Pro: CSO Perspectives 5.31.21
Ep 5551 | 5.31.21

Cybersecurity Canon Hall of Fame interview with Perry Carpenter.


Rick Howard: The CyberWire is off this week, so we are interrupting our regularly scheduled programming of the CSO Perspectives podcast, but don't feel sad, we have a special treat for you instead. The Cybersecurity Canon Project has announced the author selectees for the Hall of Fame awards in 2021. You all know that I'm a huge advocate for reading in general. All kinds, really. I particularly like horror and fantasy, but specifically we all need to read more good cybersecurity books. And I emphasize the good there because there are a lot of published bad cybersecurity books out there. And I have been involved in the Cybersecurity Canon Project since the beginning in an attempt to find the books that all of us should have read by now. And the reason that I'm excited today is that I get to interview the author of one of the 2021 Hall of Fame awardees, Perry Carpenter, the author of "Transformational Security Awareness: What Neuroscientists, Storytellers and Marketers Can Teach Us About Driving Secure Behaviors." This is going to be great. But before we do that, as you all may or may not know, the secret underground lair of the CyberWire's recording studios is buried deep underwater somewhere at the bottom of the Chesapeake Bay in Maryland. It's a secret. Don't tell anybody. And as such, we are subject to the national holidays of the United States. And this week is Memorial Day week, a U.S. holiday that honors the soldiers who have died in American wars. And as President Lincoln said in his Gettysburg Address, "It is altogether fitting and proper that we should do this." As everybody here at the CyberWire takes a day off to mourn our servicemen and women who have given their last measure to the service of our country, I offer this quote to everybody in the audience from the movie Saving Private Ryan, where the actor Harve Presnell, playing General George C. Marshall, the Army's chief of staff during World War II, reads President Lincoln's letter to Mrs. Lydia Bixby, who had lost five sons during the American Civil War.

Harve Presnell: I have a letter here written a long time ago to a Mrs. Bixby in Boston. Bear with me. Dear Madam. I've been shown in the files of the War Department, a statement by the Adjutant General of Massachusetts that you are the mother of five sons who have died gloriously on the field of battle. I feel how weak and fruitless must be any words of mine that would attempt to beguile you from the grief of a loss so overwhelming. But I cannot refrain from tendering to you the consolation that may be found in the thanks of the republic they died to save. I pray that our Heavenly Father may assuage the anguish of your bereavement and leave you only the cherished memory of the loved lost. The solemn pride that must be yours to have laid so costly a sacrifice upon the altar of freedom. Yours very sincerely and respectfully, Abraham Lincoln

Rick Howard: My name is Rick Howard. You're listening to CSO Perspectives, my podcast about the ideas, strategies and technologies that senior security executives wrestle with on a daily basis. This season, the Cybersecurity Canon Committee selected five books for inclusion into the Hall of Fame: "Zero Trust Networks" by Evan Gilman and Doug Barth, "Code Girls" by Liza Mundy, "Like War" by Peter Singer and Emerson Brooking, and "Sandworm" by Andy Greenberg. I asked Perry about his reaction to being included in this stellar collection of must-read cybersecurity books.

Perry Carpenter: Man, this is not something that I expected when I wrote the book. I wrote words and threw them out into the wind, hoping that they would be accepted by the community. I've been super humbled by the fact that it's not only been accepted by the community, it's been embraced. And I hear stories every day about the impact that this book is having on people's lives and their programs. So I want to thank Rick, thank Ben and Ron for the nomination and the induction into this. And certainly, man, I want to thank the entire crew of folks that I work with at KnowBe4 that supported me on this project as I was giving a lot of my time and energy. So thank you so much. I am super humbled by this and I hope that I am able to continue to contribute in meaningful ways going forward.

