great quote, but people are numb to it. And I think that John Childress' book has a ton of great new quotes that are just as powerful seasoned throughout it that people haven't yet become tired of.
Perry Carpenter: The quote that really drew me to this book was, "you get the culture you ignore." And that's so true. If we aren't actively working on our culture, it will drift. And that drift, for most organizations, probably doesn't favor security.
Perry Carpenter: Here are a few more principles from that book. This is Childress' 10 Core Principles of Corporate Culture. Principle 1 - every organization has a culture. Principle 2 - culture impacts performance. Principle 3 - culture can be a significant business risk. Principle 4 - culture works on human logic, not business logic. Principle 5 - organizations are shadows of their leaders. Principle 6 - cultural drift. Principle 7 - policies drive culture more than we realize. Principle 8 - you get the culture you ignore. Principle 9 - there is no perfect corporate culture. Principle 10 - leaders and employees change cultures, not consultants.
Perry Carpenter: Hopefully, that list provoked a few thoughts. If it did, then I encourage you to check out the book "Culture Rules!" so that you can get the full details. I'll put a link in the show notes.
Perry Carpenter: Now let's turn back to the interview with Michael Leckie. We're going to explore a few of the behavior-based questions that he has within the book and then turn to his six capabilities. After that, we'll move to David Sturt's six pillars, and then we'll end off today by talking about how we can measure security culture using seven different dimensions of culture.
Michael Leckie: When it comes to these questions, these behaviors that are questions, what I really start with is giving them some questions to use. There's 30 - 31 of them, actually. There's a bonus one in one of the chapters. But I also talk about how you ask the questions, the tone or assumptions you have to make - so how to best deploy them.
Michael Leckie: So maybe a couple of questions to give you an example - the one I call the keep digging question is, what's your third-best idea? I've used this in groups a lot where people are coming in. We're trying to solve a problem. So, OK, what do we think? You know, what's our best idea here? So we'll say, well, that's this. Great. What's our next best idea? Oh, well, we could do it this way, which is usually just a bit of a knockoff version of the first best idea. Great. What's your third-best idea? Hold on. Then they have to think it through.
Michael Leckie: But it's the kind of question that keeps people going and not just giving you the surface answer or the easiest answer, which is what they often do. It really pushes. It also creates a habit of saying, let's just not stop with the first thing that comes to mind. Let's actually push through and dig a little bit deeper.
Michael Leckie: Another question might be something like, what's the worst that could happen? This is kind of the put-a-name-on-your-fears question. So we'll be saying, oh, well, we can't do that. Why? Well, it could all go wrong. OK. So what could really go wrong about it? How bad could it be? Oftentimes, I find as a consultant using that question, people walk it through, and it's like, yeah, there's actually not a really big danger to trying this, except I might look wrong or like I don't fully know everything. It's like, OK, so is it important to you to never be wrong and to know everything all the time? And that's the first time people come face-to-face with, yeah, it kind of is. And that's really not going to help me to learn or to be a learner or to grow. If I have to already know everything, I just spend time kind of defending my position.
Michael Leckie: One of the questions I have in there is, what's the cost of staying safe? - which is interesting because if you're in a security space, it's like, that's the whole reason for what we do, you know, staying safe. But there are some costs for that, as well.
Michael Leckie: I mean, there are processes or things that we put up. And I think that, you know, what I've started to learn - and this certainly is your field so much more than mine - but that security is an intensely human subject nowadays. It's not just about the passwords or the level of security or brute-force attacks. I mean, it's really about - it's getting through to the human beings. And most people that are able to hack into something are hacking through finding a weakness in the human element or a way to get information that people don't realize they're getting information that might be, you know, what allows them into the system.
Michael Leckie: So when I think about what the cost of staying safe is, there's a number of ways to look at that. One of the costs of staying safe is you never grow and learn and innovate. But the other is to kind of look literally at what the cost is. The cost to stay safe is we have to invest more in people's understanding of how unsafe happens.
Perry Carpenter: So we need to be willing and able to ask these kinds of questions and have thought-provoking quests that help us uncover what may be hidden truths or motivations or constraints. Can we quickly shift gears and run through the six capabilities that you cover in your book?
Michael Leckie: Yeah, sure. So the six capabilities - I put a name to them, but these are not things we haven't seen before. So exploring before executing is simply saying, are we continuing to execute on yesterday's great idea that's not so great anymore? Is the idea still as good? Is the decision still as good? So it's not saying you stop executing on your plans or your strategies. It's just saying that you kind of wake up in the morning and have that question in your head of, is there something that's no longer true today? And if so, what might that be, and how might I find that out before I just kind of blithely go along? Learning before knowing is really just saying that the era of knowing is over and the era of learning is here. And that's kind of a practical matter because there's too much to know, and it's changing too fast.
