Chapter 15
Parting Thoughts

And suddenly you know: It's time to start something new and trust the magic of beginnings.

Meister Eckhart

Well, you made it! While this may be the end of this book, it is only the beginning of your security culture journey. We hope you've been encouraged by the fact that security culture doesn't have to be a mysterious topic. We also hope you've been inspired by many of the experiences and thoughts conveyed in our expert interviews. In all of this, we see that, yes, security culture is wrapped up in the intricacies of human nature and social dynamics, but it is also something that can be defined, measured, and—most importantly—influenced.

Wondering where to go from here? If so, we suggest the next steps:

  1. Engage the community.
  2. Be a lifelong learner.
  3. Be a realistic optimist.

Engage the Community

The power of community and collaboration cannot be overstated. They not only help fuel new ideas and continued encouragement, but members within the community will undoubtedly serve as sounding boards and people who will help you identify your blind spots. Make it a priority to get involved in communities that will support and challenge you.

One such community is waiting for you on LinkedIn right now. This group can help support discussion, idea sharing, and group problem-solving; just search “Security Culture Community” on LinkedIn (or go to www.linkedin.com/groups/8707418). We look forward to seeing you there!

We also recommend the following communities:

  • The International Association of Security Awareness Professionals (IASAP): The IASAP is a members-only organization comprising security awareness professionals interested in sharing best practices, challenging each other, and pushing the industry forward. They have monthly webinars, three in-person meetings annually, and a private online community for year-round connections with resources, member question-and-answer sessions, and event recordings. Go to https://iasapgroup.org for details.
  • KB4-CON: KB4-CON is KnowBe4's annual user conference. There is content for everyone from CISOs to full-time security awareness and culture program managers to IT admins with 15 other fires to put out. With keynotes, breakout sessions, and workshops, there is something for everyone. Keynote sessions always include live hacking demonstrations, KnowBe4 executives providing insight about how best to use the KnowBe4 platform, what the future holds, industry luminaries, and other speakers with interesting and insightful messages. Go to www.knowbe4.com/kb4-con for more information.
  • National Cybersecurity Alliance: The National Cybersecurity Alliance is the organization that birthed Cybersecurity Awareness Month. They focus on building strong public/private partnerships to create and implement broad-reaching education and awareness efforts to empower users at home, work, and school with the information they need to keep themselves, their organizations, their systems, and their sensitive information safe and secure online and encourage a culture of cybersecurity. This group actively seeks to engage and equip the security awareness and culture community through webinars and in-person events. See https://staysafeonline.org.
  • SANS Security Awareness Summits: Each year, SANS holds security awareness summits in both North America and Europe. These are vendor-neutral, community-driven events with agendas focused on program management, metrics, user engagement, and more. You can find information at https://sans.org/SecAwareSummit.

Be a Lifelong Learner

One of the biggest points we hope you take from this book is that security culture isn't about security—it's about people. And it's about the interpersonal dynamics that shape communities. The cybersecurity part is just an overlay on top of those other dynamics. In other words, your path to build a security culture that will be a true asset to your organization requires a genuine understanding of—and interest in—the human side of the cybersecurity equation.

Become a student of the social sciences, of human nature, and seek out books, podcasts, and communities that help broaden that interest. You never know when inspiration and insight will strike, but you can up the frequency of these by cultivating a lifestyle of continually digging into new and different fields of study.

Be a Realistic Optimist

Every journey starts with a first step. Some of the ideas and goals expressed in the previous chapters may seem difficult to achieve; almost all of them require you to rely on other people in your organization. You'll need to sell many of the ideas up, down, and across your organization. And, as you've seen, this is about building maturity through an iterative process. That means that there are several aspects of your security culture journey that require time and consistency to reach their full potential. Rest assured, however, there are some short-term wins to be had, such as phishing training, seeing initial culture measurements, and more.

Always remember your purpose. As someone with responsibility for managing risk in your organization, you are ultimately serving the very people you are seeking to influence. The only way to change them is to have empathy and appreciate who they are and why they struggle. Only then will you be able to find the best method(s) to drive change. The best leaders work from a sense of passion that comes from knowing that they are serving a grand cause. Here's yours: to help build a safer and more secure world, one person, one organization, one family, and one community at a time.

Conclusion

We hope you've enjoyed reading this book as much as we've enjoyed writing it for you. We truly believe that the next few years will be critical within the cybersecurity community. These years will be when the community begins to gain a firm grasp on what security culture really is and how it can be influenced. This will help create greater empathy and greater insights and usher in a much-needed evolution in our understanding of how we can and should manage human risk. Welcome to the security culture re-evolution.

Keep in touch. We'd love to hear your stories or be able to help in any way that we can. If you've enjoyed this book and found it helpful, please recommend it to others within your network.

You can easily connect with us on LinkedIn, Twitter, or via the accompanying website for this book. Here are the links:

All the best!

Perry Carpenter & Kai Roer

February, 2022
