Companies need to put more effort into empowering their people when it comes to creating a cybersecurity culture. This is what’s called the people-centric approach to cybersecurity culture. When someone comes forward because they clicked a malicious link, reward them. Don’t punish them, because then they will keep quiet about what they did. Humans are at the highest risk when it comes to cyber-attacks, so you need to enable your people. Join Matt Stephenson as he talks to the co-CEO and co-founder of Cygenta, Jessica Barker, about having a people-centric approach to your security culture. Jessica and her team at Cygenta look at security culture in terms of perceptions, values, awareness, and behavior. Learn how to apply that to your organization and start treating your people not as the weakest link, but as the number one attack factor.
People-Centric Approach To Cybersecurity Culture With Jessica Barker
Here in the show, we are bringing you all the top experts in the industry for a chat about anything that’s interesting that’s going on to keep our world secure. Speaking of keeping the world secure, we are excited to welcome Dr. Jessica Barker. She is the Co-founder and Co-CEO of Cygenta, the author of Confident Cyber Security, was a keynote speaker at RSA 2020, and is also an entrepreneur, named one of the top 20 most influential women in cybersecurity in the UK and one of the UK’s Tech Women 50. Dr. Barker, welcome to the show.
That was a nice introduction. What a wonderful welcome. Thank you. It’s a pleasure to be here.
The easiest thing in the world is reading off your accomplishments. This is the list that we created because you did all the work. All I have to do is not trip over the words.
They sound better in your voice.
We’re going to get to the shameless plugs but would you describe Cygenta? Your team is doing something interesting that I feel is a bit different from the standard industry approach to security. What do you do?
We are a small team working with big clients. We bring together the human, the technical, and the physical sides of cybersecurity. My husband and I set up Cygenta because we felt this frustration that these issues were always looked at in a silo. I come from the human side of security. That’s what I’ve been working on for the last several years. My husband comes from the technical and physical sides.
We were always having these conversations and this frustration that everybody was trying to look at these issues in isolation. That’s where Cygenta was born from. We do everything from traditional pen testing and also pen testing of smart buildings. We do cybersecurity culture assessments, awareness raising, and everything and anything else in between.
With everything we do, we take that lens of always looking from the human, the technical, and the physical. I might be delivering awareness-raising training or a culture assessment but we’re also bringing in that perspective of, “What does this look like from the physical side and the technical side? How can we bring all of that together for what we deliver to our clients?”
When you and the team, whether it’s you or your husband, Freaky Clown, also a well-known character in this world, gain entrance, have gotten past the gatekeeper, sat down with the CISO, and are making the proposal of, “This is what we do,” do they present their issues to you and say, “This is what we need?” Do you present to them and say, “Here’s what we can do?” What is the exchange, given your holistic approach, when you are across the desk from her and she says, “These are the issues we need to solve?” How do you get after that and start working through the strategy to solve the problem?
A lot of it is listening on our part. Usually, clients come to us and say, “We have this problem or we think we have this set of problems and we want your opinion, advice, and help.” I lead on the human side so I’ll give you that perspective. It’s common for a CISO to come to us and say, “We’ve been trying to improve how we manage human risk for a while. We don’t know if we’re making progress. We don’t feel like we’re making progress. What should we do?”
Sometimes they might have an idea in mind. They may know they want to tackle culture or do more innovative awareness raising. A lot of the time, it’s about having a conversation and pulling out, “What have you been doing? What metrics do you have in place? How do you define culture? Do you define culture?” It’s about us listening, firstly, because they know the business and challenges but then we can apply our expertise, draw on experiences that we’ve had working with all sorts of other clients, and then make a recommendation. “This is what we think we should do together. How does that look for you?”
Once upon a time, there wasn’t a CISO position. There was the CSO. Over time, that evolved and the CISO became an equally important, if not more important, position at the table. When you talk about culture as opposed to the human aspect, is culture evolving enough into its own thing, or is that still a sub-bullet under the human notion of insider threats and risk?
In the typical vein of cybersecurity, it depends. All of our clients are on the more mature side or have that aspiration and are on that roadmap to be more mature. For the more mature ones, they have a whole department looking at security culture. There is somebody leading on security culture and they have a team of 6 or 7 people all working on security culture in that organization. We’ve seen this huge evolution around the human side of security and security culture over the last few years, where it’s gone from hardly ever being discussed to being something that gets a lot of time, attention, and budget in its own right. I can’t wait to see where that goes next.
