Security Career Advice: Handling Executives Who Ignore You

Security Career Advice

Advice is important, both to receive and to give. As my regular readers know, I occasionally answer questions about the industry and education, and offer security career advice on what one should (not) do.

Brian reached out and wanted to know how to deal with executives. His question brings us to a vital area of security, and of your career: how you communicate, and how you interpret other people's communication, is key to your success.

This is the question of today:

"Hi Kai, What advice would you give to someone who found vulnerabilities, brought them to the executive level and then had the executives 'play' them down to avoid being embarrassed? I believe that InfoSec has no room for egos. Cheers and thanks again! Brian"

This is an interesting question, particularly to me, since I am not exactly known for discovering and sharing vulnerabilities. I am not that technical anymore. However, what I can say revolves around how you can handle different people, and how you may interpret their reactions to you.

Which is exactly what I did in my response to Brian:

Hi Brian!

One of many challenges we see with people (execs are people, believe it or not…) is their mental patterns, ideas and customs getting in the way of rational decision-making. Most people (at those levels at least) have their own agendas – either personal, professional or both – and these mental patterns can make it hard for them to see things from different perspectives.

The same is true for security pros – we tend to focus on our perspective only, and deem everyone who “doesn't get it” to be a stupid user, wrong, or just plain ignorant of the problem.

In the words of Dr. Stephen Covey, the author of 7 Habits, we all should do our best to “Seek to understand before we try to get understood”. What I am saying is that the exec may have reasons for their behavior that they failed to communicate to you, making it hard to understand why they chose to do what they did.

Although I am a fan of full disclosure, I do not believe in total disclosure: I do believe there are situations where we should not share everything with everyone. In the case of vulnerabilities, on a general note, I believe we should try to fix the hole before we tell everyone. And when the hole is fixed and patched, there may no longer be any real reason to talk about the vulnerability?

In cases where a company chooses not to fix, not to patch, and not to disclose anything, there may be a case for going public with the vulnerability. However, I strongly believe in being more responsible than we demand of others, so I would be very careful in how I choose to go public.

Questions like:
– what will be the outcome if I do this?
– what is the outcome I want to achieve?
– what other actions can I take to achieve similar results?
– who will get into trouble if I do this? Who else?
may help you decide the appropriate action.

So, short answer: try to understand the execs' motivation, and why it differs from yours.

How does my answer help you? How can you use this? What other tips would you give Brian?

Do you have a career related question? Let me know!

Travel Report from Ljubljana

It's July 2014 as I write this travel report from Ljubljana. I spent one week in this amazing city in Slovenia, a small country in southern Europe. A truly fantastic place, well worth your time.

The Ljubljana Grad / castle of Ljubljana

The Ljubljana Grad, Castle of Ljubljana, viewed from downtown.

The official reason I traveled to this location, new to me, was an invitation to lecture about security culture and the Security Culture Framework at the University of Ljubljana. I also had the great pleasure of speaking at the CSA CEE Conference, where I explained some of the psychology of security.

As you, my regular readers, know, I love sharing my passion for security culture, behavior and communication.

The lectures took place at the faculty of computer science, and the students there were not at all prepared to spend six hours with me without using their computers! I don't know what they expected, except that it was not what they got!

Although I could go on rambling about myself and my lectures, I am not going to. Instead, I will share some of the highlights from this nice place. This is, after all, a travel report from Ljubljana!

Party Crashing

One of the great things in life is attending nice parties. Meeting smart people, discussing life, love and existentialism. Or just drinking wine, beer, booze.

I am no stranger to such ideas, and as I wandered aimlessly like a tourist, I heard sweet voices from many people. Like a moth drawn towards a lantern in the dark, my legs steered me towards the building, a part of the Ljubljana Grad, the local castle. I was expecting to meet some obstacles on the way, like locked doors, questioning guards or other controls aimed at keeping party crashers like myself out.

Not this time.

Wine and food for thought at the Ljubljana Grad

A nice place, fantastic people and great food – the Ljubljana Grad has it all!

I must have looked like a perfect fit for this party, dressed as I was in blue jeans and a half-buttoned shirt. I just smiled, nodded, and walked straight in. Into a room with beautiful people of all ages, from all around Europe, as I discovered as I strolled the room with a glass of wine and some finger food.

Smart people for great conversations

Some of the students I met at the Ljubljana Grad. Great minds from all over Europe indeed!

Very nice place, great people, and fine conversations, pretty much sums up my experience.

World Cup

I also got to experience the World Cup match between Belgium and the USA. I don't usually watch soccer; my excuse this time was beer, and another party to be crashed.

Belgian Soccer Supporters in Ljubljana

I had the pleasure of joining these fine folks watching the Belgium vs. USA World Cup soccer match.

Again, nice people, good drinks, a good game and not so great conversations – unless you are into soccer, possibly. The students I enjoyed the game with were fantastic sports, though, even going all #holakai on me.

A Finnish fan, secretly cheering for the USA

Pekka, a Finnish linguist, secretly cheered for the USA during the match. We were both in disguise, wearing Belgian colors!

Fuzzy Goals

While there, I also took the time to record a short city walk, in which I explain how fuzzy goals can sometimes be useful in helping you discover what is going on in your organization, your security program, or your systems.

Fuzzy goals are, as opposed to SMART goals, goals that are not very clearly defined. You may create a hypothesis to test, or define your goal broadly so that you get a general direction towards which you can direct your actions. The purpose is to help you discover new, possibly surprising, things.

A challenge with fuzzy goals: they can easily become lazy goals, replacing SMART goals, and thus losing their purpose. Instead of helping you discover things, they get in the way of creating real results.

Thanks to Ljubljana

There are a number of people to thank for this great experience; here are but a very few:

Mojca, at the University; Damir, President of CSA Slovenia; Lowk3y (who prefers to stay out of sight of my camera); Pen, the restaurant which served fantastic horse steak; Ljubljana Grad, which offered me fireworks, parties and great music; Kristina, who accepted my lunch-date invitation; the City of Ljubljana, which showed me the best of the best. And many more!

And finally – a great thanks to the computer scientist doubling as a harp musician, who played me the late-night serenade at the CSA speakers' dinner! That was brilliant!

A harp

A harp, possibly with a different name…

Security Culture Hangout – Metrics

Today is the Security Culture Hangout day, the last Wednesday of the month! This month, we take a look at security culture metrics – how to measure your security culture program. As usual, we use the Security Culture Framework as our foundation, and the Metrics module of the framework is described here.

You can watch the hangout here:

Today, we have our first guest: Geordie Stewart of Risk Intelligence. Geordie is well versed in security awareness and a popular speaker on the topic, and he will share some of his experience with measuring awareness and culture.

I first met Geordie at the RSA Conference Europe in 2012, where we both were on a panel to discuss security awareness and its applicability.

If you have any questions you would like to ask Geordie or myself, head on over to the event page and post your question there!

If by any chance you missed the hangout live, you can always watch it on YouTube.

This is the second Security Culture Hangout on Air we produce. You can watch the first one here.

Please share your comments, ideas and propose guests for the show below!

How to become an infosec Rock Star

Today is the Cloud Security Alliance (CSA) Norway Summer Conference in Oslo. I have been fortunate enough to be asked to explain how to become an infosec rock star, and below are my slides and notes, all for you to enjoy.

Remember that if any one of these people can achieve Rock Star status, you can too! Take these tips, and go ahead!

This is the full deck, available at Slideshare:

Slide 1

One year ago, I went to Colombia to deliver a keynote on security culture and human behavior at a conference. As usual, I updated my Twitter stream with what happened during my stay, and this photo was posted: a napkin, given to me by one of the ladies present.

A tweet that had a colleague ask me: “Kai, how does one become an infosec rockstar?”

My name is Kai Roer, and I am here to tell you what makes a rockstar – in the infosec industry!

Slide 2: It's Only Rock and Roll, Baby!

Its Only Rock and Roll Baby

So, let us take a look at what makes a rockstar!

First, it is about having fun! It's all Rock and Roll, Baby! And fun can be defined in many different ways – just consider the amazing variety of rock music available, from Elvis, the Stones and the Beatles, to Deep Purple and Twisted Sister, to Nirvana, Pearl Jam, and many more.

Just like there are many bands with a wide variety of flavours, there are a large number of stars in the infosec community. And just as with rock and roll, there are some common factors to consider if you want to be an infosec rock star too:

  • You need to be up for Sex and Drugs and Rock and Roll
  • Be newsworthy
  • Be different
  • Be daring!
  • Build a following
  • …and get yourself groupies!

Do these things, and you will build a following and fans, and you may even get yourself some groupies!

Let's take some time to look at each of these requirements!

Slide 3: Sex and Drugs and Rock and Las Vegas

Music: ZZ Top: Las Vegas

Sex and Drugs and Rock and Roll was a thing of the 60s and 70s, some say. I say it still is.

ZZ Top is closer to the Rock and Roll than to the sex and drugs; just listen to the rhythm in their blues-like music.

Just like sex and drugs are important to rock and roll, so are conferences, events and their parties to the infosec community. If you want to learn something new, meet new people, and possibly even score some free booze, get out of your office (or dungeon), and go shake some hands at an event.

Slide 4: Las Vegas Jack

As with rock music, some events are more important than others. Again, it depends on your taste, interests and friends, yet many people will agree that the Security BSides events have become a real player – not only in Las Vegas, but everywhere!

The BSides are a bit like I picture the Woodstock festivals, driven by the community, for the community.

As one of the founders of BSides, and possibly the missing ZZ Top band member, Jack Daniel represents the Sex and Drugs and Rock and Roll. His care for the community is hard to hide behind his grumpy tweets, and his infamous RV rides, with the RV filled with infosec peeps, are just, well, exactly like a band driving from concert to concert in their band bus!

Jack is also old enough to realize that the constant buzzing about New This, New That is nothing to panic about – in his words:

“Don't panic, we've solved this before.” – Jack Daniel

Slide 5: Be new and newsworthy

Being New(sworthy)

Music: Rammstein: Sonne

In addition to having the Sex and Drugs and Rock and Roll attitude, you need to be newsworthy. That does not necessarily mean that you need to come up with something totally new – it means you must be able to present it in a new way. A way that gets people interested.

If you choose to become a cover band, that is fine too, as long as you remember to credit the originator. 

Rammstein, however, is not a cover band; this group is doing their own thing. They are strong, can be a bit rough around the edges for some people's taste, and they combine humor, quality and care.

Their focus is narrow, yet within their area, they simply ROCK! 

Slide 6: Mr. Passwords

Just like the Norwegian Mr. Password, or Per Thorsheim as he is known over here.

Per has a deep interest and passion for passwords, so much so that he has established not only one, but two conferences on the topic – one in Norway, and one in Las Vegas. Just like the band, Per is very focused and can be considered a bit rough (he is from Bergen, after all!), yet those who know him know him to be caring, deeply generous and extremely knowledgeable.

Although the topic of passwords is not exactly new, the way Per presents and focuses on the topic brings new and valuable knowledge to the area, which is why he exemplifies being new(sworthy).

Slide 7: Be Different

Music: Jamiroquai: Cosmic Girl

Being new is all well and fine. Another way to get attention is to be different. After all, you need to get heard through all the noise, right?

Of course I'm right!

Just consider all the musicians around the world who want to become a Rock Star. They'll do anything, with anyone, just to get a shot at becoming a star. Most of the time, though, doing anything to anyone just isn't the right thing to do.

You need real talent, real skills, real interest and deep understanding of what you want to achieve. Jamiroquai knows that better than most. 

Slide 8: The Father of Girl Cynic

As does Javvad Malik of 451 Research, or J4vv4d of HostUnknownTV, and his other alter egos.

He started out as an infosec cynic – you know, that state many infosec peeps end up in after too many lonely years in the bunker – and upon being challenged, his English wit and humor became his savior. Just as he became the savior of the sanity of so many others in the infosec community.

Being different lifted Javvad to stardom faster than most, and by embracing the fame, he continues to share his valuable insights, ideas and humor worldwide.

And his Cosmic Girl? His award-winning daughter Girl Cynic, of course!

When it comes to Rock Star-ing – being different is good! 

Slide 9: Be Daring!

Being Daring

Music: Serj Tankian: Uneducated Democracy 

Some musicians just do their own thing. System of a Down spawned an extraordinary singer-songwriter in Serj Tankian. Playing with words, music, emotions and energy, Serj is able to rock your emotions, beliefs and mind.

Serj accepts nothing as a fixed truth: he dares to challenge the status quo, he dares to ask the difficult questions, and he points fingers right where they need to be poked.

Being daring is vital when you have an important message to bring across. 

Slide 10: Being Josh Corman

Just like Josh.

Joshua Corman is on a life-long mission to change the world. He dares to ask the right questions, to the right people, at the right time. Because he makes it the right time, the right people and the right questions. 

Like Serj Tankian, Josh has a brilliant mind, a mind he uses to better understand what our industry is all about, so he can help fix it. Josh is all about understanding, analyzing and fixing.

Like when he dares to tell you that no one is ever going to save you:

“I am The Cavalry.” – Josh Corman

Meaning you are, and that you need to step up your game of defense.

So be brave, be daring! 

Slide 11: Create that SHOCK!

Music: Miley Cyrus: Wrecking Ball

Occasionally, someone gets more attention than others. Most of the time that happens because they have planned for it, or at least understand how media and crowds work together to feed a message into every channel, so often that it becomes the Main News that week.

Miley Cyrus knows that being SHOCKING will get you attention, including the attention of the media.

Having attention means more sales, more fans, and ultimately, more fame. Which in turn makes it easier to spread your message to more people, which builds more fame, which again makes your message stronger, and so on and on and on and on.

Slide 12: Mikko on a Ball

And fame is something this guy has. Mikko Hypponen of F-Secure has done it all (well, possibly except riding a metal ball nude, but what do I know). Like Miley, Mikko is smart, driven and has a somewhat Disney-like background, being the nice guy and all.

Mikko also knows how to use the media and the crowds to drive his message across. He may be the closest thing the infosec community has to a crowd-drawing Rock Star; at least when he shows up at your event, the crowds come too.

And the key to using media? Be shocking! Or comment on the shocking news. Dance with your crowds, and make new friends while keeping your old ones close. 

Miley and Mikko both know how to rock that boat! 

Slide 13: Build followers…

Music: Metallica: Fight Fire with Fire

There are many bands and musicians that deserve a place in a presentation about infosec rockstars. IMO, none more so than Metallica. An international band (well, at least with members from Europe and the US), Metallica created a kind of music that was new and different when it came out, and that over the years has built an enormous following with fans around the globe.

Their attitude towards music, their fans and their search for perfection is just what it takes to be great.

Slide 14: Rik the Rocker

Rik Metallica

Like Metallica, at least by the looks of it, Rik Ferguson is a true rocker. He has built a large following too. Being easily recognizable, while having a clear message, and consulting for anyone from Mom & Pop to Europol, Rik uses a number of channels to build fans and followers.

He is a frequent conference speaker, he creates video lessons (well, Trend Micro advertising), and he digs into the deep end of technology.

Like Metallica, he not only looks the part, he delivers the goods too. And that is what it takes to build a large base of followers and fans. Like a real Rock Star!

Slide 15: …and make FANs!

and fans

Music: AC/DC: Let Me Put My Love Into You

For many, AC/DC is the epitome of Rock and Roll (or heavy metal, if you must). Their long careers in the industry have taken them around the world, they have seen and done things most of us can't even dream of, and they still haven't learned how to dress properly.

Despite all their oddities, and their age, AC/DC is one of those bands that have “always been there”, and that has made them a huge number of fans.

Slide 16: Bruce the Rock Star

Like AC/DC, Bruce Schneier has also “always been there”, and like AC/DC, Bruce is a bit of an oddball. He can be difficult to talk with, he does his own stuff, and he seems to be most comfortable when he can observe, analyze and speak his brilliant mind when he decides to.

Also like AC/DC, Bruce's following is so huge that it turned into the meme this presentation is based on:

“The closest the security industry has to a Rock Star”, according to The Register.

Not only is he an Infosec Rock Star, he is also so loved that he is being mocked, and we all know that you only joke about those you love. Unless he really is Chuck Norris in disguise?

Possibly one of the most influential people in modern-day infosec, Bruce has a vast knowledge that he shares through books, consulting, speeches and his blog. And like AC/DC, he keeps selling the same story again and again, and we all love it!

Slide 17: Handshakin' Stevens

Bruce Quote

This is exactly how important Bruce is. 

Slide 18: The Up and Coming – on a Mission from God

The Future

Now that we have gone through how to become an infosec rock star, let me just say this. No matter who you consider a rock star, the single most important Rock Star in this room is you!

This community needs more openness, care and sharing. We are on a mission from God, to create a safer world. To do that, we need to enable more people to share their stories, their ideas, their craziness and their knowledge. 

If you take nothing but one thing from my presentation, take this:

The Up and Coming are the future of this industry. Let us work together to help them succeed! 

Slide 19: The groupies are mine!

Groupies are MINE

Oh, you wonder where the Groupies part of this presentation went? 

I get to keep them! Get your own groupies! 

Slide 20: Where is the party?

Thank you everyone for giving me your attention! A special thanks to @marigrini for asking the question:

“How do you get to be in this industry, and receive handkerchiefs like that!!??” 

Now, where is that party! 

Since you are still reading, I'm guessing you'd like to see this, or other presentations, at your next event? Get in touch, and let's see just what show I can put on for you!

Get on the bus! The Security Culture Summer Camp 2014 is about to start!

The Security Culture Summer Camp 2014 is about to start. We still accept participants for two more weeks (until the 27th of June), so make that decision you know you always wanted to make: come on and join us!

The Security Culture Summer Camp 2014

A camp, Kai, not a school!

What is the Security Culture Summer Camp, anyway?

Think of it as a seven-week program that will teach you the basics of the Security Culture Framework, help you set up your very own security culture program, and give you a fantastic chance to spend time with others discussing and learning security culture.

So far, we have participants from Sweden, France, UK and the USA. This means that not only do we get to learn about security culture, we also can play with culture in general to help us understand how culture impacts our behavior.

The Security Culture Summer Camp takes place online, using a mix of our own e-learning platform, with assignments, readings and video lectures, and Google Hangouts on Air to allow for live discussions and Q&A sessions about the content, assignments and learnings. The workload is estimated at 4 to 8 hours per week, including readings and assignments.

Do you need more reasons to join us? Check the list below!

  • Yours truly is your teacher;
  • Take awareness trainings to the next step by creating measurable results;
  • Learn to set goals, and work towards them;
  • Create a plan, with the necessary actions, ready for implementation;
  • Learn and share experiences from other participants;
  • Understand who to involve in your programs, and why;
  • Build a list of activities that will enhance your security culture;
  • Use the Deming Cycle to create increasingly better awareness;
  • Save money: Understand your own needs before you buy content;
  • Save money: Create a program that focuses on what you need;
  • Save more money: The summer camp is only 499 USD. And signing up with this code gives you a 25% rebate!

What are you waiting for? With a workload like this, you can even do it during your vacation time!

Oh, and yes, there will be certificates so you can prove your competence. You will earn the right to call yourself a Certified Security Culture Practitioner. Which, by the way, is the first step toward becoming a Certified Security Culture Coach!

And for those who need CPEs – there may be light in the tunnel. Contact me directly if you need them!

Come on! Sign up today, and be with us from the very start!

Happy summer camping – bring marshmallows!

The CISSP Companion Handbook (Book Review)

Javvad Malik's The CISSP Companion Handbook

Sometimes, great things happen. It can be the spring in Norway, a cup of coffee in the morning, or a humorous new book on a boring topic. This post is about the latter.

Javvad Malik, the notoriously funny and insightful guy, wrote the “CISSP Companion Handbook”, in which he sets out to explain the things you need to know before you sit for your CISSP exam. This book is not meant to replace the official documentation; it is meant as a companion handbook, a resource to use to get a laugh when you need it most.

However, the CISSP Companion Handbook is not only about laughing and English humour (notice the u!). Javvad is, behind his beard and jokes, a very insightful gentleman who cannot fool anyone for long. The book is, in my opinion, a great resource for an overview of the CISSP requirements. It gives the reader a perspective on what the CISSP is all about, and ties it into real-life examples (like the email exchange explaining witchcraft, erm, encryption) using Javvad’s exceptional story-telling skills.

One of the many things I like about this book is how Javvad is able to explain the different concepts of information security using words and sentences that also make sense to people who are new to the topic, or who lack a technical background. As such, I would recommend this book as a CISSP / Infosec 101 university course book.

Why should you buy this book?

  • it gives a great overview of the CISSP
  • it helps you understand the broad scope of the CISSP
  • it is funny
  • it uses real-life examples that are easily understood
  • it is written by Javvad

Why should you not buy this book?

  • it is funny (if you think a laugh can ruin your studying)
  • it makes you wonder why the official docs of the exam are so humongous
  • you may actually like it

This book is RECOMMENDED by Kai! (And yes, that is an affiliate URL. If you prefer not to be tracked, use this direct link instead).
The Security Culture Hangouts on Air

The Security Culture Framework deserves more than just a place to discuss and learn. We wanted something more interactive, something where you can join us, discuss and share your experiences.

Enter the Security Culture Hangout on Air – a monthly event that takes place on Google Hangouts, is live streamed, and is automatically stored on our YouTube channel. What is more: tomorrow is the kick-off event, and YOU are invited!

Join us for the live event here:

Or watch the recording on Youtube here:

And for your convenience: here is the embedded video:

Hosting the show are yours truly and Mo Amin. We will be featuring interesting guests in future shows, who will share their knowledge of security culture, awareness and training.

Future shows will cover topics like: how to measure culture, what to focus on in your security culture program, whom to involve, how to make progress, and so much more.

As always, you can join the conversation at, and you can learn more about security culture in general here!

How to build and maintain security culture

This week I was speaking at the ISACA Nordic Conference in Oslo, where I shared my findings on security culture. I have uploaded my slides to Slideshare, and you can watch them here:

Unfortunately, Slideshare is not able to process Keynote files (the tool I use to make my presentations), so there are no presenter notes available there. Therefore, I have attached them below, with slide numbers (one being the first slide):

Slide 1

How to build and maintain security culture in any organization.

In this presentation, you will learn about the building blocks of security culture, and how to organize your security culture program to create success.

Slide 2

Security Culture eats strategy for breakfast

Security Culture Eats Strategy for Breakfast!

Why should we care about culture, you may ask? In leadership, here represented by Petter Stordalen, the Choice hotel chain owner, the realization that culture eats strategy for breakfast is the understanding that you can have the best of plans and the best of execution, but without an organizational structure and a common set of values, you will fail. Culture is the building block of society.

Slide 3

What is security culture?

Security Culture – what are we talking about? Is this just another one of those marketing tricks? Another fancy name? Let us examine what security culture is. To do that, we need to understand what culture is.

Slide 4

Definition of Culture

The Oxford Dictionary defines culture as: The ideas, customs and social behavior of a particular people or society.

Take a moment and think about that. Ideas. Customs. Social behavior. Those are common things every individual shares. You have them – and I do too! And when we meet, we form groups that end up sharing some or all of those ideas, customs and social behaviors. Let us examine culture a little more!

Slide 5

Meet Red, Orange and Green!

Meet Green, Orange and Red. These are individuals, as you can see, and they come with their own ideas, customs and behaviors – you can see Green is the positive, inclusive guy, and Red is, well, on the other end of the scale.

We all know these people, don't we?

Which one are you?

Slide 6

A group of Orange people, forming Orange culture.

Here we have a group of people – they share the Orange values, and they form a culture. This could be your work group, your organization, your soccer team or even your country! They are all examples of groups of people who together share a set of ideas, customs and social behaviors. In Norway, for example, we share the custom of enjoying brown cheese (brunost), which, as far as I know, no other country does.

Slide 7

Orange meet Red.

Now, let us introduce Red to this group. Red is, as we remember, the negative person who always gets in your way, looking for the worst, expecting a disaster in every project. The question becomes – will the group change Red? Or will Red change the group? Both are valid questions, and valid outcomes.

Slide 8

Spreading Red.

In the Orange group, however, we do not have a strong culture, which allows a stronger influence from one individual towards the group. And we see the Red ideas, customs and social behavior spread.

Slide 9

Red culture conquers the Orange.

As we see here, Red is changing the group, by spreading the negativity, the pessimistic outlook. All that is needed is a group who is not focusing on building a strong culture to support itself. When someone new arrives, they are able to change the ideas, customs and social behavior of said group, and can create devastating results.

Slide 10

The devastating results of bad culture, creating fragmentation and negativity.

A result where other members of the group no longer want to be a part of it, and start leaving. What is left of your team, your department or your organization is the negativity, the pessimistic outlook and the general consensus that nothing is possible, and nothing can (or will) ever change. What is worse is that this new culture will scare away potentially great additions to the team – or they will leave after only a very short time with the company.

Why should you care as a security officer, you may be wondering?

Remember the Insider Threat, so famously named because it is someone from within your organization who leaks your data, or who introduces malware? An organization, department or team with this negative culture is more likely to create an environment where the insider willingly starts exploiting the organization. And that, my friend, is your problem!

Slide 11

Defining Security.

Let us take a look at the definition of security, again according to the Oxford dictionary. Being secure is the state of being free from danger or threat, and/or the state of feeling safe, stable, and free from fear or anxiety.

Using this definition, we can see how culture and security walk hand in hand – both are about individuals, people, and groups of people, and about creating an environment where people can be free from danger or threat, and where they can feel safe, stable and free from anxiety.

So I claim that your job is to make your colleagues feel safe and free from fear – which means we should ditch FUD right away! It also means you may have to reconsider how you do your job.

Slide 12

Red, Green and Orange – who are more secure?

Many security officers I know tend to act like Red: alienating their colleagues, and expecting employees to understand security without ever trying to understand the employees' real job. Over the years, the Reds get disappointed by poor results and lack of support, and become more and more negative and destructive – for themselves, and for the organization.

Is this how you feel, perhaps?

Slide 13

Introducing Green to the Orange group.

So let us take a different approach. Let us introduce Green to a group, and see what happens! At first glance, this looks so much happier; I can feel the warmth all the way over here! How will this go?

Remember that Green is introduced to a group without a strong, supporting culture, so he is able to change its ideas, customs and behaviors more easily.

Slide 14

Green Joy!

Just like negativity, being positive is contagious. Being optimistic and looking for solutions instead of problems helps yourself, your team and your organization realize there may be a way out of whatever challenge you are facing. And as this notion spreads…

Slide 15

Growing positivity and care!

…more and more people will join the new culture.

Slide 16

A positive culture attracts more positive people.

And as the culture grows, word spreads outside the organization too, attracting other individuals and groups with similar mindsets, with similar ideas, customs and social behavior. You have created a magnet of positive attraction!

Why does this matter to you as a security officer? Well, the insider threat has been reduced to the accidental incident of forgetting the smartphone on Flytoget, a behavior that training and education can reduce – because this culture wants to learn, to grow, to succeed. This culture cares about the group, and security becomes an integrated part of that culture. This group's social behavior allows it to build better security through understanding why, by being motivated for success, and by caring for each other and for the group!

Slide 17

Red, Orange or Green – which one do you want to be?

So the question is: Which security officer do you want to be?

  • The negative, destructive force that is Red?
  • The indifferent, easily changeable Orange?
  • Or the positive, secure Green?

Let's choose Green, and let us build a great security culture!

Slide 18

The definition of security culture.

Which brings us to the question – how do we define security culture? Using the Oxford definitions of Culture and of Security, I have come up with this definition of security culture: The ideas, customs, and social behavior of a particular people or society that help them be free from danger or threat.

This in turn makes the job of the security team the job of creating an environment that helps the group be free from danger or threat. And we can do that by working with the ideas, customs and social behaviors of our team, department and organization.

Slide 19

Go from Orange…

So we can make our goal, our purpose, to transform this…

Slide 20

…to green, positive culture!

…into this!

The good news is that we have already seen how culture can be transformed, and that should lead to the realization that we can curate that transformation. So let us do just that!

Slide 21

How to create a security culture program

Let us see how we can create a security culture program. It may sound like a daunting task, I know. But done correctly, using readily available tools and resources, it can be done!

Slide 22

The Security Culture Framework, a holistic approach to building culture!

One such tool is the Security Culture Framework. The Security Culture Framework consists of four building blocks:

  • Metrics, where you define a baseline, set your goals, and define your metrics;
  • Organization, where you organize your security culture workgroup, define target audiences and build organization-wide support;
  • Topics, which are the activities you choose to implement in order to reach your defined goals; and the
  • Planner, where you plan your efforts, your revisions and your metrics.

Four areas that need to be covered, each fulfilling individual tasks while being connected to each of the others. You cannot have one without the others and expect results – which is why most awareness training fails: it sorts under the Topics block, and while it is an important element, it is unable to create lasting change without the support of the other three building blocks required to transform culture.

With a framework like the Security Culture Framework, we can get to work:

Slide 23

A step-by-step guide

If you want to walk a thousand miles, you start with one step.

When building security culture, we have found that these steps are a great way to start.

Setting up your team is where you build a security culture work group. You want to include the kind of expertise you are unlikely to have yourself – especially from HR (training and organizational knowledge) and from Marketing (creating and presenting the story).

Together with your team, you define your goals, and decide how you will know that you have reached them (or missed). You need to measure your current status too, so you know where you are. You compare the current situation with the desired goal in a gap analysis, which helps you determine which elements, topics and activities you will use in your security culture program.

Then you define your target audience. Again, here the marketing guys can help. Why, you may ask? Consider the differences between the IT department and the sales people. They are quite different, right?

Then you start choosing the topic(s) you want to focus on (remember your goal), and the activities that will support your message. Again, Marketing Dept.!

Plan your efforts – think of each effort as a campaign, and make it last a limited time, which will allow you to measure before- and after-effects. Which is the next thing you do – measure, learn, change and do it all again!

Slide 24

A program is required.

Now that you know why culture matters in security, and how to organize your work, let me explain why you need to create a security culture program.

Culture is changing and evolving all the time. As we saw earlier, individuals impact culture, and culture impacts individuals. We need to run an on-going program to nurture and control the change we want.

Also, when so many security officers complain that their awareness training fails to yield results, one of the reasons is that they fail to see the need for a holistic approach: a program where a training is one part of the whole, not the Silver Bullet that solves it all!

Slide 25

And there are no silver bullets!

So to create a successful security culture, a positive one, driven by the Green, you need to nurture the culture. Make it support the business; your job is to secure the business, right? Create both understanding and awareness, and a support structure where your colleagues know what to do, and whom to turn to, when they make a mistake.

A security culture program is an on-going effort, one that never stops. We can say that security is built into culture, that culture is a security measure to create a stable, safe environment where we are free from threat. At least we should consider that our goal!

And remember that every walk starts with one small step! You can do it too!

Slide 26

Red, Orange, Green: Your choice, your responsibility.

So the question remains: Which security officer do you want to be?

I know who I want to be!

Slide 27

Thank you ISACA Nordic Conference 2014 for inviting me.

Thank you very much! I will be available for questions this afternoon. You can also reach me on Twitter and on my blog.

Of course, you can buy some of my books too – they are on!

Thank you!

Slide 28

Bonus: Where to find more information!

These are some sources of information you can use to learn more about security culture, how to build and maintain it, and ideas of content.

HELP: I can get no Windows XP (WinXP) Support anymore!

If you are looking for updates for Windows XP (WinXP), and you are reading this after April 2014, you are out of luck. And you must have been hiding in a cave for a few years too, since «everybody» knows that Microsoft is pulling the plug on Windows XP after more than a decade of a decent OS. And by decent, I mean in comparison to most everything they made before (possible exceptions are NT 3.5 and NT 4) and after (which is really a pity). From a user perspective, everything became less of a hassle with XP, and even my mother was able to connect to the Internet.

And therein lies the problem.

My mother, like so many other users of XP, has no idea about the possible threats to her computer and the precious OS on it.

She has no way to grasp the abstract concept of a botnet, much less the possibility that her computer is part of one. I know, I tried to explain. I did manage to get her to run auto-update and to have a security product installed, and I did not go into telling her about the 60-80% success rate of AV products.

What is she to do, then?

Microsoft Press Conference

As I told Dan Raywood, the Infosecurity Guru, she (my mother, not him) could just ditch the computer and get something with a more modern OS, or she could switch to Linux or some other «free» OS if she did not want to dish out some cash for a new computer. The challenge is of course that she has no idea what Linux, Ubuntu, Debian or Suse even means, much less does she have the interest and skills to download and install it. She would probably go into a coma instead.

Or call me, which would make me want to go into a coma (yes, I love her, I just don't like the idea of being her support department).

So what should an old lady do when her computer is deemed unsafe to connect to the Internet? She may of course unplug the network and use it as a typewriter. Or she could continue using it, since there is not much of a chance that she would be able to tell whether her computer was infected anyway.

Or she could get herself an iPad.

Which is what she got for her birthday last year, when I decided it was way past time for her to stop bothering me for support. Why the iPad, and not an Android product? My reasoning was simple: Android == WinXP (no way to control/avoid infections effectively without special competence), while the iPad with its security features (unless you jailbreak it, of course) is highly unlikely to become a problem for her.

The good thing is that she can do all she ever did (write, surf, e-mail etc.), while I do not have to worry about infected computers and cleaning up the old (not so) faithful.

I strongly feel that most users out there can do similar things – ditch your old XP computer, get yourself a new computer if you need that kind of power, or just get yourself a tablet.

Most of us don't need a PC anyway.

As for organizations, the situation is a bit different.

First of all:


In other words, if your organization is still using XP in 2014, you have no-one to blame but yourself (well, Microsoft can be blamed for trying to make some money by introducing mediocre software, but you made the choice not to upgrade. And if Microsoft really wanted to make money, they would offer you a paid support and update service for WinXP).

The fact that you are stuck with a bunch of computers running a no-longer-supported operating system means you need to take a step back and review the choices made in the past that led your organization to this stage.

And you should do that first, before you start looking for ways to mitigate it. Why, you ask?

Because you need to understand what went wrong, so you can avoid it happening again.

You need to understand what Product Lifecycle means, and what Product Lifecycle Management means. And how product suppliers like Microsoft make their money, so that you can relate to the risks involved in buying their products, for the full lifecycle of the product and for your planned time of use. Then you may realize that the end of support for Windows XP is not the fault of Microsoft, and that it is not Microsoft who is to blame for your situation. This knowledge is useful when it comes to taking responsibility for your (organization's) actions, and then cleaning up the mess.

As I said in my comment to Information Security Buzz, if your ATMs are all running on XP, you have failed on so many levels. And if they are still running on XP in 2014, it might be time for your bank to reconsider the short-term (next quarter) financial maximization and look at the long picture. Unfortunately, it seems most shareholders are more interested in said short-term profit, and don't care much about next year, or the year after.

The public sector lags behind too.

Obvious challenges arise if you are the National Police Force, and your systems are not only not updated, but in large part based upon Windows XP.

(Unfortunately, this is not me dreaming up a scenario).

Years (decades, possibly) of internal politics, lack of funding, and slow understanding of the strategic and tactical value of computerized systems (yes, indeed, even in 2014) have led a number of public services into the ditch. As it is with governments, it is best not to do something until it burns, and when it burns, put out the biggest fires only. Failure to plan their product lifecycle management has made several governmental services beg Microsoft to take their cash and supply them with updates and security patches.

I feel like screaming: HELLO!! This is not something that should be a surprise! Even for the bureaucrats!

And no, this is not Microsoft offering a subscription service. This is customers begging. My tip to Microsoft: turn it into a paid service offering. As a revenue stream, I bet it will beat Azure and 365 for years to come.

One last thing. If you do not like the fact that Microsoft and other commercial companies out there decide to no longer support a product (which they have every right to decide, IMO), you could always go Open Source and create your own distro. I see a great future for the ATM-distro. Just make sure that a small part of every transaction is directed to my account as a royalty for the idea.

Curious factoid:

On my blog, a bit more than 8% of the visitors use Windows XP (non-scientific test today over the course of 10 hours). I hope to see that number decline fast.
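The factoid above is a number any site owner can compute from their own access logs, and it is a useful defender-side check after an operating system reaches end of life: how many of your visitors (or, on an intranet, your own users) still run it. What follows is an added Python example, not code from the original post. It counts the share of visits from Windows XP in Apache/nginx combined-format logs by reading the `Windows NT 5.1` token that XP browsers send in the User-Agent header. The log lines are constructed samples, and the OS table and end-of-life set are my own simplifications (for instance, NT 5.2 is shared by XP x64 and Server 2003, which was still supported in April 2014, so it is left out of the end-of-life count).

```python
import re
from collections import Counter

# Constructed sample traffic in Apache/nginx "combined" log format (not real visitors).
# Contains two Windows XP clients, a search-engine bot and one malformed line.
SAMPLE_LOG = """\
203.0.113.10 - - [08/Apr/2014:10:01:02 +0200] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 5.1; rv:28.0) Gecko/20100101 Firefox/28.0"
203.0.113.11 - - [08/Apr/2014:10:01:09 +0200] "GET /about HTTP/1.1" 200 3210 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
203.0.113.12 - - [08/Apr/2014:10:02:15 +0200] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.154 Safari/537.36"
203.0.113.13 - - [08/Apr/2014:10:03:44 +0200] "GET /blog HTTP/1.1" 200 8800 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
203.0.113.14 - - [08/Apr/2014:10:04:01 +0200] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0"
203.0.113.15 - - [08/Apr/2014:10:05:30 +0200] "GET /blog HTTP/1.1" 200 8800 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.154 Safari/537.36"
203.0.113.16 - - [08/Apr/2014:10:06:12 +0200] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.154 Safari/537.36"
203.0.113.17 - - [08/Apr/2014:10:07:55 +0200] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.152 Safari/537.36"
203.0.113.18 - - [08/Apr/2014:10:08:03 +0200] "GET /about HTTP/1.1" 200 3210 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:28.0) Gecko/20100101 Firefox/28.0"
203.0.113.19 - - [08/Apr/2014:10:09:20 +0200] "GET /robots.txt HTTP/1.1" 200 64 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
this line is not in combined format and must be skipped
"""

# One field group per element of the combined log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
NT_RE = re.compile(r"Windows NT (\d+\.\d+)")

# Windows NT version token as reported in the User-Agent, mapped to product name.
# This table is an assumption for the example, not an exhaustive list.
WINDOWS_NT_VERSIONS = {
    "5.0": "Windows 2000",
    "5.1": "Windows XP",
    "5.2": "Windows XP x64 / Server 2003",  # ambiguous token, see EOL_WINDOWS
    "6.0": "Windows Vista",
    "6.1": "Windows 7",
    "6.2": "Windows 8",
    "6.3": "Windows 8.1",
}
# Out of support as of April 2014. NT 5.2 is excluded because Server 2003 shares it.
EOL_WINDOWS = {"Windows 2000", "Windows XP"}


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify_ua(ua):
    """Map a User-Agent string to a coarse OS family name."""
    m = NT_RE.search(ua)
    if m:
        return WINDOWS_NT_VERSIONS.get(m.group(1), "Windows (other)")
    if "Macintosh" in ua:
        return "macOS"
    if "Android" in ua:
        return "Android"
    if "Linux" in ua:
        return "Linux"
    return "Other"  # bots, unusual clients, empty agents


def os_share(log_text):
    """Count parsed visits per OS family; lines that do not parse are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields is None:
            continue
        counts[classify_ua(fields["ua"])] += 1
    return counts


def eol_percentage(log_text):
    """Percentage of parsed visits that came from an end-of-life Windows version."""
    counts = os_share(log_text)
    total = sum(counts.values())
    if total == 0:
        return 0.0
    eol = sum(n for name, n in counts.items() if name in EOL_WINDOWS)
    return round(100.0 * eol / total, 2)


if __name__ == "__main__":
    for name, n in os_share(SAMPLE_LOG).most_common():
        print(f"{name:32} {n}")
    print(f"End-of-life Windows share: {eol_percentage(SAMPLE_LOG)}%")
```

On the constructed sample the end-of-life share comes out at 20%. The User-Agent header is client-controlled and bots often lie about it, so treat the number as a trend indicator, as the post does, rather than an inventory; for machines you actually manage, an endpoint inventory is the authoritative source.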

EDIT: The embedded XP version used in many ATMs is in fact not part of the EOL, as commented by Tero:


And here is a link to the Microsoft update on the EOL for the different XP versions: