Conversational Security Awareness: Putting Humanity into Your Human Risk Management Program
Perry Carpenter: Hi, I'm Perry Carpenter, and you're listening to "8th Layer Insights". If we really peel back the layers and ask ourselves a critical question, what is the answer? That question is, why do we do security awareness in the first place? What is the outcome that we're looking for? If you've ever asked that question, then today is the episode for you. What I'm bringing you today is a joint session that I did recently at the SANS Managing Human Risk Summit, alongside of Dr. Jessica Barker, who you've heard on this show before. In this session, we talk about the fact that security teams are beginning to appreciate the importance of building a strong human defense layer. As a result, most organizations have adopted some form of security awareness, behavior, and culture program, but there is a complication. In building these people-focused programs, security teams often forget that people are, by nature, relational beings. And this impacts everything, from executive support to the trust or apprehension employees associate with your security team. In this session, Jessica and I break down practical guidance for understanding, managing, and maturing programs to better foster a positive relationship and associated culture. This presentation is going to be about 30 minutes, and then be sure to hang on after the presentation, because right after that, I've also added a quick discussion between Dr. Jessica Barker, myself, and Lance Spitzner of SANS Security Awareness, where we discuss our takeaways from the different presentations, as well as what our hopes are for the discipline that we all find ourselves in. And so, on today's show, "Managing Human Risk", what is it? How do we do it? And how do we make it conversational and relational? Welcome to "8th Layer Insights". This podcast is a multidisciplinary exploration into the complexities of human nature and how those complexities impact everything, from why we think the things that we think, to why we do the things that we do, and how we can all make better decisions every day. This is "8th Layer Insights", Season 4, Episode 7. I'm Perry Carpenter. I hope that you enjoy this session from the SANS Managing Human Risk Summit. This first voice that you'll hear is Jeremy Treadwell. Jeremy is an amazing thinker, an amazing presenter, and a fantastic community member. Jeremy also introduced Jessica and I this year, and was the moderator for our Q&A session after the presentation. He is certainly someone to follow on social media if you're not doing that already, and so I'll make sure to put his information in the show notes of this episode as well. With that, let's go to the session.
Jeremy Treadwell: Hello, hello, everyone. What's funny is that I have the distinct pleasure of interrupting your conversations to talk about conversational security awareness. I have the distinct pleasure to introduce two security awareness rock stars, Perry and Jessica. They both are astounding, and one of the reasons why I have loved being a part of the advisory board this year is that I get a sneak peek into the talks and highlighting some valuable insights for this organization. And I truly believe that this talk is going to change completely how you think about humans, right? We're here talking about human risk. We're here talking about highlighting the value of helping individuals change their behavior to increase their confidentiality, availability, and integrity of our information security systems programs. But we haven't really talked much about how to bring people into that, right? We tend to be emotional. We tend to be conflicted. Like I said earlier, we make 35,000 decisions per day, right? So how do we start to think about that and bring some of these into our security awareness program so that we can truly understand the people in which we serve? So without further ado, I'd love to bring up Perry and Jessica. Thank you so very much.
Perry Carpenter: Thank you. No pressure, right?
Jessica Barker: Thank you, Jeremy.
Perry Carpenter: So it sounds like we're coming through. Let me set a couple expectations. My name is Perry Carpenter. This is Jessica Barker. As you can tell by the program, we are going to talk about something that we are super, super passionate about to a bunch of people who are also super, super passionate about this topic. That brings a certain level of anxiety and responsibility to it. The other thing is I have the distinct pleasure of sharing the stage today with one of my idols in this area.
Jessica Barker: That's what I have.
Perry Carpenter: I have a little bit of anxiety. But as we get going, we're going to kind of open up together a little bit. But then there's going to be two or three distinct parts of this. I'll take about 12 minutes and go through way too many slides. And then Jess is going to take about 12, 13 minutes and go through a much more reasonable number of slides for that amount of time. And then we are intentionally trying to leave time for questions at the end. That can be anything about this presentation or really anything about awareness, behavior, culture, our personal lives, anything else. It's fine. So to set the stage, I just want to forecast kind of where this is going. And when we think about the past several years in security awareness, the past several years in phishing, we've seen a lot of mistakes happen. We've seen a lot of times where people have kind of stepped outside of really realizing that there are faces, there are emotions, there are life circumstances to the receiving end of the phish that they send out or the communication that they send out. And the problem with that is, is that we don't often realize how bad of a situation we've created until we've done it, unless we reframe the conversation a little bit. And so that's what I'm hoping to bring to the table a little bit. And let's also talk a little bit of a prognostication about this industry that we find ourselves in. Jess, what do you want to get out of this?
Jessica Barker: So what I want to talk about kind of leading on from Perry's discussion is to touch on perceptions, which I think is one of the most important aspects of security culture, but also one of the most overlooked. So I'm going to be speaking about perceptions of us working on the human side within the industry of security, people's perceptions of themselves in relation to security, perceptions of leadership, and also how we can help shape perceptions to be more positive and more security conscious.
