Security awareness: How to influence others and change behavior
Bruce Hallas has a lot to say about security awareness and the fostering of security culture throughout an organization. His podcast, “Rethinking the Human Factor,” is now also a book, and he recently spoke at our Infosec Inspire Cyber Skills Virtual Summit. On today’s episode, Bruce talks about changing behaviors rather than setting rules, new ways to think about security awareness, and different industry and job search tips, particularly for those who want to get involved with cybersecurity in a totally non-technical capacity.
Bruce Hallas is an enthusiastic advocate, consultant, trainer and speaker in the field of information security awareness, behavior and culture. He has worked over 20 years as an information security manager, practice manager and consultant to lead and support positive change that helps organizations manage risk. As creator of the SABC™ (Security Awareness, Behavior & Culture) Framework, Bruce advocates the role of the human factor in information security through speaking engagements and his "Re-thinking the Human Factor" podcast and book.
- Learn cybersecurity with our FREE Cyber Work Applied training series: https://www.infosecinstitute.com/learn/
- Use code “cyberwork” to try Infosec Skills free for 30 days: https://www.infosecinstitute.com/skills/pricing/
[00:00:00] CW: Hitch up the wagons and polish your spurs, because it’s high noon, and the searchers are looking for a way into your network. October is National Cyber Security Awareness Month, and Infosec is helping to tame the wild, wild west with our collection of free training resources that will make your employees the masters of the cyber frontier and bring cybersecurity to the forefront of your organization. Go to infosecinstitute.com/ncsam2020 to download our free toolkit containing a stagecoach full of provisions to run a month-long security awareness campaign, including posters, infographics, newsletters, email templates, presentations, and more. Grab Cybersecurity Awareness Month by the horns with this wild bunch of free material from our award-winning LX Labs team.
Just as the wanted posters in the Wild West helped the public recognize the region’s most notorious villains, our free training kit reveals the identities of common cyber threats to help prepare your employees for the real attacks they face. Again, go to infosecinstitute.com/ncsam2020, or click the link in the description to get your free collection of training materials and help spread security awareness.
Now, let’s begin the show, partner.
[00:01:15] CW: Welcome to this week’s episode of the Cyber Work with Infosec podcast. Each week, I sit down with a different industry thought leader and we discuss the latest cybersecurity trends, how those trends are affecting the work of infosec professionals while offering tips for those trying to break in or move up the ladder in the cybersecurity industry.
At the time that we’re taping this episode, our guest, Bruce Hallas, is just a few days out from being a guest speaker at Infosec’s Inspire 2020 Conference, a meeting place of cybersecurity professionals, thought leaders and instructors that’s taking place entirely online this year for obvious reasons. We hope you’ll check out Bruce’s conversation with Christine Zorovich, or that you have already, because this is coming out a bit later. But I wanted to also speak with Bruce today, because I think there’s a lot to say about security awareness and the creation and fostering of security culture inside of every organization.
So Bruce’s podcast, Re-Thinking the Human Factor, has been made into a book as well. You should check out both of them. But we’re going to talk to Bruce today about security awareness, behavior and culture of framework today. Boy! I didn’t say that. Well, Bruce’s security awareness, behavior and culture framework as well as ways that your organization can create a culture of security that really sticks.
Bruce Hallas is an enthusiastic advocate, consultant, trainer and speaker in the field of information security awareness, behavior and culture. He has worked over 20 years as an information security manager, practice manager and consultant to lead and support positive changes that helps organizations manage risk. As the creator of the SABC, Security Awareness, Behavior and Culture framework, Bruce advocates the role of the human factor in information security through speaking engagements and his Re-Thinking the Human Factor podcast and book.
Bruce, thanks for being with us today.
[00:02:52] BH: Oh, it’s an absolute pleasure, Chris. Thank you very much there. Yeah, there are some tricky ones there, aren’t they? The old SABC.
[00:03:00] CW: Yeah.
[00:03:02] BH: Normally it’s a three-letter acronym, and I think I would say I’m going to use something different than I went before. Yeah, but I call it “SAYBAC.”
[00:03:12] CW: Oh, there you go.
[00:03:12] BH: How accurate that is as to describe. But yeah, SABC is the –
[00:03:18] CW: SABC. That has a good ring. I’m going to incorporate that. Let’s see if I can say it three times in a sentence and then it’ll be mine. So I want to start – We always like to start by getting a background on our people here, our guests. So where did you first get started in IT and information security? I know from seeing an advance cut of your Inspire presentation that you came to IT and security from law, finance and marketing. So what was it that made you want to switch over to such a different area of focus at the time?
[00:03:48] BH: Yeah. That’s a really, really good question, and I’m going to be brutally honest with you.
[00:03:52] CW: Please.
