8th Layer Insights 7.26.23
Ep 35 | 7.26.23

We are the Champions


Perry Carpenter: Hi. I'm Perry Carpenter and you're listening to "8th Layer Insights." The topic we're covering today is a concept that goes by many different names. In some organizations, it might be called a security liaison program. In other organizations, it might be security influencers. In others, security officers. And, most often, security champions. What we call it doesn't really matter other than that it is a reflection of some of the values in the way that an organization is going to approach this topic. But what are we talking about? So, I'll do something that I don't often do on this show. I'm going to read a couple paragraphs from my own work so that we can start to get an understanding of what we're talking about. So, on page 156 of "Transformational Security Awareness," the title line is "Go Viral: Unleash the Power of Culture Carriers." And I start it like this. I'd like to introduce you to a term that you may not already be familiar with, inculturation. Have a look at the following definitions. Inculturation, one, the process whereby individuals learn their group's culture through experience, observation and instruction, dictionary.com. And I love the nuances that the Oxford Dictionary adds to this idea. One, the gradual acquisition of the characteristics and norms of a culture or group by a person, another culture, et cetera, Oxford Dictionary. Here's where I'm going with this. We have a few different cultural forces that we need to consider. We have an inculturating force from the larger organization that is influencing each person within the organization and we have the inculturating force of your security program that is seeking to influence both the larger organization and the individuals within it. In other words, we have two targets to influence the larger organizational culture and to influence the people within the culture. To do this effectively, you have to work on the culture and in the culture simultaneously, a top-down, middle-out and bottom-up strategy all at the same time. You need to find ways to go viral. I've mentioned the need to have a force multiplier a few times now. It's some way to better distribute and reinforce the security related values and behaviors that you're hoping to build into your culture. For that, I'd like to introduce the concept of culture carriers. But, first, let me give you a quick analogy that I'm sure you can relate to. And, here, I give the analogy of a surround sound system. I'll read that little bit and then we can debrief. Surround sound, a culture analogy. Think about a stereo system. A stereo is relatively simple. It directs sound towards you from the front. There is separation in the left and right channels that can make things interesting and introduce distinction and clarity when needed, but it is all just coming from the front. A stereo is like working from the top down in an organization. With simple stereo, you can feel like the sound, the message or the content is just coming at you. But once you add additional components of a surround sound system, you get a richer experience. If you've ever listened to a great surround sound system, it doesn't just feel like the sound is coming at you, it feels like you are immersed, like you are part of the environment. Think about your culture carriers as surround sound speakers. When they are in place, your security messages aren't just emanating from stereo speakers from the security team or the corporate leadership, your messages, your values, your behaviors are now being reinforced from multiple points all around your people, creating an immersive experience that draws them in. Traditional information-based security awareness programs are like a simple stereo blasting your audience from the front. A transformational security awareness program is more like a surround sound system. It is immersive by design. What does that mean? There's a lot in that concept, a lot of questions that that starts to raise about how do you do that. It's great to have an analogy that talks about immersion and not just having things coming at people, but how do you do that? Well, that is something that very few people have really locked down as far as a good way, a repeatable way of successfully doing this, of making security an inculturating force within an organization. But today's guest is one of those people. Her name is Sarah Janes and she's the founder of Layer 8 Security, a security vendor focused on helping organizations around the world create and manage good, mature security champions programs. And, so, on today's show, the art, science and nuance of running security champions programs. Let's get to it. Welcome to "8th Layer Insights." This podcast is a multidisciplinary exploration into the complexities of human nature and how those complexities impact everything from why we think the things that we think to why we do the things that we do and how we can all make better decisions every day. This is "8th Layer Insights" Season 4, Episode 5. I'm Perry Carpenter. [ Music ] Welcome back. Before we get to today's interview, I want to take just a second and recognize the profound impact that Kevin Mitnick, who we recently lost, had on the cybersecurity community. I understand that Kevin was a complicated and controversial figure for a lot of people. He emerged in the '90s as somebody who was challenging many of the ways that networks worked and phone systems worked and was very mischievous and curious and it cost himself and others a lot of hardship, ultimately leading to a manhunt and his arrest. But he was in so many ways legendary because he pushed the field of cybersecurity, he pushed people to recognize that there were inherent flaws within systems that could be taken advantage of in fairly profound ways. And, at the same time, even more so than the technical complexity and the technical issues, there are huge issues around what we today call social engineering, the fact that we can get people to bypass and do things with these systems on our behalf, even when we don't have access. Kevin really bore the brunt of the fact that the field of law when it came to computer security was not really formed yet. People didn't realize what they were dealing with. And, so, he got some penalties that would be considered barbaric by today's standards. He was in solitary confinement for months because somehow a prosecutor convinced a judge that if he got a hold of a phone that he could just pick it up and then whistle and get a hold of NORAD and launch nuclear missiles. And, so, that resulted in isolation, that resulted in treatment that we would not give to anybody who did the same thing today. And, to his credit, everything that he did was really out of curiosity and puzzle solving. He never tried to monetize any of that. He did his time, he got out. And, since that time, he went on to try to be a solid citizen advocating for the advancement of security controls, advocating to help people understand the vulnerabilities within the human layer of security. And, yes, he did continue to do computer hacking. He did red teaming the way that we understand it today and engagements around all of that because that is the thing he was good at, that's the thing that he was passionate about. And he had paid the price, he had done his time. So, I realize that there are basically two camps when it comes to in the cybersecurity space. There are people who idolize Kevin and there are people who demonize Kevin. At the end of the day, Kevin was a human being. He was a complex person. He was somebody who I considered a great coworker and friend and I think will dearly be missed. And it's really, really encouraging to see on LinkedIn and on Twitter and other places all of these great stories of Kevin's kindness, his gentle quirkiness, his passion for understanding complex issues and the fact that he really was out there, yes, to solve puzzles, but even more than that to help people be better at security than before they met him. And, so, Kevin, thank you so much for your friendship, your contribution to the industry. And you will be missed. You made a big impact. [ Music ] So, as we get back into this, when we think about the concept of a security champion, we are talking about individuals. Again, you know, somebody like Kevin, a security champion, somebody like you in your organization, your passion for security. You are a security champion or what I call a culture carrier. You're out there bringing mindsets and values and trying to demonstrate behavior patterns all in order to really build up the security culture of an organization so that the behaviors, the mindsets, the values become self-sustaining because it is the expected cultural norm. So, that takes us into today's interview. Sarah Janes is the founder of Layer 8 Security. Layer 8 focuses on helping organizations around the world build security champions programs. And there's a lot of questions about how do you do that. It seems to be a bit of a dark art within our industry. And Sarah is somebody who lives this day in and day out. So, what she has to say, the way that she approaches this is extremely valuable. Let's get to the interview.

