Awareness, culture, and behavior. How are these things related to technology and security? In this episode, Kai Roer, the author of Build a Security Culture, provides some insights into the importance and impact of security culture. Kai highlights that there are social and cultural triggers that drive human behavior. Matthew Stephenson and Kai Roer also touch on Artificial Intelligence and Machine Learning. Tune in and find out more in this episode.
Kai Roer – Awareness… Culture… Behavior… OH MY!
Welcome to the show brought to you by Elevate Security. Hopefully, we’ve spent some time together talking about cybersecurity, the human element, and the general chaos of our world over the last couple of years. If you’re new to the show, welcome. Here on the show, we are bringing you all the top experts in the industry for a chat about anything interesting in keeping our world secure.
Speaking of keeping that very world secure, we’ve got somebody who’s been doing that for a while, and his approach is different from the guests that we have had before. Different often means better. We are stoked. I’m always excited to say that I’m always excited, but this one is a friend of mine. This is a guy who’s been doing some interesting things all over the world for a while.
We are so happy to welcome Kai Roer to the show. Kai is the Founder of Praxis Security Labs. He spent many years in cybersecurity with an eye toward the single most chaotic of animals in our business, humans. In previous lives, he has founded multiple companies with a focus on security culture and has served in executive positions to bring humanity into the technological approach to security.
Also, he has been a board member and an advisor to multiple companies. If you ever go to security shows, odds are he’s been a speaker there. If you’ve seen him, good. If you haven’t, hopefully, you can next time. I have to add that he’s incredibly stylish. If you know Kai, then you know how that works. Kai, welcome to the show.
Thank you so much, Matt. It’s a great pleasure being here again and an honor to be on the show with you again too. It’s amazing.
Let’s open up with some awesome news though. We mentioned Praxis Security Labs. You’ve got a newborn baby.
I do. We’ve got to do something, and one of the things I do is build. The stuff I build is usually around security. I’ve been missing that for a few years. When I got the opportunity, I decided, “What are we missing in this industry now that we are starting to get that humans are a factor and technology is still technology and we have processes?” We need to stop talking about bringing them together and actually bring them together. That is what my multidisciplinary team at Praxis is doing. We look into neuroscience, statistics, technology, roadmaps, intervention and all that stuff. Our customers come to us because they expect us to have the answers, which I imagine you do.
Usually, it’s the guest who blows up the pre-discussed outline of things we’re going to talk about, but I’m going to do it because what you said helps me understand Praxis a little bit more. Data analytics has taken over sports. For those of you out there who are not sports fans, apologies. Stick with me for the metaphor and you’ll get there.
Many decisions are being based on a deep-dive statistical analysis of performance, in which performance is inextricably linked to human behavior. When you talk about those things, how can we quantify what it is that people do to give back to them the information to say, “Here is what we have learned about you. Here are our thoughts.”
I will run with your sports story there, Matt. You are right. Statistics and data analytics have been tremendously helpful, but it would never have worked if you did not have a team of real humans understanding and interpreting that data. You can have data, flashy beautiful presentations of the data graphics and the tables and what have you.
If you don’t understand what the data is about and try to describe it, you will make mistakes. We see that in our industry where you try to replace the human brain with AI and machine learning. I’m not saying that we should not be using AI and machine learning because those are tremendously great technologies, but what I’m saying is that we should learn from companies like Palantir, for example, the spinoff from PayPal back in the day.
What they realized is data analytics only take us roughly 80%. We need human eyeballs and brains to help us understand, is this alert over there a false flag or is it something that we need to care about? If it is, what do we need to do about it? Computers and statistics cannot help us with that but they can help us by discovering patterns and flagging issues or anomalies for us. We need people to say, “We see the football player kicks hard but in the wrong direction. We need to teach him to aim for the goal when he kicks and not kick hard.”
Mbappé is not going to get 5 goals against every team if they’re a 5th-division French League team. It is an appropriate metaphor to move to something radically different when you’ve got 2 chefs in 2 different kitchens, and they have the same protein veg seasonings to make a dish, but there is an artistry to one as opposed to a mechanic approach to the other. We put them together and go, “Here’s the meal.” One of them wins a Michelin star and the other is like, “I’m full. Thanks.” You pay and go.