[00:03:54] BH: This was a time where I was looking for work, and a lot of what I was looking for was really very much driven around business development more than anything. And I actually had – This is a funny story. And I actually got – I put my details out with a number of recruiting consultants, and I got a phone call from a recruiting consultant and said, “Look, somebody would like to interview you.” I said, “Okay, great. Who is it?” And they mentioned this person’s name. I said, “Hold on. That’s somebody I’ve worked with in the past.” So I said, “So what’s the job problem about?” And then they explained it. It’s about IT security. And I was like, “Okay.” I said, “I don’t really know anything about IT security.” And they said, “No. But they know you and they want you to come in.”
So I went in for the interview, and I got through the first interview, because the point that I guess that we ended up talking about was really more about the human side of things. IT security, what’s IT security? And I made it very clear from the very beginning that I’m not a very technical person at all. But the human aspect was something which was more of interest to me. And I proceeded to the second interview and I was offered the job.
And I think one of the reasons why – when I spoke to the MD years later, I was like, “Okay. Why did you offer me the job?” He said, “Well, funny enough, everybody in the final interview, when it came to do a presentation, did a presentation around technology. You didn’t do a presentation around technology.” He said, “You actually took the catalogue that I had written, the brochure for our organization.” He said, “You took it and you dissected it. You identified the things that we felt were really important to our value and our culture, and then you aligned security to that.”
And he said, “Because that’s I –” He was saying the interview was for him, I was selling to him, and this was something that was really important to him. And I aligned security to what he felt was really important. And that was a lesson that I then went on to sort of expand on to do my legal and finance and marketing in the early days. I used to act as a conduit between the IT director manager and the rest of the business. They would tell me what they were thinking from a technical perspective, and I would translate that into a language that the company secretary, or lawyer, or advocate would understand, or the marketing person, or the finance director. And it was a winning formula. And I think it was that, very early, speak to people in a language that they understand and comprehend, and you’re much more likely to get engagement from them and buy-in.
[00:06:53] CW: Yeah. What I like about that too, I mean, a bunch of things. But first of all, we have a lot of listeners on this show who are just considering security, or cybersecurity, or IT as a job for the first time and they might be thinking, “Oh, I don’t have the tech background. I don’t have all this sort of stuff.” But so many really good cybersecurity professionals have no tech background and come to it, like you say, from law, or from finance, or – one of our past guests said her best computer forensics person came from a psychology background and she was able to understand the psychology of the way people text message when you’re breaking open a phone or something like that. This is such an industry that is understaffed at the moment and we’re looking for professionals. And I think part of the reason is that people don’t realize – they can’t see their role in it.
[00:07:46] BH: You really make a lot of very valid points though. I think it’s really interesting. When you see where the industry has come from 20 years ago, pretty much everybody I was – All the people I knew within the industry and all the vendors that we were speaking to, it was very, very tech. And that was partly shaped by the language we use: IT security is an IT problem. So the solution had to be more IT. And so I think as an industry, we sort of evolved from this very technical basis. But over time, what we’re seeing is – We started to stop thinking about technical solutions and saying, “Well, actually, I’m never going to be able to secure this.” So this is really about understanding risk and balancing risk and finding ways to reduce the risk exposure in line with my appetite for risk.
And then suddenly we started to realize, “Well, actually, you know what? We could just change our process. Instead of the technology, we change the process. Hey, we could train people better.” So they make fewer mistakes. And so the industry has sort of matured to actually understand now that the disciplines and skills that we need to address the information security, cybersecurity challenge are much, much broader than technology. And a lot of my work around the human factor has been about understanding how behaviors are formed and influenced and how cultures are formed and influenced. And I think a big drive of mine within the Rethinking the Human Factor program is how can we engage with people outside the industry to demonstrate, “Look, your skills could be incredibly valuable in this context.” It’s an area of huge growth. Cybersecurity needs a continued area of huge growth. Yeah, I completely agree with you. Lots of opportunity for listeners who don’t come from a tech background to really, really come in to make a big difference.
[00:09:52] CW: Another thing that just sort of occurred to me also, you’re saying like 20 years ago, there wasn’t this sort of emphasis on the human element. And I wonder if that’s also because 20 years ago, not every single person in every organization had to be sort of interfaced with every aspect of computers. Large swaths of companies were still working on pen and paper in 2000 or didn’t have to necessarily even know where the G: drive was or know to sort of back up things online or do anything. So now you have this completely expanded culture, where everybody needs to know how to get on the cloud. Everyone needs to know how to sort of archive and back up and not click the pizza coupon that might have a phishing thing in it or whatever.
[00:10:33] BH: Yeah.
[00:10:33] CW: Now you have this entire new industry that’s sort of opened up around the idea that we’re all here now. We need to know how to do this safely.
[00:10:42] BH: I mean, you’re definitely right. The number of users interacting with the system, it’s just a complete shock. Who doesn’t? But I think it’s really interesting even before then, when you went back 20 years, the IT system in a really simplistic way, and I don’t mean to cause any offense. But I remember when I first started in security, I always sat there looking at the PC that I had on my desk and I was like, “Basically, this is a way for me to input data, information which gets changed into data. It stores it and remembers it a lot better than I can. And then it’s there for me so that I can access it again. And then you had networking so you could store it on servers and other people could access it and those sorts of things.”