Sarah Janes: My name's Sarah Janes and I am owner of Layer 8, also director of Layer 8. I suppose it's a small business, so that means that I get to do the really cool exciting things and also do all the filing and put my own shelves up in my home office as well and everything in between. But, yeah, you know, the business Layer 8 is here to help people become champions of security culture.

Perry Carpenter: Awesome. Well, let's disambiguate a little bit, too. So, there is your business, Layer 8. There is a Layer 8 Security Conference. There is my podcast, "8th Layer Insights." All of these are three separate entities, but all coalescing around a single topic. So, can you talk a little bit about what makes Layer 8 so special to you as something that you wanted to focus your career on?

Sarah Janes: Yeah, absolutely. So, yeah, Layer 8, I mean, we came up with it probably like all of the people did with the - you know, the seven-layer OSI model and the piece around the sort of the in joke in the technical world that the 8th Layer was where the problems are. But, of course, you know, as we talk about a loss in the industry, we don't see people as problems, we see people as the solutions. It's really interesting because when I first moved away from my previous job, which was internal in BT, in fact, running their security awareness programs, and then later for some other consulting organizations, I thought when I set up Layer 8 that I could just talk about all of this interesting information that I knew about security culture change of which there are just thousands of things, as you know, Perry, and that I could sell that. But, obviously, you can't because it's way too complicated. And, actually, all that theoretical stuff just doesn't work when you apply it to an organization that's got its own challenges. So, the piece that became really interesting for me was around - well, two things, I guess, specifically around security champions, but also this concept that conversation is the catalyst for change. And there's a thousand different great tips and techniques and solutions and ways that you can change behavior, but conversation is such a great catalyst to put that lightbulb on in people's minds because, you know, you can ask questions if you're having a conversation, you can say, "I don't understand that" or "what does that mean to me" or "I don't care." So, for Layer 8, it's really about, you know, how can we enable those conversations right across the business so that they can be the catalyst for change, they can be the point where people say, "Now I'm interested," "now I get it," "now I want to do something about it." And I guess, from that, sprung the idea of, well, as a security department or team, you're really small and you can't have a good quality conversation with everybody in the business actually. One, because there's just not enough time in the day, but, also, you might not be the best person to have the conversation because you don't know as much about what's happening at an operational level as somebody in the finance team does or wherever they sit in the business.

