Improve Your Cyber Security Culture

Estimated read time: 1:20


    Summary

    In this compelling session, Russell Eubanks from the SANS Institute shares his extensive experience and insights on cultivating a robust cyber security culture within organizations. Drawing from his career in cybersecurity leadership, Russell emphasizes the importance of involving every level of the organization in cybersecurity efforts. His key messages include assigning clear responsibility for the company's cyber culture, using language that resonates with every team member, incorporating cybersecurity awareness into every employee's evaluation, and practicing scenarios through tabletop exercises. By following these strategies, organizations can integrate cybersecurity into their core culture, thereby enhancing resilience against cyber threats.

      Highlights

      • Cybersecurity is not just an IT issue; it's a company-wide responsibility 🌐.
      • Use clear and resonating language tailored to different departments 🏢.
      • Include cybersecurity metrics in performance reviews to enhance accountability 📈.
      • Run regular cybersecurity drills to prepare for real-life incidents 🚨.
      • Empower non-technical staff to understand their role in maintaining security ⚙️.

      Key Takeaways

      • Empower your entire organization to embrace cybersecurity as a key culture element 🌟.
      • Use engaging and relatable language to communicate cybersecurity matters effectively 🗣.
      • Incorporate cybersecurity awareness into regular employee evaluations for accountability 📊.
      • Practice readiness through regular tabletop exercises and simulations to improve response ⏱️.
      • Cybersecurity should be a shared responsibility, not just the IT department’s job 🤝.

      Overview

      Russell Eubanks from the SANS Institute delivers an insightful session focused on enhancing cybersecurity awareness and culture within organizations. He draws from his tenure at the Federal Reserve Bank of Atlanta and his firm 'Security Ever After' to provide a roadmap for embedding cybersecurity into the corporate culture. Key to his approach is ensuring that leadership prioritizes cybersecurity by integrating it into all levels of organizational operations.

        An engaging highlight of Eubanks' talk is his emphasis on language and communication, proposing that cybersecurity topics be discussed in terms familiar to all employees, thus breaking the jargon barrier. By tailoring messages to resonate specifically with each department’s role, Russell argues that organizations can ensure wider understanding and engagement with cybersecurity policies and practices.

          Eubanks also advocates for incorporating cybersecurity responsibilities into employee evaluations, suggesting this as a method to promote personal accountability. He further recommends conducting regular tabletop exercises to simulate cybersecurity incidents, preparing teams to effectively respond to genuine threats. Russell concludes by encouraging leaders to make cybersecurity a part of everyday operations and decision making, rather than an afterthought.

            Chapters

            • 00:00 - 00:30: Introduction In the introductory chapter, Russell Eubanks expresses enthusiasm and eagerness to discuss methods for enhancing cybersecurity culture. He mentions his credentials, which include being a principal instructor with SANS for 13 years, writing classes, serving as SVP, CIO and CISO at the Federal Reserve Bank of Atlanta, and starting his own company three years ago.
            • 00:30 - 01:30: Russell Eubanks Background The chapter introduces Russell Eubanks and the context of the session. It emphasizes the importance of interaction and encourages the audience to ask questions or make comments during the session. The speaker, likely Russell, expresses gratitude for the attendees' presence and aims to provide them with valuable insights in exchange for their time spent in the session.
            • 01:30 - 03:30: Importance of Cyber Security Culture The speaker aims to inspire the audience to improve their cyber security culture. He acknowledges that time is valuable and hopes to make the session worthwhile, and he explains why he chose this topic, highlighting its potential impact at both the personal and the organizational level.
            • 03:30 - 05:00: Creating a Cyber Security Culture The chapter titled 'Creating a Cyber Security Culture' discusses the enduring significance of cyber security within organizations. The speaker, with extensive experience in the field, acknowledges that the term 'cyber' has become a buzzword but emphasizes the necessity of understanding and engaging with cyber security practices. The chapter aims to encourage active participation in activities like monitoring alerts, training, and understanding the broader implications of cyber security in the professional environment, emphasizing its critical role regardless of its modern terminology.
            • 05:00 - 10:00: Four Practical Ways to Improve Cyber Security Culture The chapter discusses the reality that most companies and organizations do not primarily exist because of cybersecurity needs. Instead, they are focused on generating revenue, serving the public, protecting nations, or responding to emergencies such as those in the medical field. Cybersecurity is presented as an important aspect but not the core reason for the existence of many enterprises.
            • 10:00 - 15:00: Example from Federal Reserve Bank of Atlanta The chapter focuses on the increasing importance of cybersecurity in today’s world. It highlights how companies strive for cyber resilience due to the growing complexity and frequency of cyber attacks. The conversation underscores the heightened awareness and attention that security issues have garnered in business and media.
            • 15:00 - 20:00: Role of Leadership in Cyber Security The chapter addresses the frequent occurrence of cyber security incidents, illustrated by a recent example involving Dallas, Texas, and implies the importance of leadership in preparing for and responding to such threats.
            • 20:00 - 30:00: Using Language that Resonates This chapter centers on the constant stream of reminders and alerts about cyber incidents. The speaker emphasizes the importance of cultivating a cyber security culture in response to the ongoing impact of these incidents, and explores how language can be used to resonate with colleagues and influence that cultural development.
            • 30:00 - 40:00: Cyber Security in Employee Evaluations The chapter discusses the importance of integrating cybersecurity into the culture of an organization. It encourages a proactive approach where not only the security team but all employees, regardless of their roles, contribute to the cybersecurity landscape. The focus is on cultivating a mentality that values security throughout the organization, envisioning a future where cybersecurity becomes a core component of the organizational culture by the end of the week or year. The chapter promotes the idea of imagining and realizing a culture where everyone is aware and involved in cybersecurity practices.
            • 40:00 - 50:00: Conducting Tabletop Exercises This chapter discusses the importance of tabletop exercises for cybersecurity leaders. It emphasizes strategic planning aimed at improving cybersecurity measures to prevent, detect, and deter threats more efficiently. The chapter encourages the intentional development of a corporate culture that not only involves the team in technology and cybersecurity initiatives but also actively engages them.
            • 50:00 - 60:00: Getting Wisdom as Cheaply as Possible The chapter titled 'Getting Wisdom as Cheaply as Possible' discusses the idea of engaging an entire organization in the practice of cybersecurity, turning it into a collective effort rather than just the responsibility of tech experts. The speaker, identifying as a 'geek' or 'nerd,' emphasizes the importance of building a culture of cybersecurity and expresses gratitude for the participation of many attendees, which highlights the significance of widespread involvement in cybersecurity efforts.
            • 60:00 - 70:00: Scheduling for Success The chapter titled 'Scheduling for Success' focuses on building, nurturing, and growing a culture of cybersecurity within organizations. It discusses the significance of cybersecurity as a top risk for many companies. The chapter provides insights into strategies and takeaways that can be adopted to enhance cybersecurity awareness and practices. It also mentions the role of coaching, mentoring, and virtual CISO (Chief Information Security Officer) in strengthening a company's cybersecurity posture.
            • 70:00 - 85:00: Questions and Answers The chapter discusses the experience of teaching and touches upon the role of public companies in the United States. It mentions the requirement for publicly traded companies to file reports quarterly according to the Securities and Exchange Commission (SEC) regulations. There is a sense of excitement around the teaching responsibilities, particularly because it involves real-life interactions and scenarios.
            • 85:00 - 96:00: Conclusion and SANS Courses In the conclusion and SANS Courses chapter, the narrator discusses a method of using publicly available financial documents, like the 10K annual reports of publicly traded companies, as a source for cybersecurity research. They suggest accessing these reports through the SEC's Edgar database or through the company's website to examine how often cybersecurity is referenced. This approach is recommended as a way to gather information about a company's cybersecurity focus and is also suggested as an educational exercise for those interested in exploring cybersecurity topics.

            Improve Your Cyber Security Culture Transcription

            • 00:00 - 00:30 hey everybody Russell Eubanks here really excited really eager to talk to you today over the next few minutes over how you can improve your cyber security culture what gives me the right to do this uh privilege to be a principal instructor with SANS I was looking at my calendar just the other day I've been teaching with SANS the last 13 years just hard to believe and also uh worked on writing some classes as well my former day job was SVP CIO CISO of the Federal Reserve Bank of Atlanta and three years ago started my own company
            • 00:30 - 01:00 security Ever After but the most important part is uh thanks for being here really enjoy seeing many familiar faces and names here in the chat box uh as always if any questions comments or anything throughout the uh time that we're together today please don't suffer in silence please please please please just let me know and be happy to address those as they come through and my goal for you is in exchange of you spending time with Laura and myself today in this uh session I'd like to equip you and
            • 01:00 - 01:30 Empower you to go and make a difference improve your cyber security culture again that's my goal that's what we want for you uh in exchange for the time that you're spending with us so with that said hey let's get going and do this now and you might be wondering okay Russell give all the things I can talk about of all the things I can spend my hour on right now why this topic you know I'd rather Chase and work on Cyber things or
            • 01:30 - 02:00 chase alerts or stop malicious emails or go to training learn some more cyber things and you're like well why would I even bother to do that well I'm glad you asked and as it turns out I may not need to share this with many of you but you know cyber security remains a critical aspect at at every organization now in my career I've been in cyber long before we had the word cyber to use all those kind of the buzzword these days is cyber but there
            • 02:00 - 02:30 was I never worked at a company that existed because of cyber security like never for a cyber security vendor or the only reason a company exists is because of cyber but I imagine where you work right now I imagine places you work in your career kind of the same way they exist to make Revenue do good for the public do public service protect you know countries respond to Medical emergencies all types of things
            • 02:30 - 03:00 that you have worked at companies that they've tried to achieve but they didn't exist they didn't create those companies because a cyber however more and more becoming so critical the dependency the resilience on cyber security for for all of us is something that is certainly captured you know our attention and as the tax get more sophisticated and more frequent I tell you when I pick up the newspaper or I look at Twitter feed or look at Sans
            • 03:00 - 03:30 news bites or look at all the different places that we can get information it's kind of rare that we don't get information about yet another company that's been compromised I woke up this morning and saw that you know some parts of Dallas Texas structures are are being impacted now because of perhaps a rant somewhere perhaps an incident I'm like I got friends in Dallas I've been to Dallas many times to teach and do things and I was like that's it's a bad day again
            • 03:30 - 04:00 it's rare just as that one example that I saw earlier this morning it's rare for us not to learn about this and it was rare for us not to get an alert or three on a particular day that says yeah there's a reminder that cyber incidents the impacts of cyber incidents continue to impact us and what do we do as a result of that what we could choose to do is to help to develop a culture of cyber security why
            • 04:00 - 04:30 do we want to create a culture and cyber security well so that not just the security team the me you and us here in this conversation but you know just imagine imagine what would it look like in the future imagine what would it look like before the week or the year is over If You Were Somehow to insert security into the culture of your organization whatever organization that you work at I just kind of imagine you
            • 04:30 - 05:00 know we oftentimes as cyber security leaders we do work on strategic planning we plan for the future we plan to improve our cyber reprint to prevent detect deter much faster and we put initiatives we have funding we get to grow our teams to do that what would it look like if you were intentional about it had a plan to develop a culture that didn't just engage your team in technology your team in cyber security but
            • 05:00 - 05:30 dare I say would engage your entire organization what would it look like if it became a team sport not just a sport of us Geeks and nerds and I professed to be one of those so how are we going to do this that the next few minutes I'm going to explore how to build a culture of cyber security again in exchange if you spending some time with us today again so grateful it's amazing to see so many folks here love love love it so much like to make you aware of
            • 05:30 - 06:00 this and then help you to have some takeaways in particular four takeaways maybe a few extras along the way to help you build and nurture and grow a culture of cyber security in your organization you see in a lot of companies cyber security is their top risk I spent a lot of time doing coaching mentoring virtual CISO a
            • 06:00 - 06:30 lot of teaching for SANS matter of fact I get to teach the next two weeks per day I'm so excited about getting to do that in real life so amazing the beautiful thing is one of the things I work on especially for companies that are publicly traded in the United States thanks to the SEC the Securities and Exchange Commission every publicly traded company has to get to tomato tomato has to get to file reports on a quarterly basis one report I look at a lot for publicly
            • 06:30 - 07:00 traded companies is their 10-K or their annual report and one of the things I do and you could try to do this as well is to look at a publicly traded company go to the SEC's EDGAR database EDGAR or also on a publicly traded company's website you can see their annual report and one of the fun things I'd like to do is download the PDF look at that and then just do a search hey how many times is the word cyber mentioned in the annual report and I
            • 07:00 - 07:30 have to tell you it's like rare to not see that matter of fact I work did some research earlier this week for one of my clients I saw there was over a hundred mentions in their annual report of the word cyber and the risk that it posed and very common to have that very common to see that and in fact if you work with or work for a public and Trading Company you could do right now you could say oh how important when the company talks about itself to their Regulators when talk about to their investors to their
            • 07:30 - 08:00 executives how often is the word cyber mentioned there's not a magic number but I think it might be something interesting to watch and to track and to see how it continues in my opinion to grow and to grow and to grow but how does this relate um you know it's interesting back in the day I was privileged to lead very very large team at the Federal Reserve Bank of Atlanta Atlanta is where I live and I had the privilege because my leader my
            • 08:00 - 08:30 boss the Chief Operating Officer she was second in charge of the whole operation she was really concerned about it was a champion of cyber security and I had the privilege of briefing a large amount of the organization leaders in the organization on Cyber on a monthly basis amazing Focus there in that organization and every once in a while my leader Marie she since been retired and of course I don't work there anymore either but she would make a statement and and I
            • 08:30 - 09:00 would always choose to believe this statement was a rhetorical question you know a rhetorical question where someone asked a question but they really don't want an answer they didn't make it more of making a statement and so my former leader would have this rhetorical statement that says if cyber is a top risk hey everybody if cyber security is a top risk and then she had followed up with what are we doing to treat it that way
            • 09:00 - 09:30 if cyber is a top risk what are we doing to treat it that way and I'll never forget the first time I heard it I remember I was sitting up a straighter in my chair and like oh this is kind of what we asked for is cyber professional cyber practitioners we've wished we've longed we've waited for someone to give us attention and I'm afraid my friends that's exactly what we have right now so I'll ask you this question if cyber is a top risk in your organization and I imagine it is
            • 09:30 - 10:00 what are you doing to treat it that way like if you had to prove to me if you had to prove to Laura that cyber is a top risk how could you prove it would you show me your calendar would you show me your briefings would you show me your slides would you show me metrics and dashboards how could you prove that you see I want it to be the case that because cyber is a top risk I want you
            • 10:00 - 10:30 to be able to treat it like the top risk it is more attention more funding more exposure more mentions in an annual report all kinds of things could help to demonstrate that but how could you prove that that that's something a little bonus thing to think about there so let's examine this in four different ways and not just because number of not just because it's May the fourth was so cool of that and you probably see messages going back and forth but we're gonna happen to have four different ways and
            • 10:30 - 11:00 that's what we'll talk about to improve your culture so you'll learn four different practical ways to improve your cyber security culture and these are things that you can do before you log off at the end of the day things you might have recurring calendar reminders to focus on and continue to work on throughout the rest of your cyber security career and the goal is to not just have information like me telling you four things four practical ways but I want each of them to also have an action step
            • 11:00 - 11:30 I wanted to move from information well that's interesting trivia information to application again that's my goal for you here so ready set let's do it so this information for a couple of points of key points of attribution first one is that myself Ryan Rosado Fleet is Poston Professor Roger white he we have some conversations on topics of cyber security in a regular basis we talked about this quite a bit as it turns out this came from the idea from this uh
            • 11:30 - 12:00 came from MIT School of Management MIT Sloan School of Management specifically as you can see here it says how to build a culture of cyber security again not just Russell's idea it's really smart people that publish This research that says okay you wanna know how to do this here's how we go do this and specifically kind of zoom in on this we can see here's how to infuse safe Behavior into culture into corporate culture here's how to infuse safe
            • 12:00 - 12:30 Behavior into corporate culture wow not sure I understand what that means but look at this like I think I'd like to do that I like to infuse some safe behavior in our corporate culture I thought I was blocking alerts I thought I was responding to DLP alerts and sock alerts and updating my security policy no no here we want to have something even bigger than that and and if I could we were kind of
            • 12:30 - 13:00 sitting around having a cup of coffee together maybe uh you'd ask me this question hey Russell how do I do that how do I infuse safe behavior into corporate culture but I think a really neat way would be to with more attribution to Brené Brown so on a bookshelf right behind me lots of books there one book I've had on my shelf for a long time it collected dust for years and years and years I finally read it from Brené Brown it's called Dare to Lead Dare to Lead highly
            • 13:00 - 13:30 recommend you can see some YouTube talks and TED talks from her but she makes a point in that book Dare to Lead she says these words to be clear is to be kind to be clear is to be kind I love that I quote it all the time it's like you know what you're right we as cyber security leaders cyber security practitioners we could do well and I'm raising my hand I'm guilty this could be doing well to be more clear and it would be kind to our colleagues if we were more clear of how we want to do these
            • 13:30 - 14:00 particular things one example Lance Spitzner and I would talk about this one quite a bit we can look at the things that we say the language that we use one of those is maybe you've made this statement okay I've made this statement security is everyone's job security is everyone's job it's kind of memorizing maybe get a tattoo maybe get a shirt maybe you get a little slogan or a trinket that says security is everyone's job but but if you think about it you know security probably is your job
            • 14:00 - 14:30 and security definitely is my job but what about my non-tech non-cyber friends and colleagues and leaders it is the catchy phrase security is everyone's job but if we don't help every one of our colleagues our CFO our CEO our accountant our physical security uh partners and practitioners if we don't help them to see how they're involved and invite them to be involved in our security culture
            • 14:30 - 15:00 they're just going to say things like well yeah that's Russell's job and Laura she's got that and Alex and Andy and Ann and Anthony and so many other people yeah there it must be their job I'm busy being an accountant I'm busy defending our building I'm busy writing code or doing Dev set-ups or unless we're clear what would it look like instead to say security is your job so way number one here is to consider
            • 15:00 - 15:30 again with full attribution and full mad respect to MIT Sloan School of businesses to look at this and say you know what would it look like to make it someone's job to be the culture owner like someone's responsibility to do that and the article they talked about a given example at a large bank there's a CEO of a very large bank and worked in financial services for a while uh myself where the CEO kicks off all of the all
            • 15:30 - 16:00 staff meetings with a cyber security story or a briefing or a reminder again go back in your memory breaks just a few minutes ago when I was at a very large very prominent Bank my leader she would say if cyber security is a top risk what are we doing good treat that way she was in fact before we had the language and the vocabulary the culture owner she set the tone at the top to help us all realize hey this is an important thing what are we doing to treat that risk in this way could be a
            • 16:00 - 16:30 personal experience uh relevant or noteworthy incidents that are happening but think about this what would it look like if someone who's not you had that voice now you're like wow my CEO they're too busy they don't know cyber they don't know all the jargon they don't know the language and you're right you're right you're right you're right about all that stuff truth is it might mean that while the owner might be the owner of the culture
            • 16:30 - 17:00 in your organization might be someone with Chief in their title or chief in their job description it might be that you yeah you it would be the one who would give them ideas or give them relevant anecdotes or stories or you know somehow de-anonymized uh information from previous incidents or lessons learned to share in a way that first that respects privacy respects human rights and individual uh privacy protections but
            • 17:00 - 17:30 says hey you know last year ransomware is kind of a thing and and last year our incident costs were going up and to help remind them again so even if you're the person that has to equip them or give them a little one pager that says here's some here's some words that you can say and maybe they do that their voice is more powerful their voice is more meaningful than what my voice is and what your voice is and what our voice is so again even if you have to write the words even if you have to coach them up
            • 17:30 - 18:00 a little bit yeah Power the authorities that they have when someone else's job is to be the culture owner what would that be worth I imagine that'd be pretty priceless can this idea this idea of initiatives like that minutes of time four minutes of time recurring basis all of a sudden folks will start to remember those will start to pay attention those folks will start to realize and expect that everyone has a role to play and security
            • 18:00 - 18:30 culture embracing attitudes and embracing beliefs those attitudes and beliefs that ultimately affect our overall security Behavior and as we think about that who can be that person for you who can be that non-tech hopefully executive who can help change and drive the change of attitudes and beliefs and ultimately Behavior
            • 18:30 - 19:00 why do I need that again I I like technical things I like looking at Frameworks I like looking at alerts I like looking at all the things I like looking at it and I imagine you're the same way but what if what if that was possible I imagine your budget the budget your company the budget your team doesn't afford you to have every cyber person to sit with every single colleague in your organization it's probably a bad
            • 19:00 - 19:30 financial decision if that's the case because there's a lot of places where finance is and human resources and people can be deployed to do good for their company and in light of that are there ways in which proper messaging someone being the culture owner the next best thing what if everyone was invited to participate in the sport of cyber security again it doesn't have to be the CISO it
            • 19:30 - 20:00 doesn't have to be the CIO and if it's not that's even better having someone to be the voice to be the face to be the advocate for everyone being involved in cyber security culture at your organization again that's something that can happen why does this matter and I think of culture to come back I think of culture uh with culture and I think like this people living and doing things just like at your company your certain
            • 20:00 - 20:30 times, certain ways of doing your job, and everything. And culture is a hot topic. I remember when I was recruited to go and work at the Federal Reserve Bank of Atlanta. I had a great job before, was very familiar with how things were working, kind of knew my role in my prior organization. And if you were to go and ask the HR recruiter, Herb, "Hey Herb, what's the number one, what's the top question that Russell asked over and over and over and over
            • 20:30 - 21:00 again?" It was about the culture. "Hey, tell me about the culture. What's it like to walk the halls of the organization?" I mean, I'd learned about the organization, like in an economics class back in college, but what was it like to work there? I don't know. I don't know. And I imagine with job changes, promotions, you're kind of like, "I'm kind of comfortable here. What's the culture like there? Is it worth it to risk leaving something I'm familiar with to go be and
            • 21:00 - 21:30 participate in a culture that maybe they won't like me, maybe I won't like them, and then what will happen there?" You see, culture matters a great deal. Culture is really important. And this idea, this critical question for the first of four things to talk about on May the fourth here, is for you, in your company: who owns, who's responsible for security culture? Now, maybe if I could overcome an
            • 21:30 - 22:00 objection, some of you might be saying, "Well, the CEO, they never listen to me. I've never met them before. They don't know who I am." Maybe there's opportunity for you to start. Maybe there's opportunity for you to lead even before you're in charge, maybe to start and generate that momentum, to say how can we be more clear, how can we be more kind, how can we invite more broad participation from the non-security people in understanding and
            • 22:00 - 22:30 helping our company be more safe and secure. Perhaps looking at way number one, so then let's say, well, okay, there's one way. Okay, maybe you have some ideas, maybe there's some takeaways, maybe some things that you can do there. Another invitation I want to make for you here is this idea, looking at way number two: if you want to foster change, and I imagine you do or you wouldn't be here. Well, so many people here, wow, so awesome and overwhelming to see that. How can we communicate
            • 22:30 - 23:00 in a way where our colleagues can actually understand it? To begin with, a hat tip and mad respect to our friends at MIT Sloan School of Management. They said, use language that resonates. Use language that resonates. What does it mean to use language that resonates? Well, I'll tell you. Several years ago it was a long-term goal of mine to become a chief information security officer. Finally achieved that goal, done that several times, it's like, yeah. And then, for
            • 23:00 - 23:30 reasons beyond my understanding, the company asked me to consider being the CIO instead, so leading all of IT and cyber, not just cyber. Okay, well, more money, more responsibility, more influence, okay, we'll give it a try. And on my very first day, never forget it, one of the project managers came up to me and says, "Russell, if you want to be successful as a CIO..." You know what, it really wasn't on my vision board to be a CIO, but yet, please, please, please, go on.
            • 23:30 - 24:00 "If you want to be successful as a CIO, there's a key to your success. There's a key." Yeah, let me get a note, let me write this down. What's the key? And he told me, he says, "You have to learn to be bilingual. You have to learn, Russell, how to speak another language. If you want to be a successful CIO you need to learn how to speak another language." I thought, another language? I'm looking at English, that's kind of about it. So I've got to learn German or Dutch or French? And he
            • 24:00 - 24:30 said, "No, speak the language of business." The language of business. How can I be bilingual? I need to be able to not just speak cyber, speak tech, speak APTs and MITRE ATT&CK and all these other things that we have in our normal vocabulary. But when I'm communicating the status of our program, when I'm having lunch with a business colleague,
            • 24:30 - 25:00 if I say things like MITRE ATT&CK and APT29 and all the other things that we say when we're amongst friends who understand that, when we say those things to others, they can hear something else: "Again, he's saying things I don't understand. He's excited about it, but I have no idea what he's talking about." I need, and I imagine you need, to be able to use language that resonates with your business colleagues. This idea says, how could you do this? In the article that I referred to, and again,
            • 25:00 - 25:30 full attribution, we'll share a link, we'll share the slides, all the stuff's coming your way, and that's one of our commitments, to do that. One idea that was shown there is that a major insurance company determined that the term "cyber security," as cool as it is, as cool as that word is, it just wasn't resonating at their organization. And they changed the messaging from "Hey, cyber security is important and we need to focus on cyber security and it's a top risk," they changed it to "Our goal is to protect our data and our
            • 25:30 - 26:00 systems." Oh, that's more clear. That's language that resonates. It says, oh, that's why we're doing cyber, that's why it's important, that's why we want to, we need to, we must be able to respond to this. Oh. So in that organization, in that culture, finding language that resonates better, maybe working with your communications team, maybe folks that are writers as a profession, or folks who've been trained
            • 26:00 - 26:30 to be great communicators outside of cyber: when I say "cyber," how does that resonate with you? And if so, great. If not, find alternate ways to be able to share in their words and their language, in ways that could make it resonate even better. I know it's cyber, you know what cyber is, we know what cyber is, but what if, what if there's a better way to use language that would resonate even better with them? Taking this idea to, you know,
            • 26:30 - 27:00 videos or blogs or articles or quick little videos, or gosh, you could pull out your phone these days and very, very quickly be able to communicate or send a message, assuming you're okay, that your company's okay with you doing that, to make something catchy, capture their attention, capture their desire, capture their interest, capture their willingness to participate in the mission of being involved with understanding and doing the things that are necessary to protect the information assets at your organization. And some companies, that brings back some
            • 27:00 - 27:30 memories here, this idea of looking at some companies, that language might be money: hey, we can save money, hey, we can avoid fines and avoid penalties, avoid embarrassment when the world knows that maybe we're not as good at cyber as what we wanted to be. There you can look for what competitors are doing, folks in your industry, peers. Maybe you have a formal or informal network of fellow security practitioners that you regularly connect with. I sure
            • 27:30 - 28:00 do, on Signal, different lists and ways to connect with peers and colleagues: hey, what are you doing on this problem, or how are you dealing with tabletops for your executives? Being able to get and understand that information clearly, as quickly as possible. And again, sometimes it's by communicating with respect to dollars, opportunity cost, dollars spent, and any trends that are shown there. And then we get to this
            • 28:00 - 28:30 critical question number two here that says, okay, in your organization, again, I can't answer the question, I can only present the question to you. Here's the question: what language in your company resonates better? Is cyber the word? And you say, "No, no, it's not. Nobody really kind of understands that." What would it look like to be able to communicate in business language the cyber things, having that
            • 28:30 - 29:00 ability to pivot from cyber speak to business speak, so that your folks who make decisions of how much budget you get, how much funding you get, how much support you get for your security program, how can you speak in a way where they can understand and they can make a more informed, risk-based decision? That's the first two, and hey, we're halfway there, and some would say we're living on a prayer, but wait, that's just my 80s brain going on here. This third way, third of four ways, is this: to make cyber security
            • 29:00 - 29:30 part of a formal employee evaluation. Now, if I were to ask you before the start of the hour, well, we're already halfway through our time together today, you know, get questions, comments, cries of outrage, things to share, love to see and respond to those accordingly. But if I were to say, "Hey, is cyber part of your job, your job description?" You say, "Oh man, like a big part, like I better do cyber well if I want to get a good bonus or incentive, or have my job next year." But
            • 29:30 - 30:00 what about your non-tech, non-cyber colleagues? Hmm. You see, there, if we were to make cyber a part, not like a massive part, but maybe a little part of everyone's job, for the colleagues, not the "users" but your colleagues, your professionals, folks who work at the same company you work at that just are experts in other areas. If you made it a part of their job description and you held them accountable
            • 30:00 - 30:30 to perform that itty-bitty part of their job of being cyber. Now I'm not saying that when someone clicks on a phishing test email, you're probably doing those maybe on a regular basis, the first time someone clicks on that you fire them, they lose their job. That's mean, that's cruel, that's kind of aggressive. But maybe there could be some consequences when someone does something that weakens or lessens or makes less secure your
            • 30:30 - 31:00 security posture, through real phishing tests, or leaving things on their desk they shouldn't leave, or exposing information they shouldn't expose, or whatever those things are that cause pain and angst at your organization. Maybe, if you wanted to be clear, and by being clear be kind, as Brené Brown in her book Dare to Lead says, maybe making folks aware: "Hey, by the way, this year we have this new initiative. We're going to have culture be really a big part of our
            • 31:00 - 31:30 organization." Maybe the CEO at the all-hands meeting says, "Hey, cyber is your job, not just some vague cyber things that happen. Everyone is going to now be held accountable for your behaviors," and be clear around those expectations, "and hey, at the end of the year you're going to be evaluated. Maybe five percent of your evaluation is how well did you engage and support the mission of securing our company's most important
            • 31:30 - 32:00 assets." Hmm. So I've worked at places where, in the past, someone that would click on an email, or click on too many emails, or be the root cause of incidents, would have demerits on their annual review, and they would literally get less money at the end of the year. If their behaviors, that they were trained how to avoid, and they behaved a certain way anyway, they actually got less money at the end of the year. That's the way to get someone's attention. I hate that, though; I want my full
            • 32:00 - 32:30 bonus, of course I do. Do you want yours? Of course you do. How can I make sure that I do things to get my full bonus, to get my promotion, to get my raise, to get whatever it is that's important to me? When we tie cyber security in as a part of employee formal evaluation, then we might be able to do this. And it's not making up things; certainly my recommendation here would be to partner with your colleagues in HR, human resources. I imagine they have a progressive discipline policy that's in
            • 32:30 - 33:00 place that says, hey, if you do these bad things you'll be invited to do those bad things in another company, because we just can't afford you doing that in our organization. Now, a long time ago I was privileged to work, it was my first management job, at UPS, a company actually headquartered here in Atlanta, and it's an older policy, but again, I'm an older person, 20-plus years ago: if you stole from the company twice, you lost your job. So I would train
            • 33:00 - 33:30 drivers, or package car drivers, that come in: "Hey, welcome to UPS, we're glad you're here, here's your policies. Now, by the way, make sure that you don't steal twice, because if you steal twice you'll lose your job," and there's a contract that said that. Again, at this point it's not the case anymore, so don't go think of this as permission to go steal things from any employer, but again, many, many years ago they had that consequence: you steal once, you get written up; you steal twice, you've got to lose your job. So I would
            • 33:30 - 34:00 make a statement of, "Hey, if you go steal, make it a good one, but don't do it twice because you'll lose your job." Again, an example of a policy that was in place a long time ago. But what does that say? It should say that eventually not following policy, eventually clicking on every phishing email, eventually leaving information out, or sending it to your personal Gmail account, or whatever behaviors are inappropriate and are against your policy, eventually not
            • 34:00 - 34:30 following policy should lead, and needs to lead, to loss of employment. See, this from Cletus is great. Great to see you here, good friend. I mentioned you by name a little while ago. "Security isn't what we do; we are managing our levels of insecurity. How insecure are we? How do we manage and bring that risk down as low as possible?" Love that. You're spot on, you're exactly right on that, Cletus, and again, always great to
            • 34:30 - 35:00 see you. Eventually not following policy needs to lead to loss of employment. But you're gonna go, "Russell, how do I do that? What would that look like? Help me make sense of that. Is there a template? Do you know somebody? Can you help me do this easier, better, faster, stronger?" Yeah, with a little help from our friends, and my friends, I mean our friends at NIST. Turns out, I imagine you're all familiar with this, the Cybersecurity Framework. Turns out it's been out there for 10
            • 35:00 - 35:30 years, I can't even believe it. Version two is about to come out; NIST said at RSA Conference last week they expect that to be out by the end of the year. But as it turns out, assignment of job responsibility already exists, not one, not two, but three actual places. There's three places, and here they are, and the exact places in the CSF where you can find that: ID equals Identify (Identify, Protect, Detect, Respond, Recover, that part), and then AM, Asset Management. The sixth