That is something you see everywhere, especially if you do go outside and eat but you don’t have to go out and eat. You can turn on your television and look at these chefs’ shows where they bring in chefs. I give them recipes and all the ingredients and then they compete in making or creating whatever it is that they’re supposed to be making. If you haven’t seen those shows, I can tell you there are huge varieties of success rates, shall we call it that? Some people can do it. Some are not. I would rate myself humble as I am. I’m in the middle.
We’re going to talk about security as opposed to football and cooking. Although, we have no guarantees that we won’t keep talking about that throughout the rest of it. The word culture gets tossed around a lot. Given over the course of your career, your focus in security has been on people. By definition, it’s self-created culture, good, bad and indifferent. You’ve written books and keynotes and founded companies. When that word gets thrown out there, do you roll your eyes? Do you lean in? How do you explain the idea of security culture to respectfully address the notion of the chaos that people bring and what we need to do about insider threats?
I will correct you first, Matt. My background is in technology, like a lot of people in our industry. At some point, I found technology to be boring. I could get it to do whatever I wanted to do and very rarely would it surprise me. I’m the guy who needs challenges. I was working with people, having employees and colleagues. I’m like, “Didn’t I just ask Matt to do something? He’s doing something else. What is going on here?” For me, that was an intellectual challenge.
In the beginning, it’s frustrating and interesting. After a while, I’m like, “This is fascinating and worth pursuing.” That’s when I went into leadership, a couple of years later, I was still working on security and technology. I was like, “What is our industry missing?” We are missing the fact that people are building and using our technology. We were good at technology years ago. We’re getting somewhere at least but maybe not good compared to now. We’re also missing this big elephant in the room. People are using and building this.
I then started looking at people and reading organizational psychology, theory and communication. What does a marketer do when they want their target audience, which is a keyword? They first need to know who their target audience is. If they want you to buy that football ticket, how do they need to tweak their message and put their message in a place where you will see the message and that message will trigger? Is communication a huge thing here?
I started connecting the dots between these single topics like technology and communication. It turns out there are more people who speak to other people. They work in groups. I did some social psychology studies and have been playing with social engineering for some time. I was like, “There is something I am missing here. The dots and bridges are to be built across huge areas. We have a thing called culture.” Culture is something I have. It’s something you have. You reading this have culture. That was a rabbit hole that I went headfirst down into, and I’m still trying to find my way out.
If getting out of it means you stop doing it, please don’t do that. Staying in helps people to get better at these things. I love that you mentioned marketers. In your career, as you have evolved into executive leadership positions, how much marketing do you need to do or do companies need to do internally to communicate the best practices and ideas, whether it’s unwitting people who make mistakes, that was a great term that you used that I want to get back to, people with malicious intent or even defending against outside attackers? How much do you need to sell in your philosophy as a company inside?
All the time. This is a very important question you ask there. How do we communicate? What is it we are communicating? In your words, how do you sell and what are you selling? The philosophical answer to that is you are selling ideas. You want me to buy into your idea, if that is buying the new latest firewall with blue LEDs and in 2022, they were orange, this new policy to handcuff your employees to someplace where they can’t work from home or a new employee education program. Whatever your idea is, you need to sell it because if no one is buying into it, no one agrees with you or you don’t market it, you are not getting anywhere.
Depending on where you are and how large this organization is, your ability or access to people to buy your idea and their power may vary. If you work in a large enterprise with tens of thousands of employees and you are a factory worker at the bottom of the pyramid, you may have the best ideas. You may talk to your pals and colleagues about it but you may not have access to those people who can do something with it.
Another challenge here related to that one is if you are a heavy technical person and I don’t mean heavy in the American, physical way. If you are in IT and your focus is technical, all you care about is the technology. You are good at that but you need to communicate with your CISO, CIO, the board or someone who is not working in IT and does not care much about technology because they have different jobs.
You must ask yourself this question, “Why are they not listening to me?” Is it because they are stupid, ignorant and idiots who only care about money or is it because I don’t understand how I need to change my approach to make my message resonate with them, my target audience? I see this mistake everywhere.
We believe that everybody looks at the world the same way that we do ourselves, which means that we don’t put effort to tune and tweak or even understand how our message will be received by the receiving party. If I don’t make an effort to make my message receivable based on how my receiving party is, I shouldn’t be talking at all because they will not get it and it’s a waste of resources.
You as a serial founder and also someone who has published books and keynoted and founded companies. Elevate does what we do when we capture data and is pulled from the available technology but we have to apply it to the squishiest of things, which is humanity. How do we close that gap? Do you come in, sit down with the board with the C-Suite and say, “This is what we have learned from looking at your environment and these are the suggestions?” Especially if they think, “We’ve got a great corporate culture.”