You said the keyword budget. We had not planned on digging deep into the culture so we’re going to table that one for your next appearance. I do want to attach that to the question, as you’re talking with the CISOs on the plan and strategy, and given that Cygenta does break things out into human, technical, and physical, do they see it that way? In your experience, do CISOs look at it like that?
Increasingly, yes. A lot of clients we work with, very much the CISOs will see it through the lens of technical and human. That’s a big change because years ago, it was a no. I would often have to fight for them to see that human lens. The physical side is where it varies because sometimes we’ll have a CISO and they won’t have any oversight in terms of physical security. In other places, it will be very much integrated. It’s hugely varied but the mature clients are the ones that have that more integrated approach where they are looking at the lens of the three sides as well.
Do you feel that they stack rank them? If we only have so much budget, we’re going to pour most of it into this and then figure out the rest.
Yes. I would go beyond saying I feel that, too. We do that in the industry. There is still so much attention on technology, understandably, because technology can support us to do so much. Technology is at the heart of cybersecurity, both in terms of the problem and representing a lot of the solutions. Also, we can overlook the fact that human and physical issues are very much at the heart of the problem and many of the solutions. In this industry, we always seem to get more attracted to technology. That’s something that always seems to be still highest up the agenda but we’re making progress.
It seems odd in this era of artificial intelligence, blockchain security, and everything that at the end of the day, it’s like, “I kicked the door open, steal your server, and then I’ll figure it out once I get back to the shop.” If they’re not considering that, then it’s like, “Nice job installing that bit of endpoint protection on the server. The server’s gone. Good luck. Have fun.”
This is something FC always says in particular. You can spend millions, as many do, on your technical solutions but if you’re not looking at security culture and physical security, if I can walk in and make my way past the security guard and the receptionist and get into your server room, then it doesn’t matter how much money you’ve spent on the technical side. Those other dimensions are going to be where your vulnerabilities lie. They’re going to be your attack vectors.
You get your blue coveralls on walking out with a server under the arm and you’re like, “That’s good. I’ll have this back in about three hours.”
Blue scrubs, I don’t know if we’ve told you that one but we did a social engineering assessment on a hospital before the pandemic. They were pretty concerned when we managed to get our hands on some scrubs and we’ve got some photos of us walking around the hospital with identity passes. We also managed to get the scrubs and were like, “I’m a doctor but I’m not that kind of doctor.”
These are real things that happened. Dear reader, please look up Jessica Barker and Freaky Clown on YouTube. These stories are legit. This is not some terrible episode of CSI: Cyber. These things did happen. It’s a great anecdote when you are sitting across the table from a CISO and talking about the human element. I don’t know if they always recognize where humanity and physical security things both come into play.
We’ve got state-of-the-art cybersecurity technology in place but you can charm your way into a place and walk your way out with something. When you are talking with CISOs, where do they consider the human element when they are considering risk internal threats and then ideally resolving the issues at hand all wrapped around a budget? If we can solve this problem in the next few minutes, go save the world.
We’ve seen an evolution, I’m pleased to say. We’re seeing more people in security at the leadership level and beyond who recognize that this outdated notion that people are the weakest link has got to go. We’re seeing more people recognize that when it comes particularly to the human side, it’s not about seeing people as the weakest link. It’s about seeing people as the number one attack factor. We are seeing much more of a move towards trying to empower people. That’s a huge theme coming through with a lot of our clients and the awareness raising they do.
With the security culture they’re looking to build, I’m delighted to say that it is more positive, empowering, and looking more at making people feel confident, and at building a no-blame culture and a just culture. We have to empower and enable people. People have to feel confident that they can say, “I might have clicked on a link, left some papers somewhere I shouldn’t, or held the door open.” We’re getting more organizations to recognize that that is one of the number one things that they can do to manage insider risk.
CISOs, by definition, have to have an analytical side. Regardless of how he or she came up through the organization, they have to be able to present data. Humans by definition are chaos. As you are doing your study and presenting, “Here’s what we did, and here are the results of the things,” how do you quantify culture or behavior?
I love that you’ve asked me that because I’ve been working on it for so many years. We have a solid definition of a cybersecurity culture that resonates with the organizations we work with. We look at security culture in terms of perceptions, values, awareness, and behavior. We break each one of those down so that we are looking not just at the superficial layer of culture. It’s somewhat easy to measure awareness and behaviors but then that only tells you what people are doing.
It doesn’t tell you why. It’s the why that we need to get to if we want to move the needle on this. That’s when we’re looking at perceptions around the just culture. Do people feel that they can report an incident or do they think they’ll be the scapegoat? These are perceptions around their level of self-efficacy. Do people feel confident, capable, or intimidated? These are perceptions of the security team and leadership. Do they think this is a priority? They are huge factors in influencing what culture you have around security.
