Podcast

Andrew Rose on building a security culture and managing human risk

6 August 2024 · 3 min read

In cyber security, the CISO is crucial for safeguarding organizational assets and operations. As the cyber threat landscape becomes more complicated and AI-powered attacks become more widespread, CISOs face increasing pressure and challenges, which are exacerbated by ongoing burnout and a talent shortage. This puts them in a critical situation that threatens their mental health and well-being.

To fight the growing threats and adapt to the changing threat landscape, organizations need to foster the creation of a security culture that focuses on reducing human risk and empowers their employees to become the first line of defense. In this episode of the Human Firewall Podcast, Dr. Niklas Hellemann and Andrew Rose discuss these topics as well as the shift of the security awareness training industry towards human risk management.

Episode 8: Discover the perspective of a CISO on how to create a security culture and manage human risk effectively.

Overview of episode 8

Want to skip to the topics that matter most to you? Our detailed overview with timestamps lets you jump straight to those sections.

Minute – Description

  • 00:00:45 – 00:06:10: Welcome and introduction to today’s expert, Andrew Rose.
  • 00:06:10 – 00:13:18: The role, responsibilities, and challenges of a CISO and how it has evolved over time.
  • 00:13:18 – 00:16:26: Trends in the current threat landscape.
  • 00:16:26 – 00:25:38: The demanding nature of a CISO role, its impact on mental health, how it can lead to burnout, and strategies to combat these challenges.
  • 00:25:38 – 00:33:08: Shortage of security professionals, opportunities and uses of automation, and AI in cyber security.
  • 00:33:08 – 00:42:00: Creating a security culture and how social pressure can lead to insecure behaviors.
  • 00:42:00 – 00:50:05: How involving employees and building a champions network helps build a cyber-safe organization.
  • 00:50:05 – 00:52:33: Highly hierarchical organizational cultures as a risk factor for attacks.
  • 00:52:33 – 00:55:49: The importance of a just culture and not blaming employees.
  • 00:55:49 – 01:03:57: The evolution of security awareness from compliance to human risk management.
  • 01:03:57 – 01:04:28: Farewell and an invitation to preview the next episodes.

Highlights & key learnings

Security awareness and training are where we need to start to get the foundation, but we need to go deeper and start to actively monitor and manage the risks associated with human behavior and actions.

  • The role of a CISO: One of the main challenges CISOs face is defining their responsibilities, which vary drastically from one organization to another.
  • Burnout leads to talent shortage: Mental health issues, including burnout, are prevalent among CISOs due to the constant pressure to ensure 100% security, leading to potential long-term consequences for the industry’s talent pool. We need increased efforts to attract more diverse candidates.
  • The adoption of cloud services: Cloud services and remote work have made data spread across the globe, which changes the way you need to protect it.
  • Citizen developers: These are non-IT employees who develop an application that fulfills a need within the organization, often without the necessary security measures and not enough visibility from the IT team.
  • Awareness, Behavior, Culture (ABC): Organizations need a structured strategy that lets their employees go from understanding security best practices to translating them into secure behavior, and ultimately to creating a security culture.
  • Building a security culture: Organizations should create a way of working where people make the right choices even when the security team is not looking.
  • Using social dynamics to promote secure behavior: Social pressure plays a crucial role in shaping a security culture, as peer influence often outweighs policy directives.
  • Security champions: Designating security champions across various departments can reinforce security messages and provide peer support, but maintaining a two-speed awareness campaign to keep champions ahead of the rest of the employees is very important yet challenging.
  • Focus on human risk management: The evolution of the security awareness industry towards human risk management signifies a shift from compliance-driven approaches to actively monitoring and managing human-related risks.
  • Cultivating a just culture: Companies should motivate their employees, create the right environment for them to succeed, and let them know that they will not be blamed for their mistakes. In this way, they will feel confident reporting their mistakes, which the company should use to look at and improve its internal processes.
  • Addressing negative behaviors: Minimizing negative behaviors requires a multi-faceted approach, including additional controls, reducing access to sensitive data, implementing automated measures, and monitoring for anomalous activities to mitigate risks effectively.
  • The human role going forward: Human-layer security will likely become increasingly integrated into the security stack as organizations recognize the importance of protecting their most valuable asset – their employees.

A security culture is something many CISOs want. The problem is not many of them really know what that means.

Deepen your knowledge: Further information

  • The 2021 Colonial Pipeline incident: How a successful cyberattack in the U.S. resulted in a nationwide gas shortage.
  • Asiana Airlines crash: A case where the national culture made a copilot hesitant to warn the pilot about a mistake in the landing procedure, resulting in a crash that killed three and injured 181 passengers.
  • Deepfake scam: A 2024 case where a deepfake from the CFO was used to trick a finance worker into releasing a payment of $25 million to fraudsters.
  • Forrester research: The evolution from cyber security awareness training to a human risk management approach.

Learn more about the threat landscape

Andrew Rose invited us to explore the threat landscape and the state of the cyber security industry from a CISO’s perspective. He discussed the challenging role of chief security officers in defending companies in an increasingly complex landscape and emphasized the importance of creating a strong security culture and adopting a holistic human risk management approach.

If you’re interested in what other industry experts think about the current changes in the security industry and the strategies they’re using to address the current threat landscape, don’t miss the opportunity to read our Human Risk Review 2024, with interesting insights from over 1,250 European security leaders.