Perry Carpenter: Awesome. So just a little bit about us, if you're not familiar with either of us, go ahead, Jess.
Jessica Barker: Thanks, Perry. So I've been working in security awareness, behavior, and culture for 12 or 13 years now. When I started out, if you had told me that my work would mean I could emigrate to the USA from the UK, in case you couldn't tell, that I would be working on my fourth book and that I would be receiving a medal from the King of the UK, I would not have believed you. It would have blown my mind, but somehow here we are, and I'm delighted to be speaking with you all today and sharing the stage with someone I truly admire.
Perry Carpenter: Thank you. And I have written a couple of books in this space. I've kind of lived in the awareness, behavior, culture space for between 15 and 20 years, depending on how you count it. I've been a receiver, a recipient of a lot of training. I've also run some large-scale training programs at global 1,000 companies. I've been a Gartner analyst covering the security awareness space and really working with all the vendors and the CISOs around the world, trying to figure out how to be effective at this. And then now I work for a security awareness vendor, trying to shape the future of where this goes. In this, I've also written a couple of books about the discipline of security awareness. I executive produced a show called "The Inside Man" and run a couple of podcasts that look at the intersection of humanity and technology through different lenses. And so that's really the mindset that I bring, is where does the human sit within the equation of anything? In any societal move, in any technology-based move, where does the human sit? And so with that, when we talk about -- and Lance gave a great forecast with this already -- the terms that we use, how we describe ourselves, how we describe our industry, we're kind of at this crossroads, right? You're hearing phrases like human risk management. You're hearing phrases like awareness, behavior, culture. You're hearing words like influence. And it all means that we have to take a step back and apply this critical question, is what is our intended purpose? If we think about first principles type of approach to this, we have to ask, why do we exist in the first place? What is our measure of success? How do we know when we've gotten there? Or are we just pushing information to people, putting butts in seats, eyeballs on screens, all those kind of things? And so as we've really thought through this over the past few years, a lot of us have been raising our hand and saying, you know what? What we do isn't really awareness because just because somebody is aware doesn't mean that they care. There's a human component in this. We have to really think about the individual. We have to think about our goals. But our discipline has this branding problem, right? What happens when somebody looks at the Verizon DBIR and they go, oh, my God, 74% of all data breaches come back to some kind of human-related issue? Well, we've, as a discipline, in all of security and through the vendor market, which I participate in, we've kind of conditioned people, the happy CISO, to type in security awareness, which then sets a false frame that awareness is about information. But vendors, and I've consulted with a lot of these, I even think about this in my own company, if you are to rebrand yourself away from security awareness, then you're a page three, page five Google result. You were never found and you go out of business. So you have to always start the conversation with awareness that reinforces the frame, but then move somebody off of that and say it's not really about awareness. It's about something else. And so we're at this flux point where even we've changed the name of this conference to try to set what the next 10 years is like. But it's uncomfortable, right? Because we have this definitional problem where we talk about awareness and behavior and culture and human risk management and human-layered defense and whatever other words we want to attach with this, this thing, whatever it is that we all do. And each of these has implications and each has some baggage. And so we have to understand the frames that we create so that we don't accidentally create another problem, right? Because somebody is going to say, when you talk about behavior, what do you mean? When you talk about managing human risk, what do you mean? When you talk about a human layer, what do you mean by that? And there's good and not so productive discussions that come across with any word that we choose. But as we think about this, ultimately, when I take that step back and say, what are we here for in the first place? It's these three things. And every good program is going to have these tenants with it. We are there to win hearts and minds. So that means that we're bringing the humans in. We're really trying to build a relationship with them. We're there to influence behaviors. That's the behavioral outcome. That's the action step in this. And then the ultimate goal, the why we exist in the first place, is reduction of risk in the organization. So you can get to something like human risk management with that, but you can also attach a lot of other words as well. But as long as we're doing these three things, I'm actually a happy person. I believe that we're serving the industry and we're doing good things. We are meeting the mandate that we have. So we also have to realize that, again, if there's issues that come up with words, we have to think about what conversations they cause. If the human goes, wait, you see me as a risk, well, then we're kind of back to, is the human the weakest link type of thing? And what we need to then start to move the conversation to is, no, everybody exists within an ecosystem. There are risks that come at you. We're there to help protect you and build resilience around that. There are also just risks that happen anytime something exists in the world. And we're there to help manage that and build a protective barrier so that you don't accidentally cause harm in any way. So we have to really think about these so we don't create the conversations from the past that have not been productive. So we also have to think about these phrases that we throw out like, well, you're the first line of defense and the best line of defense. You're