One of the biggest issues communicating with the C-Suite and the board is that they don’t get it, and I argue it’s not their job to get it. Instead, I argue that it’s your job to adjust however you present this in such a way that it resonates with their day-to-day job and perspectives. Most board members I know don’t work with IT or security. Some of them may have had some stints as CIO or similar but most of them come from the business world and the communication world.
Very rarely do they understand the technology, especially the security side of things. You need to ask yourself, “If I want these people to understand my pain and help me solve it by giving me money or focus, how should I change the way I communicate so that it resonates with that?” Let me tell you, Matt, screaming louder more frequently is not helping here.
That one I’ll accept as the American approach. Louder, speak slowly and everybody speaks English.
Understand your job. As a board member, what’s your role there? As a chairman, what are you doing? As a president, what is your main target and job? Ultimately, it comes to something you know if you are in security, which is risk management. That’s what they do. They look at every decision they make from a risk perspective. How probable is it that we make the output that we are looking for here? If we do this merger, for example, will we get these benefits?
What are the probabilities of us getting there and what happens if we don’t? Unlike most security people, they look at this risk from a monetary perspective. They count it in dollars or euros, not in the number of breaches and incident reports. You need to understand what they need, for them to understand so that they can make the right decision that you need. You adapt your messaging and talk to them on their terms instead of expecting them to talk to you on the board terms.
Given your experience as a board advisor and founder and all the different things that you have done, when you go in to speak to boards or C-Suites, it feels like technology and security had to fight hard to get a seat at the table. We need to come in and also talk to them about the human element and the notion of insider threat. This is the king of my five-prong question. Are they willing to listen to that? They’re like, “We gave the security person a seat and you want to talk to me about people.” How hard is it to communicate that those are inextricably linked in their approach?
This depends on the company or organization. I work with organizations where their security unit doesn’t have a seat. We are not talking about a seat at the table at the board but they are not even part of the C-Suite. You can imagine their pain in getting heard, budgeted and focused. Some companies don’t get that security needs to be part of the discussion. Other organizations are mature in this regard.
They will invite the security team and have these discussions because they realize that it is another part of the risk discussion but they need to understand it. They are curious. They try to learn but still their job is to think of risk in monetary terms and make decisions based on how they interpret that information and the world. Sometimes that means that you will not get that new shiny, beautiful firewall because we think we can accept that risk.
A little bit of a segue. You’ve been doing this for a long time and have been dealing with both the technology and human side of the attackers versus the target’s conversation. At this point and I’m going to take this bullet because this comes from something from our prep call, what bores you to death?
I’m not a sports guy. I’m more of a music guy. One of my favorites is the Black Eyed Peas. In 2008, they had this song where they were going something along this way, “I’m so 3008. You so 2000 and late.” For me, it’s technology. Years ago is when I sold Fortinet. In 2023, it’s a different landscape. We are in a different place.
Even IT security people understand that there are people, if not using, at least building and managing. We are moving forward, which brings a lot of interesting questions. Who are these people? Why are they doing all this stuff that they do? For example, being an insider, which is not a term I enjoy. It lends itself to a very small number of malicious insiders.
It’s only the theme of the show but as long as we can annoy you, we’re here for you.
It is an important topic. I have tried to find data on this and failed but in my opinion, a malicious insider is almost not a problem for most organizations. That does not mean that you should not be aware of it because there is a risk that may become a problem for your organization. In my opinion, what we should be worrying about when we run companies is not a malicious insider but everybody else who has not received the proper training, education and understanding of the reality of the world and that leads back to technology.
Part of the world is controlled by AI and ML. It is also controlled by huge social media corporations that have fine-tuned their algorithm in such a way that you and I will live in echo chambers. Those echo chambers only emphasize whatever tiny idea we might have had one time when we clicked like on whatever you posted there. All I see is you and your ideas. My idea starts to change. I no longer see everything that may challenge my perspectives and worldview. I lose them. I no longer control my ideas. Somebody else does, which leads to global geopolitics.
I want to press pause on that answer because I have a very specific bit that I would like to talk with you about AI and ML but I do want to do the flip side of the what-bores-you question. Given your evolution, as you’ve been in the industry from technology and the people in all the different things you’ve done, what’s inspiring you when you look out on the security landscape?