But it really came down to one thing. It was all about information. And I saw a change in – You can see a change in language, where people talk about IT security. And then we sort of matured to one where it’s about information security. And I remember when that happened to me in the organization I was working for, and it was called IT security. And one of the first things we needed to do was stop calling it IT security and call it information security. As soon as we did that, on the psychological level, suddenly, that information didn’t belong to me. That belonged to everybody else.
[00:12:07] CW: It’s not someone else’s problem anymore. Yeah.
[00:12:10] BH: We were able to go to like finance and say, âLook, this is your financial data.â
[00:12:14] CW: Yes. Yeah.
[00:12:15] BH: So you need to make some decisions about what is the risk you’re willing to live with. And this is your marketing data and this is your sales data. Because traditionally what they had thought is this is a technical problem. I’m going to give it to the IT function and they’re going to solve it.
[00:12:28] CW: Yes. And I don’t have to think about it.
[00:12:30] BH: Now I have to think about it, because, “Hey, it’s my own information.” And in many ways, people didn’t want – When they realized it’s their information, it’s their work, what they didn’t want is somebody coming in and telling them what they can and cannot do. What they are prepared more to do is if you facilitate a conversation with them where they defined what was a risk that they were willing to work with and then we would come with solutions to that, they defined their needs. We brought them up a solution to their problem. They were so much happier to work with us.
[00:13:02] CW: Yeah.
[00:13:04] BH: Yeah. But I think going back to your point, before IT, there was information and there were also issues of confidentiality of information. There was always an issue of integrity of information. Information stored on our – I don’t know. Let’s say a Rolodex.
[00:13:21] CW: Yeah. Yeah. Right. Right.
[00:13:23] BH: Your Filofax, the filing cabinets. So I think it’s interesting, because we’ve always had the need for confidentiality, integrity and availability of information. The growth of technology put it into a different environment. But actually the need for confidentiality, integrity and availability in the early days was pretty similar to when we had physical information.
Yeah, I mean, it’s really changed somewhat now with everybody using tech to access information. Even back then, people were still using information, but they’d never seen it as – there wasn’t this industry around the whole point.
[00:14:07] CW: Yeah. You put a padlock on your filing cabinet and youâre good to go.
[00:14:11] BH: Exactly, or you had the padlock on the office to stop people getting access to information. And you might have a key in the filing cabinet for your most sensitive information.
[00:14:25] CW: There you go.
[00:14:27] BH: It’s just the same things we do to a certain degree without a key.
[00:14:31] CW: Yeah. Let’s get into it then. So the main meat of your podcast and book, Re-Thinking the Human Factor, centers around security awareness, behavior and culture. I saw in your Inspire presentation, you noted several interesting things. First, that organizational culture and security culture are often treated as two separate things, and that there’s work to be done in linking the two. Second, that improvements in security awareness applications come down not to “I should be doing this,” but “I want to do this, and this is my spot to do it.”
So I want to get into some specific case studies, if you have any in mind, like where organizations were able to tie security and organizational culture together effectively. And also, can you sort of give me some examples of where people or companies were able to move from “I should” to “I want to”?
[00:15:15] BH: Yeah. Obviously, I can’t talk about organizations that I work with and –
[00:15:20] CW: Oh, no. We’ll call it company X. Yeah.
[00:15:23] BH: Yeah.
[00:15:23] CW: Sure.
[00:15:26] BH: I’m sure there’s a company called X.
[00:15:28] CW: Oh, yeah. If there isn’t, there is now. Yeah.
[00:15:32] BH: So where do we want to start? I think that the first point you make there is about culture. So as an industry, we talk about security culture a lot, and I think developing a culture is going to help change behavior, but also helps with awareness. It also helps when your company has an incident and you’re in front of a regulator. And more often than not, what we see reported in the media is there’s a toxic corporate culture in relation to cybersecurity, and that’s resulted in this breach.
Actually, focusing on culture is really important, because eventually we all have a breach and we don’t want to be in that classification in front of the judiciary, regulators, the courts, the senate, whatever. We don’t want to be called up in front of a committee and then basically be told you’ve got a toxic culture. So looking at culture is very, very important.
The one thing that came from my own research when I studied culture in some depth – I looked at organizational culture, I looked at culture more broadly – is that I think the first point is establishing and embedding an organizational culture. Trying to influence an organizational culture is very, very hard. It takes a lot of time and a lot of resources, okay? Most organizations are already either very proactively or are still pushing through projects, which take three years, five years, 10 years, 15, 20 years around culture.
Why would we want to try and develop a separate culture with all the cost and overheads that come with that? If you take it to the board and say, “Hey, we’ve got this organizational culture. We want to develop a security culture.” In many ways, what you’re sort of doing is saying, “We want something that’s different.”
[00:17:49] CW: And something potentially very difficult that they’re just going to roll their eyes at and go, “Come on! We can’t even do the other thing.” Yeah.
[00:17:56] BH: Yeah. We haven’t even finished this one and you want us to do this one.
[00:17:59] CW: Yeah.