the last line of defense. You're the weakest link. All of these, again, cause other big problems, right, because each has an implication. For me, I don't use any of those anymore, even though I have in the past. And I just say humans are a critical line of defense because if a human is the first line of defense, maybe then they're in the wrong place. If the human is the reason that an organization has a breach, then I'm sorry, that's a technology failure. At the end of the day, if a human is your last line of defense, you've not properly segmented the network. You've not properly put in other controls. You've not really thought about all these other things that can and should be done. And so the human should not be in the position of being the last line of defense, but they are a critical layer. And if you neglect them, you're missing out on some resilience. So with this then, let me kind of get to the one thing that I want you to think about. If we're doing this well, what does a program look like? We already talked about when hearts and minds influence behaviors, reduce risk. Well, we do that through some things that look pretty traditional. Outreach, this is me talking to other people, getting messages out. This is newsletters. This is all the kind of stuff that you typically associate with security, quote, unquote, awareness. Newsletters, videos, signs, all of that kind of stuff. And then you have training and simulations. The key thing here is that there is a participatory piece of action that happens. If it's a phishing simulation, somebody can interact with that. If it's a tabletop simulation, somebody can interact with that. If it's the latest VR, AR, cool whiz-bang thing that you do, somebody has the ability to participate in that and affect an outcome. If it's an escape room, somebody has the ability to participate. So outreach, training, and simulations. And then the last thing is where the industry is going more and more. That's all the cool AI, ML, building in tons of other APIs so you understand what else is going on in the environment and delivering just the right bit of training or behavioral conditioning at the right time for the right person at the right location. You know, all of these cascading areas of rightness. So what then does that look like? Well, I think each of these express themselves in three other things. And content, so we don't get rid of content. Outreach has content, right? You send out a newsletter. You put out a poster. Training and simulations, if it's a phishing simulation, your template is a piece of content. If you do a tabletop exercise, the instructions and the engagement pieces are the content. If you do a human detection response, the injection that you put and saying, hey, we noticed that you were trying to do that, that is a piece of content. So you have to think about that. And you have to think about how that creates or messes up an experience for someone. What are they feeling on the other end of that? What is their experience? How are they engaged? Or how are you missing the possibility of engaging them? And then the last thing is, and this is foundational, that's why I put it at the bottom of the pyramid, relationships. Because everything you do in this program, from the content that you choose to the emotions that somebody feels, will build, maintain, or destroy a relationship. So if your goal with this is win hearts and minds, influence behaviors, reduce risk, if part of that is getting people to report, to get people to engage, to become security champions, all that, and you're tearing down the relationship because you're sending really poorly thought out phishing simulations or other bits of engagement, well, then you're kind of losing that battle. So for me, relationship is the primary thing that I want to focus on and then build everything out from that. Because that emotional impact is super, super, super important. We also have to think about the way that we view everybody around us. So, you know, we tend to think about, and security people tend to kind of classify to us versus them. Right? We have the us that is the security team, and then we have the them, the cyber criminals. And what we need to get away from is the them, which is the other people on the side of the screen, viewing them as this opposing force or this thing that we have to manage. That's not really the way to think about it. And we see this reinforced over and over and over by the imagery that people put out there, by the memes that they create. This does not win hearts and minds. This creates enemies. This gets people frustrated and say, they don't see me as me. They see me as a problem. Well, I'll show them. I won't take their training. I'll click on things just for fun to see what happens. So we have to realize that our content is the face and the voice of our CISO and team. And we have to tailor things to that human, really, response cycle that is there and the emotion that we want to create. And if we're not tailoring our messages to create the emotion that we want, then we're just taking a chance on the way that somebody is going to receive that. The other thing is we have to think about our engagement. It's great to have programs that reward people externally, like gift cards and all that, but the effectiveness of that degrades over time, dramatically. We need to build intrinsic motivation, and that takes a long amount of time. We have to think about if we're going to give something away, should it be a $20 Starbucks gift card or should it be something that reflects the brand of the security team so that they get buy-in? Because what we've seen over and over and over, and here's a meta-study that shows 128 different experiments, show the conclusion that tangible rewards like gift cards and things like that that do not associate somebody with an identity or that do not really meet a need that somebody has in a real way, have a negative impact on intrinsic motivation. If we're out to build relationships, win hearts and minds, we have to be aware of that. We have to think about the social signaling that we can create. There's a ton of great science in this, and I would encourage you to look at a book called Mixed Signals by Yuri Gneezy, the hero economist. Does a fantastic job breaking this out because, again, it all comes down to relationships. With that, I'll hand it off to Jess.