Rick Howard: Perry has been in the industry for a long time. He started out as a coder and then transitioned into IT and network management, which led him to cybersecurity, where he eventually found himself as a Gartner analyst covering several different areas of information security. And it's there that he picked up his passion for security awareness training. Since then, he has run the security awareness programs for several large multinational organizations and ended up on the vendor side as the Chief Evangelist and Strategy Officer for KnowBe4, a security awareness training company. I asked him why he thought he needed to write this book now.

Perry Carpenter: I wanted to create the thing that I wish that I had along the way. There's so much interesting information about the intersection between cybersecurity and psychology that is talked about within the community, but it's not really represented in print. I wanted to bring a lot of those interesting conversations into print so that somebody that's just starting this journey can have a really good jumping-off point and not just see all the conversations, but I was extremely meticulous in finding the roots for each of those pieces of conversation, not just saying, here's what Perry has learned, but giving the back story behind that and then pointing to the original research that, quite frankly, exists outside of the cybersecurity discipline. If you're not looking for that stuff, you're not going to find it. Once you start to realize that that whole other world is open and that this is actually a multidisciplinary kind of liberal arts approach of doing things, then well, then your mind starts going in all of these different directions and you start seeing ways to adjust programs in ways that are much more robust than just trying to throw policies at people or something like that.

Rick Howard: One of the things I really liked about this book is the underlying assertion that maybe the cybersecurity field is not the only place to seek ideas about how to improve security awareness in your organization. I mean, we're talking about influencing people here. There may be other fields of study that could help us.

Perry Carpenter: We have this bootstrap way of thinking where we see a problem and we assume that we're the ones that have all the ingenuity and mindset to try to address that. When we do it ourselves and we don't look outside of the IT discipline or the security discipline, what we end up creating is really myopic ways of approaching things that are ill-informed and take us a lot longer to accomplish the thing that we're trying to do than if we actually had the humility to look outside. In so many ways, it's a soft skills book because I think that as security people, we tend to really love things with blinking lights and things that we can do on a three-year depreciation cycle whenever we buy. We're always doing more and better things when it comes to technology, but the thing that we've neglected for so long has been these other disciplines that just help us to understand and connect with humans.

Rick Howard: Perry's great insight is that awareness training is not just about providing information to your employees and hoping that they remember to do the right thing when the time comes. It's more about changing their behavior.

Perry Carpenter: We give people information, and information alone never moves the needle enough over to the intention to act on that information. We have to have a catalyst there in order to make somebody care about it. But even after we care about something, there's something interesting about human nature that even when we know the right information and we care enough to plan to do the right thing whenever the time comes, so often we don't. If you were to look at maybe all of the New Year's resolutions that you've done over your lifetime, you'll see that just because you've wanted to do things doesn't mean that those things have actually happened in your life. In the moment, we make all of these little internal risk calculations. Well, even though I want to lose weight, I can eat that now, or even though I want to get in shape, I can skip today at the gym because I've got this other thing. Even though I know the statistics say that you're much more likely to have an accident if you're texting while driving, I have to, you know, respond to this right now and it won't be me. We're always doing that as humans.

Rick Howard: This book is not so much about security awareness training as it is a leadership book and a marketing book that will give you techniques to help you implement your security awareness program. It provides little guidance on what exactly to put into your program in terms of curriculum. But it does provide insight into how to implement it once you decide what you want your organization to be aware of.

Perry Carpenter: When it comes to curriculum, I'm not saying that you should have this, you know, policy X, Y and Z and you should have 20 percent of it as in-person training and 20 percent of it as online training and, you know, gamify this much. But what I do is, to the best of my ability, is I lay out all the different things that somebody can do. And I talk about the pros and cons of where each of those might slot in.

Rick Howard: Perry has a theme running through the book that he calls the Knowledge, Intention and Behavior Gap.

