The Monica Talks Cyber Show

Culture and Awareness - Can we measure 'good'?

Monica Verma Season 2 Episode 3

In today’s episode Monica Verma talks with an industry leader Kai Roer, who has worked with security awareness & security cultures for decades. He is a security culture coach, an author and creator of security culture framework. In this episode, they cover:

What is 'good' security culture? Can you define and measure good security culture? 
Does the security culture start and stop? Are there clear demarcations?
Has Covid brought additional challenges for security awareness?
What are some of the biggest challenges around security culture?

We talked to our experts about these and more. Let’s hop into the episode right away. 

Looking to become an influential and effective security leader? Don't know where to start or how to go about it? Follow Monica Verma (LinkedIn) and Monica Talks Cyber (Youtube) for more content on cybersecurity, technology, leadership and innovation, and 10x your career. Subscribe to The 10x Circle newsletter at https://www.monicatalkscyber.com.

Intro  0:00  
Hey folks, welcome back to another fantastic episode of We Talk Cyber with Monica: your one and only platform for real world stories from some of the renowned global experts who are making a real impact in security and privacy every single day. Do you wonder what does it take to build a personal success story within security and privacy and make a real impact? What are the most important challenges within security and privacy today and tomorrow? And how can we overcome them? How can you build a career in security and privacy, break into leadership and take it a step further? If you're interested to hear all about this and more directly from the source? Then this podcast is the right place for you. So before we hop into the episode, make sure you subscribe to my YouTube channel: MonicaTalksCyber. You will find all my videos including my podcast videos. And if you are a podcast listener and you listen to Audio Podcast, then please subscribe and tune into We Talk Cyber in your favorite podcast app. Do it right away! So you don't miss any of these amazing conversations and stories. This is We Talk Cyber with Monica.

Monica Verma  1:17  
In today's episode, we'll be talking to an industry leader who has worked with security culture and awareness for decades. He's a security culture coach, an author and creator of the security culture framework. Today we'll be talking to Kai Roer on what is security culture? And how do you define it? Does security culture start and stop somewhere? Are there any clear demarcations? Has COVID brought additional challenges to security awareness? What are some of the biggest challenges within insecurity culture? Can we even define a good security culture? And how? What is security culture framework? So if you want to learn about all these and more, let's meet our guest right away. Hi, Kai, how're you doing? Welcome to the podcast show. 

Kai Roer  2:00  
Thank you so much, Monica. It's a pleasure to be here. 

Monica Verma  2:04  
Lovely to have you. Let's just start by introducing yourself. Could you just say a few words about yourself to the audience and share a fun fact about yourself.

Kai Roer  2:12  
So let's start with a fun fact. So I love traveling. And one of those things I love traveling with is a motorbike. I have what they call an 'adventure bike'; It's a Triumph Tiger Rally Pro. And the key here is that the name of the bike is Tiger, but my bike is actually called 'Tiger Shark'. That thing that swims in water. And if you want to know why? You have to come and approach me and I will tell you.

Monica Verma  2:46  
oh, okay, interesting. So tell us about yourself to the audience, who are you, what you've been doing, and so on.

Kai Roer  2:53  
So I think you can call me a 'knowledge nerd'. Over the course of my career, I've built a number of companies; all around the three things: communication, leadership, and technology. Those three things merge into today's topic — which is security culture — and security culture is a topic I have been working with, and researching for the past decade and a half.

Monica Verma  3:24  
So let's hop right into it. Let's start by, could you define what is security culture? And why is it important?

Kai Roer  3:33  
So let's start with the definition. That's the easy part. Back in 2012, I created something called the 'security cultural framework', which is free and open and a lot of organizations are using this, and there we define security culture as "the ideas, the customs and the social behavior of a group" —so for example, your organization— "that influences group's security". And with that definition, it's like okay, so what is security culture, then? Well, it's all of those 'ideas' that I have as an employee at a special employer; it's all the 'habits' that I put in place, for example, 'clean desk' (or not...); what I discussed with my colleagues over fetching coffee; and it's all the 'social behaviors', and the key there is "social behaviors". Because all of us have a huge variety of behaviors, but also most of us and us being humans, target or filter those behaviors dependent on the group we are participating in. You've probably seen that in your workspace, compared to going with the same people to a bar or a family dinner or even something else. But their behaviors will be good difference.

Monica Verma  5:02  
So, is there a point where security culture starts and stops? Or is it is something that is a part of our lives, especially today in the environment that we have... Is it something that we should be having 24\7 in the back of our head? Or is it something that you can say, okay, now we start and now we stop?