Jessica Barker: Thank you, Perry. To follow on from what Perry's been speaking about, about emotions, about how we make people feel, about how we engage with people, how we see them, it's also thinking about how do people see us and how can we positively influence that? One question I have that I would love everybody to think about, I would love to speak about over the course of the next couple of days is how we can elevate the perceptions of those of us working on the human side in the eyes of others, and that can be others in the security industry and beyond. How do we communicate to people the value that we bring? Because I see this paradox where, as Perry rightly highlighted, you see research like the Verizon Data Breach Investigation Report highlighting the importance and the impact of people when it comes to cybersecurity. And yet, at the same time, and I know other people feel this too based on conversations that I have, there can be this sense that the human side, that awareness, behavior, and culture is added on. We don't get the budget. We don't get the buy-in. And that has increased, that has improved in the last few years, from my perception. But I feel like we still can be elevated in the industry. So I think it's something to think about of what can we do to positively influence that, to have a higher seat at the table. Now, moving on to perceptions and perceptions of security, one thing I wanted to touch on was about how the human brain is different to a computer. Of course, we're all thinking a lot lately about how we can make computers more like the human brain. And we've got some great talks looking at the agenda on AI coming up. We had a great keynote touching on that this morning. But of course, we can also look at that the other way around and think of the ways in which a brain is different to a computer. We don't have perfect memory, perfect recall, and we interpret data. Something we're looking to try and teach machines to do better is something that actually we need to be aware of when it comes to awareness, that we take in data and we interpret it in a volatile way. We perceive things differently depending on where we're coming from and the subcultures we exist within. So to illustrate this, I am going to try an experiment and I'm going to play an audio clip. You're about to hear my voice saying some words transformed by a computer to sound like gibberish. And I'd like you to listen carefully and then I'm going to ask you some questions. Based on it. Okay, so who heard the noise? Who heard the gibberish? Hands up, hands up. Hopefully everyone, most people. Keep your hands up, keep your hands up. Only put your hands down if you could make sense of what was being said. So keep your hand up if you couldn't make sense of the words. And I know at least one, two people, in the room could. Okay, everyone with your hands up, who could make no sense or very little sense of any word? Fantastic. Okay, I am going to leave that there. I'm going to ask you to put your hands down. Thank you so much. Keep that in mind. And if you think you could make out a word or more, please write it down. I'm going to come back to it in a few minutes. When your perceptions should have shifted to such a way that it makes sense to you. It may still sound like a computer, but you should be able to understand the message. So we're going to play that game as we move on. But before we get to that, I am going to touch a little bit more on what perceptions mean in terms of cybersecurity culture. Because I think we often talk about awareness. We often talk about behaviors. We're increasingly talking about values. How we can tie the values of the security cultures we're developing with the values of the organization. But something I think we don't talk about as much is perceptions. And they're hugely impactful. I actually just shared my video of the week. I share a video a week on YouTube, often put it on LinkedIn as well. And this week, it's all about perceptions. So I'm talking about slightly different things today, but it seems to be my theme of the day. So perceptions are influential in a few different ways, a few different layers. And one of the most influential, of course, is whether there is a perception in the organization that senior leadership endorses security, promotes security, values security. And I wanted to share some statistics with you from Club CISO. I'm on the advisory board of Club CISO, a membership of about 600 security leaders around the world. And the data this year, we asked what's been most effective at fostering a security culture over the last 12 months. And I find the feedback fascinating because the overwhelming majority answer was leadership endorsement. This perception that there is that active, not just tone from the top, but that championing from the top of security. And that is seen as way more influential than whether there's even a reported culture of no blame. That perception that there is psychological safety if something goes wrong, hugely important. But what we're hearing from CISOs is actually having leadership endorse is more important. And then we can look at other things, security champions, training, targeted training, giveaways, swag. These things that sometimes we can focus on in a security program actually bringing less value to the development of a security culture than the perception of leadership being involved. And another perception I want to draw your attention to is the statistic that the majority of these security leaders, 62% this year, feel that their security culture is an ongoing priority and is making progress. Now, if we compare this with the other graph that I was just running through, it seems that only 21% are measuring their security culture. So where is that perception coming from that the security culture is getting better? I don't have the answer for that. Maybe it's from some data. Maybe it's from a gut feel. But it doesn't seem to be coming from rigorous measurement of the culture. Just leaving that one out there. Now, one of the most important perceptions in security culture and in security behavior is arguably how people perceive themselves. Self-efficacy. So going back to seminal work of Bandura around self-efficacy, a person's perception that they are able to practice the behavior that is required for a specific outcome. And the research suggests that this is far more important than, say, raising the threat, than scaring people. In fact, fear can actually undermine a person's sense of self-efficacy, meaning that they perform more poorly. And I gave my 2020 RSA keynote on the psychology of fear and talked about that in much more detail. But I wanted us all to think about what do we do to raise the perception of the people we work with where they feel that they are able to engage in what we are recommending. And some of this is about our communications, but it's also providing the right tools and the guidance and the support to use those tools. Because we can help people understand why they need good passwords. We can say whatever we want to