Perry Carpenter: So, then if we're going to make this crunchy, because I think a lot of people will probably hear, "All right, have good conversations," and then they're probably wondering two things. One you alluded to which is how do we make that scale. But then the other one is what are the right questions to ask, how do we even start that from a relational perspective to where people - when we say, "We want to hear your security talking points," or "we want to hear from you about what's working and what's not," how do you break the ice with that appropriately and get the ball rolling to where the relationship and reciprocity and rapport actually begins?

Sarah Janes: So, that's a good question. And the way that we always talk about it is you've got a thousand sort of security messages that you might want to talk about to an HR person or whoever, but, actually, let's forget about all that for the moment and find out about the person, because when you understand the person, you know what motivates them, you know what challenges they're trying to deal with in their area of the business, then, actually, it's much easier to have a good quality conversation about security. So, breaking the ice is really, you know, how would you go up to somebody and talk to them at a party? "Hey, how are you? What do you do? What sorts of things concern you?" And then, once you know and understand that person, you can start to filter in the pieces around security. So, breaking the ice, from our perspective, it's just about knowing the person and building a general relationship with them first before you go in with your own agenda.

Perry Carpenter: The scary thing I think for people with that is you're saying "once you get to know that person," so that now gets into how do I do that with the limited staff that I have and how can I scale that appropriately rather than having a spreadsheet with a thousand conversations that I need to have across a thousand people. If you can, make that really practical. How do we get down to doing that?

Sarah Janes: For me, that starts with, you know, there are going to be some key people that you want to have the conversation with that then can open up wider conversations. So, for example, if it is - I've used the example of the HR director before, but if it's the one conversation with the HR director that can then open up a conversation with the whole of the HR team, then -

Perry Carpenter: Yeah.

Sarah Janes: You're starting to sort of snowball that piece. And if you've got, you know, two or three or five people in your security team that can go and have two, three or five conversations and it's - it then starts to snowball. So, it is one conversation at a time. But I guess it's that sort of pyramid model that one good quality conversation can lead to that person having three good quality conversations -

Perry Carpenter: Yeah.

Sarah Janes: And so on and so forth.

Perry Carpenter: And from a conversational perspective, are these always verbal face-to-face conversations or there other tools and ways that you can facilitate that for people that may freeze up in verbal conversations or may feel like they don't have the time to participate? How does that work?

Sarah Janes: Yeah. So, I mean, face-to-face conversations, as we know, are always the best. And when I say "face-to-face conversations," I still consider a face-to-face conversation being, you know, over technology -

Perry Carpenter: Yeah.

Sarah Janes: As well because, you know, we have to in this day and age and people are all over the globe, et cetera. But I think they're always the best to begin with. But there are ways that you can use sort of white - online whiteboards, et cetera, so you can have conversations and still pick up information from people who are - you know, they don't want to switch their mics on, they want to perhaps -

Perry Carpenter: Right.

Sarah Janes: They're not quite sure, they're not comfortable about what they're going to say. And another thing that we do quite often is let's say, for example, we have got a big group of people that we're trying to collect ideas and have a conversation with, then actually break - you know, say there's 40 people, we ask a question, we can then break them down into smaller groups of about four or five people that they perhaps already know and they can have smaller, more local conversations.

Perry Carpenter: Yeah.

Sarah Janes: And then somebody in that group will feed back the results of the conversation. So, yeah, we've used lots of different sort of online whiteboards from things like Klaxoon to Kahoot!, et cetera, to facilitate those conversations and make them scalable.