Michael Leckie: And the next one's changing before protecting. And what that's really about is having that willingness to go ahead and change and see things change as opposed to just protect what's there. Now, I'm not saying we don't want to protect anything. Obviously, you know, especially in your field, there's a lot of things we want to protect. But we can't sacrifice the ability to change and move forward just for the protection, right? So that's when we ask those questions like, what's the worst that could happen? What's the cost of staying safe? What am I afraid to do? When did I last ask for help? I mean, these are the questions that help you move into a place of being able to change when the time is right to change.
Michael Leckie: So again, when I talk about, like, changing before protecting, it's not that protecting is wrong. Like, it's no longer sufficient. And so changing sort of wraps a bubble around it. And it's like, OK - but before we protect, let's see if there's some changing that needs to happen, and then we can protect that for a little while until it needs to change again.
Michael Leckie: The fourth one is pathfinding before path following, and this simply is just reflecting the fact that we no longer have the capabilities in the leadership suite of an organization to lay out every step of the process and then just manage people through those steps. We have to allow for the steps to change because the ways to get to our goals are changing as the technology improves, as other things come online. Whatever it may be, starting with, here's the outcome we're looking for, how we're impacting customers, what we're doing in the world, whatever it may be and then saying to everyone now, we know what we value; we know where we're really going; we know who we are. So let's then work together to get there.
Michael Leckie: The next one is innovating before replicating. That's just, do I have this ability to step away from replicating what's safe and learning from my failures, you know? And do I have a stomach for a longer game here? And can I disrupt myself? One of my favorite questions innovating before replicating is, how do I stop being the center of the universe? Right? (Laughter) And so how do I go back and say - wait a minute - me just saying, let's do this and then, you know, pushing to just scale this success because I think that it's the right thing, how do I step out of that and say, let's see it from a different perspective and see if there's something I'm missing? Where are the cracks of replicating?
Michael Leckie: And the last one, my personal favorite, is humanizing before organizing. And for me, this is all about stepping away from an organization in which we value the roles that we're in and moving into one in which we value the people that are in the roles. And I will admit, I lean heavily on one of my academic heroes, Edgar Schein, who talks about this. He calls it personizing. But it's fascinating.
Michael Leckie: And he talks about how that when we treat each other like a role - when we say that the human being is fungible, the role is what matters. So, you know, evangelists for cybersecurity - well, then that means that they could, you know - and I'm sure I got your title wrong. But they could just get somebody new to do that. But that new person's going to do it entirely differently, is going to have entirely different relationships with the team, is going to know different things. It's not going to be the same.
Michael Leckie: Well, that's the same even at any level of role because it's not about the role; it's about the human beings and how they can work together. Now, in the days where you might go do that job, the job is stable, it never changed, the problems the company was solving were stable, they just needed somebody to grind out numbers day in and day out, fine. You really didn't have to worry about humanizing it, and we didn't. But a lot of the tasks that were done like that have now been automated. And so more and more, the tasks that are left to the human beings are the ones that are a little more vague, where we have to figure things out.
Michael Leckie: And so we have to be able to know the people on our team that we're working with. We have to figure out who's going to do what best. And that might not just be who has the right experience or skill set, but whose, you know, child care schedule will allow for them to show up at that meeting and do that work late; you know, whose love of this area says that even though they're not the expert in it, we got to pull them in because they'll contribute a lot with enthusiasm. They'll really grow, and we'll develop an asset. All of that, all those questions about the human beings are ones that we're not used to asking, but they're the ones that we have to ask in order to organize to do the work better.
Perry Carpenter: Let's quickly revisit David Sturt's six pillars of culture. They were purpose, opportunity, success, appreciation, well-being and leadership. And when you think about it, there are some of these that we could tie back to earlier episodes, like our episode on behavior science with BJ Fogg. He talks about one of the ways that we can get better habits and behavior from people is when they feel incredibly successful. That feeling of success locks in a behavior and makes it easily repeatable. Now, one of the ways that we can make people feel successful is through appreciation. So we have purpose, opportunity, success, appreciation, well-being and leadership.
Perry Carpenter: I wanted to get David Sturt to specifically take a deep dive into appreciation for a minute because that's one of the areas that we tend to struggle with in cybersecurity. And luckily for us, David wrote a book called "Appreciate: Celebrating People Inspiring Greatness." So let's quickly hear from David.