[00:18:00] BH: The second point is that I think it’s quite well-recognized amongst the security profession that one of the challenges is that we want security just to be the way things are done. We don’t want it to be something special. Because making something special, people have to aspire to it. You’re moving towards it. Whereas if it’s just part and parcel of how everything is done within this organization, the values which are most important to it, that creates a lot less resistance.
[00:18:38] CW: Yes.
[00:18:39] BH: So by creating a security culture and making it separate from the organizational culture, it’s counterintuitive to what we genuinely know and genuinely want, which is for it just to be part of what everybody does. So I think there’s this thing that’s counterintuitive, to try and do something which is labeled completely separate. Potentially, these are just – I’m not saying security culture is wrong. I’m just saying these are things for us to think about.
[00:19:06] CW: Yeah. We’re just starting to sort of understand these sort of things as separate things and then how to integrate them. So of course there’s going to be lexical difficulties. I’m sorry. Go ahead.
[00:19:14] BH: Security culture, it’s not unheard of where people say security is not my concern. It’s the responsibility of the security team in IT or information and IT. It’s somebody else’s responsibility. As soon as you label it, it provides people the opportunity to say that’s not my problem.
[00:19:39] CW: Yeah. Absolutely.
[00:19:41] BH: Again, these are just small things. And my view is that understanding and fostering and embedding values which the security function and the organization have in common – identifying those values and leveraging those is really, really important. I think in the book I mentioned things around culture. There’s a new chapter in a new book that’s coming out as well, Security ABCs, where we talk about culture. And for me, I just think that we’re saying security culture, but maybe that is going to potentially, down the road, cause us more problems than it’s going to solve. Might be too much of a focus on the shorter term.
[00:20:34] CW: Okay.
[00:20:35] BH: Yeah. And then the other point you made was – I think it was security culture.
[00:20:40] CW: And then also just sort of examples of – Like concrete examples of how a company moved from “I should be doing this” to “I want to be doing this.”
[00:20:49] BH: Okay. Okay. The first thing about “I should be doing this” to “I want to be doing this” is that “I should” suggests that you’ve got to know what it is you’ve got to do, okay? But then the next move is “I want to be doing this,” is that you’re actively choosing to do it.
[00:21:12] CW: Yup.
[00:21:13] BH: Okay? So there is the assumption we make, is that if we present information to people, to our employees, through an education and awareness program, through giving them the information for them to then make informed decisions. The assumption we make is that they’ll weigh it up. And that logically they’ll come to the same conclusion that we as the security professionals who’ve written the policies have come to, which is that they will comply.
So I remember having a meeting with a client where we talked about this very issue and they said, “It’s in their contracts.” I said, “So does that mean they have to comply?” They said, “Well, yes. It’s in their contract.” I said, “No. You haven’t answered the question. Just because it’s in the contract, just because it’s legal, would everybody obey?” And they went, “Well, no.” I said, “So what’s the repercussion or what would they do? Because there’ll be a penalty.” I’m like, “Okay.”
And then I used the example of people training to drive to get their license. So they’re assessed for their competency. And as part of that, here in the UK, sorry, here’s a 13-mile-an-hour zone speed limit. I said, “How many people drive over the speed limit at this particular time?” They said, “Well, I imagine a lot of people.” And I said, “Well, I know Yorkshire, which is a county in the United Kingdom, back in the day.” I said, “There were 110,000 speeding tickets issued.” I said, “People aren’t very logical.”
And so the whole point about moving people from people saying, “This is what I need to do,” to “what I want to do,” is that we assume that if we give them enough information that they’ll want to do it.
[00:23:10] CW: Right, and thereâs actual incentive and not just if you donât do it, youâre going to be punished in some small way. Yeah.
[00:23:17] BH: Yeah. Now, actually, when you understand part of my research, I did an interview with a gentleman by the name of Dan Ariely. Also, there’s an interview on the podcast with Susan Weinschenk, and one of the things that came out of that is a lot of what we do in society is basically on this assumption that people do as they’re basically told. They’ll apply logic. But actually, if you want to think about it and just use my head as almost – you can imagine it being a brain, okay? You can always imagine the brain is split in half. It’s not physically split in half, but there’s one side, there’s like a System 1 side of the brain and the System 2. Now, one side of the brain – Let’s call it this one here, will think things through. So it will look up the information it’s received as part of this education and awareness program. It will hopefully remember some of it and it will think about it. And that’s the part of the brain where logic happens, okay?
So if you think about it, if you play chess, that’s the part of the brain you’re going to be using, okay? When you’re first learning to drive and yet – Do you remember when you were first learning to drive and you’re like –
[00:24:28] CW: Every decision is incredible. Yeah.
[00:24:30] BH: It’s incredible. Yeah. You finish the driving lesson. You’re absolutely shattered, okay? So you’re having to think. When we find ourselves in situations, in some situations where actually we’re cognitively thinking. And that’s the time when we’re at our best at weighing up the pros and cons and thinking things really through.
[00:24:52] CW: Right.