Perry Carpenter: If you would, kind of paint a picture of a success story that either you've had or you've heard about taking this approach in an organization and maybe what the before and the after was like.

Sarah Janes: There was one organization I remember we worked with, they started off - they'd had a whole group of engineers that had been sort of seconded into the security team. And they started off in this room saying to us, "Nobody does what they're supposed to with regards to security. Everybody's flouting the security rules." And what we do is we go out with our list of everything they've done wrong and we start telling them all these things that they've done wrong and we start telling them what they need to do right. And they're really difficult conversations and we don't like doing them and they don't like us having those conversations. So, we investigated sort of a flipped change approach and we asked them to think about times where they had felt alive, engaged and completely committed to the business. So, we were challenging them. Instead of looking at all the things that were going wrong is to start to find just one thing that was going right -

Perry Carpenter: Yeah.

Sarah Janes: Because if we can find one thing that's going right, we can start to ask, "Why did that go right? What were the special things that in that situation meant there was a really positive outcome? And how can we replicate that and use that again and again and again?" And, actually, that then means that people are much more engaged because when we're talking to people about things that they feel comfortable and confident with, when we're talking to people in a way that they can understand, then suddenly people say, "Okay, well, I get this ask of me. I feel confident that I'm already good at this, I'm just applying it to a new area." So, this particular organization, they went out and this group of 40 engineers started having positive conversations with people, asking them about protecting their business, asking them about protecting their teams. And, so, this does relate to security champions. But, in six months, they had 300 security champions. They hadn't defined how a champion program -

Perry Carpenter: Right.

Sarah Janes: Would work. They hadn't done anything like that. They had just found people that wanted to protect the business. They didn't know why, they didn't know how, but they knew that they felt passionate about protecting the business and the people that were in it because of the positive, focused conversations that they'd had.

Perry Carpenter: More of our interview with Sarah Janes after this. [ Music ] Welcome back. When it comes to the security champion model, what led you into deciding that that was one of the areas that you wanted to provide value to the industry in? Because I know security awareness, the way that we think it - thought about it has had several little evolutionary steps over the past decade or two. Kind of trace your perspective on the journey of security awareness and where you think the champions piece fits.

Sarah Janes: Oh, Perry, that is such a good question. So, I suppose I started very young and early in the security awareness industry just creating e-learning packages, developing posters. I worked for an organization that back in the late '90s had an extraordinary-large security awareness team. It had five of us. And I never really thought about what I was doing. I had a job, I was producing stuff. I never asked the question, "Is it actually having an effect on behavior change," until I sort of moved on, got a little bit wiser and somebody asked me once, "Sarah, how is this actually changing behavior?" Well, in fact, actually, I'm going to re - I'm going to step back a stage.

Perry Carpenter: Sure.

Sarah Janes: It was - I'd done all these sort of posters and awareness materials. And then somebody actually said to me, "It doesn't matter what you tell people, people will never change behavior. You just have to lock everything down. You know, everything that you do in the security awareness industry, it's just fluffy, it doesn't actually do anything." And it was at that point that, having studied a little bit about psychology and human behavior at university, I just thought, "No, this can't be true."

Perry Carpenter: Right.

Sarah Janes: "It can't be true that we can just cut people, our best asset, off and say, 'We can't change people. They're always going to do dumb or stupid things.' There has to be a different way of looking at it." And that's when I think almost accidentally in that room with those 40 engineers that we asked that question about times that they protected the business and saw this absolute flip in dynamic from a team of people that really were completely disinterested and quite offended that I'd ask them to have a conversation with each other to a team of people that were standing up saying, "We're going to go out and we're going to have conversations right across the business, and we" -

Perry Carpenter: Nice.

Sarah Janes: "Really want to make a difference." And that was a risk. It was sort of something that we tested out. We didn't know if it would work, if we'd come out at this conference, this - and everybody would just think, "What on Earth was that?" So, I think it was at that point that I thought, "Yeah, this is making - this is making a difference. How can we build this into something that is actually making a difference for other businesses as well? It's having an impact on culture change."

Perry Carpenter: From a Layer 8 perspective, and, by that, talking about your business now, what ways do you engage the industry? How do you help companies, how do you help organizations be successful?

