Perry Carpenter - The Security Culture Playbook

Humans decide what technologies to purchase.

Humans decide what risks to focus on and how to gain visibility into those risks.

Humans determine the need for new processes.

Humans review and tweak the settings of business technologies.

Humans are in charge of running, patching, and maintaining your security technologies.

Humans design and code the applications you develop in-house.

Humans review your third-party risk.

Humans decide how they will respond to something that looks suspicious.

Humans decide (both consciously and unconsciously) how they will react to the systems and information they interact with each day.

Everyone you hire, contract, interact with, or sell to is human.

Everything you design, sell, or develop business from is ultimately in service of humans.

Everything and everyone in your organization is impacted by the decisions, behaviors, and expectations of other humans.

Your people and your security culture are the heart of your cybersecurity program. In this book, we'll share a number of interesting (and maybe even shocking) insights related to how your security culture will either be a net benefit or a huge liability for your organization. Here's an example.

While evaluating our security culture dataset, Kai's team recently made an interesting discovery. They took a sample of just over 1,100 organizations and nearly 100,000 employees and looked at employee susceptibility to phishing (measured via a simulated phishing test) as it relates to an organization's overall security culture (as measured by our Security Culture Survey) (Eriksen, 2021). There was one obvious correlation, which you are probably already anticipating: Organizations with a “poor” security culture had more employees who opened and interacted with phishing emails in various ways than employees in organizations with a “good” security culture. Yeah, we would expect that. But here's what we didn't expect: Employees of organizations rated as having a “poor” security culture were 52 times more likely to enter credentials as part of a phishing scam than organizations with a “good” security culture.

Let's put that into raw numbers. In organizations with a “good” security culture, one employee out of 1,000 is likely to be tricked into giving away their credentials or entering other sensitive data as part of a phishing scam. But, in organizations with a “poor” security culture, that number jumps to 1 out of 20.

Our data shows that, in organizations with a “poor” security culture, 1 employee out of 20 is likely to be tricked into giving away credentials or entering other sensitive data as part of a phishing scam. That's in stark contrast to organizations with a “good” security culture, where that number is reduced to 1 out of 1,000.

That's just one stat and one way of measuring the benefit of having a good security culture, but it makes the point: Focusing on your security culture is critical to your overall cybersecurity program and critical to the overall risk posture of your organization.

Executive teams and boards of directors need to view security culture as a critical priority. While cybersecurity is a top-of-mind issue for many companies, it can be difficult to ensure that the right information is being shared at the top levels of the organization. To an extent, that's understandable; cybersecurity can seem like an abstract concept. It requires technical knowledge and expertise that can be difficult to translate into business-speak. And, when you don't know how to ask about or measure something, it's easy to ignore it altogether.

Traditionally, the board of directors required reporting based on an increasing risk to the business. For example, back in the early 2000s, the threat of computer viruses wasn't on the radar at the board level; it rarely rose higher than senior IT leadership. However, as the impact of data breaches, destruction of complete networks, and direct monetary theft became a reality, corporate boards took notice. They ramped up the reporting requirements, wanting increased visibility into their defenses. They even created new roles, such as CISO, that often had direct reporting to the CEO or even the board.

Ransomware, social engineering, and human error have proven to be an existential threat to businesses of all sizes.

Ransomware, social engineering, and human error have proven to be an existential threat to businesses of all sizes.

Intellectual property theft, multi-step extortion, customer and employee data theft, multimillion dollar ransom payoffs, brand and reputation damage via released emails, and other public shaming are all taking a toll; and boards of directors are looking for visibility into how vulnerable their organization is and what needs to be done to decrease risk and increase resilience.

Organizations must address ransomware as one of the primary overall risks to the business that must be mitigated, similar to natural disasters. The most common (and easiest path) for ransomware infection is through social engineering attacks on an organization's employees. So, social engineering, which is mitigated only by a mature security culture, deserves board-level attention.

Boards of directors need transparency and accuracy (Internet Security Alliance, 2020). To that end, we'll show you how to accurately measure your security culture. Further, we'll give you the information and tools you need to actively begin strengthening the weak areas and fostering sustainability in the areas where your people are already doing well.

Measuring security culture with the tools and methods we'll show you provides the board a very objective measurement for the company's proactive security measures for the company's largest vulnerability: attacks that succeed by exploiting your human layer.

We know that traditional technology-centric approaches to cybersecurity haven't proven effective, and the traditional information-centric approach to security awareness hasn't adequately prepared employees for the onslaught of social engineering attacks targeting them. If 85 percent of breaches are being caused by social engineering or human error, and less than 3 percent of spending is focused on the human layer, then it is clearly time to put more focus on the human side.

Information-centric security awareness isn't sufficient. We need a broader approach. We need to focus on the ABCs of cybersecurity: awareness, behavior, and culture. In Chapter 3, we'll discuss key reasons why traditional security awareness programs have fallen short and show how you can transform your program, making it truly effective. You'll learn how principles from marketing, behavior science, and organizational culture management can all be used to drive secure behaviors and foster a workforce that values security.

Human-layer defenses and your organization's security culture should be key conversation topics within the executive team and board of directors.

If you aren't clearly telling your own story and articulating what your data and details imply, then your audience is left to interpret things for themselves.

Ransomware, social engineering, and human error have proven to be an existential threat to businesses of all sizes.

Less than 3 percent of security spending is focused on the human layer, but over 85 percent of breaches are traced back to humans. It's time to invest more time, money, and effort in the human layer.

Human knowledge, beliefs, values, behaviors, expectations, and social pressures are involved in everything that matters within your organization.