8th Layer Insights 4.19.22
Ep 19 | 4.19.22

The Next Evolution of Security Awareness

Transcript

Perry Carpenter: Hi. I'm Perry Carpenter, and you're listening to "8th Layer Insights." There's a commercial I remember from back in the 1980s. I think anyone who grew up in the U.S. during that time will remember this. The commercial opens in a dark room. There's a middle-aged couple sleeping, and the alarm goes off. It's 3:30 a.m. A man, Fred the Baker, turns off the alarm and says in a sleep-deprived voice, time to make the doughnuts. The message is clear. Fred is always working, always sleep deprived, continually having to make the doughnuts - not like those doughnuts that you get in a bag or the supermarket bakery section where apparently those slackers only bake doughnuts once a day. No, Fred and his crew are up before dawn to have freshly baked doughnut goodness ready for customers first thing in the morning. And then he does it all again later in the day to ensure that fresh doughnuts are on hand all day long. Because when you're living the doughnut life, freshness is the key to quality, and fresh doughnuts equal happy customers.

Perry Carpenter: There's a parallel here. I can guarantee that there are a lot of people running security awareness or security communication programs who feel like Fred the Baker. They constantly wake up thinking the security awareness equivalent of time to make the doughnuts. They have to figure out what message to put out, what new spin to put on the topic so that it's interesting. And as soon as they release that new video or newsletter or game or when the event is over, it's time to start all over again. It's time to make the doughnuts. 

Perry Carpenter: But here's the thing. It doesn't have to be that way. Yeah, good content and timely content and relevant content are all important, but they're not everything. And content alone - even great content - isn't the point of why security awareness programs exist in the first place. Today, we ask the question, what's the current state of the union for security awareness, and how do we need to evolve? And to help us explore all this, I've invited four experts. We'll hear from Dr. Jessica Barker, Cassie Clark, John Scott and Lance Spitzner. Let's dive in.

Jessica Barker: In terms of security awareness, we're moving to this stage where we understand it's about so much more than awareness. 

Lance Spitzner: What we're seeing is a fundamental shift, a maturity. 

Jessica Barker: It's about turning that awareness into tangible action. 

Lance Spitzner: We need to be talking about risk. 

Jessica Barker: And how that contributes to security culture and how it fits in this wider picture of security culture. 

John Scott: We're not trying to put a new concept into people's minds. What we're trying to say is this thing that you've already agreed was important - guess what? Data is part of that. 

Cassie Clark: I want to see us shift from having started in this compliance area where we're little and our light was little and maximize our capability into this huge array of what I think are actually very interrelated things. 

John Scott: Treat it the same way. Then we're not asking anyone to do anything new. We're asking them to add a category to something that they've already bought into. 

Cassie Clark: We would absolutely still have core competencies of training, phishing, communications, engagement and things like that. Those don't ever go away because they're integral to what we do, and that's fine and that's great. But I think we have a huge opportunity to add in other areas that would make us even more impactful and influential and really help us reduce human risk. 

Jessica Barker: It's not just talking about awareness. We're talking about how we manage human risk. We're talking about the metrics. We're talking about getting stakeholder involvement. 

John Scott: So we work out what we are because that's what makes us a profession. 

Jessica Barker: And I think that is a fundamental step that we need to take as a discipline. 

Cassie Clark: I actually think we've got really good at talking about how we need to understand the behaviors that we have and we need to garner this data and we need to be able to show all of these various risk metrics to people. And we haven't really figured out how to then use that data. 

Lance Spitzner: How are we identifying our top human risks? How are we identifying the key behaviors that manage those risks? How are we measuring if we're having an impact, and how are we communicating that impact to leadership? 

Perry Carpenter: On today's show, we revisit the topic of security awareness, and we ask a critical question of security awareness leaders. That question is, what's the real purpose of security awareness in the first place? 

Perry Carpenter: Welcome to "8th Layer Insights." This podcast is a multidisciplinary exploration into the complexities of human nature and how those complexities impact everything from why we think the things that we think to why we do the things that we do and how we can all make better decisions every day. This is "8th Layer Insights," Season 2, Episode 9. I'm Perry Carpenter. 

