How do you create a positive security culture? It’s rarely the first concept anyone wants to embrace, yet it’s important everyone understands their responsibility. So what do you do, and how do you overcome inevitable roadblocks?
Check out this post and this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. We welcome our sponsored guest, Jadee Hanson, CISO/CIO for Code42.
Got feedback? Join the conversation on LinkedIn.
Thanks to our sponsor, Code42
Full transcript
Intro
0:00.000
[David Spark] How do you create a positive security culture? It’s really the first concept anyone wants to embrace, yet it’s important everyone understands their responsibility. So, what do you do, and how do you overcome inevitable roadblocks?
[Voiceover] You’re listening to Defense in Depth.
[David Spark] Welcome to Defense in Depth. My name is David Spark. I am the producer of the CISO Series. And joining me on this very episode, we learned last time that he was a child actor, his name is Geoff Belknap, CISO for LinkedIn.
[Geoff Belknap] Which is 100% accurate, and I defy you to prove me a liar.
[David Spark] Yes, please Google his name, child actor and see what comes up, if literally anything.
[Geoff Belknap] Or use your favorite AI tool and add me to your favorite TV show growing up.
[David Spark] I worked with a gentleman who was a child actor on “The Waltons” many years ago.
[Geoff Belknap] Oh, fancy.
[David Spark] He played the boyfriend of a little girl on the show. He actually gave me a whole sort of rundown of the history of child actors. Which he said the turning point, believe it or not, Rick Schroeder or at the time Ricky Schroeder. He was the turning point from the movie, “The Champ.”
[Geoff Belknap] I derived inspiration from your appearance on the history channel.
[David Spark] But I was not a child actor there.
[Geoff Belknap] You’re somebody’s child.
[David Spark] Okay, everyone just type in “Apollo 13, David Spark,” and you’ll see exactly what Geoff means. Type it into YouTube, that is. All right, let’s get into the show.
[Geoff Belknap] [Laughs]
[David Spark] We’re available at cisoseries.com. Our sponsor for today’s episode, who has been just absolutely a phenomenal sponsor of the CISO Series, and that is Code42, reimagine enterprise data protection for insider risk. And let’s get to the topic for today’s show, and that’s a question you asked on LinkedIn, Geoff.
And that was, “Where have you run into struggles when trying to create a positive security culture, and how have you overcome it?” Now, I can’t imagine even with all of your charisma, Geoff, that you just tell your staff to be secure, and ta-da, everyone behaves appropriately. Does that happen?
[Geoff Belknap] 100%. That’s why we have these conversations. Literally every podcast is us reminding you to just tell everyone to be secure, and that’s all you have to do. No. No, obviously it’s much more complicated than that. But in reality, I think you can extrapolate this out and go you really are asking people to change their behaviors by informing them what positive behaviors are, why you’re trying to change their behavior, what you’re trying to get towards.
And I think at the end of the day… And I’m sure we’ll get into this today with our fantastic guest – that what we’re going to find out is we just need different ways to reach people.
[David Spark] Yes, and it is about behavior change. That is not easy. Just think about ourselves. Like how do we even change our own personal behaviors. It isn’t just because someone told us to do something. It’s more involved than that. And yes, we have a phenomenal sponsored guest for today’s episode from Code42.
We have her on the other show and thrilled to have her here. It is the CIO and CISO, double bill right there, Jadee Hansen. Jadee, thank you so much for joining us.
[Jadee Hanson] Thanks for having me.
What’s the optimal approach?
3:19.760
[David Spark] Lisa Ackerman, GSK, said, “Cyber needs to become second nature like looking both ways before you cross the street. It will take more than once a year cyber training or a monthly phishing test and better training modules with real examples that show real impact.” Gabe S., the CISO over at PDC Technologies, said, “Giving users actionable education related to their homes, family, and friends has been helpful in showing them they are a part of the security team.
I’ve had them come up after a security awareness training and ask questions about home networks, VPNs, password managers, authentication apps, etc., for personal use. Now they are thinking about security and understand the why.” I’ve heard this also from our other cohost, Mike Johnson. If you get them concerned about their personal security, that’s kind of the first step.