[00:24:53] BH: The other side of the brain, you can think of it as the automatic side. It’s like subconscious. And some people call it the lizard brain, because it just clips out and does things automatically. Now, that side of the brain is used a lot more than most people would think. So the thing is that side of the brain, to think that quickly, is using a range of things that we developed through evolution, and these things are called biases and heuristics, okay? You could think of them as shortcuts.
Instead of having to spend all the time cognitively thinking on this side about the problem, the situation, what you should be doing and trying to remember things, this side of the brain just makes really, really quick decisions, okay?
Now it does that in a range of circumstances. But one of them might be, for example, you’re under pressure, okay? One of them might be you’re in an environment that you’re not really used to. One of them might be that you haven’t actually got all your senses working efficiently at that particular time. Now you think about a phishing attack, what is it that they do? The email is generally very urgent, okay? You receive a lot of these emails at particular points in the week or times in the day.
[00:26:28] CW: Yeah, off-hours, or strange times, or if you’re working in the evening sometimes.
[00:26:33] BH: Yup. Okay. If you know there’s a public holiday on the Friday and people on the Thursday are trying to close everything down as quickly as possible –
[00:26:44] CW: Yeah. Probably lose ends. Yeah.
[00:26:47] BH: Yeah. They lose their concentration. And what that is, they’ll start making decisions with this automatic side of the brain. And the biases and heuristics in there are incredibly powerful tools that we’ve evolved over years and they’ve helped us really, really well in many aspects. But when it comes to decision-making, often, in the world that we live in now, and those decisions include whether to comply with things, whether to click on that link, whether to do this or whatever, they don’t necessarily result in positive outcomes.
And cyber criminals – the Wall Street Journal actually wrote an interesting article about two years ago where they were picking up that, actually, cyber criminals have understood that people – They understand how people think, how they make decisions and how they behave, and then they will incorporate their insight into their campaigns to attack organizations.
Now, we put this down in security, we say very sophisticated attacks, and it’s because, well, actually, the whole behavioral piece from Facebook, LinkedIn, a lot of the high-tech, the tech successes that we see around us, a lot of what the businesses are doing nowadays, even governments’ campaigns, are using this understanding of how the human processes the information and makes decisions and then acts upon that, to develop products and services and get people to vote and get people to invest in healthcare and pensions and all that sort of stuff.
I guess the thing is when you get people to move from – Is it as simple as saying, “Well, I’ve got to do this or I want to do this”? There is a third level, which is subconsciously. We recognize that people make a lot of decisions subconsciously. So it’s not just people saying, “I want to do this.” It’s people doing it.
[00:28:47] CW: Instinctively. Yeah.
[00:28:50] BH: And I think that’s one of the most exciting things for me with my research is, yes, we want to get people to buy in and to say they want to do it. But remember, people will often leave. I’ve seen research around people that have attended financial workshops around pensions and planning and all those sorts of things, and they’ve been assessed and they said, “Yeah, definitely going to put money aside every month towards my retirement or my health or those sorts of things.” And then actually a really, really small number of people follow up on what they said they’re going to do. And that’s not just health and pensions. That could be anything from going to vote in an election. It could be absolutely anything. The evidence is that we are inclined to say we’re going to do something, but actually the evidence is, in a lot of cases, even though we really want to do it, we don’t do it.
[00:29:43] CW: Yeah.
[00:29:45] BH: Actually, understanding how people are making those decisions and how you can maybe be tapping into things to be more instinctive I think is one of the best opportunities we have in security to really push the agenda forward on the human factor.
[00:29:59] CW: Yeah. Now I want to talk about that in a practical way with regards to – If you’re working for a company and you’re not in a decision-making portion of the company. You’re not the person from whom the decrees come down or whatever, where we could start integrating stuff like this. If you see your organization has kind of a lax or sloppy security culture but you’re not necessarily in the leadership to make change, what are some things you can do to sort of improve the culture yourself no matter where you are in the org chart?
[00:30:32] BH: Yeah. That’s a real challenge, because a lot of people would talk about culture needing to come from the top down. Okay. And I’m a believer that it does come from the top down, but I also believe that culture comes from the sides in and from the bottom up. And that’s because what people – Often, organizations will say, “This is our culture and this is what we expect.” But actually the thing that’s most likely to influence people’s behaviors is not necessarily what they’re told is happening, but what they see immediately around them is happening.
If you say security is important from the top, but everybody within the – I don’t know. Everybody in the logistics function doesn’t really have that view –
[00:31:40] CW: Yeah. The whole doesnât apply to me thing.
[00:31:42] BH: Yeah. It doesn’t apply to me. Worse, I didn’t even know what security was.
[00:31:47] CW: Yeah. I didn’t read that email. Yeah.
[00:31:50] BH: So culturally there, what you’ve got is you could go, “Okay. Well, this isn’t that important. They say it is, but it isn’t.” And that’s what you call cognitive dissonance. And that’s not unusual. In a lot of organizations, the top seems to say this, and everyone else says, “Hey, that’s new to me.” You only have to look to organizations. Google is a great example. Where actually people join the organization because they get drawn to the culture. And when they experience that that culture isn’t necessarily consistent across the organization, they shout. They make their voices heard. We know that there have been a number of protests by Google employees when they’re going out there and said, “You know what? Your values that you say are important, aren’t –”
[00:32:43] CW: Theyâre not here. Yeah.