One thing that is inspiring me is how the past ten years, I am no longer the only person using the term culture. I was fighting uphill for almost a decade using the term and putting a focus on it, researching, publishing, talking and trying to get our industry to understand that it is not only technology, audits and policies.
We have that people’s thing too. It’s getting very close to ten years. People are using this. Sopra Steria, for example, is a huge European consulting company that started its security culture and business unit within its security consulting team in 2017. That was a long time ago. Companies like H&M have their Directors of Security Culture. Cognite is another tech company in oil and gas and then service things. They have a Director of Security Culture. You wouldn’t see that before and now, everybody is getting it. Some of them may still be getting culture wrong but the fact that they use the term, talk, learn, start to care and implement programs means that we have gotten much further in a few years and that is a huge inspiration to me.
Take a walk with me on this metaphor and tell me if it’s dumb. Is it wrapping the fleshy bits around the 1s and 0s and the hardware or are they two separate things that sit next to each other?
In what context?
The notion of culture and humanity, which is more about psychology and marketing sitting with the hardcore technology angle or do we merge them into one thing?
They are merged. The reason is that who built that tech? Who is using that tech? Who is managing that tech? It’s that bloody flesh or blood and flesh depending on how hard they had to hit that computer to get it to work. The technology that we use now and in the past is based on the culture that we have. They wouldn’t be here without people. The wheel would not have been here without the people and from the wheel, a lot of things happened.
This boils down to the cognitive abilities of humankind. Combined with that, most people are like me. We are lazy and we don’t want to do stuff. It’s much easier for us, especially our brains to have something or someone else, and slave is not so PC anymore, to do our work, hence technology. We put in place technology but it’s still there for us. It’s there to serve us. For me, it’s the same thing. It’s different artifacts and ways that they manifest themselves in our lives.
Returning to what we were talking about artificial intelligence and machine learning, as we are building these things and tools to serve us, it seems like it’s everywhere. For anybody who watches commercial TV, everything is driven by AI. I’m sure at some point there’s going to be breakfast cereal that is created by AI. Where does it fit?
As we’re looking at these things, there are these horrifying ads you’ll see on social media. You can have AI write your marketing content. Put in a couple of bullets and it’ll spit back out. I won’t name them by name but an esteemed long-standing technology journalism site has come under fire because it turns out there was a decent chunk of their stuff that was being generated by AI.
As we look at this idea, if we are pouring things into this bucket of AI to put things back out, what are the ramifications as you’ve spoken of risk if we don’t have the human finger that can deal with chaos? How does that affect what we need to do to keep our users safe, employees and customers?
Number one, there are many different questions you are asking there. Number two, this is a philosophical thing. It’s a practical and technology thing but mainly it boils down to two different things, especially your examples there with the website and stuff like that. The first thing is what is machine learning and AI. The answer is mathematics and statistics. That is what it is. It takes information and puts it into different models and forms. In Europe and the US as well, for every Christmas, we make gingerbread men, pigs and females. A lot of these dough things we put into these forms and we eat them.
We call them cookies here.
Cookies but not necessarily round. They can have any shape and form. AI, you can think of having a cookie and trying to match it to some form. That’s what it does. The cookie would be the data and the form is the model that the AI is training on and trying to figure out. “Is this a cookie dough man or cookie dough circle?”
As long as they’re trained properly, they will usually find a good match. The challenge is that they may find good matches but they don’t know. This is why when it comes to AI and things, we need human brains and eyes to help us realize to what extent they are accurate, yes or no. They may find false positives and false negatives. Our job is to then help figure out, “This was a cookie man but here is math trying to fit into this cookie man form.” It doesn’t work and that takes humans. These algorithms will improve but they will never be in a place, I believe, that we don’t need human specialists or subject matter experts, who can understand what the data is trying to fit in the models, pick the right term and tune the right algorithms.
This leads me to the second part of this answer. These journalists or news outlets, what is their job? How do they make money? They make money by eyes, not on the actual text but on that ad next to the text and they want you to click on that ad or if it’s on TV or a sports show to pick up your phone and order in or go and buy something. It’s all about the ad revenue.
They understand like you probably do. You don’t care about the quality of the story. You care about being a story. They don’t need to pay for high-value journalists anymore, which is why most journalism is not what we used to know back in the ‘70s and ‘60s. Journalists were trained to use their brains, ask difficult questions and share interesting tidbits, not just repeat what everybody else is saying. I’m not pointing fingers at you, Matt. I’m still talking about AI in general.
