And suddenly you know: It's time to start something new and trust the magic of beginnings.
Meister Eckhart
Well, you made it! While this may be the end of this book, it is only the beginning of your security culture journey. We hope you've been encouraged by the fact that security culture doesn't have to be a mysterious topic. We also hope you've been inspired by many of the experiences and thoughts conveyed in our expert interviews. In all of this, we see that, yes, security culture is wrapped up in the intricacies of human nature and social dynamics, but it is also something that can be defined, measured, and—most importantly—influenced.
Wondering where to go from here? If so, we suggest the next steps:
The power of community and collaboration cannot be overstated. They not only help fuel new ideas and continued encouragement, but members within the community will undoubtedly serve as sounding boards and people who will help you identify your blind spots. Make it a priority to get involved in communities that will support and challenge you.
One such community is waiting for you on LinkedIn right now. This group can help support discussion, idea sharing, and group problem-solving; just search “Security Culture Community” on LinkedIn (or go to www.linkedin.com/groups/8707418). We look forward to seeing you there!
We also recommend the following communities:
https://iasapgroup.org for details.
www.knowbe4.com/kb4-con for more information.
https://staysafeonline.org.
https://sans.org/SecAwareSummit.
One of the biggest points we hope you take from this book is that security culture isn't about security—it's about people. And it's about the interpersonal dynamics that shape communities. The cybersecurity part is just an overlay on top of those other dynamics. In other words, your path to build a security culture that will be a true asset to your organization requires a genuine understanding of—and interest in—the human side of the cybersecurity equation.
Become a student of the social sciences, of human nature, and seek out books, podcasts, and communities that help broaden that interest. You never know when inspiration and insight will strike, but you can up the frequency of these by cultivating a lifestyle of continually digging into new and different fields of study.
If you are looking to hire (or become) someone who has a demonstrated level of knowledge and understanding regarding the intricacies of security awareness and culture, then we'd recommend starting with the Security Awareness and Culture Professional (SACP) certification. Launched in 2021, this vendor-neutral certification covers a wide range of topics related to awareness, behavior management, and influencing security culture. This credential was created by H-Layer Credentialing. You can find more information at www.thehlayer.com.
You may also be interested in the SANS Security Awareness Professional (SSAP) credential. Students can test for this certification upon completion of the two-day SANS MGT433: Managing Human Risk: Mature Security Awareness Programs course. More information is available at www.sans.org/security-awareness-training/career-development/credential.
Every journey starts with a first step. Some of the ideas and goals expressed in the previous chapters may seem difficult to achieve; almost all of them require you to rely on other people in your organization. You'll need to sell many of the ideas up, down, and across your organization. And, as you've seen, this is about building maturity through an iterative process. That means that there are several aspects of your security culture journey that require time and consistency to reach their full potential. Rest assured, however, there are some short-term wins to be had, such as phishing training, seeing initial culture measurements, and more.
Always remember your purpose. As someone with responsibility for managing risk in your organization, you are ultimately serving the very people you are seeking to influence. The only way to change them is to have empathy and appreciate who they are and why they struggle. Only then will you be able to find the best method(s) to drive change. The best leaders work from a sense of passion that comes from knowing that they are serving a grand cause. Here's yours: to help build a safer and more secure world, one person, one organization, one family, and one community at a time.
We hope you've enjoyed reading this book as much as we've enjoyed writing it for you. We truly believe that the next few years will be critical within the cybersecurity community. These years will be when the community begins to gain a firm grasp on what security culture really is and how it can be influenced. This will help create greater empathy and greater insights and usher in a much-needed evolution in our understanding of how we can and should manage human risk. Welcome to the security culture re-evolution.
Keep in touch. We'd love to hear your stories or be able to help in any way that we can. If you've enjoyed this book and found it helpful, please recommend it to others within your network.
You can easily connect with us on LinkedIn, Twitter, or via the accompanying website for this book. Here are the links:
/in/kairoer
@KaiRoerNO
https://SecurityCultureBook.com
All the best!
Perry Carpenter & Kai Roer
February, 2022