Kai Roer  5:23  
So I think that it's important here to differentiate between the 'cultural side' of things: which is how we behave, think, and our customs in a specific group. And 'your' — so you as an individual, how you think how you behave, when it comes to security. And if we start with the latter: I believe that you as an individual, always needs to be vigilant, and take precautions when it comes to any kind of, you know, 'stop-think-click', right? Because it matters —your brain is really fascinating in that way, right? So as an individual, you need to be vigilant. In your organization, you also need to be vigilant, but it's a different kind of vigilance. Because in a group of people, you will observe what other people are doing, you will listen to what they are saying. And then you will let those kind of insights and inputs, control or at least direct your actual behaviors. And the challenge today is that most of us are working from home —or me from my camper van out in Norwegian forest. But the challenge then, is that I don't go into the office; you don't go into the office; the person listening and watching that don't go into the office anymore. And what happens then we no longer get that social interaction, that will help us choose our beliefs, and our behaviors. And in that regard, I believe that both us and individual need to be more vigilant, but also the organization you work for, need to change how they do security awareness trainings, and of course security behavior assessments, and understand that the situation is very different now. So the way we deal with this needs to be different.

Monica Verma  7:43  
Absolutely, can you just say something about what kind of things you have seen in terms of cultures in different countries and different organizations? Because it's obviously very dependent on where you're coming from, how you've been working, what kind of kind of organization you belong to, what are the some key changes or similarities or differences you have seen in terms of security culture?

Kai Roer  8:05  
So I will make an example here, and I will use you as an example. So unlike me, you are not Norwegian. You have a multi ethnical background or something like that, right? And the reason I mentioned that is that most people like me who have only one ethnical background and one cultural background, and maybe even on our traveling. The challenge then becomes that you become so biased by your lack of exposure to anything different from yourself. And I see this to be the biggest challenge in multinational organizations; and when working with security culture around the world. Most people are not like you, Monica, or like me who are exposed to this. Most people think that all their experiences is exactly how everybody else has experienced life. Which means that they tend to grow up with a lot of strong biases. But more to the point here is the world is very diverse. Cultures are very diverse. People are extremely diverse. It's not so that we can talk about 'one culture fits everybody', or 'one behavior fits everybody', or 'one thought fits everybody'. And because of that, I believe that when it comes to working with culture, you first start with your own biases. And then you work your way forward. Most organizations are actually 'mom-and-pap-shops', or very small organizations spread around in one single country. But those who are not, they very quickly faced this multinational and multi ethnic or multicultural kind of challenge. And then of course, it becomes how do you deal with that? Well open up your eyes; open up your world; be accepting that your worldview, may not be the only correct one.

Monica Verma  10:16  
And that's a very good point. Because I feel as I'm very much for diversity, I blogged about diversity, I talked about a lot about diversity and inclusion. And I recently wrote a blog post also about that. We should do diversity inclusion for the right reasons. That's one thing, it's not because we want to fulfill up a quota. And the other important thing that I say quite a lot is: diversity is not only what we see, but diversity also in what we hear. That's really my biggest mantra when it comes to diversity inclusion. The reason being we talking about security culture —because first of all, we obviously come from different cultures and backgrounds. We, as you said, people have different opinions, and how they grew up. It's good to have that broader mindset. But it also helps us learn a bit more about —try different things and see what fits, because as you said, one size doesn't fit all. So now coming to 'security culture' from that perspective, obviously, companies do face challenges, right? Either, because as you said, they're just very narrow in the way that think; or for the ones that have multi cultural cooperations, then the challenge is: how do you find the right culture for the organization? Because I mean, people come from different backgrounds, different thinking, different opinions —how do we find that? So what are the biggest challenges you have seen around it? First of all, and what our experiences with it?

Kai Roer  11:39  
I think that the biggest challenge I see, are when people are so biased with their own perspective, that they don't actually see that there are different perspectives. That's for me, number one. And then number two, when you get to realize that: "oh, it's a wide variety of options and ways to do things..." Then it becomes understanding and then picking, because there are so many. In my preferred way of dealing with multi cultures is, to not create one single culture that is: "you have to do exactly like this, or your, you don't fit in", but instead: leveraging that diversity, focusing on the goal that we are trying to achieve —and of course, you need some some direction, so ethical rules, moral rules, legal frameworks, all that stuff. But when that is taken care of, leave the employees to to generate the best possible way to get that result, and you will be positively surprised...

Monica Verma  12:50  
Right! Okay. So what are the key elements in your understanding, for building a good security culture that fits the organization?