help them feel more confident. But unless we give people the tools and the guidance, they can't practice that behavior. And it is also about the language that we use. And you will note my part of the presentation, apologies, is sponsored by Will Ferrell memes. But, you know, who can resist? So soft skills, right? So-called soft skills. On the one hand, I am delighted to see that we're talking more about empathy, about communication, about psychological safety, about compassion more than I have ever seen in my time in the industry. And I think that's great. And I think it's something we should continue to promote. However, I'm also intrigued by why are we still calling them soft skills when we all know they are anything but soft? They're really hard. And how much does this influence or undermine the perception of the value that we bring? Now, who here has been to Lake Wobegon? Right. Okay. I knew a couple of people would know of the fictional town of Lake Wobegon. Lake Wobegon effect or illusory superiority. And the truth is we've probably all been there. It's this tendency that we all have as human beings to think that we maybe are above average with certain things. So the classic example is if you survey a portion of people and you ask them whether they have good driving skills, the majority of people will say they have above average driving skills. A majority cannot have above average skills. That's impossible. And this is a trap that I see us falling into in the security community as well of thinking that we are immune, that overconfidence. And this applies to us, but it also applies to our more technical colleagues in security and the developers and the engineers that we're working with. So this is a really challenging perception to overcome because nobody wants to admit that they have inflated their sense of skill or importance. But it really comes down often to how we approach people and the language that we use. And as Perry said, tailoring that language for different audiences and groups and helping people in security understand not just in terms of illusory superiority, but also in terms of empathy and compassion that the right fish at the wrong time can catch anyone. And I even have a sticker on my water bottle. I've got some spare if anyone wants the sticker that says the right fish at the wrong time can catch anyone. So with that, let's see what happens if I play this again. Who heard it now? Yes, majority in the room. You can now hear once I have used that language, I've translated it for you, you can hear me saying the right fish at the wrong time can catch anyone. What's fascinating is that my friend Tracy, my friend Perry have heard the translation. So they knew they could hear that just like I could. And it's quite terrifying standing up here and expecting you all not to hear it. I already have the curse of knowledge. I'm already thinking, come on, surely you can hear it too. And that's a reminder for all of us that we have to keep in touch with communicating in a jargon-free way and in a way that is translated and understandable depending on our different audiences. So with that, we've got time for questions. We do.
Jeremy Treadwell: That was fantastic. Well, thank you so much. I mean, that was amazing. So that's raise your hands for questions. We have a couple on the online. I think the moderators are coming through. But I see you right here with your hand up, sir, in the front. Go ahead and ask your question. I'll repeat it.
Jessica Barker: So the question was a great question. I spoke about illusory superiority. What about the kind of mirror opposite of that, which can be so-called imposter syndrome or imposter phenomenon where we can feel like we don't know enough and we're a fraud? I have spoken about that, written blog posts and things about it before, because that's certainly something. I think everybody working in security more or less has that sense of imposter syndrome, at least sometimes. And I found that working on the human side, I would feel that and I would say I'm not technical. And I would hold that up as an apology and a defense to more technical people. And I've now stopped doing that, actually. And I would encourage everybody in this room and everybody joining us virtually, if you find yourself saying I'm not technical, to actually embrace the fact that you bring a lot of other skills and that you are technical just in a different way. And also you're translating technical messages, so don't underestimate your amount of technical knowledge. But when it comes to imposter syndrome, I think it's inevitable that we have a sense of that in this industry because it's so broad and it's so deep. And we can speak to someone else and discover they have so much knowledge. We can forget how much we know as well. So I could talk about it all day. But I think it's interesting that we're battling both overconfidence and imposter syndrome, often at the same time and in different aspects of our lives.
Perry Carpenter: Yeah, I would just add to that real quick. And I had this when I started my role at Gartner, standing on stages in front of thousands of people. You can feel pretty inadequate, but then you have to realize a couple of things. Number one, most people do not want you to fail. So the vast majority of people do not want you to fail. So they're rooting for you. The other thing is you're in a position where you're thinking about this every day, most of the minutes of that day. So that already makes you an expert in the thing that you're bringing to the table. And so once you start to realize that, most people don't want you to fail, and you're probably the expert in the room on that, you can always learn more. But at the same time, you have a lot of value that you can bring. So find a way to bring that value.
Jessica Barker: And speaking about imposter syndrome, if you're in a safe, trusted space and you know you can do that, and you have that psychological safety, I found that can be one of the best ways of actually overcoming it because you will often hear back, me too. I feel like that too. I felt like that too.
Jeremy Treadwell: Yeah. I love it. I mean, I will say your audio example is crucial. I mean, coming from the background I come from, from technology, I understand that recognition is more powerful than recall. So the idea that when we know something and are familiar with it, we feel much more obliged to engage, to feel more connected. I use this example all the time when I'm teaching courses around UI UX. It's like that gear that we all use for settings, before you've seen that, you would never associate a gear with settings. But once you learn that behavioral pattern, then it's able to be more likely to continue. So to bring that up into a question that was brought up online, as you talked about the transition from extrinsic motivation, gifts, swag, things of that nature towards intrinsic motivation, what are your thoughts for how individuals can bring that into the organization and kind of highlight the value set that you want to highlight in the organization?