David Sturt: Appreciation is one of those things that I think innately we all understand how important that is. Because people ultimately want to do things that create value. And appreciation and recognition is the expression of appreciation for that value that's created. And I find that in most organizations that I interact with and consult with around the world, this notion of problem orientation seems to be the dominant characteristic.
David Sturt: People are looking for problems to fix. And it tends to be, where are the problems? Let's go to work on fixing them. And it doesn't tend to focus on the opposite, which is on the actual accomplishment of the value that's created. And I think this is true as well in all manner of change management elements. And that is if you help people see the value in what they did, it's much more powerful than just trying to sort of, you know, goad them in by threats and by, you've got to do this and sort of managing to compliance. We all get the value. You've got to comply across a wide range of things in your work, especially when it comes to something as sensitive as security. But people respond so well.
David Sturt: Think about the best leaders that you've worked with across your career. There's some that you'll go through brick walls for. And typically, it's because of their ability to call out and notice the value that you're creating and help encourage that. And simply by calling out, hey, let me share an experience that somebody had recently that could have been a security problem and let me highlight and show you what steps they took to avoid that ransomware attack or to be smart about calling up somebody who they thought had sent them an email that ended up being a phishing attempt, calling it - that out, talking about it, thanking them for what they did and using that as a way to model the behavior, I think, is often far more memorable and powerful than just talking about the person who had the problem and didn't pay attention and clicked on the link and had all of these nightmares that came out of it.
David Sturt: I think that fear strategy for change management, it's - it works. It's - it doesn't not work. But man, an appreciative orientation tends to draw people. And then they look to model their behavior after the example that's been set and for the appreciation that was expressed. Because of that, it points people to the value, not just away from the threat.
Perry Carpenter: It's getting close to time to wrap up. But before we do so, there are a couple other things to explore. First, if you remember, I mentioned that cybersecurity leaders know that security culture is important, but they really struggled to define what a security culture actually is. I thought it would be useful to use some concepts from organizational culture in order to frame how we think about security culture. So why don't we hear from our organizational culture experts about what culture is and then think about how to apply that to security culture.
David Sturt: Somebody did a study a few years ago on how many different definitions were out there. And they found 134 definitions. And so your point's well-taken that it's pretty ambiguous. They all share very, very similar themes. And those themes are that culture is essentially found in any group and every group when you get people together. And it's really around those shared beliefs, shared norms, behaviors, ways of interacting that some are overt and seen, and others are more deeper and more assumptive elements as part of the culture.
David Sturt: But I think that's it. To me, the simplest way of thinking about culture is it's a combination of connections. It's essentially the social operating system of an organization that accounts for how people interact, how they think, what they believe.
Michael Leckie: I would start with Ed Schein's work again. He says basically that culture has three components to it. The first one essentially - artifacts. Artifacts are the things that we see and can touch. We have the free snacks and we're wearing, you know, flip-flops and hoodies. We're wearing suits to the office, those things that we can see and touch.
Michael Leckie: The next level is our stated values or beliefs. This is who we say we are. This is what's on, you know, the poster or the screensaver. This is who we are, our values, our mission.
Michael Leckie: And the third level is what he calls tacit beliefs, or tacit assumptions, which is basically a way of saying how we know what really works around here. And those things can be aligned and misaligned, but you have to be thinking about all of them. But tacit beliefs drive the actual culture. And if you have stated beliefs or assumptions that don't line up, then you're going to have cynicism, mistrust and things like that. And if they do line up, they're only going to line up and continue to line up because you're talking about, is what we say actually what we do? And you're having that bold conversation.
Michael Leckie: Then I think the other thing is that culture is something that comes from individuals but happens in a group. The group has a huge impact on what we do or say. Social pressures are immense for everyone, and the pressures change based upon who's in that society or micro society around us.
Perry Carpenter: I'm sure you noticed some similarities in David and Michael's description of culture. There were mentions of beliefs and behaviors and norms, values and connection and social pressures. And that's a good segue back into our discussion of security culture.
Perry Carpenter: I really think that, in general, there's nothing special about, quote-unquote "security culture." In essence, it's just the security-related aspects of all the greater facets of an organizational culture. And you know what? That aligns pretty well with Kai Roer's research. Kai measures security culture across seven different dimensions. They are attitudes, behaviors, cognition, communication, compliance, norms and responsibilities. And he and his team spent several years refining the process of how to accurately and practically measure across each of these. I'll put a link to a document outlining the seven dimensions of security culture in the show notes.
Perry Carpenter: But for now, let's turn to Kai Roer and hear some of his journey of the process that he went through to create an instrument to accurately measure the security aspects of culture.