Perry Carpenter: OK. Before we go too much further, I'm going to do something I don't normally do. I have a few announcements and a few requests for you. The first announcement is that this is the next-to-last episode in this season. In two weeks, I'll be releasing Episode 10, and then I'll take a short break and prep for Season 3. But - and this leads to the next announcement - just because I'm in between seasons doesn't mean that this podcast feed is going dark. I'm actually going to be releasing a few bonus episodes that I think you'll really enjoy, so stay tuned. The next announcement is, if you remember back to Episode 1 of this season, I mentioned that I was in the middle of a book project. Well, that book just dropped. In fact, I think the print version releases today, the same day as this podcast episode. This is a book that I wrote with my friend, colleague and security culture expert Kai Roer, and it's called "The Security Culture Playbook: An Executive Guide to Reducing Risk and Developing Your Human Defense Layer." I'll put a link to it in the show notes.

Perry Carpenter: OK, announcements over. And now I've got two requests for you. And these only apply if you've been a listener to the show for a while and you feel like you've been receiving some value. My first request is that you take just a few seconds and rate and leave a review in whatever podcast player you use. That really helps me out as I'm working to establish the social presence of this show. I've actually been really lucky. Over the past three months, I've increased the listenership of this show by several orders of magnitude, but the reviews have been slow coming in. So I'd really love to at least double the number of reviews that I have right now. And the second request is, again, if you feel like you've been receiving value from the show and you want to do something to show support, please consider picking up a copy of "The Security Culture Playbook." Right now, it's available in both hardback and e-book version, including Kindle, and we also have an audiobook version of this in the works that I'll be reading. Again, there's a link to the book in the show notes for this episode that will take you to an Amazon page. But you don't have to buy it from Amazon. You can pick it up wherever fine books are sold, as they say. All right. That's enough administration. Let's get into the meat of today's show. 

Perry Carpenter: Security awareness is a topic that I think about every day. It's the market that I serve in my day job. It was the area that I did research and advisory services for back when I was a Gartner analyst, and I led security awareness efforts at a couple of large, multinational organizations. Security awareness is also a topic that I've covered before in this podcast. Episode 1 was all about Trojan horses for the mind. Episodes 9 and 10 of last season, we looked at what we call the ABCs of security - so awareness, behavior and culture. For the sake of time, I don't want to recap all the things we learned in those episodes, but I'll encourage you to go back and listen to those if you haven't already and you're interested in this topic. 

Perry Carpenter: One thing that stands out when you look at the discipline of security awareness as it exists now compared to, let's say, 10 years ago is that we've come a long way. We've gotten way better at creating engaging content. We actually consider human behavior now, and we're really starting to understand the importance and the intricacies of security culture. But we can't just stop here and celebrate and get complacent. No, we need to ask the next-level question of, how can we get better? How can we evolve? So what I did is - I was very intentional as I went out and tried to ask for guests for this episode. I wanted to talk to people who had diverse thoughts and opinions about this but who had also been in this industry for a while, who had seen the evolution and who were guiding multiple organizations along the way. One of the big questions I wanted to get to today is really where we are as an industry. What are we currently doing well? To answer that, let's introduce Dr. Jessica Barker. Jessica is the co-CEO of Cygenta and the author of "Confident Cyber Security" and a co-author of "Cybersecurity ABCs." 

Jessica Barker: I love the fact that in terms of security awareness, we have moved - or we're moving to this stage where we understand it's about so much more than awareness. It is also - it is about people's behavior. It is about turning that awareness into tangible action and how that contributes to security culture and how it fits in this wider picture of security culture. 

Perry Carpenter: So for the folks that are trying to do security awareness in their organization, what are the biggest misconceptions that security awareness leaders have right now? 

Jessica Barker: That's a good question - the biggest misconceptions. One misconception that I continually come up against - and I wouldn't say it is just confined to security awareness professionals. I would say it's beyond that. I particularly find this with CISOs and security leaders who feel like they struggle with putting metrics on the human side. They struggle with how to define security culture, how to measure it. And they will think, well, let's run some phishing simulations. That's what we do. 