Perry Carpenter: Yeah. So if you look at the research, you're trying to create a shared identity with these things. And so we need to take our cues from organizations like the Red Cross, you know, people that are doing blood donations. There's two ways you can do that, right? One is you can have somebody go in and give blood or give plasma, and you give them $50. But they don't really feel a sense of belonging to that organization. They feel like they've served themselves, not a greater good. Or you can do a volunteer type of thing, and you give them a sticker and a T-shirt. But now they wear that with a sense of pride because they are identifying themselves with the greater thing that's out there. So we need to be asking ourselves in our program, how do we do that? We saw some really good examples with Cisco, with like the little monster swag and stuff like that. Which would you rather have, a $20 Starbucks gift card or something like that that's cute, that's always this reminder of how you did well and how you contributed to the overall organizational good?
Jessica Barker: Yeah, fantastic answer. And just a couple of extra thoughts from me. You mentioned Cisco, that great session we had earlier. And one thing that came through there was the trust that comes from transparency and showing that you are trustworthy and people can trust you can really help people to feel more engaged, feel more belonging. And the other angle I think is really important is around values. Often I work with security teams who will be trying to build a security program and a culture that has a messaging which can be opposed to the wider organizational culture. So it can be more of a negative security messaging coming out and maybe the wider organization is much more positive. We are never going to change the wider culture. We need to find ways to move with it and frame our messaging and tap into those more intrinsic values that people have, both at work and at home.
Jeremy Treadwell: I've heard that analogy before in thinking about a stream. Does the water shape the rock or does the rock shape the water? So it's a good way to think about that. I think we have one final question in the back.
Hope Barr: Hi, Hope Barr here from US Bank, super nerd. I actually have two questions there for Perry. The first one is, do you have any advice on how financial institutions can adapt your security awareness best practices? And number two, if any super nerds here, myself included, have one of your books, would you be willing to sign it?
Perry Carpenter: So I'll answer the second question first because that's easiest. Yes, I'll happily do that. I actually have a couple copies of other books with me too. So feel free to grab one before they're gone. And then the other one is financial institutions. How do you start to bring that in? That's a long, complicated question, right? So I'll go back to the Gartner thing is it depends because there is a culture that already exists in your organization. You have to realize that you have a critical decision. Do you play into that culture if it's good or do you pull against it? Again, Cisco example, they had to create something that was other than their culture to start to build that trusted avenue. So sometimes that's the right answer. Sometimes that's a death sentence. You have to really kind of thread that needle right. But it goes back to the chart that Jess showed as well. In any organization, this is a bad answer, but it's a CISSP answer too. What's the right thing to get first? Executive support, because once they're starting to fall in line and really create mantras around the things that are going to reduce risk in your organization, then that starts to really affect how everything else works.
Jeremy Treadwell: Perfect. Thank you so very much, both of you. I want to say one thing. I want to take a picture with the two rock stars.
Perry Carpenter: Okay, don't run away just yet. If you remember, as I was doing the intro of this, I mentioned we have a short discussion between myself, Dr. Jessica Barker, and Lance Spitzner from SANS. This was a fun discussion during lunchtime of the last day of the summit. So everyone was tired, but we had a lot to reflect on. So I hope you enjoy this short discussion. Start off with a general question. So Lance, for you, when you think about the Human Risk Management Summit, what do you really hope to see in the type of engagement that you get?
Lance Spitzner: Well, good question. The big thing is not so much the engagement. I would say the conversation. So at these events three, five, ten years ago, it was all about training, engagement, being edgy. Whereas this, we want to mature the field. So instead of just going above and beyond that, more about human risk. So, for example, Aj was just talking about his free database on behaviors and things like that. How to measure risk. What behaviors do you want to change? So it's not so much -- the goal is, can we change the conversation so we're at a more mature level? And we're definitely headed that direction. It's just taking a lot longer than I had hoped.
Perry Carpenter: From the attendees that are here, it seems like an incredible turnout. So people are ready to hear the message.
Lance Spitzner: Yes. Yeah, absolutely. And I had people coming up to me asking, so if awareness isn't the term, what is the term? And things like that. And my discussion always is, I'm less concerned, do you call it culture, behavior, influence, engagement? It's more of the why, ultimately, to help us better manage human risk.
Perry Carpenter: Yeah, that's kind of what I talked about a little bit in mine, too. It's like we have the word salad that everybody's using. But at the same time, if you just go back to why awareness was created in the first place, it's kind of when hearts and minds influence behavior for the purpose of reduction of risk. And if you're doing those three things and putting that on mission, you're probably going to be headed in the right direction. So Jess, for you then, when you come into this and see a group of peers and a group of people that want to hear from you, what responsibility do you feel and what message do you feel you need to get out there?
Jessica Barker: So I think, Perry, maybe both of us felt the same getting up and giving that presentation together.
Perry Carpenter: Yeah.
Jessica Barker: A lot of people saying they were very excited to hear from the two of us sharing a stage. And I find that both very exciting and quite terrifying because we're with our peers. The summit has been full of fantastic, really focused sessions where we've heard about a diversity of really interesting topics. For me, I was very keen to talk about how we can change conversations and change our influence, increase our influence by understanding more about perceptions, how people perceive us in security in general, how they perceive us working in the human side and how perceptions can play into the security cultures that we're looking to influence.