What these outlets are doing then is realizing that they need to create stories because stories resonate with the human brain and the human brain needs and craves these stories. They will come to our website and humans will click. The problem is that there is this story about AI being dangerous. Terminator, for example, comes back to haunt you and that’s scheduled.
In those stories, we are critically negative towards automated content creation because we believe we can do it better ourselves. Whereas many examples of good-quality content have been shown. I do suspect that going forward we’ll see more and more of this automated generated content, like texts. We see translated TV shows because this hit the right form. That’s a problem. It’ll work most of the time but never fully.
This brings us back to Praxis. What we do is to help you make that fully because we can help you figure out when most of the time is not good enough. That’s a problem with AI. You need subject matter expertise to help you figure out when I read this text, it makes sense. ChatGPT is very convincing in this argument, but it can be extremely wrong. If I’ll ask it to describe the security culture, for example, I’m sure that it may come up with stuff that sounds good but it may not be correct.
Salad tastes good but there’s not a lot of nutrition there. I’m not going to get stuck in this, but I did read something about “how AI is running out of the good works” to be fed to learn to create good language. This is global. This is not just English language written things. Is there a risk in the security world as we continue to feed data into AI and rely on what we get out of it that we might run out of good data? We’ve given everything that we’ve had and have relied on AI to do these things. We’re feeding back AI something that the AI had created. Am I getting too tinfoil hat in that thought?
That is not going to be an issue. There are two other issues though that are going to be much more important. One is bias and the other one is geopolitics. You did mention running out of words. We are going to run out of funding much sooner compared to countries like China where they have higher capacity in using that to train their AI and machine learning algorithms.
One of the geopolitical issues and from a defense and security perspective, the potential challenge is we are losing out on the tech race because we cannot keep up in the future. Who is winning? China will because they have more power, words and people to not only create content but also analyze it. Remember that subject matter expertise. That is critical. Why? That is because of the biases. Humans have been created with and also, evolved into several biases. Biases mean how we see the world and often how we don’t see the world, meaning we have a lot of filters going on that we may not be aware of, which control our behaviors, thought processes, ideas and how we do stuff, including building technology.
You may recall that a couple of years ago, maybe it was Google’s hiring algorithm, I don’t recall exactly what it was, but it was discovered that it was having a high brogramming bias. If you’re familiar with that term, it means that it would more often than not select a guy, blue-eyed, white-pink or pink like myself instead of an equally competent female or a person of color. I hope those are not created on purpose but because of how we are as humans, it is very difficult for us to realize these things and the effect of scale these biases have that we automate and build technology based on these patterns.
I’m going to do a hard shift because this is the official invite for you to come back and I’ve said this to a couple of fascinating guests before. We got about halfway through the things we want to talk about. Enough about us. Let’s move into the leadership corner without violating your OPSEC. You did mention that you were a music guy so when you are not doing all of the fabulous things that you do, which can be seen at all of the most important shows around the world, what are you reading or listening to? What’s on your playlist? Do you have books on the coffee table and magazines in the bathroom? Do you hang glide, which wouldn’t surprise me?
It’s difficult to live the life I do and also have what our industry would call Optimal OPSEC. I don’t have that. I gave up on that many years ago. More often than not, I would read scientific papers and psychology, understanding how the human brain works, biases and these things. One of my many heroes is Richard Thaler. He co-authored Nudge. He’s a brain scientist dude. He used to work with Kahneman and that sort of people. His big idea is that you can help people do the right thing by nudging them in the right direction. Nudging in our case can be like, “I have to go back in time.”
This may not work in the US. If so, please excuse me but many years ago, Hillary Clinton wanted to become president of the United States. She was caught red-handed differently by using Gmail or something instead of reading emails on the White House platform. What makes this related and relevant to Richard Thaler and Nudge’s theory?
Her reason for using Gmail was that the internal systems were so difficult to use because of security that she couldn’t do her job, especially when not in the office. What can we as security professionals do then? If we want employees to do the right and not the wrong stuff, we need to make it easy for them to do the right stuff and difficult for them to do the wrong stuff.
You cost him hundreds of thousands of dollars in book sales and people don’t have to do that anymore.
It’s the opposite. It’s true because of human minds. We are curious and everybody will go in there and either try to prove me wrong which means they will read everything he did and see if I were wrong or they were like, “That’s intriguing. I need to learn more about this.” They too will read his books. I did him a huge favor there.
