[08-24-23] How Do We Influence Secure Behavior?


CISO Series

Defense in Depth

How Do We Influence Secure Behavior?

How Do We Start Influencing Secure Behavior?

We all know that our employees need to be more security aware, but what are the methods to get them there? How can we make our employees more security conscious?

Check out this post for the discussion that is the basis of our conversation on this week's episode, co-hosted by me, David Spark, the producer of CISO Series, and Steve Zalewski. Joining us is our sponsored guest Jack Chapman, VP, Threat Intelligence, Egress.

Setting an example from the top is key. This starts with training, but to actually influence behavior you need more than that. "People aren't influenced by being told what to do. They're more likely to copy good behaviors they see in others," said Mike Van Orden of Emanate Security. Mike Wilkes of Wallarm sees the need for this to come from the top leadership of the company on down, saying, "You need to have a security mindset practiced by the senior leadership through the organization. Treat it as a 'whole of person' issue to improve their ability to detect malicious communications no matter their location."

Don't just focus on cybersecurity at work; make it personal. "Educate them on keeping their personal accounts safe at home. It shows you care and will bleed over into their professional world," said Brett Deroche of Lockstep Technology Group. This can even go beyond training and extend into company benefits. "I would give identity theft protection as a corporate benefit. Make them more secure and the company becomes more secure by association," said Merry Marwig of DataGrail.

Annual training and punitive actions don't meaningfully change behavior. Instead, continuous engagement shows the best results. "It comes down to sustained, motivated engagement. Prompt people with a super simple, hassle-free action focused on a behavior you're trying to change," said Eliot Baker of Hoxhunt. Andrew Wilder of Washington University in St. Louis even suggested a model that everyone knows for that type of training: Clippy from Microsoft Word. Imagine a pop-up with "Are you sure you want to enter your corporate credentials on this suspicious site?"

People will respond to cybersecurity training, but they will prioritize their jobs first. "If we want to make security 'stick', implement solutions that are as invisible as possible to employees," said John C. Underwood of Big 5 Sporting Goods. Cybersecurity won't get buy-in if all you do is punish people. "People need to not see you as someone who will make their life miserable," said Yashvier Kosaraju of Sendbird.

Please listen to the full episode on your favorite podcast app, or over on our blog, where you can read the full transcript. If you're not already subscribed to the Defense in Depth podcast, please go ahead and subscribe now.

Thanks to our podcast sponsor, Egress


LIVE!

Cyber Security Headlines - Week in Review

Make sure you join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Gerald Auger, Ph.D., chief content creator, Simply Cyber.

Thanks to this week's headlines sponsor, Hyperproof


Cyber chatter from around the web...

Jump in on these conversations:

"Why do other cyber security professionals treat pentesting like the dark arts?"

"T-Mobile discloses second data breach since the start of 2023"

"What's the worst cybersecurity mistake you've seen someone make?"

Sponsored Content

Connecting Discovery With Context

In cybersecurity, just knowing what assets an organization has isn't enough. That inventory needs to be coupled with the context of how those assets relate back to the business. Curtis Simpson, CISO at Armis, discussed how this context lets you understand the risk those assets carry within the organization. This becomes especially critical as IT and OT systems have become intertwined.

Understanding the risk posed by assets allows security leaders to quickly make the business case for taking action. This shifts the conversation away from CISOs talking about securing endpoints and assets, and allows them to talk directly about how a security threat ties to core business functions. Adding context to asset discovery makes it easier to bring security considerations into the everyday language of business.

Huge thanks to our sponsor, Armis


Live!

CISO Series Podcast LIVE in Santa Monica, CA 10-2023


We did it last year and we're doing it again. CISO Series Podcast will be the closing entertainment on October 5th, 2023 at the ISSA-LA Information Security Summit XIII in Santa Monica. This full-day event is held at the Annenberg Community Beach House, a gorgeous location right on the beach in Santa Monica. To attend the event, you will need to get tickets, which you can get right here.

On stage with me will be Chenxi Wang, managing general partner with Rain Capital.

Please come on out for a day of cyber learning with your west coast cyber friends.

Thank you!

Thank you for supporting CISO Series and all our programming

We love all kinds of support: listening, watching, contributions, "What's Worse?!" scenarios, telling your friends, sharing on social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship? Contact me, David Spark.