Perry Carpenter: Well, and you've kind of been on a mission to give people good information about security and good information about mindset for awareness for a while. So YouTube and you're doing a lot of stuff on LinkedIn, even some of the messages that you put on stickers. So when you think about the people on the other side of an awareness program, there's those of us that are putting those together and then there are people on the receiving end. What do you want them to feel when they are the recipient of this type of program?
Jessica Barker: I love the way you described it yesterday as well. People on the other side of the screen, people on the other side of what we're putting out. You're not using the word users, for example, which can have negative connotations. And that ties into something I look to influence as well, which is going out there with compassionate empathy, trying to encourage people to feel a sense of psychological safety, to feel empowered and engaged, to feel that they're not just being talked at, but also listened to. Because when we want to positively influence behaviors, we need people to feel that actually they're in a safe space. If they need to report an incident or ask a question that they can do so without being judged. And historically, cybersecurity can make people feel judged, intimidated, like they don't know enough or like the question they are going to ask is not educated enough. So I'm really looking at trying to break down those barriers and create a more inclusive, friendly space for learning.
Perry Carpenter: Great. So we talked about words for a second. And we've started to talk about the managing human risk as one of the ways that we really frame what the next stage of awareness maturity is. When it comes to like if someone were to ask you to define what managing human risk is, how would you define that for people who are trying to really sharpen their pen and really understand some of the nuance there?
Lance Spitzner: So to define the solution, I always like to start with the problem.
Perry Carpenter: Yeah.
Lance Spitzner: So most breaches, 80% involve the human element. So if we want to address cybersecurity, we can no longer just approach it from a technical perspective. We have to address it from a human perspective also. It's not one or the other. It's the two combined.
Perry Carpenter: Yeah.
Lance Spitzner: So the whole idea of human risk or managing human risk is reducing that human element to an acceptable level. Not eliminating that risk, but reducing it to an acceptable level. So human risk is all about really changing people's behavior so they are not the drivers of those breaches. And the one thing I always like to add in human risk is it's not just cyber threat actors targeting people, but also just people themselves being their own threat because of human error and accident and things like that. But it's all about managing the human side to an acceptable level, and you do that by changing behavior.
Perry Carpenter: I want to tackle this because it's a conversation that happens on Twitter all the time, and I think we need a unified response. When somebody on the other side of that hears human risk, they might be thinking it's a replay of humans are the weakest link type of thing.
Lance Spitzner: Yeah, which is a term we don't like.
Perry Carpenter: Yeah, what's the conversation that we need to have around how to appropriately use a phrase like managing human risk to the people who are receiving this kind of program?
Lance Spitzner: This kind of aligns with what Jessica was saying. I would say it's more about enabling.
Perry Carpenter: Yeah.
Lance Spitzner: Enabling people so they can be secure.
Perry Carpenter: Right.
Lance Spitzner: And when I say enabling, make security simpler for them.
Perry Carpenter: Yeah.
Lance Spitzner: Communicating in their terms. And I love how Jessica always does everything through the lens of empathy.
Perry Carpenter: Right, right, yeah. And I think that makes sense. And that wasn't trying to be a gotcha question.
Lance Spitzner: No, no, it's a really good question.
Perry Carpenter: It's just something that I see come up over and over because we don't want to replay the things where we've accidentally fractured relationships in our past.
Lance Spitzner: So I would rephrase it based on that discussion.
Perry Carpenter: Yeah.
Lance Spitzner: If you ask me, Lance, what's human risk? I would say enabling people to be more secure.
Perry Carpenter: I like that. There we go. So then I'm also interested from your perspective as somebody who is kind of floating in and out of all of these, what little bits of conversation have you maybe heard in the hallway where it's like, oh, we're getting through. We're doing the right thing. And then where do you maybe feel like we're still stuck?
Lance Spitzner: We're making progress in that we see these teams are getting bigger and things like that. But I think where it is we get stuck is still one of perception, where awareness is still too often perceived as compliance, training, the annual once-a-year training. Once again, that's why I'm trying to make this push to change the conversation about human risk because now that aligns more with the CISO's priorities, you're speaking the security team's language.
Perry Carpenter: Yeah.
Lance Spitzner: So ultimately, I think our problem is a credibility problem. Security teams perceive us as just that once-a-year computer-based training, but really we're a partner here to help them manage risk.
Perry Carpenter: Yeah, yeah. And then when you look through the agenda, and I'm not sure how much you really thought about all the different people that have been presenting and all the different topics that are there, but it seems really, really like on a different level this year. And what do you ascribe that to? And then maybe is there a favorite talk that you've heard?