Perry Carpenter: I think one of the biggest misconceptions that awareness leaders face is probably one that I helped create, which is content is everything, because I talk so much about excellence in content, and diversity in content, and grabbing attention and all of that. And I've trumpeted that so much that I think that - and even when I was at Gartner, you know, I think that's kind of where I really started moving that ball, and that's because stuff sucked back then. The vast majority of content across lots and lots of vendors has improved a lot. It mostly doesn't suck. And so I think that we need to move beyond the fact that content is everything. We've got to get into some of these other areas like culture and metrics and behavior as well.

Jessica Barker: That's such a good point, actually. And I would agree. I have spoken a lot about improving engagement, making content that is more engaging, the language that we use, the visuals that we use, how we use design and I would agree actually, that, of course, we have to recognize there is way more to this than just content and engaging people. But for such a long time, you're right, that has been lacking. And I think there is still - there's certainly still organizations out there that are using content that is not inspiring. 

Perry Carpenter: Oh, yeah. Yeah. There's definitely horrible use cases out here. 

Lance Spitzner: The challenge we face is all these discussions in the past have been, hey, we have to create fun, engaging training.

Perry Carpenter: That's the voice of Lance Spitzner. Lance is a familiar voice within the security awareness industry. He's a director at the SANS Institute, and he teaches security awareness and security culture training courses for SANS. He also runs the SANS Security Awareness User Conference. On top of that, he's involved in a ton of industry outreach related to security awareness and reducing human risk.

Lance Spitzner: And the reason that was the conversation is five years ago, 10 years ago, what little awareness training out there, it was absolute boring crap. At best, it was PowerPoint slides with some really boring, badly recorded narration. And that was it. So people said, well, I'm going to create the funnest, most engaging awareness training possible. Yeah, we solved that problem. But the problem is the topics are random. It's a shotgun approach. We're covering everything possible. So yeah, we're more engaging, but we're still in the entertainment business. So what I think we need to start doing and it's starting to slowly happen is start talking in terms of risk management. 

Cassie Clark: I think we are above and beyond really good at engaging people. 

Perry Carpenter: That's the voice of Cassie Clark. 

Cassie Clark: I am a security awareness lead engineer at a company called Brex, which is a fintech company. I've been in the security readiness industry for six years now and really focusing on behavior and how to infuse that into security a little bit more adeptly. 

Perry Carpenter: So one of the things that I want to get at with this episode specifically is where we need to go with security awareness. I think a lot of us have been trumpeting things that are finally being taken seriously, like, you got to fix your content, you got to engage your people, you've got to add behavior science, you got to think about all these things and you got to bring metrics in. And we're starting to see the turning point on a lot of that. But I think we're also starting to see people stall out and not think about the next step. After all that preaching that we've been doing for several years on these fronts, what do you think that we're actually good at at this point?

Cassie Clark: I think we are above and beyond really good at engaging people. I think sometimes our solutions need a little bit of tweaking. But I think the natural enthusiasm that people in this industry tend to bring to security is exactly the kind of thing that we need to draw people in and get them excited and engaged. And so if we even just shift a little bit the mediums that we use to engage people, I think that can make a huge difference over time. So I think that's one thing that's just the sort of the personality behind security awareness professionals is huge and it can lend itself a lot to really helping us move forward. 

Perry Carpenter: What do you think the biggest problem of our current state of security awareness is? And by that I don't mean maybe ignorance of the people that we're trying to speak to, but what are we doing wrong still? 

Cassie Clark: Yeah. I mean, there's only so much that you can do in terms of that external problem, right? So let's talk on what we can do first. I actually think we've gotten really good at talking about how we need to understand the behaviors that we have and we need to garner this data and we need to be able to show all of these various risk metrics to people. And we haven't really figured out how to then use that data. So for example, I think we're really good at identifying X number of people in our organization or using an insecure password or reusing their password. But we haven't gotten good at figuring out what the best mechanism for shifting that behavior actually is. 

Cassie Clark: So I see a lot of people who well-intendedly start with, say, a training. And they say, OK, so clearly we need to train people on how to create a better password or teach them to use a password manager without understanding that might not be the reason they're not doing those things in the first place. And so I think our big shift is that we need to move towards a behavior first mindset. So start from the challenge that the behavior is posing in the first place and then figure out what the best solution is to target that. The way that you should create a training is to start from learning objectives. So why are we not starting with behavior objectives and then finding our solutions from there? 

