The Security Culture Playbook
An Executive Guide To Reducing Risk and Developing Your Human Defense Layer
Perry Carpenter, Kai Roer
About This Book
Mitigate human risk and bake security into your organization's culture from top to bottom with insights from leading experts in security awareness, behavior, and culture.
The topic of security culture is mysterious and confusing to most leaders. But it doesn't have to be. In The Security Culture Playbook, Perry Carpenter and Kai Roer, two veteran cybersecurity strategists, deliver experience-driven, actionable insights into how to transform your organization's security culture and reduce human risk at every level. This book exposes the gaps in how organizations have traditionally approached human risk and provides security and business executives with the information and tools needed to understand, measure, and improve facets of security culture across the organization.
The book offers:
- An exposé of what security culture really is and how it can be measured
- A careful exploration of the 7 dimensions that comprise security culture
- Practical tools for managing your security culture program, such as the Security Culture Framework and the Security Culture Maturity Model
- Insights into building support within the executive team and Board of Directors for your culture management program
Also including several revealing interviews from security culture thought leaders in a variety of industries, The Security Culture Playbook is an essential resource for cybersecurity professionals, risk and compliance managers, executives, board members, and other business leaders seeking to proactively manage and reduce risk.
Part I
Foundation
- Security Culture: The ideas, customs, and social behaviors of a group that influence its security.
- Chapter 1: You Are Here
- Chapter 2: Up-leveling the Conversation: Security Culture Is a Board-level Concern
- Chapter 3: The Foundations of Transformation
Chapter 1
You Are Here
"The greatest danger in times of turbulence is not the turbulence; it is to act with yesterday's logic." Peter Drucker
Why All the Buzz?
- Technology-based defenses have gotten so good that attackers are being pushed to hack humans rather than spending weeks, months, or years researching and developing effective attacks to defeat technology-based defenses.
- Humans are now the primary attack vector. As such, it's imperative to strengthen the human layer of security.
The Technology-Based Defense vs. Human-Based Defense Debate: A False Dilemma
As an industry, we will always have to solve (and evolve) for both sides of the equation: technology and humanity. Not implementing standard, reasonable technology-based tools proven to improve an organization's security posture would be negligent. Similarly, not acknowledging that technology will never be 100 percent effective at stopping well-crafted attacks targeting humans, such as emails or other messages that reach your end users, is also negligent. Neither approach is mutually exclusive of the other. And whenever we create stronger security controls intended to help our organizations, there will be a group of employees who intentionally or unintentionally find ways to bypass them. The human element must be a factor in the deployment of technology, and it should be understood as a security layer in and of itself. Your defense-in-depth security strategy should always account for the following:
- Determined human attackers who continually probe for flaws within your security technologies (flaws will always exist)
- Unwitting employees who find themselves on the receiving end of a cybercriminal seeking to accomplish their goals by going around the technical layers of an organization's defenses, targeting humans instead
- Employees who negligently or intentionally circumvent technical controls