[00:32:44] BH: Arenât there. Actually, there is a point to say that culture canât come from across any aspect of the organization. And itâs almost the point of socializing. So we know that humans or people are subjective to social influence. The more they see people that they interact with behave in a particular way, the more likely they are to say that is the acceptable norms. And most people, and I say most, actually donât really want to be outsiders.
But itâs interesting, because outsiders think that theyâre not part of the group or a group. They donât belong to a set of identity. But actually by the mere choice of saying, âIâm not part of a group.â Youâre a part of a group. Itâs just that that group is people that donât want to be associated for that group.
[00:33:45] CW: Yeah, right.
[00:33:46] BH: Yeah. It's quite well-established. Yeah, I think that hopefully that sort of answers your question a little bit. I've seen it within organizations where — I'm just giving you an example, Google, where people turn around and go, "Hey, that's not good enough." And then the board or whatever have to make decisions.
The other thing which is something — What does the board pay attention to? So if it's not going to pay attention to you, what does it pay attention to? Okay? Now this for me, the role of leadership, middle managers and senior managers in information security, is about developing relationships where you can facilitate a discussion where you come to learn something about your customer. The board is your customer.
[00:34:46] CW: Right. Okay.
[00:34:48] BH: Okay. You give them their ideas. They say, "Yes, you can have the investment and our support." In many ways, I sometimes ask myself when people say the board just aren't buying into this. Are we pushing the blame to the board for us not being as effective as we potentially could be in terms of influencing them? Sometimes it's being realistic. I think with Christine, in the chat I had with Christine, which is mentioned in the beginning of this chat. One of the things she said to me is, "Can you give us some advice? One point of advice?" I said, "Well, the one thing that I would advise everybody is to realize your invulnerability, because often, when I started off looking at the human factor, I made a lot of assumptions. And then when I did reach it, I realized that my vulnerability was that I thought I knew something that I didn't. And it can sometimes be that if your board isn't behind you, the question isn't necessarily why is the board not behind me? But what is it that I'm not necessarily doing as well as I could do or maybe it's just not a strength of mine. I need to speak to somebody else to get support." To understand actually what it is that the buttons that they need pressing. And maybe it could be — Here in the UK, the Financial Services Authority has often pointed its finger towards culture and said, "Look, for those people that are breached," it openly said they had a toxic corporate culture. I know that's happening in the US. And you say to the board, "Maybe that's the point." And then they say, "Well, I don't want my reputation damaged on the chief exec." And said, "An incident is going to happen," and this is the sort of feedback we're getting back from the senate committees when they interviewed chief execs following an incident, and they talk about culture.
So where do you want to be as a chief exec if you have to stand or sit in front of the senate committee? The lawyer in the house will say we want to be in the best position that we are to defend us up as effectively as we can. And you go, "Well, these people are saying that because there was no culture or it was a toxic culture." That is part of the reason why they're holding you to account. So finding out really what the board is interested in, what they listen to and then shaping your discussion leveraging that. For me, that's got to be one of the best ways to get things done.
[00:37:22] CW: Okay. Now, I want to pivot from that a little bit towards sort of career aspects of what you do. You've learned what you've learned over a course of a decade. So listeners who might want to do something similar as a career are probably wondering where you start with the type of work you do. So what kind of — On a granular level, what type of information or study or training, etc., do you recommend for someone who might want to implement better security awareness practices in their own organization or do the job of this sort of thing for other organizations?
[00:37:52] BH: Yeah. So one of the things, if you listen to the podcast, one of the things you will find is that most of the guests don't work in security.
[00:38:05] CW: Okay.
[00:38:08] BH: So we interview a lot of people, behavioral psychologists. We interview lawyers. We interview people who — Bill Clinton's former speech writer. Barack Obama's director of comm strategy for cybersecurity. We've had storytellers. We got somebody coming on who's a linguist. And the thing is I found that there are a lot of other people whose focus is upon raising influence, influencing behavior and embedding something within culture.
And those people have been doing it far longer than our industry. So I ask myself the question why we reinvent the wheel. Why not go out there and listen and engage with people and do causes and effect and learn about these other aspects and not focus on the security side of it.
And somebody asked me this, "Could you make a recommendation to me about conferences?" I said, "Yeah, stop going to security ones."
[00:39:36] CW: Except for Inspire.
[00:39:38] BH: No. I said, "You've got to find a balance." I said, "You've got to understand security. But if your focus is around raising awareness, influencing behavior and fostering an organization culture," I said, "Why do you go to a conference around behavioral science?"
[00:39:56] CW: Yeah. Yeah, there you go.