John Scott: Don't take a compliance focus. Obviously, they were compliance-based tools that we have to, you know, we have to say everyone has taken security awareness training at least once this year - blah, blah, blah, blah, blah. Check box, check box, check box. But we know that won't actually move the culture. That doesn't move the needle at all. 

Perry Carpenter: That's the voice of John Scott. 

John Scott: I work for the Bank of England, which is the United Kingdom Central Bank. So if you're from the U.S., very similar to the Federal Reserve. I run the security education program there, which covers physical, personnel, cyber and information, security awareness, behavior and culture change. I've been doing that 6 1/2 years now. 

Perry Carpenter: When you think about your mandate for delivering awareness and shaping culture, what's your philosophy with that? 

John Scott: So I think first and foremost, it's that it's a sell, not a tell. So we have to think about it from an engaging perspective. We have to think about how are we selling security in a positive way, not telling people what to do. I think the second strand is seeing the education teams function as being advocates. So we're not just telling people, we're not even just selling. But then if somebody comes back to us and says, hey, but your rules make this happen, and this is not a good thing, then we can actually go back to the technical teams, to the policy teams and say, can we look at this please because our colleague in the business might not know who to talk to, but then they know that they can come and talk to us and we will find either an explanation - it has to be that way because X, Y or Z or actually, do you know what? That's a really good point. Let's see what we can do to modify that. 

John Scott: Because ultimately - and I think this is the thing which ties it all together - I have a job - I know you know this from everything I've heard about you speaking - our job is not to tell the business what to do. It's how to do the things that they want to do safely and securely. And so there's going to be times when there's a no, but that's when they've given us the power to say no. We think that you've got a right to say no in this circumstance. As the security division, what do you say? Actually, this is a no. And there are certain circumstances where we have to do that. But we try and make those as few and far between, almost and - almost all the time what we want is security to be an enabler. How do I do this safely? 

Perry Carpenter: Right. 

John Scott: This is how we can help you. And this is where I start ranting a little bit. If you as a security team are trying to do something that's in opposition to the culture of your organization, you'll fail. It's as simple as that. If you can align your messaging, your behaviors, et cetera, et cetera, to the culture, then you've got much more chance of success. 

Perry Carpenter: So I think there's always a lot of talk about matching program to organizational culture, but what does that look like? Do you have an example at Bank of England? 

John Scott: We're an old organization. We've been running 325 years, and one of the things that we've done for a very long time is we look after the gold vaults. So we have the second largest gold reserve in the world after Fort Knox. We have never lost a bar of gold - 325 years - we have never lost a bar of gold. There's never been a successful burglary for our gold. So when we started our Information Security Campaign back in 2015, one of the first things we said is we have not lost a nation's assets. We have not lost the gold in 325 years. Don't be the first. Because, you know, it's all well and good saying, oh yeah, be careful what you click on and so on and so forth. But the underlying thing is we are trusted with the nation's assets, and data is part of those assets.

Perry Carpenter: When you make a statement like that - don't be the first - are you connecting the dots to say that there's the digital equivalent of a bar of gold? 

John Scott: Yeah. I mean, as with all these things, there's the quick branding line, which is don't lose the gold and everyone goes, oh, OK, that's, you know, and that's like - I'm loving it or just do it or whatever. But that's your branding tag. But then the in depth is they just need gold, they just need oil, whatever you want to, you know, whichever metaphor you want to use - for us, they just need gold. Why? Because gold is something that we do. And this is what I mean about making sure that your messaging is aligned with the underlying culture. We're not trying to put a new concept into people's minds then. What we're trying to say is this thing which you've already agreed was important. Don't lose the gold. Guess what? Data is part of that. So just treat it the same way you would the gold bar (inaudible) lying around. You know what I mean? But treat it the same way. Then we're not asking anybody to do anything new. We're asking them to add a category to something that they've already bought into.

Lance Spitzner: Instead of trying to dump every behavior possible on your workforce, take a step back, prioritize. What are the fewest behaviors that are going to have the biggest impact? An impact - Perry, you mentioned you're interviewing John Scott. He has the best quantitative story about how every behavior has a cost. So this is all public, and this has come from John Scott, the Bank of England. So I'm not sharing any secrets here. But one of the things I want to emphasize - every behavior has a cost. So quite often the security team - and this is where the security awareness officer can act as the filter - the security team quite often wants perfect security. And as a result, they want to teach people every single behavior possible to be secure. 