Kai Roer  13:01  
Well, first, you need to figure out where you are today. Right? So you need to have an idea of: am I here in the forests of Norway? Or am I in New York? Or am I on the moon? Before you have a good way of observing, measuring and documenting your current situation—your 'as is' for the 'ISO-fancier'. It's difficult to know that you are achieve what you want. So you need to start the document what you have. Then, of course, you need to figure out: how can I best use some tools available. Describe the 'to be' that the future situation; that culture you would like to see. And again, I always strongly recommend, I think is the word here, that one use the same language and the same kind of metrics for that 'future situation'. But then comes a challenge for many people, especially if you have a project kind of background. You think that okay, when I have set that target goal, I work to get there. And when I get there... I'm done! Yay, hooray! But a big shock here: culture doesn't work like that. So one of the challenges if you like in that perspective, with a culture, is that culture is 'plastic'. Plastic means that it is flexible, it moves, it changes it adapts. And to make it even more interesting from my perspective, or complex for for other people, it has a two way direction. So the culture —that group— influences the individual members. Right? Just so that's easy. But the interesting factor is that also the individual members influence the culture. So it's not a one way street, it is a two way street. And that makes it more difficult to control if you like. And it makes it very important to understand that this 'thing' is in constant change. If there's one thing we can say about culture is that: it is changing.

Monica Verma  15:28  
Yeah, and rightly so. I mean, we need to also adapt our mindset as we go with time. And that's also something we generally say about security. I mean, things said, work yesterday, not necessarily work today, the same way, look at even cloud, I mean, it just moving from the on prem to cloud; it's not about just moving your data from your servers to somebody else's server, you have to have a completely different mindset of what that actually entails. Not only from a security perspective, but also from a risk and a legal perspective. I mean, there's so many, it's multifaceted, right? So my question really is, then how do you even define good security culture? What is good?

Unknown Speaker  16:10  
That's an excellent question! There are two ways of answering that question. The pragmatic or difficult, if you like, is to say that: well, that actually boils down to you. You have to figure out what 'good' means to you. And in this context of security culture, and if you choose to go down that route —which is fine, you can do that— I strongly suggest that you look at a specific set of behavior, but remember the plasticity and the norms and ideas that you want your organization to have. But the other approach of defining good security culture is to use the 'security culture survey' and have a score of 80 or above. Then you actually know that you have a good security culture using a validated and reliable measurement instruments.

Monica Verma  17:08  
Interesting! Tell us more. What is this 80 or more?

Unknown Speaker  17:11  
Some years ago, I teamed up with some very smart people, and we created an instrument to measure security culture. Of course, back then first time you do stuff people will tell you, it's not possible to do that. But you know, we did, we have validated it. And we have measured it a number of times. Basically, we went from 139 different questions, down to a core set of 28. Over the course of three and a half years, I think, or two and a half or three years. Which means that we have a very accurate way of measuring security culture based on a specific definition. And then we take the results here, which comes in on a scale from zero to 100 —100 is best. And you would think that if you're above, you know, 'average' (so well above 50), you will be good, but no... You need to have a certain level before you can actually see that you are good. And in the beginning, this was a hypothesis we had that you know, 50 is not good; it is probably the opposite. But where do you become good. We thought maybe around 80 mark, but we didn't really know. A few years later, my company was purchased by knowbe4. And in that merger, one of the things that happened was that we were —as my team were getting access to a lot of additional data; one part of that data is actual user behaviors. Very fascinating, right? So now we are able to look at employees from around the world —and we are talking millions of employees from around the world— and how they behave when it comes to security culture. One example is phishing: will their employees open the phishing email? Well most of them do. And it's because we usually open the email to see what it is right? And then a subset of those people who open, clicks on it; and then a subset of those again enter credentials. So with that kind of data on actual behavior, and our security call to score with the same people, alright. So we are tracking the same individuals and their organizations. And then what we did was to look at the actual behaviors and the security cultural scores of their employer. I will give you two examples here. If your employer have a score of 60, or below, so not even average and below, but 60 and below. Employees will click and enter or share credentials in 52 out of 1000 phishing emails! So 5.2%, and some of you think: well you know, 5.2 is not that bad. Well, maybe it's not that bad to you, but then do the math...

Monica Verma  20:45  
Plus also passwords are reused, that's the issue. It's not just about the fact that they're doing it 5.2% of times, but that how many of the services out there would actually have that password?

Kai Roer  20:55  
Yeah. So that's one perspective. The other one is business email compromise, because we've seen a lot of those cases. But that's an example of poor security culture. Now, you also asked what, what is a good one? Well, I mentioned 80. Where did the number come from? Well, it initialy it came from our understanding, we didn't have the evidence. Now we have the evidence. And the evidence is very, very clear. So if you're in an organization with security culture score of 80 or more. Your employees now are sharing credentials in one out of 1000 phishing emails. And that is tremendous. It is a 52 times difference, right?

Monica Verma  21:49  
Yeah, it's quite extreme in terms of difficulty of actually defining the culture and that actually making that behavior change happen. Change takes a lot of time to happen. So let me ask you something, then, because you said what was fascinating for me in this is that: you have now —you've done this analysis on the data worldwide, multiple companies and user behavior and analytics on that— do you believe this score, would it suit the majority of the cultures in the world?