We have the values. What are the company values in general? Are they aligned with the security values that are embedded under the surface in an organization and the security values the individuals have? There are different ways that we tease that out and we measure it. We use surveys and focus groups. The number one thing is listening. For me, the central scale in cybersecurity is actively listening. It’s not about telling people what to do. It’s about understanding why they are behaving in a certain way and then responding to that in a way that is constructive, enabling, and empowering.
Read this 3 or 4 times because there is so much to unpack that’s valuable. It’s something that never occurred to me. When you talk about not wanting to scapegoat people, it’s the reluctance to report. When you said a no-blame culture, from what you’ve witnessed, as companies are trying to secure but at the same time deal with insider threats, how big of a stumbling block does that tend to be? 1) They don’t want to let the hacker in but, 2) They don’t want to be the ones to say, “I let the hacker in.” How hard is that to get past?
It’s a massive challenge because we’re not just dealing with company culture. We’re dealing with elements of psychology and this wider culture that we have in security. We do have a tendency to victim blame and make people feel that they are stupid or have done something wrong if they’re manipulated or socially engineered.
I published a blog post about this, looking at the psychological elements and impact of phishing. There is a technology impact and an impact on financials and our money but there’s also this impact on people. When they’re manipulated in a social engineering attack, they can blame themselves, suffer from real problems around self-esteem, and go on to have problems for many months or even years.
Research shows that some people will suffer from PTSD. This stuff is real. The organization is pointing the finger and, as I’ve seen in many cases, making people feel like they are the weakest link and calling people repeat offenders if they click on links more than once. It’s so commonplace. People don’t mean to cause more problems but it perpetuates this negative narrative around people. That means they won’t come to us.
We are not building up a culture of trust where people feel that they can raise their hands. They’re going to brush it under the carpet and think, “I clicked that link but nothing’s happened or popped up. Maybe it’s fine. Maybe I don’t need to tell anyone.” There’s an incident playing out on the network. You don’t even know about it. It could take whoever knows how long to identify that because you don’t have a culture that encourages people to report and feel comfortable reporting.
That was part of the ransomware trend years ago. If someone would click the thing, you would get that notification that popped up with some official-looking seal that says, “We have found child pornography on your computer.” The immediate reaction is to stop, look around, and make sure nobody else can see that. You’ve already lost ten seconds, which might as well be forever inside the thing.
You’re talking about this idea of shame and carrying a burden on this. They become a repeat offender if they let that sit for a minute, an hour, or a couple of days. What impact is that? What can you do as a company to foster the notion, “It’s okay to tell us that we have done this. You are human and so are we. We need to fix the technical side of things?”
There’s been so much research that we can draw on in other fields, as always with the human side of security. We can turn to psychology, behavioral economics, and neuroscience. There’s great work that’s been done around safety culture on this. Often, it’s how we deal with an incident. When an incident happens, is the organization seeming to look at what went wrong or who is to blame?
People pick up on that and carry that with them. They take that as a lesson. “When there was that incident a couple of years ago, it seemed like they pointed the finger and so-and-so got in trouble. I’m going to do my best to keep it quiet.” Rather than if there’s a systems-based approach where there is a no-blame look at what went wrong, it is about finding out what went wrong in the system so that this doesn’t happen again and supporting the individual that has reported or been involved in that incident. That’s a huge impact on how people will perceive that level of a just culture.
One thing organizations can do is a super simple thing. If you’re running phishing simulations, think about how you handle that. Do you focus on the click rate or on the negative result of the click rate? Do you say, “X amount of people click the link. That’s bad. Do better next time,” or do you say, “The majority of people didn’t click the link this time. That’s fantastic?”
It’s great if you can avoid clicking on links but do you know what’s even better? We had whatever percentage who reported the incident or the simulation. Focus on positive reinforcement. Don’t focus on the behaviors that you don’t want and punish and tell people off. Instead, focus on the behaviors that you do want, amplify those, and shine a light on people who, for example, report phishing simulations. Maybe give out a prize or some public recognition to your reporter of the month because that builds up more of a culture of psychological safety where people feel comfortable reporting this stuff.
For more information on that, make sure to check out Confident Cyber Security by Dr. Jessica Barker. It’s available at finer booksellers near you. Talking about people and the chaos and the mess, the UK has been thrown into a little bit of chaos. We made the joke about it upfront. When you get into a potentially catastrophic weather situation, whether it’s extreme heat, cold, or even something like the World Cup or, in the States, the NCAA Basketball Tournament, do CISOs plan for these types of things? Can they plan for something that is almost unanticipated as far as what they do with their people? People react to stuff in a way that you don’t know.
