[00:00:00] CS: Hitch up the wagons and polish your spurs, because it’s high noon, and the searchers are looking for a way into your network. October is National Cyber Security Awareness Month, and Infosec is helping to tame the wild, wild met with our collection of free training resources that will make your employees the masters of the cyber frontier and bring cybersecurity to the forefront of your organization. Go to infosecinstitute.com/ncsam2020 to download our free toolkit containing a stagecoach full of provisions to run month-long security awareness campaign, including posters, infographics, newsletters, email templates, presentations, and more. Grab Cybersecurity Awareness Month by the horns with this wild bunch of free material from our award-winning LX Labs team.
Just as the wanted posters in the Wild West help the public recognize the region’s most notorious villains, our free training kit reveals the identities of common cyber threats to help prepare your employees for the real attacks they face. Again, go to infosecinstitute.com/ncsam2020, or click the link in the description to get your free collection of training materials and help spread security awareness.
Now, let’s begin the show partner, partner.
[00:01:15] CW: Welcome to this week’s episode of the Cyber Work with Infosec podcast. Each week, I sit down with a different industry thought leader and we discuss the latest cybersecurity trends, how those trends are affecting the work of infosec professionals while offering tips for those trying to break-in or move up the ladder in the cybersecurity industry.
At the time that we’re taping this episode, our guest, Bruce Hallas, is just a few days out from being a guest speaker at Infosec’s Inspire 2020 Conference, a meeting place of cybersecurity professionals, thought leaders and instructors that’s taking place entirely online this year for obvious reasons. We hope you’ll check out Bruce’s conversation with Christine Zorovich or that you have already, because this is coming out a bit later. But I wanted to also speak with Bruce today, because I think there’s a lot to say about security awareness and the creation fostering the security culture inside of every organization.
So Bruce’s podcast, Re-Thinking the Human Factor, has been made into a book a well. You should check out both of them. But we’re going to talk to Bruce today about security awareness, behavior and culture of framework today. Boy! I didn’t say that. Well, Bruce’s security awareness, behavior and culture framework as well as ways that your organization can create a culture of security that really sticks.
Bruce Hallas is an enthusiastic advocate, consultant, trainer and speaker in the field of information security awareness, behavior and culture. He has worked over 20 years as an information security manager, practice manager and consultant to lead and support positive changes that helps organizations manage risk. As the creator of the SABC, Security Awareness, Behavior and Culture framework, Bruce advocates the role of the human factor in information security through speaking engagements and his Re-Thinking the Human Factor podcast and book.
Bruce, thanks for being with us today.
[00:02:52] BH: Oh, it’s an absolute pleasure, Chris. Thank you very much there. Yeah, there are some tricky ones there, aren’t they? The old SABC.
[00:03:00] CW: Yeah.
[00:03:02] BH: Normally it’s a three-letter acronym, and I think I would say I’m going to use something different than I went before. Yeah, but I call it ‘SAYBAC.’
[00:03:12] CW: Oh, there you go.
[00:03:12] BH: How accurate that it as to describe. But yeah, SABC is the –
[00:03:18] CW: SABC. That has a good ring. I’m going to incorporate that. Let’s see if I can say it three times in a sentence and then it’ll be mine. So I want to start – We always like to start by getting a background on our people here, our guests. So where did you first get started in IT and information security? I know from seeing an advance cut of your Inspire presentation that you came to IT and security from law, finance and marketing. So what was it that made you want to switch over to such a different area of focus at the time?
[00:03:48] BH: Yeah. That’s a really, really good question, and I’m going to be brutally honest with you.
[00:03:52] CW: Please.
[00:03:54] BH: This was a time where I was looking for work, and a lot of what I was looking for was really very much driven around business development more than anything. And I actually had – This is a funny story. And I actually got – I put my details out with a number of recruiting consultants, and I got a phone call from a recruiting consultant and said, “Look, somebody would like to interview you.” I said, “Okay, great. Who is it?” And they mentioned this person’s name. I said, “Hold on. That’s somebody I’ve worked within the past.” So I said, “So what’s the job problem about?” And then they explained it. It’s about IT security. And I was like, “Okay.” I said, “I don’t really know anything about IT security.” And they said, “No. But they know you and they want you to come in.”
So I went in for the interview, and I got through the first interview, because the point that I guess that we ended up talking about was really more about the human side of things. IT security, what’s IT security? And I made it very clear from the very beginning that I’m not a very technical person at all. But the human aspect was something which was more of interest to me. And I proceeded to the second interview and I was offered the job.
And I think one of the reasons why when I spoke to the MD years later, I was like, “Okay. Why did you offer me the job?” He said, “Well, funny enough, everybody in the final interview when it came to do a presentation, did a presentation around technology, you didn’t do a presentation around technology.” He said, “You actually took the catalogue that I had written, the brochure for our organization.” He said, “You took it and you dissected it. You identified the things that we felt were really important to our value and our culture, and then you aligned security to that.”