Is that really the best place to start, Geoff?
[Geoff Belknap] I don’t know if it’s always the best place to start, but I find it to be really helpful. I agree with Gabe. I think you have to start with the why. You have to start with why do you need to care about cyber security.
[David Spark] And it’s not just because I told you so.
[Geoff Belknap] It is absolutely not because I told you so. I think you can certainly start with yelling at people and trying to scare them. But the reality is you need to convince them that there is a compelling reason that they should care at all about making their work more secure, about anything you say before you can get them to change behaviors that you might want to adjust.
And I think a lot of times, it’s just a matter of connect it to their jobs. Connect it to success for their jobs. If you are in finance and you don’t protect what you’re doing, someone can make off with your financial models. Someone can adjust your accounting records. Those are things that really impact the outcomes that those people care about.
I think all of that is really valuable, and I think this kind of signal that people are interested in…what about in their home, what about their personal lives…that means you’re starting to reach them. That is a great sign.
[David Spark] So, Jadee, where do you start? Is it personal, or is it getting them to personally be successful, the why? Or it’s a combination of the two I’m assuming?
[Jadee Hanson] I think it’s a combination of the two. I do love that in Gabe’s company people are interested in security and asking for advice, how to protect themselves at home. That said, it’s a slipper slope when you start supporting at home setups as the CIO, too. So, it’s a little bit scary in the sense that you…
[David Spark] Have you run into that problem when you’re doing home security?
[Jadee Hanson] Absolutely. Yeah. And in the IT world, we can never know the exact set up of the at home, so it’s a good indication that the company is interested in security. But I have a little bit of caution there, I guess. And I actually really love Lisa’s comment, too, on the so what. So, if you think about all the different things that we have to deal with in security, we expect everyone to care about security as much as we do without the in depth knowledge that we actually have.
That is not going to happen. And so we have to figure out how do we provide people that we work with, people in our companies the right information at the right time so that they do care, so that they understand how it relates to the things that they’re worried about within their business line – what is that real impact.
[David Spark] And I also want to just double down on one more quick comment, again, from you, Jadee, about that this is a long-term play. I’ve heard it likened to sort of the antismoking campaign or wearing a seatbelt campaign. These things don’t happen overnight. Is there a way to see incremental success?
[Jadee Hanson] I love that question. I’ll give kind of my own experience. I’ve started a company where the culture around security was really bad. And I remember we got in a room, and we started talking about like, “Well, how do we want people to perceive security at Code42 even?” And we kind of came up with a brand statement, and we’re like, “Okay, well, this is exactly how we want people talking about security when we’re not there.
This is what we want them…how to react when they have a situation that comes up.” And we laid all that out, and then we sort of measured ourselves. Like, “Is this happening in the organization? Are people raising their hands when things go wrong? Are people ultimately telling on themselves?” And we essentially started measuring like how often does that happen.
When we first started, it was never. Nobody came to us for anything. Now, there isn’t a day that goes by that we don’t get a Slack or we don’t get an email of somebody asking us to weigh in on something or somebody telling on themselves for doing something that maybe they shouldn’t have, and now they need help to change it.
What must a security leader be able to do?
8:13.071
[David Spark] Ashish Rajan of Cloud Security Podcast and also the SANS Institute said, “Big struggle. I could not get developers / security champions to reach out to the security team for help or guidance. The resolution was started showing up for their team barbecues, parties, and game days in the office.
This connected us as colleagues first and Security Team second.” Christian Borst of Vectra AI said, “It is about culture in the first place and not simply awareness. Approach has to shift from teaching/telling to learning, nudging, and supporting to be successful through security champions.” Christian went on to say, “Talk about security over coffee, lunch, and have fun.” So, I’ll start with you again, Geoff, on this one.
They just said be friends first is kind of what it sounds like. Yes?
[Geoff Belknap] [Laughs] I feel like the answer here is something I talk a lot about. It’s like build the relationship. When you have a good working trust and relationship then you can start to talk to people about the things that you need the to hear. But if you don’t start by understanding what they do, what their motivations are, what their team is busy with… I mean, I think certainly you could throw a barbecue or a party and get everyone to come to it, and that’d certainly be one way to do it.