Lance Spitzner: So, yeah, just a couple. We tried to mix things up. So first of all, you'll notice the advisory board. All 15 members are brand new because we wanted to bring in new perspective. We tried to make it as diverse as possible. So we're trying to get all these different perspectives. We don't want to talk just about just how to engage or just about risk. We don't want everything in between. So we are kind of all over the map on purpose. I think one discussion that really resonated well was the team from Cisco because they were very open and honest. You know, hey, we had an incident. Here's what we can learn from it and from the human perspective. And what made that so valuable is too often organizations said, oh, hey, we had an incident. Let's do everything possible to hide it.
Perry Carpenter: Yeah.
Lance Spitzner: So people had that very valuable because we not only want to learn from what people did right, but from their mistakes and lessons learned.
Perry Carpenter: And then Jess, for you, which talk has stood out the most?
Lance Spitzner: I would echo Lance in terms of the session from Cisco was extremely powerful.
Perry Carpenter: Yeah.
Lance Spitzner: And I think is leading the way in terms of that transparency. So that was fantastic to see. But I've also been struck by the diversity of sessions and the depth of sessions. So hearing Princess and Felicia from Southwest Airlines talking about how you can grow a team, how you can go from a team of one to a bigger awareness team and using different approaches in an organization to make that happen. So that's a really practical, really engaging session. Then we've been hearing about AI and ChatGPT, what that means in terms of awareness. And that's going to become an even more hot topic over the next year. So I think that's been super helpful to people. What I've taken away from this is a really rounded view of where we are as an industry and what we're looking at in the not-too-distant future.
Perry Carpenter: Okay. And then I think last question. I think we've gone long enough. I will give you two options for a last question. One is an encouraging word for anybody that's listening. Or two, if there's a question you wish that I had thought to ask but I was just too boneheaded to ask, give me a question and I'll ask that. Or phrase it to yourself and answer it.
Lance Spitzner: What was the first question again?
Perry Carpenter: Is there something that you would want to say just to encourage people who are starting out right now or who are kind of in the daily grind of doing?
Lance Spitzner: I think I'm going to go with that one.
Jessica Barker: Me too.
Lance Spitzner: You know, a couple of days, your brain is so fried.
Jessica Barker: My brain is fried, so I can't imagine.
Perry Carpenter: Yeah.
Lance Spitzner: So I would just say, get involved in that. Don't be concerned about what your background is. So I was just talking to some people who are coming from education. And they're like, well, we're not sure what we can bring to the table. I'm like, my God, education. You're all about training, enabling and learning. Yeah. So I would say regardless of what your background is, you bring something special and unique to this field because this field is one of the hardest and requires so many different skill sets. So regardless of your background, if this is something that really interests you and you're passionate about it, we want you.
Perry Carpenter: Yeah. So you don't have to be super technical, hacker, CISSP.
Lance Spitzner: No. In one of the talks, we're talking about the concept of curse of knowledge and the idea that the more technical you are, in some ways, the more you may struggle because your background is so different from others that you're going to have a hard time connecting to them.
Perry Carpenter: Yeah. All right. And Jess?
Jessica Barker: Conversations I've had over the last couple of days have returned often to imposter syndrome or imposter phenomenon. It's a question we were asked, Perry, at the end of our presentation. And so I would encourage people to understand that most of us in this industry feel that at one point or another, if not regularly. Our industry in terms of cybersecurity as a whole is very broad and very deep. We can't know everything. So if you want to advance in your career, if you want to network more, if you want to come to a conference or speak at a conference like this, I would encourage you to feel the fear and do it anyway, not to a point where it causes you stress or deteriorates your mental health, but just stretching your comfort zone can be a really great way of stretching your confidence.
Perry Carpenter: Awesome.
Lance Spitzner: By the way, that's one of the reasons, like for example we have Mel introducing the speakers this afternoon. She's a gal from TikTok. She said one of the reasons she wants to -- she asked as an advisor, can I introduce people so I can develop my speaking skills and really, really push?
Perry Carpenter: Wow.
Jessica Barker: That's very cool.
Lance Spitzner: Yeah, absolutely.
Perry Carpenter: Well, I think that's it. Music will come in at this point and everybody will sound amazing. And with that, thanks so much for listening and thank you to Dr. Jessica Barker for being such a fantastic co-presenter, to Jeremy Treadwell and to Lance Spitzner. I've loaded up the show notes with a ton of resources and links to everything that we mentioned today, social media profiles for everybody's voice that you heard on the show and a lot more. If you've been enjoying "8th Layer Insights" and you want to know what you can do to help make the show successful, really just two things. First, go to your favorite podcast platform that allows you to do so, leave a five-star rating and where possible, leave a review. That really helps other people understand that the show is worth their most valuable resource, their time. Which brings me to the second thing that you can do. Tell someone else about the show, a friend, a family member, somebody else in your network, anybody. Word of mouth references are really the lifeblood of helping people find good podcasts and helping good podcasts grow. The show was written, recorded, edited, and sound designed by me, Perry Carpenter. Cover art for "8th Layer Insights" was designed by Chris Machowski at Ransomwear.Net -- that's W-E-A-R. And our theme song was composed and performed by Marcus Moskett. Until next time, I'm Perry Carpenter, signing off.