And he said, “Because that’s I –” He was saying the interview was for him, I was selling to him, and this was something that was really important to him. And I aligned security to what he felt was really important. And that was a lesson that I’ve then went on to sort of expand on to do my legal and finance and marketing in the early days. I used to access a conduit between the IT director manager and the rest of the business. They would tell me what they were thinking from a technical perspective, and I would translate that into a language that the company secretary, or lawyer, or advocate would understand, or the marketing person, or the finance director. And it was a winning formula. And I think it was that, very early, speak to people in a language that they understand and comprehend, and you’re much more likely to get engagement from them and buy-in.
[00:06:53] CW: Yeah. What I like about that too, I mean, a bunch of things. But first of all, we have a lot of listeners on this show who are just considering security, or cybersecurity, or IT as a job for the first time and they might be thinking, “Oh, I don’t have the tech background. I don’t have all these sort of stuff.” But so many really good cybersecurity professionals have no tech background and come to it, like you say, from law, or from finance, or from one of our past guests said her best computer forensics person came from a psychology background and she was able to understand the psychology of like the way people like text message when you’re breaking open a phone or something like that. This is such an industry that is understaffed at the moment and we’re looking for professionals. And I think part of the reason is that people don’t realize they can’t see their role in it.
[00:07:46] BH: You really make a lot of very valid points though. I think it’s really interesting. When you see where the industry has come from 20 years ago, pretty much everybody I was – All the people I knew within the industry and all the vendors that we were speaking to, it was very, very tech. And that was partly shaped by the language we use, IT security is an IT problem. So the solution had to be more IT. And so I think as an industry, we sort of evolved from this very technical basis. But overtime, what we’re seeing is – We started to stop thinking about technical solutions and saying, “Well, actually, I’m never going to be able to secure this.” So this is really about understanding risk and balancing risk and finding ways to reduce the risk exposure in line with my appetite for risk.
And then suddenly we started to realize, “Well, actually, you know what? We could just change our process. Instead of the technology, we change the process. Hey, we could train people better.” So they make less mistakes. And so the industry has sort of matured to actually understand now that the disciplines and skills that we need to address the information security, cybersecurity challenge, much, much broader than technology. And a lot of my work around the human factor has been about understanding how behaviors are formed and influenced and how cultures are formed and influenced. And I think a big drive of mine within the rethinking the human factor program is how can we engage with people outside the industry to demonstrate, “Look, your skills could be incredibly valuable in this context.” It’s an area of huge growth. Cybersecurity needs a continued area of huge growth. Yeah, I completely agree with you. Lots of opportunity for listeners who don’t come from a tech background to really, really come in to make a big difference.
[00:09:52] CW: Another thing that just sort of occurred to me also, you’re saying like 20 years ago, there wasn’t this sort of emphasis on the human element. And I wonder if that’s also because 20 years ago, not every single person in every organization had to be sort of interfaced with every aspect of computer. Large swaths of companies were still working on pen and paper in 2000 or didn’t have to necessarily even know where the G: drive was or know to sort of backup things online or do anything. So now that you have this completely expanded culture, where everybody needs to know how to get on the cloud. Everyone needs to know how to sort of like archive and backup and backups and not click the pizza coupon that might have a phishing thing in it or whatever.
[00:10:33] BH: Yeah.
[00:10:33] CW: Now you have this entire new industry that’s sort of opened up around the idea that we’re all here now. We need to know how to do this safely.
[00:10:42] BH: I mean, you’re definitely right. The number of users interacting with the system, it’s just a complete shock. Who doesn’t? But I think it’s really interesting even before then, when you went back 20 years, the IT system in a really simplistic way, and I don’t mean to cause no offense. But I remember when I first started security, I always sat there looking at the PC that I’ve been on my desk and I was like, “Basically, this is a way for me to input data information which gets changed into data. It stores it and remember it a lot better I can. And then it’s there for me so that I can access it again. And then you had networking so you could store it on servers and other people would access it and those sorts of things.”
But it really came really came down to one thing. It was all about information. And I saw a change in – You can see a change in length, but people talk about IT security. And then we sort of matured to ones that it’s about information security. And I remember when that happened to me in the organization I was working for, and it was called IT security. And one of the first things we needed to do is stop calling it IT security and call it information security. As soon as we did that on the psychological level, suddenly, that information didn’t belong to me. That belonged to everybody else.
[00:12:07] CW: It’s not someone else’s problem anymore. Yeah.
[00:12:10] BH: We were able to go to like finance and say, “Look, this is your financial data.”
[00:12:14] CW: Yes. Yeah.
[00:12:15] BH: So you need to make some decisions about what is the risk you’re willing to live with. And this is your marketing data and this is your sales data. Because traditionally what they had thought is this is a technical problem. I’m going to give it to the IT function and they’re going to solve it.
[00:12:28] CW: Yes. And I don’t have to think about it.