But if you can go to a staff meeting, have someone from that team come to your meeting and explain what’s going on in that organization… Anything you can do to sort of establish that credibility, that believability as just a fellow colleague or a fellow business leader, that is really going to help you.
Because at the end of the day, you want whatever behavioral change, whatever cultural shift to stick. And it will not stick if it’s just a one-time thing, if it’s just annual training. It will only stick if somebody understands that as part of their path to a successful outcome.
[David Spark] What have you seen work, Jadee, in terms of building that sort of true culture relationship? Because that’s really what we’re talking about here. The overarching theme of today’s episode is building culture.
[Jadee Hanson] Yeah, I totally agree with Geoff in the sense of it really comes down to relationships. There’s so many different ways to build relationships. I think obviously going to a barbecue is a great idea. The other thing that I would call out is it’s really, really important that security teams are approachable.
I think in many organizations, people are scared of us. We’re intimidating in some cases.
[David Spark] I’ve heard this a lot, by the way.
[Jadee Hanson] Yes. Yes. And in some cases, security teams kind of lock themselves in special rooms, and we don’t let anyone see what we’re doing. And so there’s this elusive thought around what is security really up to. I personally think this needs to change.
[David Spark] Like embed security in other departments possibly?
[Jadee Hanson] Absolutely. Embed it in other departments. If you think about it, the security team is only so big, and we need the collective company to help us identify where we have security gaps and where the company might be put at risk. And so we need to be engaged throughout, and we need to be approachable so people raise their hand, and they come to us when things might not be secure or when they see issues.
Sort of like the see something, say something. They have to feel welcomed when they come to the security team with something that might be a concern of theirs.
[David Spark] Let me ask for both of you, is there sometimes a little bit of an attitude adjustment that needs to be made with some of the security employees? Because I have met people who work in security that could use a little bit of an attitude adjustment? And I know this also probably happens during hiring.
But security people are their little wonky selves. Geoff, you’re smiling?
[Geoff Belknap] I think there are definitely people probably more early in their career that are very excited about vulnerabilities and things that they can do to find away to breach a system or override a control. And that’s great. I love that energy. But I think it takes a little while for people to understand that, “Hey, the head of sales, they don’t care about that.” And they won’t care about that until you can connect that to their job and to give them a reason to care about it.
Their job is to help the business be successful, not to worry about patching a thousand vulnerabilities. So, I think sometimes you just have to remind them that, “Yeah, let’s super geek out and deep dive in this area. But sometimes we have to zoom out and talk to other normal humans as well.”
[David Spark] Jadee, your experience?
[Jadee Hanson] Yeah, similar. I do think that there’s some security practitioners that still approach things with I guess an overexcited way, and that can be really scary to people that you’re working with. And so, again, going back to we really have to shift to make sure that every action that we have with the rest of the organization, we’re doing it in a way that we’re seen as very approachable, and very calm, and very collected.
And were not shaming anyone. We’re not calling anyone out. And so we become less scary, and we become an organization that people want to partner with, and they want to reach out to us, and they want to address some things that they might see within their organization that they feel like is a risk.
Sponsor – Code42
13:40.920
[David Spark] Okay, before I go on any further on this fantastic episode so far, I do want to talk about our awesome sponsor, Code42. For those of you not yet in the know, Code42 is the insider risk management leader addressing the full spectrum of data loss. Now, whether it’s malicious, negligent, or even accidental.
Code42 delivers a SaaS solution built with the modern day collaborative culture in mind. So, did you know that there’s a one in three chance that your company will lose IP when an employee quits? That’s a pretty high odd. So, economic uncertainty has created workforce volatility. A lack of confidence in job security means that many employees are taking action to protect themselves, gaining the competitive edge by downloading IP, customer lists, or sales strategy.
Don’t tell me you haven’t done this before. I know you have, those listeners out there. So, all of this makes data protection more challenging. Code42 Incydr, that’s the name of their product, gives you the visibility, context, and control needed to stop data leak and IP theft. With Code42 Incydr, you can, listen to this, see when data is exfiltrated without setting up strict classifications, two, eliminate excess alerts for your security team, and contain data leaks without disrupting employee productivity.