[00:39:58] BH: And all my research was about going to conferences and reading books and doing interviews. Well, not all of it. But a lot of my research was about actually engaging with all these other disciplines and then making sense of it myself where I was then able to come up with my SABC framework, but it enabled me to challenge. A lot of the assumption I had back then was 14, 15 years' experience. And a lot of the assumptions I was making about how things should be done. And this was as a relatively senior information security manager. I challenged them and I realized that, "Hmm, that's really quite an eye-opener," and that meant that I could go and have conversations with chief information security officers and chief security officers and heads of data protection, that sort of thing, and have a different conversation, which opened their mind and educated them. And that built the trust relationship up. And that's how I tended to get things more done and introduced new concepts.
From a career perspective, I was just — If you're in security and you want to move into education and awareness, is to think about, "Where can I learn about awareness, behavior and culture?"
[00:41:16] CW: Yeah. Think about what you're really trying to sort of implement, I guess.
[00:41:18] BH: Yeah, because we don't need to tell you about security, okay? What we need to tell you is these are your new objectives, and it's really interesting, because when you study awareness, behavior and culture, so many things like doing an education awareness campaign is like actually what if I just designed security controls to be better? What if I make the security controls, the policies, the process and procedures easier?
From a behavioral psychology perspective, one of the early lessons, the easier you make it, the more likely people are to do it. The harder you make it, the more likely people are not to do it. And people say, "Well, can you give us an example?" I said, "Okay, at the beginning of the new year in the United Kingdom, we've had a great Christmas. We've eaten way too much turkey and we thought we drank too much as well." And we have this thing where we go, "Okay, I'm going to make a promise. I'm really going to go to the gym and all those sort of things." Hey, but it's January. It's miserable outside. It's wet, it's cold, okay? I've got to make a real effort to get down to the gym. I'm not running in that cold, because it's hard. Even with all our best intentions and knowing it's the right thing to do for health and all those sort of things, the number of people that do it is small, and the number of people that start and drop off is huge.
[00:42:44] CW: Right. I was just going to say, I'm less worried about my January 1 plan than my February 15th plan, because I also have a gym membership and the first three weeks, you can't get a treadmill or anything. And then by mid-February, nothing, nothing at all.
[00:42:58] BH: Yeah. That's it. Okay, yeah. That's when I'm going to start using my gym membership. See, that's the point. As part of my research, when I started doing my research, I was like, "Everyone is focused upon doing the education and awareness campaign." Actually, if you really want to bring around behavioral change, one of the things you really want to be thinking about is how can I better do my security thing? How can I design better security controls? And that's why, for me, I have this concept philosophy of design with the human in mind. And I apply that not just to education and awareness campaigns, but to how I go around doing governance, risk and compliance and developing control frameworks.
And it's really simple things, really simple things, like tweaking a process can really have a massive impact on behavior without the need to spend large sums of money on flash campaigns, or even very basic campaigns around awareness, which are generally forgotten within a relatively short period of time.
[00:44:05] CW: Right. Okay. Yeah, as we wrap up today, we've talked a bit about Re-Thinking the Human Factor, both the podcast and the book. But to conclude, and you were just talking about it a little bit, but give me some highlights from the podcast. Some upcoming episodes you're excited to share. Some things, episodes that you've done that you think people should start with, things like that. Just talk it up.
[00:44:28] BH: I'll tell you what. If somebody asked you this question, you'd probably go — "Where do I start?"
[00:44:35] CW: I don't remember what I said 5 minutes ago. Yeah.
[00:44:39] BH: That's a really, really —
[00:44:41] CW: Yeah. No. Yeah. I understand. When you have a deep bench like that, where do I even start recommending? But yeah.
[00:44:47] BH: Let's start with that. And I think, also, I was having a chat with one of my guests. So we've got a French linguist coming on to talk about the power of language. And actually, when you listen to this stuff, it's going to be like, "Wow! Okay. I'd never really thought of it that way." And he's going to be kicking off his own podcast. And he said, "How much time and effort does it take? What's the cost?"
And we're talking through and I said, "Look, the biggest thing, the biggest challenge is finding good people to come on the show and educating them about why what they do is relevant to cyber." Because a lot of my guests, they're like, "Why would I come on a cybersecurity podcast?"
[00:45:27] CW: Oh, interesting. Yeah. Yeah.
[00:45:29] BH: Yeah. And I have to go through a process of educating them. There was one guest, it took me two years to get on the show. So sometimes my passion is based upon how much effort went into it. And that's a very behavioral thing. It's called the IKEA effect. But if I had to pick some, I would say people often come back to me and say the interview with Dan Ariely, okay? Yeah. I mean, that was a very special moment for me, because it was basically two years of "to-ing and fro-ing" before he came on the show. The interview with a gentleman by the name of Gert Jan Hofstede. Now Gert's dad, basically, is probably one of the most approached people when it comes to culture. And basically between the two of them over the years, they are an absolute force in understanding how cultures are formed and influenced. So he's been on the show twice. He's from Holland.