[00:12:30] BH: Now I have to think about it, because, “Hey, it’s my own information.” And in many ways, people didn’t want – When they realized it’s their information, it’s their work, what they didn’t want is somebody coming in and telling them what they can and cannot do. What they are prepared more to do is if you facilitate a conversation with them where they defined what was a risk that they were willing to work with and then we would come with solutions to that, they defined their needs. We brought them up a solution to their problem. They were so much happier to work with us.
[00:13:02] CW: Yeah.
[00:13:04] BH: Yeah. But I think going back to your point, before IT, there was information and there’re also issues of confidentiality of information. There was always an issue of integrity of information. Information stored on our – I don’t know. Let’s say a Rolex.
[00:13:21] CW: Yeah. Yeah. Right. Right.
[00:13:23] BH: Your filer fax, the filing cabinets. So I think it’s interesting, because we’ve always have the need for confidentiality, integrity and availability of information. The growth of technology put it into a different environment. But actually the need for confidentiality, integrity and availability in the early days pretty similar to when we had physical information.
Yeah, I mean, it’s really changed somewhat now and everybody using tech to access information. Even back then, people are still using information, but they’ve never seen it as – there wasn’t this industry around the whole point.
[00:14:07] CW: Yeah. You put a padlock on your filing cabinet and you’re good to go.
[00:14:11] BH: Exactly, or you had the padlock on the office to stop people getting access to information. And you might have a key in the filing cabinet for your most sensitive information.
[00:14:25] CW: There you go.
[00:14:27] BH: It’s just the same things we do to a certain degree without a key.
[00:14:31] CW: Yeah. Let’s get into it then. So the main meat of your podcast and book; Re-Thinking the Human Factor, centers around security awareness, behavior and culture. I saw it on kind of your Inspire presentation, you noted several interesting things. First, that organizational culture and security culture are often treated as two separate things, and that there’s work to be done in linking the two. Second, that improvement in security awareness, applications come down not to I should be doing this, but I want to do this, and this is my spot to do it.
So I want to get into some specific case studies, if you have any in mind, like where organizations were able to tie security and organization culture together effectively. And also, can you sort of like give me some examples of where people or companies were able to move from I should to I want to?
[00:15:15] BH: Yeah. Obviously, I can’t talk about organizations that I work with and –
[00:15:20] CW: Oh, no. We’ll call it company X. Yeah.
[00:15:23] BH: Yeah.
[00:15:23] CW: Sure.
[00:15:26] BH: I’m sure there’s a company called X.
[00:15:28] CW: Oh, yeah. If there isn’t, there is now. Yeah.
[00:15:32] BH: So where do we want to start? I think that the first point you make there is about culture. So as an industry, we talk about security culture a lot, and I think developing a culture is going to help change behavior, but also helps with awareness. It also helps when you’re company has an incident and you’re in front of a regulator. And more often than not, what we see reported in the media is there’s a toxic corporate culture in relation to cybersecurity, and that’s resulted in this breach.
Actually, focusing up on culture is really important, because eventually we all have a breach and we don’t want to be in that classification in front of the judiciary, regulators, the courts, the senate, whatever. We don’t want to be called up in front of a committee and then basically be told you got a toxic culture. So looking at culture is very, very important.
The one thing that came from my own research when I studied in culture in some depth, I look to organizational culture, I looked at culture more broadly, is that I think the first point is establishing and embedding an organizational culture. Trying to influence an organizational culture is very, very hard. It takes a lot of time and a lot of resources, okay? Most organizations are already either very proactively or are still pushing through projects, which take three years, 5 years, 10 years, 15, 20 years around culture.
Why would we want to try and develop a separate culture with all the cost and overheads that come with that? If you take it to the board and say, “Hey, we’ve got this organization culture. We want to develop a security culture.” In many ways, what you’re sort of doing is saying, “We want something that’s different.”
[00:17:49] CW: And something potentially very difficult that they’re just going to roll their eyes at and go, “Come on! We can’t even do the other thing.” Yeah.
[00:17:56] BH: Yeah. We haven’t even finished this one and you want us to do this one.
[00:17:59] CW: Yeah.
[00:18:00] BH: The second point is that I think it’s quite well-recognized amongst security profession that one of the challenges is that we want security just to be the way things are done. We don’t want it to be something special. Because making something special, people have to aspire to it. You’ve moving in towards it. Whereas if it’s just part and part of how everything is done within this organization, the values which are most important to it, that creates a lot less resistance.
[00:18:38] CW: Yes.
[00:18:39] BH: So by creating a security culture and make it separate to the organization of culture, it’s counterintuitive to what we genuinely know and genuinely want, which is for it just to be part of what everybody does. So I think there’s this thing that’s counterintuitive to try and do something, which is labeled completely separate. Potentially, these are just –I’m not saying security culture is wrong. I’m just saying these are things for us to think about.
[00:19:06] CW: Yeah. We’re just starting to sort of understand these sort of things as separate things and then how to integrate them. So of course there’s going to be lexical difficulties. I’m sorry. Go ahead.