Lance Spitzner: So, for example, if you ask the security team to create a tip sheet on how to create a secure, cybersecure home, they'll create a tip sheet with 25 different steps. Nobody has time to do all that, and every step has a cost. So instead, you need - hey, what are the top three - what are the top five easiest behaviors that will have the biggest impact? Partly because people can only learn so much. Partly because as an awareness officer, you can teach so much. But partly also - even if you could teach every behavior, at some point, those behaviors cost more than the risk. Favorite example from John Scott - the Bank of England. Before Brexit happened, at Bank of England they did a classified study on what would happen to the British pound if Brexit happened, as we know it did. 

Lance Spitzner: So they created this highly classified study, documented it, and then emailed it to senior leadership. But because of autocomplete in email, one of the email addresses was wrong. And instead of being a senior leader, it was actually copying one of the top journalists at The Guardian. So, of course, The Guardian went totally public with this, and this is known as a bad thing at the Bank of England. So senior leadership at Bank of England feeling great pain and sense of urgency said, we will put a stop to this risk and disabled autocomplete for all Bank of England's workforce. As a result, every employee at the Bank of England for every single email had to manually type in every email address. And they did this for a year, helping reduce the risk of accidentally emailing the wrong person. 

Lance Spitzner: After one year, the Bank of England - they have a lot of financial bean counters - one of the researchers did an analysis of lost employee time because of typing in every email address, and they came up with the number - it was costing the Bank of England over 5 million British pounds every year. And they realized, well, this is silly. So they actually re-enabled autocomplete and then used the saved money to buy a DLP - data loss prevention solution and in the end saved money. But I love this because here we changed a single behavior, and we actually have a quantitative cost - 5 million British pounds, which when you translate into American dollars, is, like, a billion dollars. 

Lance Spitzner: So what ends up happening here is we have to remember every behavior has a cost. And that's why we go back to things like changing passwords every 90 days - hugely painful, high-cost behavior that maybe 20 years ago had value. Nowadays, does far more harm than good. And that's one of the problems technology people forget is they implement all of these processes, policies, technologies, tips and tricks, forgetting that every single one of them has a cost. So that's what's great is the security awareness officer works with the security team to help prioritize them and then translates that into something simple that people can understand and follow. 

Perry Carpenter: Welcome back. One of the things that we've been hearing is that many security awareness leaders have been focusing on audience engagement. And that's great, but that's not really the whole picture of what we should be focusing on. It misses a critical point. Engagement is just one piece of a much larger puzzle, and maybe people focus so much on engagement because in the early days of boring PowerPoints and badly produced videos, content was the single biggest glaring issue when it came to security awareness. And so lots of people put lots of time and energy into rectifying that glaring issue, but potentially forgetting to ask a critical question. 

Perry Carpenter: So what is that question? The only way to know is to perform a bit of a regression analysis. We need to start at the beginning. For a long time, the major focus of security awareness has been around communication methods, special events and audience engagement. And that makes sense. We were trying to improve a lot of the bad, ineffective messaging of the past. But here's a question for you. Have we made security awareness too much about the flashy things that grab attention? In other words, have we prioritized form over function? And what I want to get into is really the idea of first principles. First principles is when you reduce all of the fluff and all of the other assumptions and go back to the very basic reason that something exists. You strip away all the artifacts and get back to the core principle. What is the first principle for security awareness?

Perry Carpenter: To strip everything back and to get to the first principle of security awareness, I want to draw on a model that was first popularized by Simon Sinek, and it's called Start With Why. Now, if you imagine a target in your mind - so basically three concentric rings, all nested within each other. There's the outer ring, the middle ring, and then the inner circle, the bullseye. That bullseye is why. That is the core principle, the foundation, the reason that something exists, or that is the goal state. That is your why. And then that middle ring is the how - how you accomplish that. That is the strategy. And then the outermost circle is the what. Those are the tactics, the things that you do.