Plus maintain compliance with security standards and corporate policies. If you want to learn more…and I’m sure you do…go to their site. Visit code42.com to learn more about Code42 Incydr, a new approach to data security.
How do we determine what’s most important
15:24.867
[David Spark] So, Chris Nolke of Skycrane said, “You must…” And he talks about this all has to start from the top. And here’s his advice. “Solicit the CEO and their officers to include security goals as top line corporate goals tied to incentives. Two, have the CEO star in and lead awareness work and training requirements.
Three, have the CEO mention security in presentations to the company including their own personal journey of awareness. And four, create real penalties for multiple clicks on phishing test emails, propping open doors, and violating security policies. Heads on stakes work. So, all struggles I’ve run into are cases where the officer or CEO are unwilling to do the above, abdicating leadership from thee top makes ‘security culture’ impossible in strict terms.” All right, Jadee, I’ll start with you on this one.
We are mostly as we have seen actually in a recent recording very pro the carrot approach, not the stick approach. And we’ve also seen things work from the bottom up, not necessarily the top down. But top down is also very important. But Chris seems very adamant about it has to be top down. And if people screw up, you got to penalize them.
What do you think?
[Jadee Hanson] Okay, so for the first three, I can sort of get on board. Yes, you want to have your CEO involved and supportive. We use our CEO to drive certain security messages. He actually started as Obi-Wan Kenobi in a Star Wars parody video that we did, which was fantastic. But…
[David Spark] But also this is quite unique in that you are a security company.
[Jadee Hanson] True. True.
[David Spark] So, obviously he would be on board with security.
[Jadee Hanson] He would be on board with security. The big but in using your CEO to drive the message is that’s really the job of the security team and the CISO of the organization. And so to an extent, you want your CEO involved, and you want him supporting the messages. But to me, it’s very much the job of the security team to influence the organization the right way.
The fourth item that was called out, penalties for multiple clicks and phishing fails, I read that, and I had to kind of read it again because who are we suggesting the penalties are for. Are they for the person who clicked, or are they actually for the security team for not doing a good enough job influencing the organization?
[David Spark] Good point.
[Jadee Hanson] And then protecting the organization when things go wrong. So I think that what was meant was for the individual. I would almost turn it around and think about, “Well, okay, if this keeps happening in our organization, there’s accountability back on the security team for potentially not educating the right way or protecting the end point if somebody does click.” So, I don’t love the idea of heads on stakes.
I think everything that we talked about previously makes us not at all approachable. And to me, you need the collective organization to be working with the security team. And when we do things like mass penalize people for simple things like clicking on a link, I think that’s where we get into trouble.
[David Spark] Geoff? So, we talked about this a little bit before, but pretty much Chris I’m getting the sense is saying that the CEO must be involved. Without it, it’s not going to happen.
[Geoff Belknap] I don’t agree. I’m much more closely aligned to Jadee here. I think Chris has a great direction that he’s trying to take this. He or she. And I think where we get this right with these four bullet points is it is very useful to have your senior leadership reinforce and echo whatever message you want coming out of security about why security matters and why it’s valuable to the company’s success.
[David Spark] Good point.
[Geoff Belknap] I don’t think you need the CEO to star in all of your training and mention all your things. Let’s be honest, if you’re an up and coming company, the security leader should be going to the all hands and saying whatever security updates you need. The security leader should do the training or people from the security team.
Like get them exposed to people.
[David Spark] Yeah, it’s like you want the CFO talking about the finances of the company.
[Geoff Belknap] Exactly.
[David Spark] You don’t want the security leader talking about the finances of the company.
[Geoff Belknap] Yeah, I think this is…the part that we just miss on this advice is… We talked about it on this show before. If you want your board to become a better advocate for security, you don’t need to go teach them more about security. You need to connect your success with what the board sees as success for the business.
I think the same thing here. It’s you don’t need the CEO to go do security’s job. You just need them to be a strong ally. And then finally, I can’t underscore enough – it is no one’s fault at this stage in the game…it is no one’s fault if they click on a phishing email. It is absolutely…and I want to underscore this because this might be controversial, just like Jadee said…it is absolutely the security team’s problem if you click on a phishing email and it’s devastating to your business.
