
Leveraging culture and behavioral change to create a cybersafe organization

BSides Calgary · 40:49 · 23 views · Published 2021-12
About this talk
Mike Melo, CISO at LifeLabs, argues that cybersecurity awareness programs fail when they focus on technology and compliance rather than culture and behavioral change. He presents the Cybersafe Accelerator, a five-stage framework that guides organizations through strategic planning, stakeholder engagement, and sustained behavioral adoption to build a genuine security-conscious culture.
Transcript (en)

So, hello everyone. Many of us here are cybersecurity professionals, coders, hackers so to say, or in the tech industry in some way or another. Maybe you're here because you want to know a bit more about cybersecurity; after all, it is Cybersecurity Awareness Month. Or perhaps you're responsible for cybersecurity awareness in your organization, or maybe it's something else. But unlike most sessions on cybersecurity, this session is a little bit less on tech and more about us as individuals and human behavior. So this session is called "No to Know," because security professionals are used to being told no when they're asking for things like money or resources, because they either couldn't properly enunciate their needs or weren't able to communicate the risk in the terms of the business. In this session we're really going to focus on human risk, and the goal is to be able to really move that needle from hearing "no" with an N to having people be in the know, and this really includes those responsible for security and security awareness. We're going to move that needle by focusing on the people side of change. So when it comes to creating a cybersafe organization, or ensuring you, your friends or your family are really positioned to be in the first line of defense against cyber attacks, it's important to know that to change the outcome you first have to change the culture. That's really what this session is all about: how can we have a better approach to cybersecurity, and specifically around security awareness, through culture and behavioral change, to get the results that we need.

For those of you who don't know me, I'm Mike Melo, I'm the Chief Information Security Officer of LifeLabs. I'm really happy to be here, so thank you, BSides, for hosting me on this platform. I want to do a special thank you to the partners and sponsors for making this happen, and thank you to all of you for joining this session.

So we'll start off. Companies have really spent decades beefing up infrastructure and technology, but when you look at report after report, or news stories on most cyber attacks, the majority of incidents, if not most breaches, actually come from human error: somebody's either clicked something, autocorrect, data was left at risk, misconfiguration, etc. So as someone who's been through a breach and has seen it on both sides, I can tell you there is no golden image of security; it just doesn't exist. I can tell you that what I recommend to clients for security defenses is not a one-size-fits-all, cookie-cutter approach; it just isn't the way to go. There are no two security programs that are alike, even for your security awareness program. It really comes down to the threats specific to your organization and industry, your risk tolerance, and also your appetite: your executive leadership's and organization's appetite.

So what I'm going to talk to you about here is cold hard truths. Before we get into all of the other elements that I'm going to talk about on culture and change, there are a few things that I want you as listeners to know when it comes to changing behaviors, and I bring these up because these are really the foundations to whatever you're trying to do in culture or cybersecurity awareness. I call them the cold hard truths of change.

Number one: change is deceivingly difficult. Our natural reaction to change as humans is resistance, right? We have neuroscience that tells us that it's tough to change behavior; in fact, we often need that light bulb or aha moment to generate insight before we change. This can obviously explain why many organizations put security awareness on the back burner or keep it just compliance-based, of course until they've had a major incident or breach or a change in regulations, and then it becomes a priority. There's actually even a quote when it comes to change, and it goes like this: even a baby with a wet diaper wants changing, but even then it cries throughout the process. I think we've all maybe experienced a bit of this, especially when COVID came out and how we really had to change and adapt our behaviors in order to facilitate very natural day-to-day items such as going grocery shopping.

So cold hard truth number two: leaders often underestimate what is actually required to transform behaviors. When it comes to focusing on culture and security awareness in an organization, very often these types of behavioral changes and initiatives are given to an IT manager, a director or someone from a business unit, and often it's treated like a project. They minimize the importance of this by not necessarily setting people up for success. I've seen this on so many projects where project managers really try to manage change projects, but there's an important distinction that you have to be mindful of: when it comes to projects, the goal is always implementation; when it comes to changing behavior, our goal is adoption. So these are two very different goals. That was cold hard truth number two.

Now for cold hard truth number three, watch this video really quick.

So I hope the audio came through there, but if it didn't, ultimately cold hard truth number three is: the right answer is just not enough. So the mispronunciation of Achilles cost this gentleman the winning bid at Wheel of Fortune. You can have the biggest budget, you can hire the best consultants, have the best team and implement the best technology, but of course it only takes one individual to pull out that piece of the Jenga tower to make it all come crashing down. People always think they have the right answer, but if you implement every security tool out there and your people and culture don't promote a culture of individual responsibility and accountability, let me tell you, your right answer is just not going to be right enough. In fact, it's not just that it's not right enough; it's also that your investment becomes somewhat less valued, or worthless.

Cold hard truth number four: organizations don't change; it's actually the people that change. So the fact is, when it comes to how an organization changes, it's important to recognize that the people inside are the ones who go through the change itself, and unless they do, and go through it successfully, the organization simply won't change. When we talk about states of change, for any organization going through change there are generally three states. The first one is the current state; this is basically how the operation or organization runs today. We have a transitional state, which is of course where the organization is now moving from the current state to their eventual future state, and they're still operating with some current-state realities. And then finally, once they're working as they're supposed to be, they're now in the future state. Similar to how organizations go through states of change, so do individuals. If we take learning through phishing as an example, I can demonstrate this a bit easier. Current state: how are we doing today? Perhaps we're opening a bunch of emails, we're clicking on things, no one knows what they're doing, and they're not very hyper-aware of what not to do. Now, that may seem very rudimentary to us as security professionals, but to other people it doesn't, because their day-to-day job just isn't about security. Then we look at the transitional state: we've now applied some security awareness training, we've implemented maybe a phish button, a phish-reporting button, and then you start having people adopting that behavior and they're starting to slowly recognize some of the signs of phishing. And then of course, as we achieve our future state, this is where not only can we spot the signs of phishing, but we're actively reporting those suspicious emails, and now you're really reducing your human-level risk, in the fact that your baseline click rates are significantly dropping and reducing.

So for an organization to reach its future state, especially when it means people have to change, it requires that all individuals go through their own individual transformations. In fact, organizational change is really only realized once the majority of individuals have actually gone through that change: through their current state, their transition state, and then they're operating in their future state. So again, the organization itself doesn't change; it's the people inside who do, and only once they've made the personal transformation can the organization realize the benefits from that change. This is a cold hard truth because, for the people to do things differently, they require learning new behaviors.

Cold hard truth number five: communication is not what you want people to know; it's what you want them, and how you want them, to feel. By having your people feel a certain way, you can have them take the necessary actions to adopt behavior. So cybersecurity is a major concern for most enterprises, right? However, using the same old approach, which we see over and over again, in trying to move people in one direction just doesn't work as it did decades ago. We already know that protecting your organization is really about minimizing your risk, yet people simply continue to focus on old-school, logic-based communication in an attempt to move the behavioral needle. The problem is that logic makes people think, but emotions make people act, and this is critically salient today when you have people who are influenced by Instagram, TikTok, Snapchat, any of these social media platforms, and everything else. Essentially, they've been conditioned to tune out when you give them content that is dry and boring, and especially when it's delivered in corporate speak. Younger generations are now being communicated with in a way that touches upon authenticity, feeling, needs and more, so it's no longer just about what you need to know; it's all about creating powerful engagement and having people see themselves in it. So understanding the what's-in-it-for-them, gamification, creating those aha moments: if there's anything that you're going to take away from this, it's that you really have to focus on what's the problem we're trying to solve and what's in it for them, to really be able to change that behavior, or you're not going to be able to generate that insight. This is especially important for cybersecurity, because you have to work even harder to have people buy into something that, up until recently, they didn't think about, because it wasn't necessarily a threat to them. For the most part, people think organizations do magic with security; security is this magical layer of protection. They don't really realize the part that they play. So for us to make people realize this, we need to change how we relate to them, and again it really comes down to outcomes. You have to change behavior, and logic makes people think but emotion makes people act, and so communication is no longer what you want people to know; it's more about how you want them to feel and what you want them to do. So that's cold hard truth number five.

So again, I'll just really quickly highlight and recap the cold hard truths. We've got: change is deceivingly difficult; leaders underestimate the change required for transforming behavior; your right answer is just simply not enough; organizations don't change, it's the people who do; and again, when we talk about communications, it's not what we want people to know, it's how we want them to feel and the action we want them to take. Recognizing these truths can be either accelerators or barriers to help you move your organization forward.

Knowing that, I sometimes get leaders reaching out to me and saying, "Mike, this is great, but I don't even know where to begin." Very often, when speaking to groups or other executives on the topic of security awareness, there are always, I'd say, four hyper-focused key questions, and the questions I'm most often asked are the following.

The first one being: how do I gain executive support for my initiatives? This is really: how do you gain that support when it comes to security awareness and changing the culture of how we do things? Those of us in the field of cybersecurity recognize the value that our security awareness initiatives provide, but those not in the field may not. And so executive support is one of the first things people think of when they're either in a new role or become responsible for a security awareness program and they need to have a ground-zero starting point. For other listeners who may be in leadership roles, or influencers, we all recognize that money doesn't come easy when you're going cap in hand to the board or an executive leadership team. Oftentimes they think anything IT-related is an easy way to burn cash if they don't see the payoff, or think that the benefit isn't worth the expense. So getting them to think about it in a different way is very key. I'll explain something, and the reason why I've been using the term cybersecurity versus infosec, the long-debated question of our time. This is actually the reason why I refer to our security program as a cybersecurity program versus an infosec program: there's this perception and a mystery to business people when they hear the term cyber and cybersecurity versus infosec. They've also been conditioned by mainstream media to understand that cybersecurity has somewhat of a negative connotation, because people are being breached all the time, and if you really think about it, infosec is still very IT-focused in the lens of executives. So cyber almost creates its own element and mystery to business representatives, and because it's becoming more mainstream, we need to talk in terms that they understand. That's at least my positioning as to why we reference our program as a cybersecurity program.

But here are two ways you can work on getting your message across. First and foremost, build a business case. You have to illustrate the need, your reasons, a cost, and most importantly the why. You have to be sure to articulate what's in it for them, or you're not going to get the support. And then two, once you get the support, create a stakeholder engagement spreadsheet. This is a great way to ensure that you're engaging your stakeholders on a regular cadence, to ensure that they are in the know.

Another question I'm often asked is: if I'm going to build a program, how do I know what metrics to use for decision-making? Of course this obviously leads to the question, what does success look like? This is often an area that people get wrong. They think of success in terms of "well, we implemented something, so we're good," but implementation and adoption are two very different things, as I said earlier. Projects are very focused on delivery; change is all about behavioral adoption. So you can implement the best security program, but if the people don't adopt your behaviors, you're just not going to be successful, and if you're not successful in that regard, what have you really achieved? Most programs are usually focusing around phishing metrics. While this can be a great start, this doesn't really touch on the human risk side, and I'll touch on this in a little bit in some upcoming slides.

So the next one: what should my security awareness program look like? Now, this is a very common question, and I have to say it's a bit ironic, because there are so many who never actually even ask this question, because in their mind they have it all figured out. Even before they get the funding, they know exactly what their security awareness program should look like, and really, at the same time, have no idea what their risks are or what they're trying to truly solve for. I've had people responsible for security awareness and culture programs tell me about the great phishing tools that they use and how they do this or that, and yet it's very often that they're not even 100% sure of why they're doing it.

And so finally, the most common question I get is: how do I get my transformation to happen? How do I get my program to be transformative? How do I change minds and hearts, and how can I position my people to be a powerful front-line shield in my company's security posture? These are all really great questions; in fact, they're questions that you should be asking. They also lead into a larger trend, and this trend that I'm seeing out there is really a focus on tools and activities. The focus on security awareness and security culture tends to either be activity- or deliverable-based, but it's rarely cohesive, and often lacks that big picture and direction. So if you have ever asked one of these questions, or are currently thinking about one of them in your head, just know you're not alone.

And so with that, let's put forward a question as a starting point: where should you begin? When it comes to organizations that have had success in dealing with significant change, and especially ones involving the people side of change, research really tells us that using a structure is the best approach in getting this done and succeeding. As well, you want to keep your focus lens less on technology or individual separate components and more on an initiative front that allows you to make informed decisions on what tools and components you need. So to be able to know how to ask for money versus just justifying asking for it, to be able to know what metrics to consider, or to be able to know what your program should look like or how to make it transformational, you need to have an approach that leverages both the perspective required to understand your threats and vulnerabilities and, most importantly, your human risk perspective, but one that also aligns with the natural flow of change and how you can really use organizational levers to support that.

So earlier this year, I was working alongside an expert in behavioral change, and we adopted this foundational model. It's a framework of sorts, and really it balances behavioral change, that is, how people go through change, with how one can develop or structure security awareness. We call it the Cybersafe Accelerator. The Cybersafe Accelerator is a five-stage approach that puts specific tasks, mechanisms and actions in five key stages. With the Accelerator framework there isn't just one starting point and an end point; you can begin at any point, really depending on where you are in your program. However, there is this logical beginning if you're just beginning a new program. Each phase is focused on a fundamental area for success, where there are different goals and objectives, and each phase also makes you ask and answer those critical questions, which will not only guide you in your approach but also make it so you have a sense for your organizational direction. So in a moment what I'll do is highlight the key phases and some of the questions in those phases, and you'll specifically notice we're not going to be very focused in just one area of security awareness. This Accelerator allows you to organically determine your path forward, and what we'll cover here is just a high-level snapshot of the Accelerator framework, but it's a great starting point nonetheless.

So in the Accelerator we have the five phases. The first one: we're going to assess risk. This is really about you understanding where you currently are as an organization in terms of your risk level. And then once you've assessed that risk and defined your top risks and behavior, then you need to assess your targets, and by targets we're actually talking about your people, your groups, your teams. Once you've assessed your targets and essentially understood your audience, it's now time to develop the plan, and this is where you put together all your roadmaps, your tactics, strategies. Then naturally you would execute the plan, and kick off and engage and train. And then of course you measure and evaluate how you're progressing, how you're doing, and this is where you start making more informed decisions on how do I see continuous improvement in my program. Really, all of these things are underpinned in this triangle in the framework, with a focus of people, leaders and culture.

So let's dive a bit deeper on this. I'm going to walk through each one of the phases. We begin by assessing the risk, and really, assessing risk focuses on understanding where you are as an organization. Every organization has its own risk level, and it will depend on different functions of your business, your industry, who is determining your risk levels, etc. The types of threats that you're going to see in things like the retail industry versus what you may see in the healthcare industry, for instance: it's important to really assess those risks and understand how they kind of map to your threat sphere. And then when you're doing this, you still always have to remember what the goal of the program is, like what are you trying to solve here. Sure, you can approach it from a compliance-only perspective, as I mentioned many organizations do, but I'm not really convinced that doing the bare minimum is often the best approach. Also, when we talk about assessing risk, it isn't just about technology or how we use that technology; it's also about data and privacy. Threat actors want our data, generally, whether they want that for exploitation, selling it, whatever the case may be; that's generally their intent. And so when assessing risk, here are some questions you may want to consider. One: what is our level of risk, both with technology safeguards and without them? So we're talking inherent and residual risks. What are those potential impacts? What does our company handle? This is super important, because this allows us to identify risks as they relate to the data, our crown jewels. Who's handling that data? Do we have front-line staff handling this? Is this back office? Is this IT? Who has access? And then we get into where is it stored, accessed, handled, and is there risk there? Is it risky if someone is handling PI and they're using Dropbox? Well, maybe that's an issue if your corporate standard is to use SharePoint. What's the company's history when it comes to breaches and incidents? Now, I want you to think of them as behaviors, so the act of storing data, someone clicking a link, because security awareness is about people.

And so once you've assessed your risk and defined your top risks and behaviors, then we move again to that natural transition to assessing our targets, and again, by targets I'm referring to our people: who are we targeting for change, and who has to change their behavior? Assessing targets recognizes that a one-size-fits-all approach isn't the way to go, and here you really want to consider asking yourself: who needs to change? Who may be impacted by our awareness program? What's their current level of knowledge in relation to security awareness, and even their need to change? So what's the appetite for it? You can get some of these by conducting surveys internally in your organization. And then, what targets handle what data? This is really important, because this is where we can now correlate, and we've done this in our organization around a behavioral risk assessment: put out a survey, we understand who touches what types of data, where it's stored, and now you can cross-correlate all of those pieces and come up with an individual risk scoring on it at the human level, not the organizational business-unit level. Another important part is what targets are in the highest risk category. So again, once you have that information, now you can establish what most people call a VIP program: who are the people you want to ensure have additional training, and how do we prioritize that? How are they currently communicated with, but even more importantly, how do they like to be communicated to? Think of whatever the company does, and then take it up a few steps. So if maybe you're in oil and gas, for instance, you have people working in an office and then you have people who are working in the field. Different groups are going to have different approaches on how they interact with technology, how they need to be communicated with, and they may need their own unique approach.

So now that you've assessed the risk and you understand your audience, now it's time to develop your plan. This is where we develop the initial roadmap, and we develop our approaches, our tactics, strategy for minimizing the risks. It's here that we focus on our overall strategy and approach: we have set, defined goals for the program; we're defining what that success looks like, and again, not just from a metric point of view, but what's the transformation that an individual needs to go through. So, solidifying and confirming what are the types of key behaviors we need to focus on, based on the risks and understanding of our targets, and then applicable change streams. Often we need a stream for training, one for communication and engagement, and often one for leadership. We often overlook the fact that leader-led training can be a key to success, so train the trainer and allow them to engage their staff and work directly with them. Don't forget, most employees look towards their leaders for advice, for answers, and so when you want to ensure that all leaders across the organization are consistent in the messaging they give, it's important that you take a train-the-trainer approach. What are our reasons for the change? Again, it's not just an organizational perspective, but it's for individuals, so have we defined that what's-in-it-for-them piece? And how will we handle resistance? Like I mentioned, with change our natural instinct is to resist it. We had to line up a certain way in a grocery store, we had to wear our masks, we have to sanitize; there are lots of things that happened during COVID that are very applicable, and things that happen in your mainstream day-to-day that are very applicable, to the security awareness change situation. And then what roles do leaders play, what role does the culture play, and how can we leverage leadership sponsors and culture to really drive us to success? One of my change streams is often leadership development, to ensure leaders walk the talk and lead by example. I often spend a lot of time coaching leaders on how to bring security awareness into weekly meetings or as part of their dealings with employees. How are we measuring the change journey and mapping our activities to the change? This is really important, but you have to recognize how people go through change and align your communication to where they are in their journey. Change isn't an event; it's a process. So again, really focusing on developing the plan: how can we leverage leadership to help deliver our objective?

And then the next one is engage and train. We've identified risks, we've identified our target group, and now we've developed a plan, so now it's time to act on it; it's all about executing that plan. This is part content and part delivery and approach, and really all about your people being engaged. This is where your content should address your risks, but really done in a way that aligns with where your people are in their change journey. When we talk about the change journey, it's about recognizing that change is a process and not an event, as I mentioned. We know from research that people go through different phases of change, from awareness to buy-in to knowledge, etc. When you're engaging in training you can do many different things, of course depending on the audience: micro e-learnings, computer-based training, long-term phishing campaigns. We actually implemented something called Cyber Moments. It's driving cultural awareness through key-concept trainings at every meeting. We provided pre-canned material on certain topics, and we trained our leadership team in order to help them deliver that message at the beginning of every meeting. It takes about one to three minutes, and they're delivering or playing a video, a message, a newsletter, a picture, anything, and really this allows us to keep this in the forefront of our minds and expose our teams to new techniques and new things all throughout the year. Obviously we have other pieces, like our security awareness events; again, it's October, Security Awareness Month is happening right now. We have role-based training. I even suggest leveraging your intranet site, or even maybe hiring a guest speaker to come in and talk to your leadership team about this. So some of the questions you're going to ask yourself when you want to engage and train are going to include: how are we leveraging innovative approaches and tools so that we stand out? How do we create aha moments? Are we solely focusing on logic, or are we using emotion? What are the specific actions that we want, and what can we do to embed security awareness in daily culture? And then finally, the what's-in-it-for-them piece. Again, I stress the importance of this: if you don't make them see that light go off, you're going to have a very difficult time changing behavior. So finally, execute your plan based on where they are in their personal change journey. It all has to be very logical; however, you have to have a strategic approach to how you're going to really engage with your people.

And then finally, we're going to measure and evaluate. This is all about ensuring that you have, first, a baseline of data. Lots of people start off with an initial baseline phishing campaign; there are a million things that you can do here to measure, from phishing click rates to who's reporting phishing, to employees who prevent social engineering. But as well, this is also where you can evaluate the effectiveness of your program. So you develop the beginning of a metrics program, to really develop the plan throughout your goals, and this is where you look at them and either course-correct, or begin to celebrate success and then reinforce and improve. Metrics kind of allow you to establish your journey and help you set it forward and move through it. In this phase, some of the questions you may ask are: how important are metrics to us? Have we established our baselines? What behaviors have numbers behind them? And then we can talk about cultural metrics, and then also engage stakeholder partners; HR is a great stakeholder that you should definitely have involved in your security awareness program. Are we seeing pockets of resistance? Where do we need to focus more of our attention? Again, going through that VIP program: where are your VIPs, are they doing well, maybe you have resistance pockets and now that risk is elevating? Where are we succeeding, and why? Why are people doing what they're doing? Here's a great one: you conduct a phishing assessment and you send a post-click survey. Someone clicks on a link; send them a survey afterwards. Ask them what they were doing during their day: were they rushing, were they in between meetings, did they just not see the signs of a phish? All of these things are very important in helping us understand why people are doing what they're doing.

So there you have it, a quick overview of the Cybersafe Change Accelerator. In the center, again, the model is encompassed around people, culture and leadership, and those are three levers you can always use to support your efforts, through targeted activities and process focused on these key areas of change.

So before we end, I want to show you this number, and I don't want to try and keep this kind of interesting, and there isn't, this isn't a special number; in fact, there's nothing remarkable about this. This isn't like some version of pi or some prime number that's kind of sitting out there. However, if you look at it closely, there's a pattern here, and in the next 30 seconds, if you can guess what that pattern is, type it into the chat. So I'll give you some time here. Actually, I don't even know if I can see the chat in this view, but let me just quickly exit that and I'll see if anybody has any guesses. "Phone numbers," "looks like a pager," yeah. So let me just re-share the screen here.

All right, okay, so what it is, I'm going to spell it out for you. We have the 8 5 4 9 1 7 6 3 2 0. Well, if you haven't guessed, all the numbers are alphabetical, so obviously E comes before F, and comes before zero, or O, and so on and so forth. So again, nothing complicated; it's just alphabetical. But we are so conditioned to doing things in a certain way and looking at things in a certain way, but sometimes we just need to take a step back and look at them from a different perspective to really help us get to where we need to go.

So that's all I have for you today. I just wanted to thank everybody for attending the session, going from No to Know, and I hope you have some really great takeaways here and can really apply these strategies, and even ask these questions in your organization, to try and lead by example and deliver organizational-level change in cybersecurity. I think we're at time now, but I really just want to thank everybody again for listening in, asking your questions, really appreciate it, and I hope you enjoy the rest of BSides.

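The talk's "assess your targets" stage (cross-correlating a behavioral survey with who handles which data to get an individual risk score and a VIP group) and its "measure and evaluate" stage (baseline click and report rates, post-click surveys) both come down to a small amount of data handling. The following Python is an added illustration of both stages written for this page; it is not the speaker's or LifeLabs' tooling. The weights, the `APPROVED_STORAGE` standard (modelled on the talk's Dropbox-versus-SharePoint example), the `Person` field names and all sample rows are constructed assumptions.

```python
"""Human-level risk scoring and phishing baseline metrics.

Added illustration of the 'assess targets' and 'measure and evaluate'
stages described in the talk. Not the speaker's or LifeLabs' own tooling;
all weights, field names and sample rows are constructed assumptions.
"""
from collections import Counter
from dataclasses import dataclass

# Assumed corporate standard for storing personal information (PI),
# following the talk's Dropbox-versus-SharePoint example.
APPROVED_STORAGE = {"sharepoint"}

# Assumed weights: contribution of each data type a person handles.
DATA_WEIGHTS = {"pi": 5, "financial": 4, "internal": 1}


@dataclass
class Person:
    name: str
    group: str            # e.g. "office" or "field"
    data_handled: list    # data types from the behavioural survey
    storage_used: str     # where the survey says that data is kept
    clicked: bool         # clicked in the baseline phishing simulation
    reported: bool        # used the phish-reporting button
    training_done: bool   # completed role-based training


def score_person(p: Person) -> int:
    """Cross-correlate survey answers and simulation results into one score.

    Higher means more human-level risk. Components (assumed weights):
      + sensitivity of the data handled
      + 3 if sensitive data is kept outside the approved standard
      + 4 if they clicked the simulated phish
      - 2 if they reported it (the desired future-state behaviour)
      - 1 if training is complete
    """
    score = sum(DATA_WEIGHTS.get(d, 0) for d in p.data_handled)
    handles_sensitive = any(d in ("pi", "financial") for d in p.data_handled)
    if handles_sensitive and p.storage_used not in APPROVED_STORAGE:
        score += 3
    if p.clicked:
        score += 4
    if p.reported:
        score -= 2
    if p.training_done:
        score -= 1
    return max(score, 0)


def rank_targets(people):
    """Return (name, score) pairs, highest risk first, ties by name."""
    return sorted(((p.name, score_person(p)) for p in people),
                  key=lambda t: (-t[1], t[0]))


def vip_candidates(people, threshold):
    """Names at or above the threshold: the 'VIP' group for extra training."""
    return [name for name, s in rank_targets(people) if s >= threshold]


def campaign_metrics(people):
    """Baseline click and report rates, overall and per group (3 dp)."""
    def rates(group):
        n = len(group)
        return {"n": n,
                "click_rate": round(sum(p.clicked for p in group) / n, 3),
                "report_rate": round(sum(p.reported for p in group) / n, 3)}
    result = {"all": rates(people)}
    for g in sorted({p.group for p in people}):
        result[g] = rates([p for p in people if p.group == g])
    return result


def tally_post_click_reasons(surveys):
    """Count reasons given in post-click surveys (rushing, between meetings...)."""
    return Counter(s["reason"] for s in surveys)


# Constructed sample data: six survey respondents and their baseline results.
SAMPLE_PEOPLE = [
    Person("alice", "office", ["pi", "financial"], "dropbox", True, False, False),
    Person("bob", "office", ["pi"], "sharepoint", False, True, True),
    Person("carol", "office", ["internal"], "sharepoint", True, False, True),
    Person("dave", "field", ["financial"], "usb", False, False, False),
    Person("erin", "field", ["internal"], "sharepoint", False, True, True),
    Person("frank", "field", [], "sharepoint", True, True, False),
]

# Constructed post-click survey answers from the three people who clicked.
SAMPLE_SURVEYS = [
    {"name": "alice", "reason": "rushing"},
    {"name": "carol", "reason": "between meetings"},
    {"name": "frank", "reason": "rushing"},
]

if __name__ == "__main__":
    for name, s in rank_targets(SAMPLE_PEOPLE):
        print(f"{name:6} risk={s}")
    print("VIPs:", vip_candidates(SAMPLE_PEOPLE, threshold=7))
    print(campaign_metrics(SAMPLE_PEOPLE))
    print(tally_post_click_reasons(SAMPLE_SURVEYS))
```

With the sample rows, alice (PI and financial data on Dropbox, clicked, no training) scores far above the rest and dave (financial data on a USB stick) is the other VIP candidate, while the per-group rates show the office group clicking more and the field group reporting more, the kind of split the talk expects between office and field staff. The per-person score is what lets the program prioritise training at the human level rather than by business unit; the group rates are the baseline the later "measure and evaluate" pass compares against.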