Perry Carpenter: Now, very often we focus on that outer circle, the tactics. Some people, if they're a little bit more perceptive, they get to the how. They get to the strategy, and then they build tactics out of that. But if we want to get things right, if we want to ensure that everything is having a great impact, then we start with why. And so when it comes to security awareness, we have to ask the question - why does security awareness exist? Why should it exist? Is it just to get engagement, or is it to do something greater? And that doing something greater is more than just getting people's attention. It's more than just driving engagement and forming relationships. 

Perry Carpenter: The ultimate goal of security awareness is to stop bad things from happening and encourage good things to happen. In other words, this is about managing risk and encouraging positive security behavior. That's what security awareness is about, not solely about grabbing attention and not solely about doing events. All those are artifacts that point back to a purpose. But if our purpose is not stated right, if we're not thinking about that in the right way, then we are doing things for the sake of doing things. And ultimately, there may be no payoff. But if we start with why and then we build our strategy from that, well, then what that does is it encourages us to measure our success against that why. That's super important. 

Lance Spitzner: So at a very strategic level, we need to get away from just the entertainment side. That is key, but we need to get more into the risk side. And we need to have those conversations. 

Jessica Barker: And I think that is a fundamental step that we need to take as a discipline. It needs to be acknowledged that what we do on the human side is absolutely as fundamental and as vital to the work on the more technical side of security. 

Lance Spitzner: How are we identifying our top human risks? How are we identifying the key behaviors that manage those risks? How are we measuring if we're having an impact, and how are we communicating that impact to leadership? If we add all of that, then we truly are in the managing human risk business, and then we are truly aligned with leadership, and then we're going to get the resources, the funding and ultimately the support we need. So it's not that we're in a bad spot. It's just we're in the crawl phase. We need now to pump up the volume and go into the walk and run phase. 

Cassie Clark: I have a big dream for security awareness. I want to see us shift from having started in this compliance area where we're little and our light was little and maximize our capability into this huge array of what I think are actually very interrelated things. So, for example, we would absolutely still have core competencies of training, phishing, communications, engagement, things like that. Those don't ever go away because they're integral to what we do. And that's fine, and that's great. But I think we have a huge opportunity to add in other areas that would make us even more impactful and influential and really help us reduce human risk - so things like we can drive ways that we identify behavior and motivation and, to some degree, elements of culture in a much more in-depth and comprehensive way. 

Cassie Clark: So we can do things like perception audits or employee personas, and that helps us get more granular with our approach and more likely that we'll actually access people when they're in a place to be receptive and absorb the information that we're trying to get them to absorb and then actually make a behavior change. We can incorporate things like technical nudges or try to put automation in place, so we're bringing security to people and not expecting people to stop and use that very small bit of deliberative brain but really let them keep going on their way, and it's just automatically happening for them. So we can be people who sort of pave the road for that. 

Cassie Clark: And none of this is easy work. It's all very challenging and complex, but I think we're in a good place as the liaison between all of the employees out there, whoever they are, and our security team - to be able to bridge that gap and provide guidance. But I don't think we can do any of that without understanding things like - what are the behaviors we're seeing? Why are we seeing them? What are some behavior science things that are at play here? - and really start to understand why humans behave the way they do. 

Perry Carpenter: OK. So here's a question for you. We've been focusing on phishing as an industry for about 10 years now, and one of the things that we're saying that we need to evolve to is really maximizing our impact on human risk. So if we're taking a behavior-based approach to really working on human risk, what is the next behavior, past phishing, that we need to be working on? 

John Scott: Oh, that's a really good question. I think there's - if I can cheat horribly... 

Perry Carpenter: Yeah. 

John Scott: ...And just broaden it out, I think there's the broader reporting of incidents because, you know, your reporting of your phishing emails is, I've just clicked on a button. Didn't I do a good job? One of the things we look at sometimes is how many people fall for a phishing report anyway because I always think that there's a continuum of behavior, right? You've got the didn't fall for it, didn't report it; didn't fall for it, did report it; fell for it, didn't report it; fell for it, did report it. And your worst case is the fell for it, didn't report it because now you've got a potential - you know, if we're talking about a real phish rather than a simulated one, now you've got a real problem. 

Perry Carpenter: Yeah. 