[00:19:14] BH: Security culture, it’s not unheard of where people say security is not my concern. It’s the responsibility of the security team in IT or information and IT. It somebody else’s responsibility. As soon as you label it, it provides people the opportunity to say that’s not my problem.
[00:19:39] CW: Yeah. Absolutely.
[00:19:41] BH: Again, these are just small things. And my view is that understanding and fostering and embedding values which are the security and the organization have commonality. Identifying those values and leveraging those is really, really important. I think in the book I mentioned things around culture. There’s a new chapter in a new book that’s coming out as well, Security ABCs, where we talk about culture. And for me, I just think that we’re saying security culture, but maybe that is going to potentially down the road cause us some more problems that it’s going to solve. Might be too much of a focus on the shorter term.
[00:20:34] CW: Okay.
[00:20:35] BH: Yeah. And then the other point you made was – I think it was security culture.
[00:20:40] CW: And then also just sort of examples of – Like a concrete examples of how a company moved from I should be doing this to I want to be doing this.
[00:20:49] BH: Okay. Okay. The first thing about I should be doing this to I want to be doing this is that I should suggest that you got to know what it is you got to do, okay? But then the next move is I want to be doing this, is that you’re actively choosing to do it.
[00:21:12] CW: Yup.
[00:21:13] BH: Okay? So there is the assumptions we make, is that if we present information to people, to our employees through an education and awareness program, through giving the information for them to then make informed decisions. The assumption we make is that they’re way up. And that logically they’ll come to the same conclusion that we as the security professionals who’ve written the policies have come to, which is that they will comply.
So I remember having a meeting with a client where we talked about this very issue and they said, “It’s in their contracts.” I said, “So does that mean they have to comply?” They said, “Well, yes. It’s in their contract.” I said, “No. You haven’t answered the question.” Just because it’s in the contract, just because it’s legal, would everybody obey?” And they went, “Well, no.” I said, “So what’s the repercussion or what they would do? Because there’ll be a penalty.” I’m like, “Okay.”
And then I use the example of people train to drive to get their license. So they’re assessed for their competency. And as part of that, here in the UK, sorry, here’s a 13-mile an hour zone speed limit. I said, “How many people drive over the speed limit and this particular time?” They said, “Well, imagine a lot of people.” And I said, “Well, I know Yorkshire, which is a county in the United Kingdom back in the day.” I said, “There were 110,000 speeding tickets issued.” I said, “People aren’t very logical.”
And so the whole point about moving people from people saying, “This is what I need to do, to what I want to do,” is that we assume that if we give them enough information that they’ll want to do it.
[00:23:10] CW: Right, and there’s actual incentive and not just if you don’t do it, you’re going to be punished in some small way. Yeah.
[00:23:17] BH: Yeah. Now, actually, when you understand part of my research, I did an interview with a gentleman by the name of Dan Ariely. Also, there’s an interview on the podcast with Susan Weinschenk, and one of the things that came out of that is a lot of what we do in society, basically in this assumption that people do as they’re basically told. They’ll apply logic. But actually, if you want to think about it and just use my head as almost you can imagine it being a brain, okay? You can always imagine, the brain is split in half. It’s not physically split in half, but there’s one side, there’s like a system one-sided brain and the system 2. Now, one-sided brain – Let’s call it this one here, will think things through. So it will look up the information it’s received as part of this education and awareness program. It will hopefully remember some of it and it will think about it. And that’s the part of the brain where logic happens, okay?
So if you think about it, if you play chess, that’s the build of the brain you’re going to be using, okay? When you’re first learning to drive and yet – Do you remember when you first learning to drive and you’re like –
[00:24:28] CW: Every decision is incredible. Yeah.
[00:24:30] BH: It’s incredible. Yeah. You finish the driving lesson. You’re absolutely shattered, okay? So you’re having to think. When we find ourselves in situations, in some situations where like actually we’re cognitively thinking. And that’s the time when we’re at our best of weighing up the pros and cons and thinking things really through.
[00:24:52] CW: Right.
[00:24:53] BH: The other side of the brain, you can think of it as the automatic side. It’s like subconscious. And some people call it the lizard brain, because it just clips-out and does things automatically. Now, that side of the brain is used a lot more than most people would think. So the thing is that side of the brain to think that quickly is using a range of things that we developed through evolution, and these things are called biases and heuristics, okay? You could think of them as shortcuts.
Instead of having to spend all the time cognitively thinking on this side about the problem, the situation what you should be doing and trying to remember things. This side of the brain just makes really, really quick decisions, okay?
Now it does that in a range of circumstances. But one of them might be, for example, you’re under pressure, okay? One of them might be you’re in an environment that you’re not really used to. One of them might be that you haven’t actually got all your senses working efficiently at that particular time. Now you think about a phishing attack, what is it that they do? The email is generally very urgent, okay? You received a lot of these emails at particular points in the week or times in the day.