Sarah Janes: So, we - obviously, we run champions programs for people. However, it's not just about coming in and setting up a champions program. It's, first, about understanding, you know, what is the business trying to do and what is the point in having a champions program, how can champions facilitate the behaviors right across the business that make the business be even more successful at what they do. And often we find, particularly in today's environment, that it's about helping organizations with digital transformation or automation. And, actually, people across the business are really nervous about how to apply the new skills that may be being asked of them to work in a different way. They need somebody just to hold their hand and show them, "This is how you," I don't know, "set up your Wi-Fi. This is how you can make your home network secure. This is how you can protect the information that you're working on." So, it's sort of holding organizations' and people's hands along that journey of things are new, things are scary and

Perry Carpenter: Yeah, yeah.

Sarah Janes: I actually need somebody to show me how to do this as well as tell me it's important.

Perry Carpenter: As we think about the security awareness industry, which is a weird phrase to use, but, you know, there are lots of vendors, lots of groups trying to all champion doing the right thing - actually, before I go there, let me ask you one really I think critical question that I haven't asked yet. What is a champions program? How do you define that? I skipped past the thing that most people probably have fuzziness in their head about. They hear this phrase used a lot, but I don't think that they ever hear it really concretely described. And there's so many different phrases for it, security champion, security liaison, security officer programs. I call them culture carrier programs. And each of those I think has a different nuance to it. So, how do you describe this thing that we're trying to get to?

Sarah Janes: So, we describe a security champions program as a - or a security champions network, actually, forget the program for the moment -

Perry Carpenter: Sure.

Sarah Janes: Security champions network as a group of people who are passionate about protecting the business, who can assess risk at the grassroots of the business, who can make changes to processes and behaviors at the grassroots of the business where it really matters. So, it's about engaging a team of people that have a drive and a passion that are not security experts. Actually, their human skills are way more important than their security skills to begin with because they need to be people who can actively engage and talk to the business. They can learn about the organizational risks and threats. They can disseminate and depart information about those key risks and threats in a way that their part of the business can understand. So, there's the context, there's the questioning. They can show people how to behave more securely. And, really importantly, they can also collect information about what is and isn't working in terms of process and policy. And they should be able to feed that back up into security so it is influencing security process, security policy, security tools so that the security department can be designing those interventions in a way that the organization can use and can improve their business.

Perry Carpenter: Okay, great. Yeah, that was a critical thing that I had left out of the conversation before. I'm just kind of assuming that we're all preaching to the converted in a lot of ways. All right. So, when we think about security awareness as a discipline then, what encouraging changes have you seen over the past few years?

Sarah Janes: So, I've seen - I started in the late '90s. And I think the first thing that I've noticed is I used to go into organizations and talk about the human side of security or people and probably two out of 10 would say, "What are you talking about? It's not important." I guess, over the years, that's changed to a point where people started to understand people are important, but I have no clue what to do about it. So, the problem was still being ignored because the solution wasn't easy. And I think now we're in a place where, you know, security leaders, they do understand the importance of people security, mostly. They do understand that there are ways of changing behavior. And they're starting to do that. The other thing that I see in terms of - because, obviously, I talk to end users, people in the organization every day, security champions every day, and I think there are certain things that have happened that have made people more aware. So, I used to be a bit like Chandler in "Friends." With my friends, people always - would always say to me, "I don't know what you do." My friends and family did not understand -

Perry Carpenter: Yeah.

Sarah Janes: My job at all. And I think there's two things that have helped that. One, in the - in UK - Europe GDPR, nobody liked the introduction of that because it caused them a lot of pain. But, all of a sudden, awareness was being raised of the need to protect personal data. And that made people think a little bit more and have a bit more understanding. And, of course, the really awful stories of cybercrime. So, I - actually, today, I've been dealing with a situation for a friend of mine whose school got hit with ransomware and double extortion. So, they've also emailed all of the children in the school telling them, "We've got your data. The school aren't behaving so we're going to publish this to everybody." And the children are absolutely freaking out. You know, you forget that side of it actually, don't you? And, unfortunately, situations like that have meant that when you go and talk to people in organizations, people actually really do care about information, they want -

Perry Carpenter: Right.

