There is something dreadfully similar about cybercrimes and gun crimes. Both have become so common that people only notice the biggest breaches or highest casualty counts. Kai Roer, chief research officer for KnowBe4, the world’s most popular security awareness and simulated phishing platform, is well aware that people, including tech teams, have become numb to constant cyberthreats. That’s why he teamed up with Perry Carpenter, chief evangelist and strategy officer for KnowBe4, to promote the idea of “security culture.”
Roer and Carpenter have published a new book, The Security Culture Playbook: An Executive Guide to Reducing Risk and Developing Your Human Defense Layer, to bring some hard facts to light. For instance, more than 85% of breaches trace back to humans, and there is a new ransomware attack every two seconds. These attacks are costing billions of dollars, and neither better technology nor promoting security information and “awareness” is hardening organizations sufficiently.
We asked Kai Roer about the limits of tech solutions, what security culture is, and how to develop one in organizations as varied as tech-savvy startups and local government.
Grit Daily: Why doesn’t good security technology limit how much damage can be done by human error?
But it does! Without good security technology, errors would be much larger, more expensive, and impossible to combat. The challenge isn’t a lack of good technology; it’s that technology isn’t enough. As we innovate and create better tools and technology, all kinds of new threats come along, too, forcing us to change our behaviors and develop even better tech.
Over the past few decades, many startups have been successful in doing just that. Think about Cisco and Fortinet; both started small, both created technology, and both helped dramatically improve security for thousands of customers around the world, and they still do. Without these and other security technologies, we’d still be combating digital worms, viruses, and similar threats that we hardly ever see today.
Because of technology’s continued improvement, threat actors today have a better ROI (return on investment) when they target humans. It’s simply easier and cheaper to trick someone into opening an attachment or clicking an email link than it is to gain access to computer systems by other means.
So, the challenge isn’t a lack of security technology as much as it is a lack of technology to help humans do the right things more often—and the wrong things less often. The good news is that even in this space, new technology is quickly adopted to reduce this risk even further.
Grit Daily: What’s an example of an organization that has what you consider a good security culture?
Very few organizations demonstrate a good security culture. One reason is that a strong security culture is a moving target: what was considered “good” yesterday may no longer be good today. As new threats evolve, organizations must adapt and change. Another challenge organizations face is resilience: how well will the organization deal with a critical incident?
Some characteristics of a good security culture include:
Resilience: Are your employees, procedures, and technology able to adjust quickly to threats and changes? For example, most organizations were forced to make dramatic changes due to COVID; over weeks—not months—employees had to move out of the office and work from home.
A way to gauge your organization’s resilience is to examine how fast—and how successfully—it managed that transition. Now apply this to your business contingency plans, and consider how a security incident would affect your company.
Preparedness: Research shows that people who are more likely to survive critical accidents, like a plane crash or train wreck, are mentally prepared. They pay attention to the security notifications and know where the emergency exits are.
This also applies to organizations. Organizations that understand and accept that there will be security incidents, regardless of their security measures, are generally doing better than those who believe “it won’t happen to us.”
Communicating to employees, “When it happens, this is what you need to do,” is a great way to prepare. Putting business contingency plans in place is also essential. And making sure employees dare to report mistakes, such as opening a loaded email attachment, is critical! Hail those who report incidents! They are your key assets.
Ongoing communication: We see over and over that organizations that communicate security and its value to employees and stakeholders do better in all aspects of security compared to those that don’t.
Consider the Government Pension Fund of Norway (GPFN), a fund with assets valued at 11,754 billion NOK, which is over $1.35 trillion USD. Its managing director, Nicolai Tangen, has made it clear that the biggest threat to the organization is cyberthreats.
He recently shared his personal experience of being the target of a cyberattack, in which the perpetrator played to his own ego to get him to open a compromised document that took control of his work computer.
Rather than pretending this never happened, Tangen shared what he and his organization learned from this experience at a number of public events. This kind of ownership demonstrates that no one is perfect; it’s just a matter of time before you’re the one being hit. And when that happens, the key is knowing what to do.
Grit Daily: The county government of Somerset County, New Jersey, which is not very far from where I live, was recently paralyzed by a ransomware attack. How do you build a security culture at government offices, school districts, and these sorts of crucial but not-very-tech-sophisticated organizations?
This is a critical question. We see government offices, schools, and other public services being hit daily, and not only in the United States. This happens all over the world.
A similar event to the Somerset County attack happened in Norway: Østre Toten Kommune (the municipality of Ostre Toten) was devastatingly hit by ransomware, and all their systems died. They are still, many months later, struggling to recreate data and bring systems back online.
The solution to this problem is to wake up politicians and public management to the reality we all face: we are all targets, and preparedness is what counts.
Now, the challenge is that funding security and IT can be difficult in many of these offices, where scant funding is often coupled with regulatory demands on how and where to spend allotted funds, leaving very little for “other services” like security. This lack of investment has led to many government offices having weak security measures in place and very little employee training. Thus, when disaster strikes, it hits hard.
To adequately secure these organizations, they need to invest in technology, procedures, and educating the workforce. A security culture won’t replace technology or procedures; it works with and alongside these areas.
Grit Daily: What are the metrics, aside from whether there was a breach today, for measuring an organization’s security culture?
In our book, we propose a new and more accurate method to help organizations measure security culture in a meaningful way. We call this the Security Culture Maturity Model (SCMM).
Unlike other maturity models, this one is evidence-based, meaning that it’s easier and more accurate to place your organization on the model compared to the guesswork that’s often needed in other models. By using indicators that are based on data from the organization itself, what we call Culture Maturity Indicators (CMIs), we can lay out a detailed and useful understanding of your security culture.
Example CMIs include the Security Culture Score, which is the resulting score of a security culture assessment by KnowBe4. Other CMIs are calculated based on security behaviors, such as clicking on phishing links, reporting threat emails, and so forth.
One of the benefits of the SCMM is that CMIs can be created as new technology and methodologies evolve, so it will stay accurate and relevant even years from now.
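The behavior-based indicators Roer describes (click rates, report rates) are the part of this that any organization can compute from its own simulated-phishing data, independent of any vendor's scoring. The script below is an added example written for this article; it is not KnowBe4 code and does not implement the SCMM or the Security Culture Score. The event schema (delivered / clicked / reported per user per campaign), the campaign names, the users, and the timestamps are all constructed for illustration, and the indicator names are our own choices, not terms from the book.

```python
"""Behaviour-based culture indicators from a simulated-phishing event log.

Added example for illustration; not KnowBe4 code and not the SCMM itself.
The event schema, campaign names, users and timestamps are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import median
from typing import Any, Dict, Iterable, List


@dataclass(frozen=True)
class Event:
    campaign: str
    user: str
    action: str          # "delivered" | "clicked" | "reported"
    ts: datetime


def _t(hhmm: str, month: int) -> datetime:
    # Constructed timestamps: one fixed date per campaign.
    return datetime.strptime(f"2022-0{month}-01 {hhmm}", "%Y-%m-%d %H:%M")


STAFF = ("u1", "u2", "u3", "u4", "u5")

# Constructed sample log: two quarterly campaigns to the same five staff.
EVENTS: List[Event] = [
    # Q1: three users click; two report (u5 clicks, then reports the mistake).
    *(Event("Q1", u, "delivered", _t("09:00", 1)) for u in STAFF),
    Event("Q1", "u3", "reported", _t("09:03", 1)),
    Event("Q1", "u1", "clicked",  _t("09:05", 1)),
    Event("Q1", "u2", "clicked",  _t("09:10", 1)),
    Event("Q1", "u5", "clicked",  _t("09:20", 1)),
    Event("Q1", "u5", "reported", _t("09:22", 1)),
    # Q2: one click, three reports; same organization, one quarter later.
    *(Event("Q2", u, "delivered", _t("09:00", 4)) for u in STAFF),
    Event("Q2", "u3", "reported", _t("09:02", 4)),
    Event("Q2", "u1", "reported", _t("09:04", 4)),
    Event("Q2", "u2", "clicked",  _t("09:07", 4)),
    Event("Q2", "u4", "reported", _t("09:30", 4)),
]


def campaign_indicators(events: Iterable[Event], campaign: str) -> Dict[str, Any]:
    """Per-campaign indicators; each user counts at most once per action."""
    first: Dict[str, Dict[str, datetime]] = defaultdict(dict)  # user -> action -> first ts
    for e in events:
        if e.campaign != campaign:
            continue
        prev = first[e.user].get(e.action)
        if prev is None or e.ts < prev:
            first[e.user][e.action] = e.ts

    delivered = {u for u, acts in first.items() if "delivered" in acts}
    if not delivered:
        raise ValueError(f"no deliveries recorded for campaign {campaign!r}")
    clicked = {u for u in delivered if "clicked" in first[u]}
    reported = {u for u in delivered if "reported" in first[u]}
    # Ignoring the lure is harmless, but only a report gives the SOC a signal.
    ignored = delivered - clicked - reported

    send_time = min(first[u]["delivered"] for u in delivered)
    latencies = [(first[u]["reported"] - first[u]["delivered"]).total_seconds() / 60
                 for u in reported]
    first_report = min((first[u]["reported"] for u in reported), default=None)

    return {
        "phish_prone_pct": 100.0 * len(clicked) / len(delivered),
        "report_rate_pct": 100.0 * len(reported) / len(delivered),
        "ignored_pct": 100.0 * len(ignored) / len(delivered),
        # Reports per click: above 1 means the SOC usually hears about a lure
        # at least as often as someone falls for it.
        "reports_per_click": len(reported) / len(clicked) if clicked else None,
        "minutes_to_first_report": ((first_report - send_time).total_seconds() / 60
                                    if first_report else None),
        "median_report_latency_min": median(latencies) if latencies else None,
    }


def trend(events: List[Event]) -> List[Dict[str, Any]]:
    """Indicators for every campaign, ordered by first delivery, to track drift."""
    starts: Dict[str, datetime] = {}
    for e in events:
        if e.action == "delivered":
            starts[e.campaign] = min(e.ts, starts.get(e.campaign, e.ts))
    return [dict(campaign=c, **campaign_indicators(events, c))
            for c in sorted(starts, key=starts.get)]


if __name__ == "__main__":
    for row in trend(EVENTS):
        print(row)
```

Two design choices matter here. A user who clicks and then reports (u5 in Q1) is counted in both sets rather than netted out, because that is exactly the behavior Roer says to reward: reporting your own mistake. And the time-to-first-report figure is tracked alongside the rates, since for incident response the useful question is not only how many people clicked but how quickly the first report reached the SOC.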
Grit Daily: Does security culture require organizations to hire a director or vice president, or whatever, of security culture? Who should own this role?
No, it doesn’t require hiring someone. But doing so certainly helps! As with all organizational work, having dedicated resources to champion and focus on the topic makes a huge difference. Ultimately, this role should bridge the work performed by your security and HR teams. Organizational culture, of which security culture is a part, typically belongs to HR or executive leadership.
Grit Daily: Any other points you want to make that I haven’t touched on?
Security and security culture are board-level topics because of the dramatic risk and effect security breaches have on organizations.
If your board isn’t yet discussing security and security culture, we strongly encourage you to bring it to the table. You may even propose bringing in a board member with industry experience and knowledge. More tips can be found in our book, The Security Culture Playbook: An Executive Guide To Reducing Risk and Developing Your Human Defense Layer, and at our website securityculturebook.com.