[00:26:28] CW: Yeah, off-hours, or strange times, or if you’re working in the evening sometimes.
[00:26:33] BH: Yup. Okay. If you know there’s a public holiday on the Friday and people on the Thursday are trying to close everything down as quickly as possible –
[00:26:44] CW: Yeah. Probably lose ends. Yeah.
[00:26:47] BH: Yeah. They lose their concentration. And what that is, they’ll start making decisions with this automatic side of the brain. And the biases and heuristics in there are incredibly powerful tools that we’ve evolved over years and they’ve helped us really, really well in many aspects. But when it comes to decision-making, often, in the world that we live in now, and those decisions include whether to comply with things, whether to click on that link, whether to do this or whatever, they don’t necessarily in positive outcomes.
And cyber criminals, and Wall Street Journal actually wrote an interesting article about two years ago where they picking up that, actually, cyber criminals have understood that people – They understand how people think, how they make decisions and how they behave and then they will incorporate their insight into their campaigns to attack organizations.
Now, we put this down in security, we say very sophisticated attacks and it’s because, “Well, actually, the whole behavioral piece from Facebook, LinkedIn, a lot of the high-tech, the tech successes that we see around us, a lot of what the businesses are doing nowadays, even governments, campaigns, are using this understanding of how the human processes the information and makes decisions and then acts upon that. And to develop products and services and get people to vote and get people to invest in healthcare and pensions and all that sorts of stuff.
I guess the thing is when you get people to move from – Is it as simple as saying, “Well, I’ve got to do this or I want to do this.” There is a third level, which is subconsciously, we recognize that people make a lot of decisions subconsciously. So it’s not just people saying, “I want to do this.” Is people doing it?
[00:28:47] CW: Instinctively. Yeah.
[00:28:50] BH: And I think that’s one of the most exciting things for me with my research is, yes, we want to get people to buy-in to and to say they want to do it. But remember, people will often leave. I’ve seen research around people that have attended financial workshops around pensions and planning and all those sorts of things, and they’ve been assessed and they said, “Yeah, definitely going to put money aside every month towards my retirement or my health or those sorts of things.” And then actually a really, really small number of people follow-up on what they said they’re going to do. And that’s not just health and pensions. That could be anything from going to vote in an election. It could be absolutely anything. The evidence is that we are inclined to say we’re going to do something, but actually the evidence is, in a lot of cases, even though we really want to do it, we don’t do it.
[00:29:43] CW: Yeah.
[00:29:45] BH: Actually, understanding how people are making those decisions and how you can be maybe tapping into things to be more instinctive I think is one of the best opportunities we have in security to really push the agenda forward on the human factor.
[00:29:59] CW: Yeah. Now I want to talk about that in a practical way with regards to – If you’re working for a company and you’re not in a decision-making portion of the company. You’re not the person from whom the decrease come down or whatever where we could start integrating stuff like this. If you see your organization has kind of a lax or sloppy security culture but you’re not necessarily in the leadership to make change, what are some things you can do to sort of improve the culture yourself no matter where you are in the org chart?
[00:30:32] BH: Yeah. That’s a real challenge, because a lot of people would talk about culture needs to come from the top down. Okay. And I ‘m a believer that it does come from top down, but I also believe that culture comes from the sides in and from the bottom up. And that’s because what people – Often, organizations will say, “This is our culture and this is what we expect. But actually the thing that’s most likely to influence people’s behaviors is not necessarily what they’re told is happening, but what they see immediately around them is happening.
If you say security is important from the top, but everybody within the – I don’t know. Everybody in the logistics function doesn’t really have that view –
[00:31:40] CW: Yeah. The whole doesn’t apply to me thing.
[00:31:42] BH: Yeah. It doesn’t apply to me. Worst, I didn’t even know what a security.
[00:31:47] CW: Yeah. I didn’t read that email. Yeah.
[00:31:50] BH: So culturally there, what you’ve got is you could go, “Okay. Well, this isn’t that important. They it is, but it isn’t.” And that’s what you call like a cognitive dissonance. And that’s not unusual. A lot of organizations, the top seems to say this, everyone else you say, “Hey, that’s new to me.” You only have to look to organizations. Google is a great example. Where actually people join the organization because they get drawn to the culture. And when they experience that that culture isn’t necessarily consistent across the organization, they shout. They make their voices heard. We know that there have been a number of protests around by Google employees when they’re going out there and said, “You know what? Your values that you say are important, aren’t –”
[00:32:43] CW: They’re not here. Yeah.
[00:32:44] BH: Aren’t there. Actually, there is a point to say that culture can’t come from across any aspect of the organization. And it’s almost the point of socializing. So we know that humans or people are subjective to social influence. The more they see people that they interact with behave in a particular way, the more likely they are to say that is the acceptable norms. And most people, and I say most, actually don’t really want to be outsiders.
