Episode 8: Discover the perspective of a CISO on how to create a security culture and manage human risk effectively.
In cyber security, the CISO is crucial for safeguarding organizational assets and operations. As the cyber threat landscape becomes more complicated and AI-powered attacks become more widespread, CISOs face increasing pressure and challenges, which are exacerbated by ongoing burnout and a talent shortage. This puts them in a critical situation that threatens their mental health and well-being.
To fight the growing threats and adapt to the changing threat landscape, organizations need to foster the creation of a security culture that focuses on reducing human risk and empowers their employees to become the first line of defense. In this episode of the Human Firewall Podcast, Dr. Niklas Hellemann and Andrew Rose discuss these topics as well as the shift of the security awareness training industry towards human risk management.
Overview of episode 8
Want to skip to the topics that matter most to you? Our detailed overview with timestamps lets you jump straight to those sections.
| Minute | Description |
| --- | --- |
| 00:00:45 – 00:06:10 | Welcome and introduction to today’s expert, Andrew Rose. |
| 00:06:10 – 00:13:18 | The role, responsibilities, and challenges of a CISO and how it has evolved over time. |
| 00:13:18 – 00:16:26 | Trends in the current threat landscape. |
| 00:16:26 – 00:25:38 | The demanding nature of a CISO role, its impact on mental health, how it can lead to burnout, and strategies to combat these challenges. |
| 00:25:38 – 00:33:08 | Shortage of security professionals, opportunities and uses of automation, and AI in cyber security. |
| 00:33:08 – 00:42:00 | Creating a security culture and how social pressure can lead to insecure behaviors. |
| 00:42:00 – 00:50:05 | How involving employees and building a champions network helps build a cyber-safe organization. |
| 00:50:05 – 00:52:33 | Highly hierarchical organizational cultures as a risk factor for attacks. |
| 00:52:33 – 00:55:49 | The importance of a just culture and not blaming employees. |
| 00:55:49 – 01:03:57 | The evolution of security awareness from compliance to human risk management. |
| 01:03:57 – 01:04:28 | Farewell and an invitation to preview the next episodes. |
Highlights & key learnings
Security awareness and training are where we need to start to get the foundation, but we need to go deeper and start to actively monitor and manage the risks associated with human behavior and actions.
- The role of a CISO: One of the main challenges CISOs face is defining their responsibilities, which vary drastically from one organization to another.
- Burnout leads to talent shortage: Mental health issues, including burnout, are prevalent among CISOs due to the constant pressure to ensure 100% security, leading to potential long-term consequences for the industry’s talent pool. We need increased efforts to attract more diverse candidates.
- The adoption of cloud services: Cloud services and remote work have spread data across the globe, which changes how it needs to be protected.
- Citizen developers: These are non-IT employees who build an application to fulfill a need within the organization, often without the necessary security measures and with too little visibility for the IT team.
- Awareness, Behavior, Culture (ABC): Organizations need a structured strategy that takes employees from understanding security best practices, to translating that understanding into secure behavior, and ultimately to creating a security culture.
- Building a security culture: Organizations should create a way of working where people make the right choices even when the security team is not looking.
- Using social dynamics to promote secure behavior: Social pressure plays a crucial role in shaping a security culture, as peer influence often outweighs policy directives.
- Security champions: Designating security champions across various departments can reinforce security messages and provide peer support. Keeping the champions ahead of the rest of the workforce requires a two-speed awareness campaign, which is important but challenging to maintain.
- Focus on human risk management: The evolution of the security awareness industry towards human risk management signifies a shift from compliance-driven approaches to actively monitoring and managing human-related risks.
- Cultivating a just culture: Companies should motivate their employees, create the right environment for them to succeed, and let them know that they will not be blamed for their mistakes. In this way, they will feel confident reporting their mistakes, which the company should use to look at and improve its internal processes.
- Addressing negative behaviors: Minimizing negative behaviors requires a multi-faceted approach, including additional controls, reducing access to sensitive data, implementing automated measures, and monitoring for anomalous activities to mitigate risks effectively.
- The human role going forward: Human-layer security will likely become increasingly integrated into the security stack as organizations recognize the importance of protecting their most valuable asset – their employees.
A security culture is something many CISOs want. The problem is not many of them really know what that means.
Deepen your knowledge: Further information
- The 2021 Colonial Pipeline incident: How a successful cyberattack in the U.S. resulted in a nationwide gas shortage.
- Asiana Airlines crash: A case where the national culture made a copilot hesitant to warn the pilot about a mistake in the landing procedure, resulting in a crash that killed three and injured 181 passengers.
- Deepfake scam: A 2024 case where a deepfake from the CFO was used to trick a finance worker into releasing a payment of $25 million to fraudsters.
- Forrester research: The evolution from cyber security awareness training to a human risk management approach.
Learn more about the threat landscape
Andrew Rose invited us to explore the threat landscape and the state of the cyber security industry from a CISO’s perspective. He discussed the challenging role of chief security officers in defending companies in an increasingly complex landscape and emphasized the importance of creating a strong security culture and adopting a holistic human risk management approach.
If you’re interested in what other industry experts think about the current changes in the security industry and the strategies they’re using to address the current threat landscape, don’t miss the opportunity to read our Human Risk Review 2024, with interesting insights from over 1,250 European security leaders.