[06-15-23] How to Create a Positive Security Culture

CISO Series

Defense in Depth

How do you create a positive security culture? It's rarely the first concept anyone wants to embrace, yet it's important everyone understands their responsibility. So what do you do, and how do you overcome inevitable roadblocks?

Check out this post and this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark, the producer of CISO Series, and Geoff Belknap, CISO, LinkedIn. We welcome our sponsored guest, Jadee Hanson, CISO/CIO for Code42.

Here’s what we discussed.

If you want a security-minded staff, you need to make it personal and be patient. "Cyber needs to become second nature, like looking both ways before you cross the street,” said Lisa Ackerman of GSK who advises patience in getting there. “It will take more than once a year cyber training or a monthly phishing test." If you can make people care about their personal security, they’ll start to understand the value of security to the business. "Giving users actionable education related to their homes, family, and friends has been helpful," said Gabe S., CISO of PDC TECHNOLOGY.

To build a security culture, just build culture first. Find ways to connect with your staff before you begin a conversation about security. "It is about culture in the first place and not simply awareness,” said Christian Borst of Vectra AI. "I could not get developers or security champions to reach out to the security team for help or guidance,” admitted Ashish Rajan of Cloud Security Podcast. “For me, the resolution was to start showing up for their team bbq parties and game days in the office. This connected us as colleagues first and security team second.”

Security culture from the top down. Must the CEO be on board and part of the education on security culture? We know we want them to not be a blocker, but must they be leading awareness and training requirements? “Have the CEO mention security in presentations to the company, including their own personal journey of awareness,” said Chris Nolke of Skycrane, who warned of the consequences of letting someone else lead: “Abdicating leadership from the top makes ‘security culture’ impossible in strict terms."

Listen to their concerns before you tell them what to do. "Meet people at their level - don’t expect them to come to yours,” said Shaun Marion, CISO of McDonald's. “Don’t talk to the board about ‘the threat landscape’ unless you are prepared to relate it in business terms." Use criticism of your efforts as a way to improve and let others lead for you. After receiving negative feedback on a training program, Duane Gran of Converge Technology Solutions Corp. was able to turn a detractor into a champion. "I thanked her for taking an interest, asked for her to elaborate and eventually got her involved as a volunteer to help select awareness topics. Sometimes your most vocal critics can become your most vocal champions for the security program."

Please listen to the full episode on your favorite podcast app, or over on our blog where you can read the full transcript. If you’re not already subscribed to the Defense in Depth podcast, please go ahead and subscribe now.

HUGE thanks to our sponsor, Code42


Super Cyber Fridays!

Join us Friday [07-21-23], for "Hacking 5G Security"


Join us Friday, July 21, 2023, for “Hacking 5G Security: An hour of critical thinking about the looming explosion of IoT on 5G networks.”

It all begins at 1 PM ET/10 AM PT on Friday, July 21, 2023 with guests Kevin McNamee, security product manager, Nokia and Howard Holton, CTO and industry analyst, GigaOm. We'll have fun conversation and games, plus at the end of the hour (2 PM ET/11 AM PT) we'll do our meetup.

Thanks to our Super Cyber Friday sponsor, Nokia


LIVE!

Cyber Security Headlines - Week in Review

Make sure to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Sean Kelly. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Phil Beyer, former Head of Security, Etsy.

Thanks to this week's headlines sponsor, Conveyor


Cyber chatter from around the web...

Jump in on these conversations 

"The human factor is often the weakest link in cybersecurity. What strategies have you found to be effective in keeping your team informed and engaged in maintaining strong security practices?"

"Pinnacle of your career in cyber security"

"Company wants to implement AI note taking software for our meetings, how do other feel about this from a security perspective?"

Coming Up On Super Cyber Friday...

Coming up in the weeks ahead on Super Cyber Friday we have:

  • [07-21-23] Hacking 5G Security

Register for them all now!

What the Heck Is OpenText Doing In Cybersecurity?

Most people know OpenText as an information management company. But what they don't know is they've been building and acquiring assets in the cybersecurity market. In this video Geoff Bibby, svp, security marketing for OpenText explains their portfolio. They are trying to fill out the threat intelligence spectrum. Check out cyberres.com for additional information.

HUGE thanks to our sponsor, OpenText

Live show!

[06-19-23] CISO Series Podcast Live in Tel Aviv


We’ll be kicking off the CISO Summit TLV 2023, a six day event, with a live audience recording of CISO Series Podcast. This is a private invite-only event, but if you’re a CISO/security leader you can apply to be invited to the event. Huge thanks to our hosts, Team8, for bringing us out to Tel Aviv.

The full event happens from June 18-23 at the Sheraton, Tel Aviv. We’ll be doing our recording on June 19th, 2023. Joining me on stage will be Paul Branley, deputy CISO and director of strategy, innovation and testing, Lloyds Banking Group and we'll have Jesse Whaley, CISO, Amtrak.

Thank you!

Thank you for supporting CISO Series and all our programming  

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship? Contact me, David Spark.