John Scott: You've also got a problem with the didn't fall for it, didn't report it because they - maybe they just deleted it because they weren't interested. But if they actually thought it was suspicious and went, I'm not falling for that, but then didn't tell you - that's a different thing. So, yeah, there's - I think there's nuance in the reporting. But I think you broaden it out more widely then - and this especially comes in to when you start thinking about insider risk. How many people make a mistake and then stick their hand up and say, I've just made a mistake? Because that's incredibly positive, right? That's somebody saying, I might be about to get into trouble for this, but it's important that I do this. And we actually have a line. We have - our acceptable use policy has a line which says that coming forward will always be positively taken into account because that's the aspect of that culture that we want. We want people to say, I feel safe coming forward, even if I know I did something stupid. So, yeah, the next big thing for me, which we've been working on a while now, is that broader - will people tell you when they've made a mistake? Because if they don't, how are you going to find that mistake? 

Perry Carpenter: OK. And there's our throughline and our circle back to culture. 

John Scott: Yeah. 

Perry Carpenter: Because security culture is not something that exists on its own. 

John Scott: Yeah. 

Perry Carpenter: It's a - it's another convenience phrase, kind of like security awareness. 

John Scott: Totally. 

Perry Carpenter: I don't think you build a security culture. I think you strengthen and brighten the thread of culture that's already woven through everything else. 

John Scott: Exactly. 

Perry Carpenter: And I always say you have a security culture whether you want one or not, or whether you know about it or not. The question is, what are you going to do about the one that's there? 

John Scott: Exactly. 

Perry Carpenter: How strong, how intentional and how sustainable is that, and what do you need to do about it? 

John Scott: So can I just add something on that? 

Perry Carpenter: Go on. 

John Scott: The other thing... 

Perry Carpenter: Yeah. 

John Scott: ...I would say - because I 100% agree with what you've just said. I think the other thing - and this is something we try and make out - is that culture is going to change anyway. You know, if we all just sit still and let it happen, the culture will shift. 

Perry Carpenter: Yeah. 

John Scott: You know, the Bank of England is quite a conservative organization, unless you compare us with ourselves 20 years ago, in which case we're a very liberal organization just because of the way that things - society's changed and we - you know, those external pressures. Your security culture is going to change no matter what you do. All we're doing is trying to steer it in the direction that we think is to the greatest benefit of the organization. 

Cassie Clark: I think security culture is - whatever culture your company already has, security culture aligns itself to that culture. So if you have a fun, playful culture, that is also the culture that you have with security. It's just, how do you relay these difficult, serious concepts in a way that still embraces that? If your culture is much more serious, you align it to that, as well. But it's people who are understanding that paranoid is not a bad thing. They listen to their gut because their gut is telling them something for a reason. That subconscious information we've learned somewhere along the way - it's not always accurate, but it's telling us that for a reason - that something is wrong, and we need to pay attention to it. And so, for example, what we train is if something feels off, report it. We would rather have 99 things that are fine and one thing that's malicious than miss the one malicious thing, so really trying to help embrace that. 

Cassie Clark: And I think it's people who really want to do the right thing. They may not know what it is. They may not agree with the solution. They may get frustrated. But at the end of the day, they still want to do the right thing, and that is what drives them to do it. Otherwise, they won't go through the effort. They won't take the training. They won't undergo the process. Whatever it is, they - they're not motivated to change their behavior. So I think if you had to pull it into one snippet, it would be a security culture is employees who want to do the right thing. 

Jessica Barker: The challenge that I would want to give is to really think about how you're measuring security awareness. What metrics do you have in place? And are they metrics that are just looking at kind of the more superficial elements of awareness and behavior, or are you really getting to that point where you feel like you're measuring culture or you're moving towards that point of measuring culture? 

Lance Spitzner: I just keep harping on human risk because if we're talking to the security team, hey, we want to help you manage human risk - what are the top human risks? If we're talking to them in their language, they see the value. That's where the collaboration happens. That's where the leadership support happens. That's where the raises and pay happen. Once again, I want to emphasize, it's not that engagement is bad. That is key. It's just - that can't be the only discussion. If all we're talking about is human psychology, storytelling, interaction, gamification, we're doing a disservice to ourselves and our organization. 

