The Security Culture Playbook. Perry Carpenter
Читать онлайн книгу.
Kai Is the world leader on security culture helping organizations understand what culture they currently have, what culture they would like to have, and more importantly how to get there.
—Quentyn Taylor, Senior Director – Product, Information Security and Global Incident Response Canon Europe Middle East and Africa
For over a decade, Kai Roer has advised and guided security executives on leading teams and developing culture. His pragmatic approach, informed by psychology and backed by metrics, moves beyond the fluffy platitudes so often found in leadership books. If you are looking for where to begin or wondering what good looks like, Kai Roer's expertise lights the path.
—J. Wolfgang Goerlich, CISO
I was quite happy living with the knowledge that I had invented the phrase “Security Culture.” Then I met Kai. He had been working on the concept for a couple of years already and went on to become the master of the subject. I am proud to have been on some of that journey with him and have followed and implemented his work at some of the most forward-thinking organizations on the planet.
—Shan Lee, CISO, Wise PLC, ex-Just Eat
Kai is a consummate professional cyber security risk adjudicator and educator; I have known Kai and worked with him for several years, and he is someone I implicitly trust in all settings.
—Bill Hagestad, Author of 21st Century Chinese Cyberwarfare and several other books on China's use of computer systems as national strategic weapons. He advises NATO, the US Marine Corps and interfaces with the Chinese People's Liberation Army (PLA).
There is no such thing as a comprehensive cybersecurity posture without a security culture program. Carpenter and Roer provide executives with all the tools they need to help secure the frontline of defense ― the human. With ransomware and novel social engineering techniques on the rise, there has never been a timelier moment for this book ― it simply is the must-read cyber book of the year!
—Dr. Lydia Kostopoulos, SVP Emerging Tech Insights
Kai Roer is a person who has been at the forefront of Security Awareness for many years and as such is leading by example. From the early days of his Awareness model to his recent book successes, Kai has proven time and again through his experience in the field implementing his knowledge that he is a true leader in this field.
—Stuart Coulson, Director, HiddenText Ltd
The Security Culture Playbook
Perry Carpenter
Kai Roer
Introduction
We're here to put a dent in the universe. Otherwise, why else even be here?
Steve Jobs
So, you're interested in security culture. You are not alone. The use of the phrase “security culture” has been steadily increasing over the past few years as organizations seek to combat the ever-present, daily drip of data breaches.
Somehow, despite all the great advancements in security-related technologies, we are faced with a simple truth: Technology, alone, is not enough. It does not offer sufficient protection against breach. Cybercriminals inevitably find ways to bypass the technology by targeting vulnerable humans; or a malicious or negligent insider may know just the right “work around” to effectively nullify your defenses. That's a recipe for a bad day.
Security leaders and business executives are coming to recognize that it's time to pay close attention to a long-neglected layer within their security stack: the human layer. But, you may ask, doesn't that mean that we should be talking about security awareness? The answer is both yes and no. Awareness is definitely part of the answer, but, by definition, simple awareness can take you only so far. Heck, even the old G.I. Joe public service announcements got that right. If you remember, they ended with the tag line, “Now you know. And knowing is half the battle.”
For far too long, organizations have fallen into the trap of equating security awareness (information sharing) efforts with behavior change.
For far too long, organizations have fallen into the trap of equating security awareness (information sharing) efforts with behavior change.
We all know, however, that knowledge doesn't always change behavior. Tons of people will tell you that they know they should adopt better behavior patterns around what they eat, their financial habits, and more. So, in the same way that technology alone is not sufficient for protection, knowledge alone isn't the answer either.
To add an effective human layer of defense, we need to embrace what is commonly referred to as the ABCs of cybersecurity: awareness, behavior, and culture. That recognition is why we are seeing a surge in people using the phrase “security culture.” But here's the thing: So many people are throwing around the phrase without actually knowing what it means. They know that a good security culture must be a positive thing, but there is no precision or general agreement about what a good security culture looks like or how to achieve this promised security culture goodness.
That creates a dilemma. Security culture becomes this thing that has a lot in common with Bigfoot, the Abominable Snowman, or the Loch Ness Monster. People swear that it exists, but they have a hard time producing anything other than the equivalent of fuzzy photos and rambling stories of how they once saw one. And that's why we wrote this book.
Security culture becomes this thing that has a lot in common with Bigfoot, the Abominable Snowman, or the Loch Ness Monster. People swear that it exists, but they have a hard time producing anything other than the equivalent of fuzzy photos and rambling stories of how they once saw one. And that's why we wrote this book.
We're here to make security culture something that is not only understandable, but also measurable and manageable so you can finally get a handle on how to effectively engage your human layer of security and reduce human risk in your organization.
So let's go on a journey together—a journey to unlock the mysteries of security culture. Your guides (the collective “we” that you've been seeing throughout this short introduction) are Perry Carpenter and Kai Roer. Between the two of us, we have over 35 years of experience studying and consulting on various aspects of security culture. Seriously, we won't bore you with our bios and CVs here. You can find those elsewhere in this book. Just know that you are in good (virtual) hands as we guide you through this journey.
The path awaits. Let's begin.
Perry Carpenter & Kai Roer
February, 2022
What Lies Ahead?
Our goal in writing this book is to add much-needed precision and guidance to the security culture conversation. We believe the security industry is at a tipping point where leaders are ready to accept that technology is not a panacea. There have been so many great advances in security-related technologies over the past few decades, but those advances are not stemming the tide of breaches. Yes, those advances made technology-dependent hacking much more difficult, but they created the unintended consequence that our people are now the primary target. As an industry, we've been so focused on (and enamored with) technology that we've ignored the human side of the equation.
As leaders now seek to build their human-layer defenses, it is important that they move quickly and effectively. We can't afford to get this wrong. As such, our focus over the next several chapters will be to add much needed clarity about security culture: what it is; what it comprises; how