            • 35:30 - 36:00 thing under Asset Management says roles and responsibilities for the entire workforce and third-party suppliers and customers and partners are established. So for those of you aligning to, or wondering how you compare to, the Cybersecurity Framework, there's words here, there's language you could, like, copy and paste. Like, for those of you based in the US, and I realize not everyone is, but those of us based in the US, you can, like, hey, thanks for the taxes that go to fund NIST. You got this
            • 36:00 - 36:30 language; you can copy, paste it and feel good about it. It's there and available, a pretty low bar to be able to understand this. And with your leadership's permission, maybe HR's permission, maybe legal and privacy's permission, being able to help fuel progress toward making it clear, to have an evaluation, evaluate how well we're solving that. And so then the critical question for this topic here is
            • 36:30 - 37:00 this, and again I'm going to give a question and you may not like the question. You can write it down, or get the slides later, or listen to the replay later: is cyber security a part of formal employee evaluation? Now what it doesn't say is part of the security team's evaluation. You've already got that covered. You're evaluated at the end of the year, maybe even more often than that, if your company still participates in annual reviews: "Hey Russell, how good did
            • 37:00 - 37:30 you do your job?" and have an evaluation, and hope to have a nice conversation with my leader about that. But here, this says for all your employees, for all your colleagues: are they aware of, and can they contribute to, being able to solve for this, even if it's a little percent, a percent, five percent of everyone's role at our
            • 37:30 - 38:00 company? How well did you contribute to, or take away from, the cyber security posture of our company? For accountants, for developers, for database administrators, and every single employee, every single colleague in your respective organization. What would it look like if it looked like that? What would your culture be? I have to imagine your culture is going to get better when people are invited to participate in the overall security
            • 38:00 - 38:30 culture in your respective organization. Which leads us then to the fourth, get the date, May the fourth, here we go, the fourth way to be able to do this, according to that article that we looked at just a moment ago, and full attribution to them, is to conduct tabletop exercises and fire drills. I'm going back in my memory bank, like a long time ago, like in elementary school, back when they called it elementary school, and junior high school, I think now they call it middle school. This concept:
            • 38:30 - 39:00 every once in a while our teacher would say, okay, I've got a fire drill, or it's a fire alarm, but there's a problem. And knock on wood, we don't want one, but if there's a problem, here's how to evacuate, here's how to huddle, here's how to keep safe in the event of a real emergency. And I'm grateful I never had an issue like that in school, but we were trained and we were prepared. We knew what to do, we knew where to go, we knew how to behave, how to act, and how to follow directions.
            • 39:00 - 39:30 But in this, this idea, through, you know, scenario planning or tabletop exercises or metaphorical fire drills, what types of testing and planning and exercises are in place? You see, if you don't want, and I don't want, and we don't want, the first time you've gone through a cyber attack to be the "How did... what do we do, and who do we call?" and my number, my internet, my emails, all these things
            • 39:30 - 40:00 that could happen, all these things, a real threat to the viability of the company, or the profitability of your company, or the reputation of your company. You don't want to learn as you go through that. You want, as much as possible, to prepare, to practice and rehearse exercises. Just like these, back in the day when I was in financial services, one of the things that we would do is we'd have very often, very frequent practice drills and exercises, tabletop scenarios, immersive exercises, to make
            • 40:00 - 40:30 sure that our team was ready, equipped, and was prepared and had everything they needed, as much as we could plan for, to be responsible for those incidents. And one of those is a unique scenario. I'm not sure where I got the idea, but I had the idea of, okay, well, let's do this: instead of just saying, in a tabletop exercise, where maybe I'd say, "Hey Amanda," Amanda, glad that you're here, Amanda, "hey, if there's a problem I'm just going to call Amanda." As part of the exercises, hey, when there's this type of problem, what do you do? And the right answer is,
            • 40:30 - 41:00 well, everyone knows, when you have this type of problem, call Amanda. She'll fix your problem. And thanks, Amanda, for letting me use you in this example. Well, it's one thing to say I need to call Amanda. What if during that exercise, and it turns out that's exactly what I did, when someone said, "Well, the answer to this problem, our production website is down, everyone knows we need to call Amanda." What do we do in the tabletop exercise? "Okay, great, call Amanda."
            • 41:00 - 41:30 And folks are like, "Wait, never done it this way before. That's new. I've not done it that way." Amanda, what if Amanda's asleep? What if she's busy? What if she's on PTO? What if all these things? And the test wasn't on "does everyone know to call Amanda?" And I promise I'll quit picking on you this time, Amanda, and thanks for letting me have the latitude there. But the goal was, okay, if you had to do that, do you have
            • 41:30 - 42:00 everything you need to be able to do that? And we would literally call those individuals and get them on the phone: "Here's what's happening. It's a scenario, thanks for playing along. And what do we do, what's the next step?" Not just assuming we knew the next action, being able to take that. And what do we learn in exercises like that? Well, we collect a little paper and pen, or note takers, to say, wow, we need to, and we have to. And even simple, practical
            • 42:00 - 42:30 things, especially these last three years, your incident responders largely have been at home. Is the incident response manual at home where they can get to it? Is it in a place where they can access it securely? What are some of the lessons you can learn, not through the exercise of just going through and saying "check the box, we did one," but collecting a list of things, adjusting your plans, your policies, your procedures, so that you can
            • 42:30 - 43:00 enhance your playbooks, make your incident response manuals more relevant, and ultimately improve the culture, also improve the culture of your organization by inserting cyber security into the culture. See, I'm tempted sometimes to say, well, I want to change the culture of my company. You know what? Until my title says chief executive officer, until I'm the boss of
            • 43:00 - 43:30 the boss of the boss, I don't have a lot of opportunity to do that. But what I can do, as a cyber security leader, professional, just like you, is I can look for ways to insert cyber into the culture, the existing culture, of our organization. And that's something I can do, that's something I have done, and that's what my invitation for you on this critical question is, to consider this. And what maybe brings back memories: I was searching for images, and I'm not
            • 43:30 - 44:00 sure I've seen a fire alarm that looks like that in, well, a long time. Because I look at this now, think about this, I have to ask you this question. I would be failing you if I didn't ask this question, and it's a rhetorical question: when was your last fire drill? Seriously, when was your last fire drill? When was the last time that you had an exercise