Perry Carpenter: And there's still value and expertise and storytelling and gamification and all that. But it's knowing when to pull the tool out and when to use it and then the focus of that. If I have a hammer, I need to be swinging that hammer in the right direction. Otherwise, I'm just going to cause chaos and pain. 

Lance Spitzner: And I'm in no way saying to the security awareness world, you have to become risk management experts. No, but you have an entire team of risk management experts on standby. Talk to them. Learn from them. Partner with them. So if you're a communications engagement expert, that's fantastic because your security team is not. But you need to partner with them so you know what to engage on. 

Perry Carpenter: Well, it looks like we're about out of time for today's show. I'm going to give John Scott the last word, and then I'll be back to wrap up with a few closing thoughts. 

John Scott: Human error is inevitable. It's going to happen. That's just the nature of who we are. So if we know it's inevitable, surely we should be saying, hey, we're seeing a lot of human errors over here. How do we retool things to reduce that? That's what the safety industry does, you know, and that's what we've got a lot to learn from. That's my soapbox at the moment. Let's look at the safety industry. Let's actually start having proper post-incident reviews, and let's talk about, what sort of human error was it? Because once we know that, we'll know what we need to do to fix it. 

Perry Carpenter: And that's the end of today's show. I really hope that you enjoyed this conversation about where security awareness should be going. You know, one of the things that I want us to think about as we close out is that I have a fear when it comes to security awareness and the market for security awareness, and that fear can be captured in the phrase blinky light syndrome. This is something that we have accused the technologists of falling victim to time and time again, where they look at something, some kind of technology-based solution, and they see, you know, the nice blinky lights. They hear the advertising pitch, and all of a sudden, they believe that that will solve all of their problems. This big security thing that they're worried about will just go away. It will be solved just like that. And of course, we know that that never happens. But I think in the security awareness world, we have the tendency to do the same thing. We criticize other people for it, but I think that we do it ourselves when we look at new, interesting things, whether that's a new form of content or video or whether that's a new form of gamification or something like escape rooms or augmented reality and virtual reality. Whatever the new thing is, we put all of our hope in that. And when we look at all of those things that we can do, we get wrapped up in the things rather than the purpose. 

Perry Carpenter: And I'll say it like this - if we're doing all of the things, if we're doing all of the activity, but we're not attaching that to a strategy that goes back to that core principle, the reason why we exist that has measurable impact within an organization, then all of that activity is just that - it's activity. It is frenetic. It is grabbing attention. It may be driving engagement, but you don't know if it's achieving the actual goal that you want. So my encouragement for us would be, yes, let's do all of those cool things, but let's make sure we're tying it back to the purpose for which security awareness exists. And that is to manage risk. And so we need to be thinking about how all of these things can drive the right engagement so that our humans are able to make better decisions within our organizations every day to reduce risk and to build up the security posture of the organization. 

Perry Carpenter: And with that, thank you so much for listening. And thank you to my guests - Dr. Jessica Barker, Cassie Clark, John Scott and Lance Spitzner. I've loaded up the show notes with more information about today's guests, as well as all the relevant links and references to all the information that we covered today. So be sure to check those out. If you've been enjoying "8th Layer Insights" and you want to know how you can help make the show successful, there are two big ways that you can do so, and both are super important. First, if you haven't yet, go ahead and take just a couple seconds to give us five stars and to leave a short review on Apple Podcasts or Spotify or any other podcast platform that allows you to do so. That helps other people who stumble on the show have the confidence that this show is worth their most valuable resource - their time. And the second big way that you can help is by telling someone else about the show. Word-of-mouth referrals are priceless. They are really the lifeblood of helping people find good podcasts. If you haven't yet, please go ahead and subscribe or follow wherever you like to get your podcasts. And if you want to connect with me, feel free to do so. You'll find my contact information at the very bottom of the show notes for this episode. 

Perry Carpenter: This show was written, recorded, sound designed and edited by me, Perry Carpenter. Artwork for "8th Layer Insights" was designed by Chris Machowski at ransomwear.net - that's W-E-A-R - and Mia Rune at miarune.com. The "8th Layer Insights" theme song was composed and performed by Marcus Moscat. Until next time, I'm Perry Carpenter signing off.