In terms of the weather, I don’t know. In terms of big sporting events or political events, CISOs plan for that in terms of expecting maybe phishing or social engineering around those themes. Raising awareness of it is a fantastic thing that an organization can do, thinking about the extent to which they anticipate the unanticipatable.
I’m involved in the ClubCISO Community. I was the Chair for a couple of years and I’m on the advisory board. One thing that was interesting was when the pandemic started. Organizations around the world were forced into this digital transformation in the space of days or weeks. That had a big demand on people and technology.
I remember at the real start of the pandemic when we were in our first lockdown in the UK at ClubCISO. We were running our annual event. It’s supposed to be in person. We survey our members and chat about security challenges and issues. We ran it online. There were a lot of discussions over, “How are we going to hold up? What resilience are we going to have around all of this forced digital transformation?”
We said, “It will be interesting to come back a year later and see.” We did and we found a lot of organizations held up well. Security in a lot of places was able to be resilient. There were incidents. We know that but a lot of places failed and CISOs reported feeling that they were more resilient than they maybe had been concerned about.
People and technology held up pretty well for them. It will be fascinating to see what happens next. As we are getting more used to this hybrid world, what’s that going to look like? Has the security that was put in place around the digital transformation at the start of the pandemic been enough and long-lasting? Is it embedded?
Is it good for humanity that we get better at something because of this horror that’s happened in the last few years?
It’s an interesting thing. The last few years have been a horrendous experience. The fact that we’re able to take some lessons from it and reflect, we managed to do pretty well with that. Thinking about humanity reminds me of the book Factfulness. I wonder if your readers have read it. It talks about how much progress we’ve made as humanity.
It’s essential reading in security because we’re in a challenging industry. It’s hard not to get burnt out and be cynical. At the same time, there’s a lot to be worried but there’s also a lot to be optimistic about. Factfulness doesn’t necessarily talk much about security but it’s a must-read in terms of looking at the progress of humanity.
It’s Factfulness: Ten Reasons We’re Wrong About the World–and Why Things Are Better Than You Think by Hans Rosling. After you buy Jessica’s book, make sure you pick that one up at finer booksellers near you. Cygenta has decided to eat the entirety of how to secure things. When you have the “glorious purpose,” as Loki once said, of looking at the entirety of security, where do you see the biggest weaknesses in security? We talked about the three pillars that you are based on. Is there one that we need to be doing better? None of them are good but they’re as good as they’ve ever been. Is there 1 that is lagging behind the other 2 or 1 that is far ahead of the other 2?
We’ve made a lot of progress in terms of security culture. I look at that through to some extent, rose-tinted glasses because the organizations that we work with at Cygenta are making progress. Otherwise, they wouldn’t be coming to us and wanting to work with us on that. We’ve got a long way to go. I have been rallying for many years for us to take this more people-centric approach to security and drop the idea that people are the enemy. Somehow, are we not people? It’s all this us-and-them attitude that we have. There are still a number of times that I hear people are the weakest link or blaming people, even calling people users as if there is a barrier there.
I’m going to flex my English Literature degree. If we want to talk about Linguistics and get pedantic about word usage, I am all in. You host. I’ll guest. Let’s do that show.
I was thinking I’m going to turn around and start asking you the questions. For me, there is more recognition that we shouldn’t call people the weakest link. That’s great. I still hear it way too much. For me, that is a symptom of a deeper problem we have in security of not putting people at the center and not respecting people as much as we should. It’s not just about changing this one phrase. It’s about changing the whole way that we interact with people, conceive of them, and treat them.
For me, that is what I want to see us make more progress on in the next few years. It’s truly taking a people-centric approach where we don’t use any of those negative terms. We don’t take that approach. We don’t think of people that way. We understand that we are there to help and support people. We are not securing technology for the sake of technology itself. We are doing it to help and support people, families, communities, and businesses. When we think of it like that, there’s no way we’re going to call people the weakest link.
That’s not hippy nonsense. Words are weapons. There is an impact. The way that you communicate messaging to the people that are involved in all this stuff is directly going to cause them to do what you require them to do to keep everybody safe. When you say communities, that’s the thing. It’s not just about keeping that glass tower up. Those are jobs, which lead to families and education. Let’s talk about the people who are at the center of this. You have spent enough time in the rarefied air of the boardrooms, whether it is with VCs, the board, or the executive leadership. In your experience, have there been a lot of people who come from cybersecurity and evolve into that position?