[David Spark] Yes, this has come up. You shouldn’t be one click away from collapsing the company.
[Geoff Belknap] 100%. Everyone who works in security wishes people wouldn’t click on those, just like we wish the bad guys wouldn’t send them. But it is my job as a security leader to make sure that we are more resilient in our business than one email click away from complete and total devastation.
So, I’m not aligned there. I don’t actually think the stick approach works here. I do think reinforcing the positive message, telling people how to report things, being quicker at responding, having tools available to you like Code42 and others that help you recover when there’s a problem, those are the places I would spend all of my time.
And if it was up to me, I would spend zero time testing people to see if they would click on a phishing email.
What would a successful engagement look like?
21:26.723
[David Spark] Shaun Marion, who’s the CISO over at McDonalds, said, “Meet people at their level. Don’t expect them to come to yours. Don’t talk to the board about threat landscape unless you are prepared to relate it in business terms.”
[Geoff Belknap] Sounds familiar.
[David Spark] Yes. Duane Gran of Converge Technology Solutions Group said, “I had someone say some rather uncharitable comments about the training material we use for quarterly security awareness campaign. In the near term, this stung a bit. But I took the high road. I thanked her for taking an interest, asked for her to elaborate, and eventually got her involved as a volunteer to help select awareness topics.
Sometimes your most vocal critics can become your most vocal champions for the security program.” Jadee, I love Duane’s example here of if people are passionate about it and they’re angry and upset, that’s the person you want to work with. Yes?
[Jadee Hanson] Absolutely. When you think of it, it’s like they know where the issues are within their particular line of work. And so when you get somebody that’s excited and says, “Hey, your training did not hit the mark,” use that. What do we need to be telling people? What do you know that we don’t know that we should rotate on and get specific training to that particular team?
I think the concept around security training in general is pretty flawed. If you think about it, we send some companies…we send one video out. It’s usually long, and we ask everyone to watch it. And we expect them to remember the exact thing that they are suppose to do if ever a situation were to arise maybe even 11 months later.
Nobody will remember to do that and what to do. And so I think we absolutely have to shift to more real time, and we need to shift to a spot where it is very, very actionable and in the moment.
One thing that we do at Code42, we do a lot of things related to this space. But one thing that we do with our product is as people are moving data around, if let’s say for example they make a document public or they send a document outside of the organization, we just Slack them a 30-second quick video that says, “Hey, I don’t know if you knew you did this, but this is what happened, and this is what you should change.
Or these are the settings that you should apply so that this document is no longer public.” And it is in those moments… We all have those moments. We all can think about a situation where maybe we did something incorrect, and then it was corrected right away. Those are the moments that our organizations learn the most.
And so to me, we absolutely have to capitalize on the feedback from the rest of the organization and then also shifting our training so that it’s much more tied to in the moment issues that potentially come up.
[David Spark] Yeah, getting them in the moment is key. I just think it’s also… When people are extremely critical, it means they care. Geoff, have you been highly criticized and turn that person into a champion?
[Geoff Belknap] Every single recording, David.
[David Spark] [Laughs]
[Geoff Belknap] Yeah, look, I’ve definitely received critical feedback. And I think I’m definitely a proponent of or an adherent to the philosophy that feedback is a gift, even if sometimes you would very much like to give that gift back and not accept it. The critical feedback is the place where the most truth lies sometimes.
Especially if you’re getting critical feedback about training, that is your target audience saying that they consumed this content, which you’re just thrilled to hear about in general. And they have feedback. They disagreed with it. They considered it. They thought about it. They processed it, and here is their feedback.
That is gold. You can’t pay enough money to get that kind of feedback. Now, it might not feel good in the moment, but if you sit with it, you stir it, and you process, you’re usually going to be able to make whatever the feedback is about better as a result of that kind of feedback. I also just want to say like, Jadee, that’s amazing.
The point in time engagement with people about security matters is fantastic. I was kind of reminded of when my dog was a puppy, trying to correct behavior or working on potty training, whatever, you don’t go, “Didn’t you watch the video we showed you about pottying?”