Kai Roer: In 2015, I decided to build a tool to measure culture. The need arose based on the Security Culture Framework that I created five, six years earlier, where it says that you need to measure in order to know where you are and to document your progress. Based on that step, I started to receive a number of questions from all over the world - so Kai, how do you measure culture? And back then, everything was much simpler. So I typically said, you know, well, look at your log files. Take a look at your support requests. Take a look at your breaches. You know, you have a lot of data. You just need to utilize them.
Kai Roer: But people didn't want to listen to me, so instead they came back again and again. So, yeah, Kai, I know that we can do that. But how do you measure culture? I teamed up with Dr. Gregor Petric, a professor at the University of Ljubljana, where he runs their institute for social informatics. And when I met this guy, I was like, oh, wait a second - social informatics - so basically how people play with computers and how computers play with people. And by playing, I mean influence, obviously. And I'm like, that must be, like, a match in heaven. It also turns out that Gregor is a specialist in online survey creation and tools - very accomplished published researcher in that field. And together we decided that, OK, let's figure this out.
Kai Roer: So we created a survey tool. We started with a hundred and - I think the very first set we had 190-something items, basically questions. And there were two very important things when those came to me.
Kai Roer: No. 1, I had to tell Gregor that, you know, we are not doing this from an academic perspective. We are trying to make this available to most organizations out there, and they don't have two hours per employee per year to measure security culture, which means that 190-something items is way too much. We need to shorten it.
Kai Roer: The other important perspective that we brought to the table here was a focus on culture, not on technology. A lot of research in the space prior to our work had focused on technology, which makes sense from a security perspective, but makes very little sense from a culture perspective. After we had the initial set of items, we did an internal review and brought it down to 140-something - 139, I think, actually, was the actual number. Then we did a peer review, so we might add a number of security professionals, both in the U.S. and Europe. And I think, actually, we brought on someone from Asia as well, if I recall correctly. And we did a selection out of those initials and ended up with 96 items. These 96 items were still too much, but it was good enough for us to pilot it. We received enough data for Gregor to do his initial analytics, reducing it first to a set of 72 items. When again we reviewed it and peer reviewed it, I made a few changes to it, and then ended up with the first publicly commercially available measurement instrument of 42 items. And this was in 2016.
Kai Roer: With these 42 items, employees spent eight minutes and 50 seconds on average, which was much, much better than the couple of hours they would have spent on almost 200, but still a little bit too much. But with those 42, we measured almost 12,000 employees over the course of two years, and that gave us a whole new dataset. By this time, we were the largest measured security culture tool in the world, and we published that work, of course. And the more important thing we did with those 12,000 employees - we were able to further refine the items that measure security culture and reduce the time.
Kai Roer: So in 2017 or '18, we moved from 42 items to 28 items, which is the current set that is used by KnowBe4. And today, we are not measuring employees on security culture in the tens of thousands, but in the hundreds of thousands. And it looks like we will pass 1 million employees being measured on security culture this year, which not only makes us, again, the largest. We've always been that. But a huge step forward in our ability to understand how security culture influences security, how we can change it, how we can improve it. But you know, all of these things are things we are able to do just because we decided to figure out how to do it back in 2015.
Perry Carpenter: Fun fact - each year, Kai and his team publish an annual security culture report that analyzes and compares data from his security culture survey. It looks at maturity and aggregate across the seven dimensions, also by industry, vertical and by region. I'll put a link to the most recent report in the show notes.
Perry Carpenter: So then the last question that I wanted to ask Kai was around the value of measurement itself. I mean, we all know that measuring gives us an understanding of where our gaps are, and it shows us where we need to improve. But what's the real value in having a measurement that says, oh, you have a bad security culture, or you have a good security culture? What does that really tell us? Can that measurement translate into anything concrete? Here's Kai's answer.
Kai Roer: So one of the very fascinating things that Gregor and our research team discovered last year - it's actually a year ago now - was very stunning to us. In the beginning, we didn't even believe the results. So he reran the analytics a number of times, and then I had some other people on our team review it, and then we sat down and discussed. And we were still, like, blown away.
Kai Roer: Now, what was he blown away about? What we had done then was to take the security culture data that we had and compare it to the phishing behavioral data that they also have access to. And not just any phishing data and security culture data - we were able to follow the same employees and their behavior based on the actual phishing behavior and how they rated the security culture in their organizations. This is a first - to my knowledge, the first time this kind of research has ever been done, which, again, means a huge benefit for the industry. We are starting to figure out if things work and how things work.
Kai Roer: But why did we feel the need to review the numbers so much? Well, one of the findings that we did see was that poor security culture is not a good thing. That in itself is not really surprising. We started measuring culture because we believe that. But we didn't have much evidence until we started looking at actual behavioral data.