Kai Roer  22:19  
So for what we know today? Yes. So one of the things we make very, very sure when we created the security culture survey was that we validated the items. And we did that in a number of cycles. And with roughly 10,000 employees, over the course of several measurements in the years. Now that we are measuring other countries, we translate the original language into the local language. And that is not as easy as me just taking it and you know: "oh, it says this in norwegian, I'll just make it this in English". And English is a fascinating example. Because you have at least three, but probably more, different English language cultures. Now, when we create this survey in those other areas, we don't use one English. We have US English, British English, Australian English. We do the same with French, for example. So French French, Canadian French; Spanish, we have a European Spanish (or Spain Spanish. I don't know what they call it, but you know...) Spanish, and Latin American Spanish and they were exploring, do we even need to make an Argentinian and Chileen, Colombian, Mexican, so we are looking into these things to make sure that we measure the culture as accurate as possible.

Monica Verma  23:55  
Is it possible for you to share maybe two three questions from that 28 that you mentioned. What kind of questions they are? Just for the audience to have an understanding.

Kai Roer  24:07  
So I cannot share the actual items—due to IPR. But if you take a look at the security culture report for 2021, we share a couple of the items in the translated way if you like. So basically, we share the idea what we are measuring. And what we're measuring is the cultural aspect of security. So not really the knowledge. So whether or not you know how to use a password manager is.. that's we call 'considered knowledge'. So we don't do that in the 'cultural side'. But we do ask questions around: do you or your colleagues discuss or talk about security culture and if you do in what kind of form? To what extent do you know the policies of the organization? How do you observe your colleagues when it comes to security, and those kind of things. And again, the point here is that we are not asking you about how you are behaving, we are also asking you about what you are observing.

Monica Verma  25:20  
Interesting. So that gives you basically insight into not only one person, but everybody's perspective on what's happening in the organization. And that helps you basically understand and score the security culture of the organization in a way of what I understand? Fascinating, fascinating. Okay, let's say some organization takes your methodology, and they want to apply it to their organization; they do some surveys; they check out; that let's say they are way below 80. And they want to approach '80'. What would you recommend to them? How will this methodology also help them understand how do they approach '80'? Or how does it work?

Kai Roer  25:57  
So the scale itself, today just have general recommendations, we are working on a set of more specific recommendations; to move you from one bracket to the next one. And the reason for that is that it takes a different effort to move from below 60 to the next one, then it takes from below 80, to pass 80. So the specific things that we are observing, and then the recommendations will be to put those things in place, and then move to the next one.

Monica Verma  26:37  
You talk a bit about human aspects. So let's try to maybe wrap up with that, what in accordance to you: what is your opinion, understanding and experience on the human aspect of the security culture?

Kai Roer  26:48  
So I think the most important thing that I believe is mostly ignored by our security professionals: is the fact that we are making mistakes. So as an individual as a human, it is in my nature to click on that link; it is in my nature, to to share my credentials; it is in my nature to make these mistakes. I don't mean to do it, but my brain is wired in a way that I will be doing it. So as professionals, we need to realize that. And that change is happening quite fast now. Especially over the past five years, this is getting somewhere. But what we are still missing is the next logical step. If we accept that I will make that mistake, we also need to prepare 'me' and the organization for what happens when I do. So I need to know: what do I do when I realized that I have actually shared my credentials? Do I pretend I never did that? Or do I know exactly who to call; and those people I call know exactly what to do when I call. And that's where I believe we need to go, we are not there yet.

Monica Verma  28:19  
And this last thing that you mentioned is so true and so important. Because the real change and a sustainable change, in my opinion will only come when we are allowed to make mistakes; It's not taboo; It's not a blame game; it's not shame. And then we can actually talk about it in a way that we actually helped organization get better instead of worrying about the consequences of making a mistake. And the saying or the same that goes is to us is human is a very old thing. And I feel like accepting that is the first step, and then changing after we accepted, as you say, is the second step. Fantastic. I think that's a lovely message Kai. And I will take that as really your key message from this whole conversation. It was really, really lovely to have you on the podcast show today. I had really an amazing time. I had a really fun conversation with you. So thank you for that.

Kai Roer  29:14  
It's been all my pleasure. Thank you so much for dragging this information out of me.

Monica Verma  29:20  
Lovely, it was a pleasure. So that was today's episode: We Talk Cyber with Monica. We talked a lot about security, culture, communication, and also the human aspect of it. And I really loved as a surprise, key message on accepting to error is human. And also then taking the next step of what we do with that and how do we build a positive security culture going forward. I hope you enjoyed the conversations as much as I did. I'll be back with more episodes, fantastic guests and amazing conversations. So please continue tuning in, take care and stay safe.

Outro 29:51