But it’s interesting, because outsiders think that they’re not part of the group or a group. They don’t belong to a set of identity. But actually by the mere choice of saying, “I’m not part of a group.” You’re a part of a group. It’s just that that group is people that don’t want to be associated for that group.
[00:33:45] CW: Yeah, right.
[00:33:46] BH: Yeah. It’s quite well-established. Yeah, I think that hopefully that sort of answers your question a little bit. I’ve seen it within organizations where – I’m just giving you an example, Google, where people turn around and go, “Hey, that’s not good enough.” And then the board or whatever have to make decisions.
The other thing which is something – What does the board pay attention to? So if it’s not going to pay attention to you, what does it pay attention to? Okay? Now this for me the role of leadership, middle managers and senior managers in information security, is about developing relationships where you can facilitate a discussion where you come to learn something about your customer. The board is your customer.
[00:34:46] CW: Right. Okay.
[00:34:48] BH: Okay. You give them their ideas. They say, “Yes, you can have the investment and our support.” In many ways, I sometimes ask myself when people say the board just aren’t buying into this. Are we pushing the blame to the board for us not being as effective as we potentially could be in terms of influencing them? Sometimes it’s being realistic. I think with Christine, in the chat I had with Christine, which is mentioned in the beginning of this chat. One of the things she said to me is can you give you some advice? One point of advice?” I said, “Well, the one thing that i would advise everybody is to realize your invulnerability, because often, when I started off looking at the human-factor, I made a lot of assumptions. And then when I did reach it, I realized that my vulnerability was that I thought I knew something that I didn’t. And it can sometimes be that if your board isn’t behind you, the question isn’t necessarily why is the board not behind me? But what is it that I’m not necessarily doing as well as I could do or maybe it’s just not a strength of mine. I need to speak to somebody else to get support.” To understand actually what it is that the buttons that they need pressing. And maybe it could be – Here in the UK, the Financial Services Authority has often pointed its finger towards culture and said, “Look, for those people that are breached,” it open said they had a toxic corporate culture. I know that’s happening in the US. And you say to the board, “Maybe that’s the point.” And then they say, “Well, I don’t want my reputation damaged on the chief exec.” And said, “An instance is going to happen,” and this is the sort of feedback we’re getting back from the senate committees when they interviewed chief execs following an incident, and they talk about culture.
So where do you want to be as a chief exec if you have to stand or sit in front of the senate committee? The lawyer in the house will say we want to be in the best position that we are to defend us up as effectively as we can. And you go, “Well, these people are saying that because there was no culture or it was a toxic culture.” That is part of the reason why they’re holding you to account. So finding out really what the board is interesting, what they listen to and then shaping your discussion leveraging that. For me, that’s got to be one of the best ways to get things done.
[00:37:22] CW: Okay. Now, I want to pivot from that a little bit towards sort of career aspects of what you do. You’ve learned what you’ve learned over a course of a decade. So listeners who might want to do something similar as a career are probably wondering where you start with the type of work you do. So what kind of – On a granular level, what type of information or study or training, etc., do you recommend who might want to implement better security awareness practices in their own organization or do the job of this sort of thing for other organizations?
[00:37:52] BH: Yeah. So one of the things, if you listen to the podcast, one of the things you will find is that most of the guests don’t work in security.
[00:38:05] CW: Okay.
[00:38:08] BH: So we interview a lot of people, behavioral psychologists. We interview lawyers. We interview people who – Bill Clinton’s former speech writer. Barack Obama’s director of comm strategy for cybersecurity. We’ve had storytellers. We got somebody coming on who’s a linguist. And the thing is I found that there are a lot of other people whose focus is upon raising influence, influencing behavior and embedding something within culture.
And those people have been doing it far longer that our industry. So I ask myself the question why we invest the wheel. Why not go out there and listen and engage with people and do causes and effect and learn about these other aspects and not focus on the security side of it.
And somebody asked me this, “Could you make a recommendation to me about conferences?” I said, “Yeah, stop going to security ones.”
[00:39:36] CW: Except for Inspire.
[00:39:38] BH: No. I said, “You’ve got to find a balance.” I said, “You’ve got to understand security. But if your focus is around raising awareness, influencing behavior and fostering an organization culture,” I said, “Why do you go to a conference around behavioral science?”
[00:39:56] CW: Yeah. Yeah, there you go.
[00:39:58] BH: And all my research was about going to conferences and reading books and doing interviews. Well, not all of it. But a lot of my research was about actually engaging with all these other disciplines and then making sense of it myself where I was then able to come up with my SBAC framework, but it enabled me to challenge. A lot of the assumption I had back then was 14, 15 years’ experience. And a lot of the assumptions I was making about how things should be done. And this was as a relatively senior information security managers. I challenged him and I realized that, “Hmm, that’s really quite an eye-opener,” and that meant that I could go and have conversations with chief information security officers and chief security officers and heads of data protection, that sort of thing, and have a different conversation, which opened their mind and educated them. And that built the trust relationship up. And that’s how I tended to get things more done and introduced new concepts.