Not yet. I have not found that to be true. I work with lots of organizations where security is very much a conversation at the board level. The CISO is at least an active resource and advisor to the board level, if not integrated at the board level. Do I work with many organizations where someone in the C-Suite has come from a security background? I would be lying if I said yes. We’re still moving towards that. There are often people on the board who sponsor security, always ask great questions around security, and are educated and fully engaged. Are we seeing many CISOs move into that wider board role? It’s not my experience but I would love to be corrected on that.
We’re going to save that for the next episode because after everybody reads this, they’re going to take those steps to bring it around. We are coming up against it but this was one of my favorite things. Anytime I’m talking to somebody that’s cool, interesting, and does all of the heavy lifting that you do, I’m also curious. What do you do when you’re not doing the heavy lifting? For a little bit of leadership corner, what’s on your playlist? Are you reading anything? You’re too busy writing everything to read anything. When you’re not out saving the world or trying not to be 105 degrees, what else is going on?
I love to read. I’m reading The Lazarus Heist by Geoff White. It’s required reading. It’s fantastic. Geoff White wrote Crime Dot Com, which was a great overview of some of the biggest hacks of recent years and dug deep into the story behind those. He’s continuing that with The Lazarus Heist. It’s highly recommended reading.
I read a lot about psychology and behavioral economics. I read a lot of papers. When I was working on the blog post around The Psychological Impact of Phishing, I was digging deep into some of the papers that have come from academics, looking at that exact factor, the psychological impact. Beyond that, I love to get away from a screen: gardening, horse riding, and singing.
I’ve known you for how long but I’ve never heard you say you love singing.
I don’t sing in front of anyone other than myself and occasionally, my husband. It’s good for me to do. Anything that stops me obsessively thinking about security is good for not too long.
What’s on your playlist? What are you singing along to?
My interpretation of Numb is not like the original at all. Also, a beautiful song called Lost Without You by Freya Ridings, some ‘90s soft rock with the 4 Non Blondes, and a little bit of Zombie by The Cranberries.
Let’s get over to the shameless plugs. We have talked about a lot of the awesome stuff that you have done personally and Cygenta is doing. If people are looking for information about you, where should they go? Make sure to plug the book and then also Cygenta.
For the website, check out Cygenta.co.UK. Make sure you check out our blog in particular for some of the stuff I’ve been talking about. I love to write about that. You can find me on Twitter @DrJessicaBarker. You can find my newly relaunched YouTube channel. Please do subscribe because that will mean I keep publishing videos. That’s @DrJessicaBarker as well.
It’s super fun. Parts of it are animated.
I appreciate that. I’m learning so be kind to me. I might not be a natural YouTuber but I’m doing my best. The book, Confident Cyber Security, is an Amazon number one bestseller. I’m proud to say that. A lot of people are finding that helpful. I’m the co-author of Cybersecurity ABCs, where I dig a little bit deeper into awareness.
I’m going to shamelessly plug my friend. I have the book and I’ve read it. It’s awesome and so cute. Jessica, thank you so much for this and for spending a little time with us.
It’s an absolute pleasure. Thanks to everyone for reading.
We’ve got a lot more to do. Trust me. This is not the last you have read from Dr. Barker. If we’re lucky, we might be able to pry FC into one of these things at some point. However, for this episode, that is it. Thanks for reading. For more information on all that’s good in the world of cybersecurity and all the things that you can do to get better at this stuff, find us @Hello_Elevate, as well as LinkedIn and Facebook.
ElevateSecurity.com podcast is anywhere you go. That’s where we’re going to be. All we ask is you subscribe, rate, and review. You got to give us five stars for this episode. If you give us four, we’re going to think you’re a hater. You can find me at @PackMat73 across all the things. We have had some interesting guests. We’ve got a lot more coming up. Black Hat, by the time you read, has happened where it will also be 105 degrees. We are going to keep talking about all that is hot in the world of security and what you need to do to make sure that you are in good shape but until then, stay cool. We will see you next time.
About Dr. Jessica Barker
Dr. Jessica Barker (@drjessicabarker) is a leader in the human nature of cybersecurity, has been named one of the top 20 most influential women in cybersecurity in the UK, and was awarded as one of the UK’s Tech Women 50 in 2017. She is the Chair of ClubCISO. Equipped with years of experience running her own consultancy, she co-founded Cygenta, where she follows her passion of positively influencing cybersecurity awareness, behaviors, and culture in organizations around the world.