[Laughter]
[Jadee Hanson] 11 months ago.
[Geoff Belknap] “We’re going to show it to you again in 12 months.”
[David Spark] Are we making an analogy of our employees as in potty training a dog?
[Geoff Belknap] I wouldn’t compare my employees to dogs, but I would say in both cases we’re trying to adjust behaviors and improve lessons and internalize them. Those are not done by showing someone a 35-minute video once ever 6 to 12 months. That is like you’re reinforcing the messages. And if you have any retention of that, fantastic.
But that’s the beginning of the job. That’s not the end of the job.
[David Spark] And as a closing piece of advice, if they do a good job, you do give them a treat, yes?
[Geoff Belknap] Absolutely.
Closing
26:42.336
[David Spark] That brings us to the close of the show. We get to the portion of the show where I ask both of you which quote was your favorite and why, and I will start with you, Jadee. Which quote did you like the best, and why?
[Jadee Hanson] I loved Shaun Marion’s quote from McDonalds. “Meeting people at their people, don’t expect them to come to yours.” I think this is incredibly important. We talked about this kind of throughout the show. We have to engage. We have to build the right relationships. And we have to understand what is the threats to the organization’s business area and talk about it in a way that they would understand.
[David Spark] On the money. You opened with it, you closed with it. Geoff, your favorite quote and why?
[Geoff Belknap] I’m going to have to go with my friend, Ashish Rajan’s quote here of the Cloud Security Podcast and also at the SANS Institute. “Big struggle, I could not get developers and security champions to reach out to the security team for help or guidance.” And here’s my favorite part – “Started showing up for the team barbecues.” And spoiler alert, I would like to know which of my teams that are listening to this have barbecues so I can attend.
But, “Parties and gamedays in the office connected us as colleagues first and security team second.” I think this is great. This is what I often tell my teams. Like first we have to connect credibly and reliably as peers, and then we can start to talk about security or talk about what we want someone to learn about security.
What a fantastic idea. Nice quote.
[David Spark] Excellent. Well, that brings us to the very end of the show. Jadee, I’ll let you have the very last word here, but I do want to mention your company, Code42. Code42.com. Reimagined enterprise data protection for insider risk. And check out their Incydr product that they’ve got. Geoff, thank you, as always, for being on the money.
We greatly appreciate it. If you’re looking for a job at either LinkedIn or any place whatsoever, guess what, there’s a website to find that. It’s called linkedin.com. Am I correct on that?
[Geoff Belknap] linkedin.com is a fantastic little website. You should check it out.
[David Spark] I’ve been on it a couple of times. Jadee, any last piece of advice to our audience or any offer or anything you want to say to people about Code42?
[Jadee Hanson] Yeah, so I guess we talked about it a bit, but at Code42 we’re really focused on giving you the right tools, the right tech to respond to any sort of data exfiltration. Whether that response is training videos that we talked about that are kind of in the moment, micro trainings or it is blocking the highest risk data from leaving your organization.
Or just surfacing of data exfiltration that you might actually not have noticed. So, if you’re looking to solve any of those problems, come visit us. Come check it out. I mentioned before, I run our IT department. So, naturally I support our demo environment. So, if anyone wants a quick walk through of what the solution does by a CIO and not a system engineer, I’m happy to provide that.
[David Spark] Aw. I’m assuming contact you on the LinkedIn?
[Jadee Hanson] Contact me on the LinkedIn.
[David Spark] All right.
[Geoff Belknap] Good idea.
[David Spark] There you go. It all comes full circle here. Thank you very much, Jadee. Thank you to Code42. And thank you to Geoff Belknap as well. And also most importantly, thank you to our audience for your great contributions and for listening to Defense in Depth.
[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, cisoseries.com. Please join us on Fridays for our live shows, Super Cyber Friday, and Cyber Security Headlines – Week In Review. This show thrives on your input. We’re always looking for more discussions, questions, and “what’s worse” scenarios.
If you’re interested in sponsoring the podcast, check out the explainer videos we have under the sponsor menu on cisoseries.com and/or contact David Spark directly at david@cisoseries.com. Thank you for listening to Defense in Depth.