Sarah Janes: To be a security champion, they want to protect their colleagues, their team, the business. And that is very different to what it was like when I first started.

Perry Carpenter: Okay, so the natural follow-up question, "What still haven't we gotten right? And where do you want the discipline to go in the next three to five years?"

Sarah Janes: What we still haven't got right? So, I think, as an industry, we still don't have an accepted method of doing things. So, we know that if we want to protect an organization physically or logically with firewalls and networks, we have a way - an accepted way of doing that that people will apply. I think the industry could do with having some real clarity on the - this is the way that is agreed that we can change behavior and we can change culture. The other thing I think we need a lot more of is measures. We do not measure very well what people are doing right. We measure all the time the gaps in the network, the vulnerabilities, the risks. Which, of course, are valid. But, as an industry, I don't feel that we measure what people are doing right very well, which means it's really difficult to articulate the value and return on investment for a culture change program if we don't actually know what people are doing right.

Perry Carpenter: Right, right.

Sarah Janes: So, I'd like to see those two things changing in the future, that when an organization knows and understands that they need to educate and upskill their workforce, there is an accepted way of doing that that can be measured. The last thing that I'd like to see, and this is maybe a bit way off, is we often find with organizations that we are educating colleagues on really basics of security. And I think the question is, "Should that really be the role of an organization to educate on security as a whole?" Or should we expect a level of security understanding globally? And the education process when people join an organization is, "This is how it relates to our organization, this is how it relates to our policies and processes." I think we're a way off that. I have a 10-year-old daughter, I know that cybersecurity is still not taught at an acceptable level at schools. So, how long are we going to take till we get to a place where there is that general level of understanding right across the globe?

Perry Carpenter: Okay.

Sarah Janes: I don't know, it could be a long time.

Perry Carpenter: Yeah, yeah. That - well, that's interesting, too, because the technology changes, so you have to teach principles and philosophies of ways to view the world. All right. So, then, let's say somebody listens to your words today and you have the chance to help them take one action right after listening to this or tomorrow or whenever they get back to work, what would be the one thing that you hope people would do differently or be encouraged in?

Sarah Janes: One thing that people can do differently, I would say go and find an example, just one really powerful story in your organization of something that people are doing right to protect the business, to protect themselves. And if you can articulate that and show that, that's the real basis for change. You know, if you can find a story like we have in some organizations about people just questioning an email from a senior leader and saying, "Is this you actually changing the pay details," or reporting something quickly, I think they're great places to start. Small actions, small conversations, finding stories of what really works can actually really change behavior.

Perry Carpenter: That's fantastic. Well, that's about all the time that we have today. I hope that you enjoyed this discussion with Sarah Janes of Layer 8 Security about the importance of security champions programs. And, of course, I hope that you were able to pick up a few great hints and tips about how you can begin to start one of your own. When it comes to security culture, it is of the utmost importance that we get all the help that we can. And, with that, thanks so much for listening. And thank you to my guest, Sarah Janes of Layer 8 Security. I've loaded up the show notes all the relevant links and references for things that we talked about today, and a little bit more that you can dig into just for fun. If you've been enjoying "8th Layer Insights" and you want to know how to help, it's actually pretty easy. Just comment and leave a review on any podcast platform that allows you do so. That lets other people know that this show is worth their time. And their time is super important so we want to point people in the right direction with these kinds of things. The other really important thing that you can do is to tell somebody else about the show. Podcasts are really difficult to find because there are so many of them and there's not a lot of great advertising out there. So, telling somebody, giving that word of mouth recommendation is super important. Please do so for this show. I really appreciate it. Oh, and if you're ever interested in reaching out to me, feel free to do so. You can find my contact information at the very bottom of the show notes for this episode. And, while you're at it, feel free to check out my other show, "Digital Folklore." It's a fun dive into the quirky and sometimes dark nature of online culture. This episode was written, recorded, sound designed and edited by me, Perry Carpenter. The cover art for "8th Layer Insights" was designed by Chris Michalski at ransomware.net and Mia Rune at miarune.com. The "8th Layer Insights" theme song was written and recorded by Marcus Moskat. Until next time, I'm Perry Carpenter signing off. [ Music ]