Perry Carpenter: The first one of those is just because I'm aware doesn't mean that I care. The second one is if we try to work against human nature, we will fail. That's what most of our policies in the security field try to do. They try to build some kind of practice and say that we have to do things and they don't take human nature into account. Ultimately, we just end up frustrated as security leaders because our people aren't doing the things that we've printed on the page and we don't understand why. And that leads us to number three, which is that what our employees do is way more important than what they know. I'll say it as bluntly as I can. What somebody has known has never stopped a breach. It's the behavior in the moment, regardless of what somebody knows.

Rick Howard: The key here is the realization that cybersecurity awareness training is much more than just explaining the tech side. You have to be a communicator. You have to be a marketer. This is completely in line with another Cybersecurity Canon Hall of Fame book called "Winning as a CISO". Written in 2005, Rich Baich was well ahead of his time by recommending that CXOs should be highly competent marketers.

Perry Carpenter: You have to become a little bit of the detective within your organization and approach it with that marketing mindset. If I was a marketer and I wanted to sell my new widget out there, what I would start to do would be to look at different populations. What is my target audience? What do they actually think and believe? What are their current buying patterns? What influences them? What does their peer group talk about and think about? And then I would start to understand all the different levers within that so that I can fit into that framework and either intentionally disrupt it, if that's my position that I want to do, and say this is so great, so new, that you need to throw out all your old thinking and do this thing. I might do that as a marketer, but I also might say here's how this slots in perfectly within your lifestyle and here's how that benefits you as a person. Here's how that benefits you within your organization or within your family structure. There was a book that I read on secure coding back when I was a developer. I think it was Michael Howard over at Microsoft and he was talking about threat modeling, all of this great stuff that you can do. He put an idea in there that I stole and I've replicated within the book and I give credit to him. That is this matrix view of an organization and says, all right, if you're going to try to get people bought in on your project, then you need to understand what each of these departments values. So if you're going to marketing, you need to understand who's the head of marketing, the things that they value, the things that they're going to be afraid of, what their business levers are, so that you can pre-anticipate the discussion that you're going to have, pre-anticipate any objections that they're going to have, and then also counter with all the reasons why this is good for them. If you go to, let's say, the call center, you need to understand all those same things with them and then you build all that into a matrix, get that in your head. And that's a sheet you never show to anybody outside your team. But you pre-prepare for all the objections. You understand how to communicate the value of your thing through the lens of the person that you're speaking to. I took that with me to this day, and I think that that was one of the best pieces of advice that I've ever read in a technical book.

Rick Howard: One of my pet peeves as a security practitioner is our community's insistence that we train employees how to spot attacks from the likes of Cozy Bear and Ricochet Chollima and AridViper, just to name three. That they should be able to spot a phishing attack in progress and somehow be the last line of defense if my security stack completely fails. It's an admirable idea, but really dumb. I've been doing this stuff for 25 years and I still get fooled by phishing attacks. If I still make those mistakes, how can we expect the grandpas and grandmas in the world, valued employees for sure, but probably not hired for their technical savvy, to figure it out? But that's not what Perry is talking about here.

Perry Carpenter: Unless you are in the discipline, you're not going to understand how to pull apart your URLs to the degree that somebody that really lives there does. The critical thing about that is I can develop really good hygiene in one context in my life. Like at my PC where I'm sitting down at a desk and I've got a big screen in front of me and a keyboard in front of me and everything else, my cyber hygiene is completely different than it is on a mobile device. One of the things that we have to always realize is that even when we build somebody's cyber hygiene or cyber strength to a really good level in one context of life, it doesn't necessarily always translate unless the thing that we're evangelizing is the core principles under that. I'm not necessarily interested in somebody becoming an expert in URL forensics or something like that or even email forensics in general. What I am interested in is somebody understanding the root concepts that we're talking about, which is the way that our mind works, the traps that we might fall into whenever somebody is pulling an emotional lever or an authority lever or something like that.