            • 44:00 - 44:30 like what we've been talking about the last couple of minutes? If it's been a while, maybe the thing to do is, hey, I need to go and schedule an exercise, or work with a partner, work with an ISAC, hopefully you're working with ISACs, for folks in industry or different sectors where you work at today. And if you've done one recently, a pat on the back, good for you. May the Force be with you all throughout the day and throughout the year. That's awesome, good for you, I couldn't be more happy for you.
            • 44:30 - 45:00 Wherever that lands, if you haven't done it in a while, well, what can be done about that? And see, all these things, these four things that we talked about already, it leads, for me, to the best advice I've ever been given in my whole life. It came to me from someone who has nothing to do with cyber, nothing to do with technology, nothing to do with any of the things that we love to do and make careers out of doing.
            • 45:00 - 45:30 And here's what it was. Over 26 years ago, an informal mentor of mine, what that means is she had no idea; I was like, wow, I like the way she lives her life, I like how and where she does her things, and I'm just kind of taking notes. One day when I grow up I'm going to be like my informal mentor. She gave me this advice, and the advice she gave me is right here on the screen: get wisdom as cheaply as you can. Get wisdom as cheaply as you can. What does it mean to
            • 45:30 - 46:00 get wisdom as cheaply as you can? How can I learn lessons from someone else? How can I not have to go through the same pain and struggle and incident response, and getting a phone call from Krebs, or a story in the New York Times about the company that I've been privileged to lead, or the security team that I'm a part of, or the company that I'm employed by or contract with? How can I get knowledge the easy way instead of the hard way? Looking at the
            • 46:00 - 46:30 Verizon Data Breach Investigations Report, Gartner reports, SANS reports, NewsBites, the OUCH! newsletter, so many places for intelligence to be able to pull in. And, ooh, I hear it hurts when you don't disclose everything to your regulator like you're supposed to. Oh, I hear it really is a bad idea, and a bad look for PR purposes, if you don't patch your systems on a regular basis and make sure they're configured properly. Oh, I hear it's a bad idea to say things like "security is everyone's job" and figuring
            • 46:30 - 47:00 that everyone's going to understand what that means for them individually. You see, I want for you to be able to get wisdom as cheaply as you can. For the, you know, gosh, we've been here for about 46 minutes already, a few more minutes still to go, a few more things and topics to cover, and again there's always questions, comments here, for that for sure. But as excited as I am for you to consider doing these things, what do I know about
            • 47:00 - 47:30 you? That's what I know about me. I can hear you now, and it's no accident I literally get to go to New Orleans next week and get to teach a SANS class. I'm very happy about this. But I can hear you now: you're busy. You're probably about to type in the chat, "But also, have you seen my calendar? I have so many things to do. I don't have any time for this. It all sounds good, maybe inspirational, go team, and yeah, someone should really focus on one or
            • 47:30 - 48:00 two or three or four of these things on how to improve a security culture, but I just don't have time. I don't have enough of this as it is, and you're asking me for more." And if that's you, and that's been me, I'd be shocked if that's not you already having this objection, here's my response, a statement I got from a former formal mentor of mine, Michael High. He made a
            • 48:00 - 48:30 statement, it sticks with me, I've said it probably every day the last 10, 12 years. He said this to me, he said, "What gets scheduled gets done." What gets scheduled gets done. What does it mean, what gets scheduled gets done? Well, if I were to do a screen share of my calendar, you'd see there's like a whole bunch of stuff on there: meetings, a webcast, gosh, spending time with you today has been like amazing, amazing. Nowhere else I'd have to be in the world than right here with you right now. Deep, deep in my
            • 48:30 - 49:00 heart, I mean that. But there's other things I want to remember to do, like pay my taxes, like file my taxes, like prepare for webinars, like prepare for teaching next week, like updating classes I've been privileged to run, the other obligations that I have, well, from a personal and a professional perspective. So what do I do with "what gets scheduled gets done"? Turns out you can make recurring reminders. You can make meetings with yourself.
            • 49:00 - 49:30 You can say, hey, at the end of every quarter, plan an after-action report, popularized by the US Army, maybe some of the procedures to look for in your incident response: you have lessons-learned meetings or lessons-learned briefings where you can say, hey, what lessons did we learn, kind of the opposite of get wisdom as cheaply as you can. And schedule that, so you don't have to keep space in your brain to remember, "Have I done that lately? How many days has it been?" You've got a system built in that annoys you, or
            • 49:30 - 50:00 emails you, or blocks off your calendar once a quarter that says, I want to go and see how am I doing against my goals, how am I doing against improving the security culture in my company. Again, what gets scheduled gets done. I hear the objections, I see that, I know that, and I respect that, and I realize I'm asking you to consider doing some more things, and I want to make it easier for you to be able to do just that. So I've got a question. I see, Reuben,
            • 50:00 - 50:30 thanks for your question, let me take a look at that real quick: "Even if we have a vibrant security culture, are we expecting too much of the end users?" Well, first of all, I love the word "colleagues," it's just a bias of mine. "Are we expecting too much of our colleagues? Despite our phishing awareness sessions, people can't be vigilant all the time and people will make mistakes at some point." Yep, we're all human, you know, even us cyber people do the very same thing, self included. "So what can we do to help them rather than give them more things to do on top
            • 50:30 - 51:00 of their job?" I think, you know, making it more relevant to them. For the accountant, you know, the accountant, someone in finance, maybe the controller, maybe the CFO: hey, here's how the intersection of what you're doing impacts the cyber security posture, which could also in turn impact the financial status, the financial health, financial viability of our organization. And so giving them little, small bits of education that's relevant could be one tip. And a lot of companies, they'll have
            • 51:00 - 51:30 annual training, maybe Cybersecurity Awareness Month in October, a lot of companies celebrate that and celebrate a whole bunch of things. But has it been updated lately? Is it relevant? Is it short? Is it understandable? Is it too long and boring, and people just click next, next, next, finish, just to get off the naughty list for security? Looking for ways to make it more relevant for them, more exciting for them. If your culture supports it, things like having rewards:
            • 51:30 - 52:00 when I worked in telecom, the CIO of a huge telecom company would walk around with gift cards in their pocket, and they would hand them out when they would catch someone doing something good. "25 bucks for you, 25 bucks for you, Amazon for you, Amazon for you." So assuming your culture supports it, your company supports things of that nature, being able to go out and engage and listen and participate and understand them better could be some strategies,
            • 52:00 - 52:30 Malia, to be able to engage them more and not put a heavy burden on them, but do invite them to participate in and do that. And one final thing, I said we're almost done, but one more final thing there would be maybe adopting language and vocabulary from the Department of Homeland Security. Like when I travel, when I have traveled and I will travel, they make this common statement: if you see something, say something. Maybe how you enlist them is that one simple thing: when you see something, call this number; when you see