From a career perspective, I was just – If you’re in security and you want to move into education and awareness, is to think about, “Where can I learn about awareness, behavior and culture?”
[00:41:16] CW: Yeah. Think about what you’re really trying to sort of implement, I guess.
[00:41:18] BH: Yeah, because we don’t need to tell you about security, okay? What we need to tell you is these are your new objectives, and it’s really interesting, because when you study awareness behavior and culture, so many things like doing an education awareness campaign is like actually what if I just designed security controls to be better? What if I make the security controls, the policies, the process and procedures easier?
From a behavioral psychology perspective, one of the early lessons, the easier you make it, the more likely people are to do it. The harder you make it, the more likely people are not to do it. And people say, “Well, can you give us an example?” I said, “Okay, at the beginning of new year in United Kingdom, we’ve had a great Christmas. We’ve eaten way too much turkey and we thought we drank too much as well.” And we have this thing where we go, “Okay, I’m going to make a promise. I’m really go to the gym and all those sort of things.” Hey, but it’s January. It’s miserable outside. It’s wet, it’s cold, okay? I’ve got to make a real effort to get down to the gym. I’m not running in that cold, because it’s hard. Even with all our best intentions and know its’ the right thing to do for health and all those sort of things, the number of people that do it is small, and the number of people that start and drop-off is huge.
[00:42:44] CW: Right. I was just going to say, I’m less worried about my January 1 plan than my February 15th plan, because I also have a gym membership and the first three weeks, you can’t get a treadmill or anything. And then by mid-February, nothing, nothing at all.
[00:42:58] BH: Yeah. That’s it. Okay, yeah. That’s when I’m going to start using my gym membership. See, that’s the point. As part of my research, when I started doing my research, I was like, “Everyone is focused upon doing the education and awareness campaign.” Actually, if you really want to bring around behavioral change, one of the things you really want to be thinking about is how can I better do my security thing? How can I design better security controls? And that’s why, for me, I have this concept philosophy of design with the human in mind. And I apply that not just to education and awareness campaigns, but to how I go around doing governance risk and compliance and developing control frameworks?
And it’s really simple things, really simple things, like tweaking a process can realy have a massive impact on behavior without the need to spend large sums of money on flash campaigns, or even very basic campaigns around awareness, which are generally forgotten within a relatively short period of time.
[00:44:05] CW: Right. Okay. Yeah, as we wrap up today, we’ve talked a bit about Re-Thinking the Human Factor, both the podcast and the book. But to conclude, and you were just talking about a little bit, but give me some highlights from the podcast. Some upcoming episodes you’re excited to share. Some things, episodes that you’ve done that you think people should start with, things like that. Just talk it up.
[00:44:28] BH: I’ll tell you what. If somebody asked you this question, you’d probably go – “where do I start?”
[00:44:35] CW: I don’t remember what I said 5 minutes ago. Yeah.
[00:44:39] BH: That’s a really, really –
[00:44:41] CW: Yeah. No. Yeah. I understand. When you have a deep bench like that, where do I even start recommending? But yeah.
[00:44:47] BH: Let’s start with that. And I think, also, I was having a chat with one of my guests. So we’ve got a French linguist coming on to talk about the power of language. And actually, when you listen to this stuff, it’s going to be like, “Wow! Okay. I’d never really thought of it that way.” And he’s going to be kicking off his own podcast. And he said, “How much time and effort does it take? What’s the cost?”
And we’re talking through and I said, “Look, the biggest thing, the biggest challenge is finding good people to come on the show and educating them about why what they do is relevant to cyber.” Because a lot of my guests, they’re like, “Why would I come on a cybersecurity podcast?”
[00:45:27] CW: Oh, interesting. Yeah. Yeah.
[00:45:29] BH: Yeah. And I have to go through a process of educating them. It was one guest, it took me two years to get on the show. So sometimes my passion is based upon how much effort went into it. And that’s a very behavioral thing. It’s called the IT-er effect. But if I had to pick some, I would say people often come back to me and say the interview with Dan Ariely, okay? Yeah. I mean, that was a very special moment for me, because it was basically two years of ‘to-ing and fro-ing’ before he came on the show. The interview with a gentleman by the name of Gert Jan Hofstede. Now Gert’s dad, basically is probably one of the most approached people when it comes to culture. And basically between the two of them over the years, they are an absolute force in understanding how cultures are formed and influenced. So he’s been on the show twice. He’s from Holland.
I think Susan Weinschenk, who is another behavioral psychologist. The conversation with her was absolutely fantastic. We have – I’m trying to think of other ones that really pick-out. Conversation with – Oh! Here we go. We’ve done culture. We’ve done behavior. From an awareness perspective, there is an interview with – Oh! I’ve forgotten his name. Because there are so many. There was an interview in series 3 with a gentleman by the name of O’Reilly, and he’s an ex-ad man from North America who’s really successful. An amazing podcast. He talks about things from a very marketing type of perspective.
