Mitigate human risk and bake security into your organization’s culture from top to bottom with insights from leading experts in security awareness, behavior, and culture. The topic of security culture is mysterious and confusing to most leaders. But it doesn’t have to be. In The Security Culture Playbook, Perry Carpenter and Kai Roer, two veteran cybersecurity strategists, deliver experience-driven, actionable insights into how to transform your organization’s security culture and reduce human risk at every level. This book exposes the gaps in how organizations have traditionally approached human risk and provides security and business executives with the information and tools needed to understand, measure, and improve facets of security culture across the organization. Also including several revealing interviews with security culture thought leaders in a variety of industries, The Security Culture Playbook is an essential resource for cybersecurity professionals, risk and compliance managers, executives, board members, and other business leaders seeking to proactively manage and reduce risk.
Perry Carpenter and Kai Roer essentially provide an A to Z roadmap to security culture with the release of their new book, The Security Culture Playbook. “Somehow, despite all the great advancements in security-related technologies, we are faced with a simple truth: Technology, alone, is not enough. It does not offer sufficient protection against breach. Cybercriminals inevitably find ways to bypass the technology by targeting vulnerable humans; or a malicious or negligent insider may know just the right ‘work around’ to effectively nullify your defenses. That’s a recipe for a bad day,” the duo writes at the beginning of the read. “…For far too long, organizations have fallen into the trap of equating security awareness (information sharing) efforts with behavior change…To add an effective human layer of defense, we need to embrace what is commonly referred to as the ABCs of cybersecurity: awareness, behavior, and culture. That recognition is why we are seeing a surge in people using the phrase ‘security culture.’ But here’s the thing: So many people are throwing around the phrase without actually knowing what it means.” Hence the authors’ articulation of what, exactly, security culture is in their view. In short, it is a set of management expectations, behavioral choices, and informed attitudes that should become second nature in an increasingly digitized environment. Carpenter and Roer define the ideological building blocks of security culture in seven interconnected increments. They christen the seven tenets as Attitude, Behaviors, Cognition, Communication, Compliance, Norms, and Responsibilities.
“At some point, you will undoubtedly meet resistance. The bigger the change, the stronger the resistance. This resistance is a normal human and societal reaction. So, when working to shape culture, you also need to plan how you will react to, or even remove, resistance to change,” Carpenter and Roer write with respect to actual policy implementations. “…(work) with human nature rather than against it. It will frequently be through technology, informed by the right kind of education, and supported by policies and social pressures. For example, if your employees are among the 50% of employees in Asia who use unauthorized file sharing services to get their job done, the answer is not stricter policies—they already know they are using tools that are not allowed. The better action is to understand why the employees feel the need to use tools that are not allowed.”
“When you do understand the why, you can then help your employees by implementing better tools or processes. Select a file sharing tool that allows them to do their work and that your security and legal team have deemed acceptable from a risk perspective,” they continue. “Then help the employees transition into the new tool by making it super easy. Support the technology change by updating the policies and educating the employees and their managers on why this new tool is the best and how easy it is to use. Lastly, celebrate successes. Ensure that your people feel valued and seen for making the right choices.” By making things so crystal clear and concise, Carpenter and Roer transform a potentially alienating, depth-laden concept. The result is something that feels painfully obvious in spite of its intricacies. That’s the kind of literary and informational craft that deserves to be lauded…
Cybercrime is considered a global top 10 risk in the World Economic Forum Global Risks Report 2023. The vast majority of data breaches can be traced back to us, people. Yet, the cybersecurity industry has largely focused on technology. This book argues that security culture, if managed correctly, can transform an organisation and consequently reduce cyber risk.
A great insight into the ways in which human beings are an integral part of a company’s cybersecurity schemes. The authors shared their wisdom and insights in an engaging way and really helped me to understand this topic in a much clearer and more concise way.