Kai Roer: Now, the shocking thing for us is the rate at which poor or bad security culture is bad for an organization compared to good security culture. There is a 52 times increased risk or likelihood that people in a poor security culture will share their credentials in a phishing attack compared to organizations with a good security culture.
Kai Roer: Now, let's take those numbers and make them less abstract. I mean, 52 times - what is that, really, in this context? Well, I have that answer. In a good security culture, one phishing email out of 1,000 phishing emails will successfully harvest credentials. So that means one out of 1,000 phishing emails will be successful if you have a good security culture. Obviously, that's not good. But we know the number. And I did say that the poor culture was worse. In fact, I think I said it was much worse - 52 times worse, which means that in a poor security culture, 52 phishing emails out of 1,000 phishing emails will successfully harvest credentials. Now, imagine what that means if you want to avoid ransomware or business email compromise or any other kind of unauthorized access to your systems.
Perry Carpenter: OK. We could spend a lot more time exploring security culture and organizational culture and really the anthropology of security. But unfortunately, we're running out of time very quickly. So I'm going to give Dr. Jessica Barker the last word, and then I'll be back to summarize with a few closing thoughts.
Jessica Barker: It's about the kind of organizational culture you have in general. If you have an organization that focuses so much on productivity and that doesn't empower people to have secure behaviors and has a culture of pointing the finger when there's an incident and blaming people, then you can raise awareness as much as you want, but the cultural norms will go against the kind of behaviors that you maybe want to engender.
Jessica Barker: Dekker's work on a just culture is really fascinating in this, speaking about having a culture that is more focused on moving forwards rather than looking backwards. So when there's an incident, not so much looking at who is to blame, but what is to blame? You know, what factors may there be around the systems that are in place, the rewards that are in place, the punishments that are in place. It can be all of these factors that can influence whether somebody behaves in the right way or not.
Perry Carpenter: That brings us to the end of today's episode. I hope that you found the conversation interesting and useful. I think it's important for us to realize that security culture really isn't its own thing. Yes, we can measure and improve specific aspects of security culture. But security knowledge and values, beliefs, behaviors, norms and pressures are actually a fundamental part of any larger organizational culture. And that means that we can't approach security in a compartmentalized way. We must make our approach to security culture part of our overall approach to organizational culture, or else things will feel out of step and create confusion at best or distrust and cynicism at worst. In the end, our quest for a security culture is really all about our quest for an organizational culture with security values woven through its fabric.
Perry Carpenter: Oh, yeah. And if you notice that my voice sounded a little bit different in several parts of this episode, you're right. I went on my first work trip since the start of the pandemic last week and ended up getting sick. I've been doing my best to spare you from the worst of the overly congested sound, but I know I wasn't able to hide it completely.
Perry Carpenter: As I mentioned at the beginning of the episode, this is the end of Season 1 of "8th Layer Insights." I'll be taking a couple of months' break, and we'll be back before you know it with Season 2. And I've got a lot of cool stuff planned for that season, so stay tuned.
Perry Carpenter: If you're connected with me on social media, please be on the lookout for a quick survey that I'm going to be sending out. I'm really interested to know your thoughts on the show and how best to plan for Season 2. I'll be asking questions about which topics most resonate with you, which things are most useful to you, optimal episode length, show format and more. I really want to give you the best show possible, so your input and feedback is super important to me.
Perry Carpenter: Thanks so much for listening, and thank you to my guests, David Sturt, Dr. Jessica Barker, Kai Roer and Michael Leckie. I've loaded up the show notes with links to the references that we mentioned today and a ton of other relevant information related to security awareness, behavior and culture.
Perry Carpenter: If you've been enjoying "8th Layer Insights," please go ahead and take just a couple of seconds to head over to Apple Podcasts and rate and consider leaving a review. That does a ton to help. You can also help by posting about the show on social media and maybe even finding an episode to recommend to a friend or a family member. And if you haven't yet, go ahead and subscribe or follow wherever you like to get your podcasts.
Perry Carpenter: Lastly, if you want to connect with me, feel free to reach out on LinkedIn or Twitter or Clubhouse. I'd be happy to connect with you. Until next time, thank you so much. I'm Perry Carpenter signing off.
Perry Carpenter: Hey, Carl. Not so fast. Guess what. I just realized something - I control whether you exist next season. The artifact - yeah. Hand it over. Thank you. Do you have anything to say for yourself?
Carl: Sorry, boss.
Perry Carpenter: Don't worry, Carl. We can actually share the artifact. The secrets to security culture should really be for everyone. And of course, I wouldn't get rid of you. I mean, after all, you're my sound guy. So I'll see you next season.