You mentioned Black Eyed Peas. Give me 5 songs that you’ve listened to from anybody or even just 3.
I refuse because one of them is a WTF moment. In my music stream, I do like Pussycat Dolls. I listened to Don’t Cha and that was so before me and all those things.
I listened to a Banjo band cover Motorhead. There’s no shame here.
I do listen to System of a Down. When I’m in the right mood, I would put on Staind. Usually, I will use some music that relates to what I need to do, either to chill down, work out or write something. I will use different kinds of music to get me in the right mood. That’s music. We covered some of the reading. I do not read my work except when I’m editing it. I do love cooking though but you will never see me on the cooking show. I’m also riding motorcycles which is something I love doing. The last time I was in the US back in November 2022, I rented myself a motorcycle and rode from San Francisco down to Baja, then east to Joshua Tree, north up to Death Valley and back to San Francisco in a couple of weeks. I love that.
My official goal is to get you introduced to a previous guest Kurtis Minder, where you can ride motorcycles but that’s another episode. We’re making that happen. It’s going to be half motorcycles, half security.
We should be meeting with motorcycles, sitting around a fire or something and doing the show.
If we only had the budget but it’s happening. We’re going to do it. I don’t care. I’m going to take out a loan to get it done. Shameless plugs. We’re rolling into the silly season with trade shows and stuff. You’ve got a newborn baby that we want to make sure that you can crow about. If you are writing or appearing anywhere, any other podcast that you were on that you would listen to after listening to this, where can people find Kai out in the world?
This is one of the things that I find very difficult because I am not American. I’m not trained in shameless plugging myself but it’s the website PraxisSecurityLabs.com. My latest book which came out in 2022 is The Security Culture Playbook, which I co-authored with Perry Carpenter. That book has received a lot of positive attention. I’m very happy about that. It’s cool to see how people have received it. On social media, I’m on LinkedIn with my name. I have an account on Twitter. I don’t use it anymore because of stuff going on there. You may still follow me but it won’t be much in my view anymore.
You could say nice things about yourself because they’re true or you could have me do it as we did for the intro and I’ll do it all over.
That was a bit too much but thank you. I appreciate it.
We could go on and on but we want to save it for the next one because odds are things are only going to get weirder and that’s why we want to bring people like Kai to do this thing. That’s it for this episode. This is a friendly reminder that all comments reflect the personal opinions of the participants and the host, not necessarily those of their employers or organizations.
For more information on all that’s good in the world of cybersecurity, make sure that you check us out. You can find Elevate on LinkedIn and Facebook, as well as the mothership, ElevateSecurity.com. You can find me @PackMatt73 across all the socials. Much like Kai, I’m not that active on Twitter anymore but still got some things going on.
As far as the show goes, we are everywhere that you go like Spotify and iTunes, people still use it for that. All the good stuff. All we ask is to subscribe, rate and review so you’ll never miss all the great folks who are coming on the show. Trust me, we’re going to do a motorcycle episode over a burning fire somewhere in the Arizona desert but you’re going to have to follow to find out. Until then, we will see you next time.
Important Links
- Elevate Security
- LinkedIn – Elevate Security
- Facebook – Elevate Security
- LinkedIn – Kai Roer
- Praxis Security Labs
- Palantir
- Sopra Steria
- H&M
- Cognite
- ChatGPT
- VERO
- Nudge
- The Security Culture Playbook
- @PackMatt73 – Twitter
About Kai Roer
Kai has been providing actionable advice founded on empirical evidence to public and private organizations around the world since the 1990s. His work over the past decades has focused on helping organizations understand what culture they currently have, what culture they would like to have, and more importantly how to get there. Kai works with the information security community on a global stage to educate on the importance and impact that security culture has.
Kai has authored and co-authored several books on leadership and technology. His popular book “Build a Security Culture” (IT-Governance, 2015) is widely considered the guiding resource on the topic of security culture.
Recognized by many as a leading global authority on the topic of security culture, he has received several awards, including the Ron Knode Service Award by the Cloud Security Alliance (CSA) for his extensive voluntary work in the security community around the world. Thanks to his invaluable contributions to the industry and his unique background that combines leadership, communication, and technology, Kai is a popular keynote speaker and guest lecturer. He focuses on presenting complex challenges in easy-to-understand language that resonates with non-security people.
When Kai is not working, he enjoys riding his motorcycles, spending time in the outdoors, and BBQing with his family and friends.