            • 52:30 - 53:00 something, send an email; or when you see something, send a Slack message. Invite them, when something looks weird, to let you know. They're off the hook, tell me about something, and don't punish them, don't get them in trouble, but invite them to be able to do that. That would be my, a whole bunch of things there on that topic, and again, thank you for that. So we're starting to wind down a little bit. One thing here: Lance Spitzner and I are co-authors of a class with SANS, Management 521: Leading
            • 53:00 - 53:30 Cybersecurity Change: Building a Security-Based Culture. We did a lot of research in this class. We subscribe to the paid version of HBR, Harvard Business Review, for articles just like the one we started off this whole conversation with: here's what the folks in the culture world are saying about culture, here's what they're saying. Research that we've done, a lot of time putting this information together, and not just saying, okay, here's some review and survey of a lot of really smart people talking about culture, but finding ways to make it relevant, just
            • 53:30 - 54:00 like, hey, it's nice we had that article, got these four things, but what are some practical ways, through questions and responses and showing up, maybe even taking notes, of being inspired by this, to move from information to application and then ultimately to transformation: transforming and having security be a part of the culture of the organization that you're privileged to work at. What does this look like? What's an action that you could take here, completely free? Here, and I kind of
            • 54:00 - 54:30 zoomed in on this with the course demo button, turns out the class here, Management 521, we're actually going to be the first SANS class to switch from MGT, as in management, to LDR, as in leadership. I'm very happy about that, very proud about that. Lance and I are super, super stoked to be the first class to transform what we called ourselves from managers to leaders. Love it so much. And in fact, when I teach this class at the
            • 54:30 - 55:00 end of July, then we'll flip over, and after July it'll be called LDR521. Lance and I are updating the class as we speak; I'm halfway through with my updates, Lance is working on his updates. An amazing partner to work with. You've heard of him, you know him, an amazing communicator. Lance and I together put this class together with ideas. And so again, the idea here is completely free: like right now, you could click, well, not on the screen, but on the website, you could click on this and get an hour excerpt to listen to for other practical ways where a culture can be embedded and
            • 55:00 - 55:30 stored and improved in your respective organization, that we have right there. And it's just been amazing to spend time with you. I think some things came through in the chat I'll take a look at, and in the Q&A as well, and that is just fantastic. Yeah, like Laura said, the slides will be available. I'm going to send those to her whenever we're done, and we'll upload those to SANS, where all recordings are available. If you're listening live, thank you. If you're on the replay, hey, glad you're
            • 55:30 - 56:00 here as well. And then one final thing I'll say, here's my information. Love for you to stay in touch: email, Twitter, and then a direct link, sans.org/mgt521. Hey, thank you. You spent 55-plus minutes with me and Laura. I'm grateful. Again, my heart's like swelling, and so excited and so grateful that you've chosen to spend time as you're starting to understand what are some
            • 56:00 - 56:30 practical ways that you can do to improve the security culture at the organization that you're privileged to be at I'll stay on for a second if you have any questions comments anything please let me know thanks Laura for making this possible and thanks everyone for being a part with us today thank you Russell we do have one question here from Maria cyber security issues are well known through informal education has Sans invested in informal education
            • 56:30 - 57:00 cyber security issues so thanks for as promised I want to I appreciate that so so subscribers issues well known throughout informal education has Sans invested in informal education I think a lot of one of the things that I I would point to uh as our times winding down is sams.org forward slash free one of the things that Sans did at the start of the pandemic was to have a collection of all the things that are not uh paid I think like pay for classes pay for a master's degree and and that kind of nature I
            • 57:00 - 57:30 would point to that location uh and look for those things whether it be newsletters webcasts like what we have here to be able to point towards things that are absolutely free every time I teach I talk about it science.org four slash free and a listing of all the free things and perhaps ways to address informal education newsletter screensavers uh little notices like what I said you know security is your job versus security is everyone's job might be somewhere ways that you could have
            • 57:30 - 58:00 that be addressed and then I also see Aaron so not a question thank you Russell my privilege my pleasure Anonymous attend to give any advice about creating remedial training programs I would say that if possible a great chance to be able to work with your local Human Resources organizational development um OD uh workers who who already have plans like that in place that you might be able to leverage borrow or like what Lance says steal and use that and build
            • 58:00 - 58:30 upon that to be able to have a remedial training program one thing that I've done in the past is whenever someone over the course of a rolling year maybe they clicked on one too many fishing email phishing test emails we'd bring them in for an in-person session and the person wasn't my ID at all uh someone else's idea they would actually reverse order the phishing test that went through it put them on a big screen and as a class as a cohort everyone would be invited to point out the 15 reasons why
            • 58:30 - 59:00 they shouldn't have clicked on those links and what did that do it showed that we were care we were curious we wanted to help them overcome any barriers they had for understanding that a lot of email out there is just bad stuff and then at some point what was always funny is someone would say hey that's the phishing email I saw that and of course the reason they saw that is because they engaged they clicked on those it kind of made it light-hearted uh humorous and what we also did was we said you know what it's easy to blame someone says hey you need to stop clicking on that link why would you do that you're
            • 59:00 - 59:30 the problem if you ask questions such as what is it about my leadership that allowed them to think they can click on every email I can look in the mirror I can take some responsibility and I can make a better more relevant message and do my part to do things as possible to reduce the likelihood that people will click on those uh in the future so Anonymous attendee I hope that is helpful
            • 59:30 - 60:00 uh George love your question from my experience which industry has the most appetite and achieved security embedded in their culture as you described without a doubt Financial Services why there's a lot of money at stake in financial services and by far companies like not exclusive there but I typically see much more cyber investment much more awareness of culture because of the stakes that are higher they're in that industry because of the monetary loss it has and unfortunately continues to occur
            • 60:00 - 60:30 it doesn't have to just be there but those can be models whether you're a team of one or you're privileged to lead people that lead people that lead people that do all kinds of cyber uh George that would be my answer there my pleasure all right Laura any back to you anything else before we adjourn no I believe we are all done for the day then thank you so much Russell for your expertise and
            • 60:30 - 61:00 sharing your knowledge with the community everybody this will be recorded and the slides will be available in your Sans portal in about 48 hours you'll also be able to download your CPE credit and your portal under my webcast we hope to see you again soon and have a wonderful rest of your day thanks everybody