But what we’ve got coming up in series 4 is just to die for. We’ve actually got the ex-data protection commissioner from the UK coming on the show to talk about it from a regulatory perspective, which is a huge thing to have somebody like that come on the show. We’ve got this linguistics person professor coming on the show who’s also an author. He’s French. We’ve also got the head of branding at the Sorbonne University – a full professor in branding. And we’re going to talk about Louis Vuitton, on what branding tells us about the chance we face in security. The security brand, how it affects behaviors, engagement, that type.
Yeah. I mean, there are some that just stick out immediately. But yeah, if you listen to the show, I think they all bring something pretty unique. It’s the sort show you need to listen to it a couple of times and write notes down. One of the things we are going to be doing for those people who haven’t got the time is I’m going to be doing a series of podcasts where I basically summarize every single episode.
[00:48:51] CW: That’s also very helpful. Yeah. Yeah.
[00:48:52] BH: Yeah.
[00:48:54] CW: Get the whole scope or just get the takeaway. Yeah.
[00:48:57] BH: Yeah, absolutely. Really, at the end of the day, we did an interview with the ex-director of general for health in the European Union and he was talking about the challenges of having a health policy, which is really like an information security policy. And then it was like, “Okay, now I’ve got to get people to actually do it.
I’ve got to get people to do it across 27 counties, which all have different cultures. So when we talk about the Chinese and we face an information security, “Here’s my policy. I need to deploy it across all these countries. They all have different cultures.” It’s the same challenge. And so it was great to have him on the show, because he started talking about behavioral economics and uncomfortable truths and things like that. You have to sit there and just let it sync in and then come back to it.
But a lot of people, I just want the shortcut, which is very human. Okay, well, you can get the shortcut if you just go in and you go and look at the membership program we have, and Bruce basically goes, “These are the points you really need to take away.”
[00:50:01] CW: Okay. Is there anything you want to talk about going on a marmalade box at the moment?
[00:50:07] BH: Well, I think what we’re doing at the moment and then just a real focus because of COVID, all our training we used to do face-to-face. And we did get quite a few encouragement when people say, “When can you put it online? I can’t make it there geographically.” The cost of traveling and the time away from the office, all those sort of things. So we’re actually in the process of taking all our training courses. So there’s the Re-Thinking Human Factor introduction. There’s the SBAC framework, basically level 1, and the SBAC framework level 2. And there’s a really exciting thing where risk – So we’ve done a risk assessment around the human factor, which we are pretty confident we’ll provide you with the best case you have for getting investment security in the human factor. So we’ve got that. Of course, we do around that and we got quite a few organizations to implement that. So we’re pushing that all online, which is great. There’s the membership program, which is going to be available. And also, we’re looking to run a summit at the end of Q1 in 2021, where we sort of take the format of a podcast and we bring it all online. And it’s all like going to be an online summit where you’re going to get introduced to some really challenging thoughts around how the industry can maybe reshaped to address the human factor.
[00:51:38] CW: Okay. So you’ve wetted everyone’s appetite for all these different things they can check out. So if you want to hear the podcast, or read the book, or find out more about Bruce Hallas, where they can go online?
[00:51:48] BH: Okay. Well, I mean, if you go to – First thing, if you want, here’s my personal email address, bruce.hallas@marmaladebox.com. If you want to drop me a message, I’m always happy to respond. The other thing, you can go to the marmaladebox.com website where you can find the podcast. You can also find the podcast and you can find the book on Amazon. You can find the podcast on iTunes and a number of other –
[00:52:16] CW: Standard podcast thing. Yup. Good.
[00:52:19] BH: Yeah. If you do Google search Re-Thinking the Human Factor, you will come across quite all the content on there. Yeah. I mean, if you’re struggling and you’re really interested, drop me an email. I’m always happy hearing from people.
[00:52:32] CW: That’s great. Bruce, thank you so much for joining us today. This was super, super informative and really fun to talk to you.
[00:52:39] BH: Absolutely pleasure having me on the show. I’m really chuffed that you decided to invite us on.
[00:52:46] CW: Well, thank you again. And thank you as always for all of our listeners and watchers. If you enjoyed today’s video, you can find many more of them on our YouTube page. Just go to youtube.com and type in Cyber Work with Infosec and you can check out our collection of tutorials, interviews, and past webinars. If you’d rather have us in your ears during your workday, all of our videos are of course available as audio podcasts. Just search Cyber Work with Infosec in your podcast catcher of choice. And thanks as always to people who are rating and reviewing. It does help. The more, the merrier. Tell a friend. Tell anybody.
As a reminder, if you want to download our free Wild Wild Net security awareness campaign, which includes posters, infographics, newsletters, emails, templates, presentations and more to keep your employees safe, go to infosecinstitute.com/ncsam2020 to get them all.
Thank you once again to Bruce Hallas and Marmalade Box, and thank you all for watching and listening. We will speak to you next week.