Rick Howard: There is a famous book called "Thinking, Fast and Slow" that was published in 2011. It won the National Academy of Sciences Best Book Award in 2012. It was on Best Books of the Year lists from The New York Times, The Economist and The Wall Street Journal. The author, Daniel Kahneman, presents a binary model of how humans think and make decisions.

Perry Carpenter: Kahneman's fundamental principle that echoes throughout a lot of his work is that we have two modes of thinking, and there's a fast mode and a slow mode. The fast mode is referred to as System 1. It takes shortcuts. It's emotion-driven, saves us a lot of time and effort. But the downside is that it's error-prone. If you've ever started to read something and you've jumped to a conclusion, or you thought you saw something one way and then you look at it again and you realize it's completely different, you understand what happens with System 1. An example that I give in the book is sometimes you even do things without thinking, like if you've ever had a pen start to roll off your desk and you reach out and grab it without even realizing that that's what you were doing. And maybe in the process of it, you've knocked over your coffee cup or something. You realize that System 1 can hijack your mind and make you act in ways that you never even intended it to act. System 2, on the other hand, is much slower. It's more methodical. You have to intentionally engage in it. In fact, your mind rebels against it the entire time that you're there because it wants to go back to the energy efficiency that comes with System 1. But it's not as error-prone. It's much more reliable. The critical ratio that he talks about is that System 1 governs about 95 percent of our thinking and behaviors, and System 2 is only five percent. 95 percent of the time, our thinking is subject to being hijacked or misused or bringing us to the wrong conclusions.

Rick Howard: This is precisely the reason that we all should read outside of our chosen knowledge domain. Here Perry has studied the literature on marketing and leadership in general and specifically behavioral science, and applied the current state-of-the-art thinking to the security domain.

Perry Carpenter: The ability of pulling out of System 1, which is that knee-jerk reaction, and moving intentionally into System 2, which is a more logical way of processing things, can be the thing that saves somebody. Even if they can't detangle the URL, they can have enough suspicion to say, I don't feel right about that. Maybe I can go to somebody that's going to answer that question, or I'm just going to leave that alone. Just to have that check within ourselves and approach life with a little bit more skepticism and a little bit more slowly, so that then they can start to ask a little bit more critical questions about what's in front of them or the thing that they're about to do. When I'm talking about messaging, I'm weaving a little bit of System 1 and System 2 in that. I talk about the fact that even in our messaging, one of the things that we have to do is really understand human nature at its core. One of the things that people are searching for is psychological safety. We tend to throw out pithy messages like see something, say something, and we leave it at that.

Perry Carpenter: But there's a huge psychological bubble that opens up in the person's mind when they see that. They understand that, yeah, there's some responsibility and they probably do want to do the right thing. But then they wonder, what if? What are the repercussions against me? Or OK, I saw something, I want to say something. I don't even know where to go right now. Think about how to adjust messages, those simple core messages of security, by saying something like: see something, say something. It's easy and safe and here's how. If we just append those other pieces to it, well, then we have a much more psychologically complete message for the end user, because you're saying, yeah, you've got this responsibility and you want to help in some way. Now we're going to alleviate your psychological pressure and say it's easy. So it's not going to take up too much time. It's safe. You're not going to be in danger of doing it. And here's exactly where you go in order to do that.

Rick Howard: The book is called "Transformational Security Awareness: What Neuroscientists, Storytellers and Marketers Can Teach Us About Driving Secure Behaviors". The author is Perry Carpenter, and he is the newest addition to the Cybersecurity Canon Hall of Fame. Congratulations, Perry.

Rick Howard: And that's a wrap. Next week, we will be returning to our standard scheduled programming. I'm inviting experts to the Hash Table to discuss how they buy security products. You don't want to miss that. The CyberWire CSO Perspectives is edited by John Petrik and executive produced by Peter Kilpe. Our theme song is by Blue Dot Sessions, remixed by the insanely talented Elliott Peltzman, who also does the show's mixing, sound design, and original score. And I am Rick Howard. Thanks for listening.