I think Susan Weinschenk, who is another behavioral psychologist. The conversation with her was absolutely fantastic. We have — I'm trying to think of other ones that really pick out. Conversation with — Oh! Here we go. We've done culture. We've done behavior. From an awareness perspective, there is an interview with — Oh! I've forgotten his name. Because there are so many. There was an interview in series 3 with a gentleman by the name of O'Reilly, and he's an ex-ad man from North America who's really successful. An amazing podcast. He talks about things from a very marketing type of perspective.
But what we've got coming up in series 4 is just to die for. We've actually got the ex-data protection commissioner from the UK coming on the show to talk about it from a regulatory perspective, which is a huge thing to have somebody like that come on the show. We've got this linguistics professor coming on the show who's also an author. He's French. We've also got the head of branding at the Sorbonne University, a full professor in branding. And we're going to talk about Louis Vuitton, on what branding tells us about the chance we face in security. The security brand, how it affects behaviors, engagement, that type.
Yeah. I mean, there are some that just stick out immediately. But yeah, if you listen to the show, I think they all bring something pretty unique. It's the sort of show you need to listen to a couple of times and write notes down. One of the things we are going to be doing for those people who haven't got the time is I'm going to be doing a series of podcasts where I basically summarize every single episode.
[00:48:51] CW: That's also very helpful. Yeah. Yeah.
[00:48:52] BH: Yeah.
[00:48:54] CW: Get the whole scope or just get the takeaway. Yeah.
[00:48:57] BH: Yeah, absolutely. Really, at the end of the day, we did an interview with the ex-director general for health in the European Union and he was talking about the challenges of having a health policy, which is really like an information security policy. And then it was like, "Okay, now I've got to get people to actually do it.
I've got to get people to do it across 27 countries, which all have different cultures." So when we talk about the Chinese and we face an information security, "Here's my policy. I need to deploy it across all these countries. They all have different cultures." It's the same challenge. And so it was great to have him on the show, because he started talking about behavioral economics and uncomfortable truths and things like that. You have to sit there and just let it sink in and then come back to it.
But a lot of people, I just want the shortcut, which is very human. Okay, well, you can get the shortcut if you just go in and you go and look at the membership program we have, and Bruce basically goes, "These are the points you really need to take away."
[00:50:01] CW: Okay. Is there anything you want to talk about going on at Marmalade Box at the moment?
[00:50:07] BH: Well, I think what we're doing at the moment and then just a real focus because of COVID, all our training we used to do face-to-face. And we did get quite a bit of encouragement when people say, "When can you put it online? I can't make it there geographically." The cost of traveling and the time away from the office, all those sort of things. So we're actually in the process of taking all our training courses. So there's the Re-Thinking the Human Factor introduction. There's the SABC framework, basically level 1, and the SABC framework level 2. And there's a really exciting thing where risk — So we've done a risk assessment around the human factor, which we are pretty confident will provide you with the best case you have for getting investment in security in the human factor. So we've got that. Of course, we do around that and we got quite a few organizations to implement that. So we're pushing that all online, which is great. There's the membership program, which is going to be available. And also, we're looking to run a summit at the end of Q1 in 2021, where we sort of take the format of a podcast and we bring it all online. And it's all like going to be an online summit where you're going to get introduced to some really challenging thoughts around how the industry can maybe be reshaped to address the human factor.
[00:51:38] CW: Okay. So you've whetted everyone's appetite for all these different things they can check out. So if you want to hear the podcast, or read the book, or find out more about Bruce Hallas, where can they go online?
[00:51:48] BH: Okay. Well, I mean, if you go to — First thing, if you want, here's my personal email address, [email protected]. If you want to drop me a message, I'm always happy to respond. The other thing, you can go to the marmaladebox.com website where you can find the podcast. You can also find the podcast and you can find the book on Amazon. You can find the podcast on iTunes and a number of other —
[00:52:16] CW: Standard podcast thing. Yup. Good.
[00:52:19] BH: Yeah. If you do a Google search for Re-Thinking the Human Factor, you will come across quite all the content on there. Yeah. I mean, if you're struggling and you're really interested, drop me an email. I'm always happy hearing from people.
[00:52:32] CW: That's great. Bruce, thank you so much for joining us today. This was super, super informative and really fun to talk to you.
[00:52:39] BH: Absolute pleasure having me on the show. I'm really chuffed that you decided to invite us on.
[00:52:46] CW: Well, thank you again. And thank you as always for all of our listeners and watchers. If you enjoyed today's video, you can find many more of them on our YouTube page. Just go to youtube.com and type in Cyber Work with Infosec and you can check out our collection of tutorials, interviews, and past webinars. If you'd rather have us in your ears during your workday, all of our videos are of course available as audio podcasts. Just search Cyber Work with Infosec in your podcast catcher of choice. And thanks as always to people who are rating and reviewing. It does help. The more, the merrier. Tell a friend. Tell anybody.
As a reminder, if you want to download our free Wild Wild Net security awareness campaign, which includes posters, infographics, newsletters, emails, templates, presentations and more to keep your employees safe, go to infosecinstitute.com/ncsam2020 to get them all.
Thank you once again to Bruce Hallas and Marmalade Box, and thank you all for watching and listening. We will speak to you next week.