How to build and maintain security culture

This week I was speaking at the ISACA Nordic Conference in Oslo, where I shared my findings on security culture. I have uploaded my slides to Slideshare, and you can watch them here:

Unfortunately, Slideshare is not able to process Keynote files (the tool I use to make my presentations), so there are no presenter notes available there. Therefore, I have attached them below, with slide numbers (1 being the first slide):

Slide 1

How to build and maintain security culture in any organization.

In this presentation, you will learn about the building blocks of security culture, and how to organize your security culture program to create success.

Slide 2

Security Culture Eats Strategy for Breakfast!

Why should we care about culture, you may ask. In leadership, here represented by Petter Stordalen, the Choice hotel chain owner, the realization that culture eats strategy for breakfast is the understanding that you can have the best of plans and the best of execution, but without an organizational structure and a common set of values, you will fail. Culture is the building block of society.

Slide 3

What is security culture?

Security Culture – what are we talking about? Is this just another one of those marketing tricks? Another fancy name? Let us examine what security culture is. To do that, we need to understand what culture is.

Slide 4

Definition of Culture

The Oxford Dictionary defines culture as: The ideas, customs and social behavior of a particular people or society.

Take a moment and think about that. Ideas. Customs. Social behavior. Those are common things every individual shares. You have them – and I do too! And when we meet, we form groups that end up sharing some or all of those ideas, customs and social behaviors. Let us examine culture a little more!

Slide 5

Meet Red, Orange and Green!

Meet Green, Orange and Red. These are individuals, as you can see, and they come with their own ideas, customs and behaviors – you can see Green is the positive, inclusive guy, and Red is, well, on the other end of the scale.

We all know these people, don't we?

Which one are you?

Slide 6

A group of Orange people, forming Orange culture.

Here we have a group of people – they share the Orange values, they form a culture. This could be your work-group, your organization, your soccer team and even your country! They are all examples of groups of people, who together share a set of ideas, customs and social behaviors. In Norway, for example, we share the custom of enjoying Brown Cheese (brunost), which as far as I know, no other country does.

Slide 7

Orange meets Red.

Now, let us introduce Red to this group. Red is, as we remember, the negative person who always gets in your way, looking for the worst, expecting a disaster in every project. The question becomes – will the group change Red? Or will Red change the group? Both are valid questions, and valid outcomes.

Slide 8

Spreading Red.

In the Orange group, however, we do not have a strong culture, which allows a stronger influence from one individual towards the group. And we see the Red ideas, customs and social behavior spread.

Slide 9

Red culture conquers the Orange.

As we see here, Red is changing the group by spreading the negativity and the pessimistic outlook. All that is needed is a group that is not focused on building a strong culture to support itself. When someone new arrives, they are able to change the ideas, customs and social behavior of that group, and can create devastating results.

Slide 10

The devastating results of bad culture, creating fragmentation and negativity.

The result is that other members of the group no longer want to be a part of it, and start leaving. What is left of your team, your department or your organization is the negativity, the pessimistic outlook and the general consensus that nothing is possible, nothing can (or will) ever change. What is worse is that this new culture will scare away potentially great additions to the team – or they will leave after only a very short time with the company.

Why should you care as a security officer, you may be wondering?

Remember the Insider Threat, so famously named because it is someone from within your organization who leaks your data, or who introduces malware? An organization, department or team with this negative culture is more likely to create an environment where the insider willingly starts exploiting the organization. And that, my friend, that is your problem!

Slide 11

Defining Security.

Let us take a look at the definition of security, again according to the Oxford Dictionary. Being secure is the state of being free from danger or threat, and/or the state of feeling safe, stable, and free from fear or anxiety.

Using this definition, we can see how culture and security walk hand in hand – both are about individuals, people, and groups of people, and about creating an environment where people can be free from danger or threat, and where they can feel safe, stable and free from anxiety.

So I claim that your job is to make your colleagues feel safe and free from fear – which means we should ditch FUD (fear, uncertainty and doubt) right away! It also means you may have to reconsider how you do your job.

Slide 12

Red, Green and Orange – who are more secure?

Many security officers I know tend to act like Red: alienating their colleagues, expecting employees to understand security without ever trying to understand the employees' real jobs. Over the years, the Reds get disappointed by poor results and lack of support, and become more and more negative and destructive – for themselves, and for the organization.

Is this how you feel, perhaps?

Slide 13

Introducing Green to the Orange group.

So let us take a different approach. Let us introduce Green to a group, and see what happens! At first glance, this looks so much happier, I can feel the warmth all the way here! How will this go?

Remember that Green is introduced to a group without a strong, supporting culture, so he is able to more easily change its ideas, customs and behaviors.

Slide 14

Green Joy!

Just like negativity, being positive is contagious. Being optimistic and looking for solutions instead of problems helps yourself, your team and your organization realize there may be a way out of whatever challenge you are facing. And as this notion spreads…

Slide 15

Growing positivity and care!

…more and more people will join the new culture.

Slide 16

A positive culture attracts more positive people.

And as the culture grows, word is spread outside the organization too, attracting other individuals and groups with similar mindsets, with similar ideas, customs and social behavior. And you have created a magnet of positive attraction!

Why does this matter to you as a security officer? Well, the insider threat has been reduced to the accidental incident of forgetting a smartphone on Flytoget (the Oslo airport express train), a behavior that training and education can reduce – because this culture wants to learn, to grow, to succeed. This culture cares about the group, and security becomes an integrated part of that culture. This group's social behavior allows it to build better security by understanding why, by being motivated for success, and by caring for each other and for the group!

Slide 17

Red, Orange or Green – which one do you want to be?

So the question is: Which security officer do you want to be?

  • The negative, destructive force that is Red?
  • The indifferent, easily changeable Orange?
  • Or the positive, secure Green?

Let's choose Green, and let us build a great security culture!

Slide 18

The definition of security culture.

Which brings us to the question – how do we define security culture? Using the Oxford definitions of culture and of security, I have come up with this definition of security culture: The ideas, customs, and social behavior of a particular people or society that help them be free from danger or threat.

This in turn makes the job of the security team the job of creating an environment that helps the group be free from danger or threat. And we can do that by working with the ideas, customs and social behaviors of our team, department and organization.

Slide 19

Go from Orange…

So we can make our goal, our purpose, to transform this…

Slide 20

…to green, positive culture!

…into this!

The good news is that we have already seen how culture can be transformed, and that should lead to the realization that we can curate that transformation. So let us do just that!

Slide 21

How to create a security culture program

Let us see how we can create a security culture program. It may sound like a daunting task, I know. Done correctly, using readily available tools and resources, it can be done!

Slide 22

The Security Culture Framework, a holistic approach to building culture!

One such tool is the Security Culture Framework. The Security Culture Framework consists of four building blocks:

  • Metrics, where you define a baseline, set your goals, and define your metrics;
  • Organization, where you organize your security culture workgroup, define target audiences and build organizational wide support;
  • Topics, which are the activities you choose to implement in order to reach your defined goals; and the
  • Planner where you plan your efforts, your revisions and your metrics.

Four areas that need to be covered, each fulfilling its own tasks while being connected to each of the others. You cannot have one without the others and expect results – which is why most awareness training fails: it sorts under the Topics block, and while it is an important element, on its own it is unable to create lasting change without the support of the other three building blocks required to transform culture.

With a framework like the Security Culture Framework, we can get to work:

Slide 23

A step-by-step guide

If you want to walk a thousand miles, you start with one step.

When building security culture, we have found that these steps are a great way to start.

Setting up your team is where you build a security culture work group. You want to include the kind of expertise you are unlikely to have yourself – especially from HR (training and organizational knowledge), and from Marketing (creating and presenting the story).

Together with your team, you define your goals, and decide how you will know that you have reached them (or missed them). You need to measure your current status too, so you know where you are. You compare the current situation with the desired goal in a gap analysis, which helps you determine which elements, topics and activities you will use in your security culture program.

Then you define your target audience. Again, here the marketing guys can help. Why, you may ask? Consider the differences between the IT department and the sales people. They are quite different, right?

Then you start choosing the topic(s) you want to focus on (remember your goal), and the activities that will support your message. Again, Marketing Dept.!

Plan your efforts – think of each effort as a campaign, and make it last a limited time, which will allow you to measure the before and after effects. Which is the next thing you do – measure, learn, change and do it all again!
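As an added example, not part of the original slides, here is how the "measure, learn, change" step of one campaign can be evaluated per target audience, covering the Metrics block (baseline, goal, gap) and the before/after comparison above. It assumes the metric is the share of staff who clicked a simulated phishing link and that the goal is at most 10%; both are assumptions, and all figures are constructed. It also adds a two-proportion z-test, a check the slides do not mention, so that a small drop in a small audience is not mistaken for a real change.

```python
import math
from dataclasses import dataclass

# Assumed program goal: at most 10% of staff click a simulated phishing link.
# The metric and the goal are assumptions made for this example.
GOAL_RATE = 0.10


@dataclass(frozen=True)
class Measurement:
    """Baseline and post-campaign counts for one target audience."""
    audience: str
    baseline_hits: int   # clicks measured before the campaign
    baseline_n: int      # people measured before the campaign
    after_hits: int      # clicks measured after the campaign
    after_n: int         # people measured after the campaign


# Constructed sample data, not real results from any organization.
SAMPLE = [
    Measurement("Sales", 42, 150, 18, 150),
    Measurement("IT", 6, 80, 4, 80),
    Measurement("Finance", 12, 60, 11, 60),
]


def normal_sf(z):
    """Upper-tail probability P(Z > z) of the standard normal distribution."""
    return 0.5 * math.erfc(z / math.sqrt(2))


def two_proportion_test(x1, n1, x2, n2):
    """One-sided pooled z-test of H0: p1 == p2 against H1: p1 > p2.

    Returns (z, p_value). A small p-value means the drop from the baseline
    rate x1/n1 to the after rate x2/n2 is unlikely to be sampling noise.
    """
    p1, p2 = x1 / n1, x2 / n2
    pooled = (x1 + x2) / (n1 + n2)
    se = math.sqrt(pooled * (1 - pooled) * (1 / n1 + 1 / n2))
    if se == 0.0:
        return 0.0, 1.0  # no variation at all, nothing can be concluded
    z = (p1 - p2) / se
    return z, normal_sf(z)


def evaluate(m, goal=GOAL_RATE, alpha=0.05):
    """Gap analysis for one audience: where are we, did we reach the goal,
    and is the measured change distinguishable from chance?"""
    baseline = m.baseline_hits / m.baseline_n
    after = m.after_hits / m.after_n
    z, p_value = two_proportion_test(m.baseline_hits, m.baseline_n,
                                     m.after_hits, m.after_n)
    return {
        "audience": m.audience,
        "baseline": baseline,
        "after": after,
        "gap_to_goal": after - goal,     # positive means still above the goal
        "goal_met": after <= goal,
        "significant": p_value < alpha,  # True: the drop is unlikely to be noise
        "p_value": p_value,
    }


def evaluate_all(measurements=SAMPLE, goal=GOAL_RATE, alpha=0.05):
    """Evaluate every audience; the result drives the next campaign plan."""
    return [evaluate(m, goal, alpha) for m in measurements]


if __name__ == "__main__":
    for r in evaluate_all():
        verdict = "goal met" if r["goal_met"] else f"{r['gap_to_goal']:.1%} above goal"
        change = "real change" if r["significant"] else "change not significant"
        print(f"{r['audience']:8} {r['baseline']:.1%} -> {r['after']:.1%}  "
              f"{verdict}; {change} (p={r['p_value']:.3f})")
```

Run as a script it prints one line per audience: Sales shows a real improvement that still misses the goal, IT was already at goal so its small drop is noise, and Finance has not moved. The test only says whether a change is distinguishable from chance, not that the campaign caused it; keeping each campaign to a limited window, as the slide suggests, is what makes the attribution reasonable.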

Slide 24

A program is required.

Now that you know why culture matters in security, and how to organize your work, let me explain why you need to create a security culture program.

Culture is changing and evolving all the time. As we saw earlier, individuals impact culture, and culture impacts individuals. We need to run an on-going program to nurture and control the change we want.

Also, when so many security officers complain that their awareness training fails to yield results, one of the reasons is that they fail to see the need for a holistic approach: a program where training is one part of the whole, not the silver bullet that solves it all!

Slide 25

And there are no silver bullets!

So to create a successful security culture, a positive one, driven by the Greens, you need to nurture the culture. Make it support the business – your job is to secure the business, right? Create both understanding and awareness, and a support structure where your colleagues know what to do, and whom to turn to, when they make a mistake.

A security culture program is an on-going effort, one that never stops. We can say that security is built into culture, and that culture is a security measure to create a stable, safe environment where we are free from threat. At least we shall consider that our goal!

And remember that every walk starts with one small step! You can do it too!

Slide 26

Red, Orange, Green: Your choice, your responsibility.

So the question remains: Which security officer do you want to be?

I know who I want to be!

Slide 27

Thank you ISACA Nordic Conference 2014 for inviting me.

Thank you very much! I will be available for questions this afternoon. You can also reach me on Twitter and on my blog.

Of course, you can buy some of my books too – they are on!

Thank you!

Slide 28

Bonus: Where to find more information!

These are some sources of information you can use to learn more about security culture, how to build and maintain it, and ideas for content.

Request me to speak at your next event!

Would you like me to speak about how to build and maintain security culture to your workgroup, at an event, or at a conference? Use this form to request my availability:

HELP: I can get no Windows XP (WinXP) Support anymore!

If you are looking for updates for Windows XP (WinXP), and you are reading this after 8 April 2014, you are out of luck. And you must have been hiding in a cave for a few years too, since «everybody» knows that Microsoft is pulling the plug on Windows XP after more than a decade of a decent OS. And by decent, I mean in comparison to most everything they made before (possible exceptions are NT 3.5 and NT 4), and later (which is really a pity). From a user perspective, everything became less of a hassle with XP, and even my mother was able to connect to the Internet.

And therein lies the problem.

My mother, like so many other users of XP, has no idea about the possible threats to her computer and the precious OS on it.

She has no way to grasp the abstract concept of a botnet, much less the possibility that her computer is part of one. I know, I tried to explain. I did manage to get her to run auto-update and to have a security product installed, and I did not go into telling her about the 60-80% success rate of AV products.

What is she to do, then?

Microsoft Press Conference

As I told Dan Raywood, the Infosecurity Guru, she (my mother, not him) could just ditch the computer and get something with a more modern OS, or she could switch to Linux or some other «free» OS if she did not want to dish out some cash for a new computer. The challenge is of course that she has no idea what Linux, Ubuntu, Debian or Suse even means, much less does she have the interest and skills to download and install it. She would probably go into a coma instead.

Or call me, which would make me want to go into a coma (yes, I love her, I just don't like the idea of being her support department).

So what should an old lady do, when her computer is deemed unsafe to connect to the Internet? She may of course unplug the network, and use it as a typewriter. She could continue using it, since there is not much of a chance that she would be able to tell whether her computer was infected anyway.

Or she could get herself an iPad.

Which is what she got for her birthday last year, when I decided it was way past time for her to stop bothering me for support. Why the iPad, and not an Android product? My reasoning was simple: Android == WinXP (no way to control/avoid infections effectively without special competence), while the iPad with its security features (unless you jailbreak it, of course) is highly unlikely to become a problem for her.

The good thing is that she can do all she ever did (write, surf, e-mails etc), while I do not have to worry about infected computers and cleaning up the old (not so) faithful.

I strongly feel that most users out there can do similar things – ditch your old XP computer, get yourself a new computer if you need that kind of power, or just get yourself a tablet.

Most of us don´t need a PC anyway.

As for organizations, the situation is a bit different.

First of all:


In other words, if your organization is still using XP in 2014, you have no one to blame but yourself (well, Microsoft can be blamed for trying to make some money by introducing mediocre software, but you made the choice not to upgrade. And if Microsoft really wanted to make money, they would offer you a PAID support and update service for WinXP).

The fact that you are stuck with a bunch of computers running a no-longer supported operating system means you need to take a step back and review the choices that were made in the past that led your organization to this stage.

And you should do that first, before you start looking for ways to mitigate it. Why, you ask?

Because you need to understand what went wrong, so you can avoid it happening again.

You need to understand what Product Lifecycle means. What Product Lifecycle Management means. And how product suppliers like Microsoft make their money, so that you can relate to the risks involved in buying their products for the full lifecycle of the product, and for your planned time of use. Then you may realize that the end of support for Windows XP is not the fault of Microsoft, and that it is not Microsoft who is to blame for your situation. This knowledge is useful when it comes to taking responsibility for your (organization's) actions, and then cleaning up the mess.
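The lifecycle review this paragraph asks for is easy to automate, and doing it is how you avoid being surprised next time. As an added example, not from the original post, the script below compares a constructed asset inventory against vendor end-of-support dates. Windows XP's date (8 April 2014) is the one the post is about; the other dates are Microsoft's published end of extended support for those products. The 18-month planning horizon, the as-of date and the inventory entries are assumptions for the example.

```python
from datetime import date, timedelta

# Vendor end-of-support dates. Windows XP (8 April 2014) is the case the post
# discusses; the others are Microsoft's published end of extended support.
END_OF_SUPPORT = {
    "Windows XP": date(2014, 4, 8),
    "Windows Server 2003": date(2015, 7, 14),
    "Windows Vista": date(2017, 4, 11),
    "Windows 7": date(2020, 1, 14),
}

# Assumed planning horizon: flag anything that drops out of support within
# 18 months, roughly the time a procurement and migration cycle takes.
WARN_DAYS = 540

# Assumed date the review is run: the day after XP support ended.
AS_OF = date(2014, 4, 9)

# Constructed inventory, not real hosts.
INVENTORY = [
    {"host": "atm-0412",      "os": "Windows XP",          "owner": "Retail banking"},
    {"host": "dc-01",         "os": "Windows Server 2003", "owner": "IT operations"},
    {"host": "ws-finance-07", "os": "Windows 7",           "owner": "Finance"},
    {"host": "lab-legacy",    "os": "Vendor appliance OS", "owner": "R&D"},
]


def classify(entry, today=AS_OF, warn_days=WARN_DAYS):
    """Return 'unsupported', 'expiring', 'supported' or 'unknown' for one host.

    'unknown' means the inventory names an OS with no recorded lifecycle date.
    That is a finding in itself: you cannot plan for what you cannot date.
    """
    eol = END_OF_SUPPORT.get(entry["os"])
    if eol is None:
        return "unknown"
    if today > eol:
        return "unsupported"
    if today + timedelta(days=warn_days) >= eol:
        return "expiring"
    return "supported"


def days_left(entry, today=AS_OF):
    """Days of vendor support remaining; negative once support has ended,
    None when no lifecycle date is recorded."""
    eol = END_OF_SUPPORT.get(entry["os"])
    return None if eol is None else (eol - today).days


def review(inventory=INVENTORY, today=AS_OF, warn_days=WARN_DAYS):
    """Group hosts by lifecycle status so each group can be actioned:
    unsupported hosts need isolation or replacement now, expiring ones need
    a funded migration plan, unknown ones need their lifecycle data found."""
    report = {"unsupported": [], "expiring": [], "unknown": [], "supported": []}
    for entry in inventory:
        report[classify(entry, today, warn_days)].append(entry["host"])
    return report


if __name__ == "__main__":
    for status, hosts in review().items():
        print(f"{status:12} {', '.join(hosts) or '-'}")
    for entry in INVENTORY:
        print(f"{entry['host']:14} {entry['os']:20} days left: {days_left(entry)}")
```

Run against a real inventory export, the "unknown" bucket is usually the most instructive one: it lists every system nobody has dated, which is exactly how an ATM fleet ends up on XP in 2014.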

As I said in my comment to Information Security Buzz, if your ATMs are all running on XP, you have failed on so many levels. And if they are still running on XP in 2014, it might be time for your bank to reconsider the short-term (next quarter) financial maximization, and look at the long-term picture. Unfortunately, it seems most shareholders are more interested in said short-term profit, and don't care much for next year, or the year after.

The public sector lags behind too.

Obvious challenges arise if you are the National Police Force, and your systems are not only not updated, but largely based on Windows XP.

(Unfortunately, this is not me dreaming up a scenario).

Years (decades, possibly) of internal politics, lack of funding, and a slow understanding of the strategic and tactical value of computerized systems (yes, indeed, even in 2014), have led a number of public services into the ditch. As it is with governments, it is best not to do anything until it burns, and when it burns, put out the biggest fires only. Failure to plan their product lifecycle management has made several government services beg Microsoft to take their cash and supply them with updates and security patches.

I feel like screaming: HELLO!! This is not something that should be a surprise! Even for the bureaucrats!

And no, this is not Microsoft offering a subscription service. This is customers begging. My tip to Microsoft: Turn it into a paid service offering. As a revenue stream I bet it will beat Azure and 365 for years to come.

One last thing. If you do not like the fact that Microsoft and other commercial companies out there decides to no longer support a product (which they are in the full right to decide IMO), you could always go Open Source, creating your own distro. I see a great future for the ATM-distro. Just make sure that a small part of every transaction is directed to my account as a royalty for the idea.

Curious factoid:

On my blog, a bit more than 8% of the visitors use Windows XP. (Non-scientific test today over the course of 10 hours). I hope to see that number decline fast.

Thought Leader Life: Valuable insights shared

To me, being a thought leader means to share your knowledge, constantly searching for improvements, learning opportunities and ways to engage others. Some consider me to be a thought leader too, a humbling experience that helps me stay on my track.

As part of my personal development, I go to lengths to learn more. As you may know, I just went back to the university this year to learn more about psychology – knowledge I can apply and use in my work with communication and culture. The university is one source of learning, presented in one particular way.

Being a thought leader is a humbling experience.

Other sources of learning include reading, writing (I find writing to be a great way to learn – and to discover what you need to learn), and also podcasts and videos.

One such video series filled with influence, knowledge and inspiration is Thought Leader Life. Hosted by Mitchell Levy, founder of the publisher Happy About and the #ThinkAha books, and a thought leader on leadership in publishing, the show invites different thought leaders to discuss their life as a thought leader, sharing tips and knowledge.

If you are looking for inspiration on thought leadership in general, take a look at the Thought Leader Life clips! You may learn something today! Just like I will!

Panel on the need for Encryption (CSA Norway)

It is almost time for the next CSA Norway Chapter Meeting, taking place next Wednesday in Oslo.

The topic is a panel discussion about the need for encryption. We have Nasjonal Sikkerhetsmyndighet (Roar Thon / @secdefense) explaining to us why they suggest everyone should be using encryption. He will meet Jon Wessel-Aas, a lawyer specialized in privacy and digital rights, and Geir Bækholt, the co-founder of Crypho, to discuss how encryption is a viable solution, who is responsible for the encryption and possible pitfalls with encryption.

The discussion will be moderated by myself, although these gentlemen know how to behave very well indeed, and I foresee not much of a challenge.

This meeting will be the first one to take place at Teknologihuset, the new CSA Norway partner for locations.

If you would like to join us, just sign up at Eventbrite.

The panel will be in Norwegian, while the following social beer-drinking gathering at Lorry's will use any (non-)appropriate language.

Will we be seeing you too?

Using Knowledge Pills to record and spread competence in your security culture framework (video)

In the first of a series of Google Hangouts on the Security Culture Framework, we present Dr. Filipe Carrera, a learning expert from Europe.

Dr. Carrera explains what knowledge pills are, how to use them, and most importantly why they are useful in your toolbox for building and maintaining security culture in your organization. A knowledge pill is a short video or screencast where someone explains how to do a particular task or use a particular tool. It should be short, quick and on-topic.

Creating knowledge pills is easy and cheap. There is no need for high-end video recording and editing tools; you can use normally available equipment like handycams, phone cameras or screencasts. The idea is to create short, informative videos that explain the exact steps needed.

The distribution of knowledge pills can be done on your intranet. You can also show them on your in-house CCTV and display systems if you want.

One thing Dr. Carrera emphasizes is to create knowledge pills for tasks that are rarely done, but that require specific steps to be taken. When you need to do that task, you just search for the video clip, watch it, and do the job.

This is the first in a series of hangouts about the Security Culture Framework. We will be looking into a number of topics. Please feel free to ask for topics to cover, and to suggest guests I should invite.

You can watch the hangouts live if you make it at the time of recording. And if you miss it, you can always watch it later (or again) on the YouTube channel.

Remember: You can join the Security Culture Framework for free.

Security Profile: Mo Amin

Back in the day (many years ago, that is), I ran what I dubbed the Security Profile on this blog. I profiled security bloggers and podcasters, and had the pleasure to present some of the great names in infosec, like Martin McKeay, Anton Chuvakin, Richard Bejtlich and more.

After a long break, I hereby present the Security Profile again. This time around, I will focus on people I meet (or have met) over the years as a security practitioner, and instead of focusing solely on bloggers and rock stars, I will look at people in the industry who make a difference, without necessarily getting the recognition they may deserve (I leave that judgement to you!)

Introducing Mo Amin

Mo Amin, failing to look mean. This is a genuinely good guy!

The first profile is of Mr. Mo Amin. I honestly don’t remember when we first met, it feels like a long long time ago. Considering his age, though, it cannot be that long. Which probably says more about my memories than anything else.

I digress.

Mo came into security by way of ICT support, and amazingly, instead of letting the users ruin his life, he managed to recognize their need for quality learning and attention. His personality is outgoing, focused and jovial – he is one of the good guys, and doesn't mind bringing his positive attitude into information security.

Cynics amongst you may predict him to join you (the cynics, that is) at some point. The funny thing with Mo is that he will turn the table on you, and make you join him on a crusade to create a positive attitude in information security. His charming, boyish smile will drag you into his realm and make you consider following him to the end of the world.

Or wherever he decides to go.

Mo is a part of the London security scene, a group of people who have not failed to draw attention to themselves, with people like J4vv4d, Thom Langford (who claims to be my evil twin brother), Quentyn Taylor and many more. (Admittedly, the London security scene is many more than just those three, and consists of a number of people who are not actually in London too.)

The London gang also organizes BSidesLondon.

BSides London was his first public appearance, when he took the stage on the rookie track in 2013. With mentors like Arron Finux, he excelled (no surprise there). Some time later, he came to Norway to speak at the CSA Norway Annual Congress, and shone like a sun!


With his background in ICT support, Mo developed an interest in helping people early on. He recognized the challenges many people have with security concepts, and how policies, technology and training efforts (or lack thereof) did not always work to help employees understand how to behave.

Using his people skills, he enables organizations to do better security by raising awareness. He says this about security awareness programs:

«In essence, to create an effective security awareness program you need to build security culture within an organization. So what does this actually mean? Well it means:
  • Involving the right people
  • Understanding the people within the organisation and choosing the correct topics for them
  • Planning and establishing the programme
  • Being able to measure its effectiveness
Building culture of any kind is a continuously evolving process, not a one-time activity.»

His interest in people, security and awareness is what put him on my radar, and Mo was one of the very first people to join the Security Culture Framework movement in Europe. He says it was an easy «YES» when asked to join the community. And the community is very happy to have him on board, where he volunteers his time to review and create content and templates, as well as testing the concepts.

Mo goes on to say

«The framework isn't magic; it's simply taking existing themes within the business world and applying them in a fashion that can be used by anyone.»

Meeting Mo

Mo is London based. He works there, and he lives there. He is available on Twitter (@infosecmo), and he is active in the local security community in London. This year, he is no longer speaking on the Rookie track at BSidesLondon, he is mentoring a speaker!

Mo is also one of the central people in the Security Culture Framework community:

«This is a community effort and we welcome people with ideas, opinions and thoughts,»

he says.

Join the community, introduce yourself, and get to know a rising star!

Nominate a profile!

Do you know someone in the security sector you think deserves visibility? Post your nominations in the comments! Let the light shine on someone who deserves it!

New week, new month – time to review goals!

This is a new week in a new month. We have reached February 2014, and I have no idea what happened to January. It just went away very quickly this year, it seems.

A new month presents a wonderful opportunity to review goals and results, and to review the current direction. I am no different, so let's go through my current goals for 2014, and the activities I have done to work towards those goals.

Goals for 2014

  • For 2014, I will focus more on learning than on teaching. That means that I am back at the university, this time to study psychology. The reason I chose to look at psychology at this level is the increased understanding I have that psychology (and anthropology) have a deep impact on our understanding of security, and on security behavior / culture specifically. So for me to be able to connect more dots, and to help more people and organizations work securely, I need to understand more about people.
  • Another goal for 2014, which is related to the above, is to do less. Fewer speaking engagements, fewer voluntary activities, less stuff I do not want to do.
  • And I will spend more time with my family, doing stuff together.
  • I will also get my body back into shape, and the goal for 2014 is to be able to run 10 km at a good pace.

Results for January

Let me walk through each of the goals, and see how I am doing.

  • For the learning/teaching part, I am cutting back on classroom teaching and travel. Instead, I am creating e-learning courses, and I share more information using this blog. So far, this is very frustrating, one reason being that creating e-learning is much more work than I first thought, which means I put in more hours and become more frustrated with the results than before. However, I do believe this investment in time and effort will pay off later, and I will continue to create and enhance the e-learning courses. So teaching less is going so-so at the moment.
  • As for learning, I am (as of this week) going to classes at the university three times a week, I read and work on the topics a minimum of two hours per day, and I learn a lot. Not that I remember it all; what happens is that I feel good by doing something I like very much. In addition to learning psychology, I also learn other things – like creating e-learning courses. So I can honestly say I have been learning a lot in January.
  • As for doing less, I am not doing so well. I do do less of some things, while I see I have started doing other things instead. For example, I have stopped volunteering my time to causes I no longer believe in, so that is a win. On the other side, I have joined a group that works on creating and revising ISO/IEC standards, and I have accepted an honorary attachment to the National Cybersecurity Institute in Washington DC. I have also said yes to writing some articles for Computer Weekly in the UK, and to writing another book. So overall, I am failing big-time on this goal.
  • For the family goal, I just initiated a robot-building project with Kiddo, which will make us do more together, as well as teach him math and logic (and I will have to re-learn it), programming, mechanics and so much more. And of course we will be doing this together, meaning more time together. So far, this goal is progressing.
  • The final goal for 2014, getting my body back into shape, is progressing very well too. I have managed to get out the door four times a week since New Year, to complete a 5 km course in snow and ice. I am not yet able to run the full distance, but the subgoal for January was to build the habit of getting out four mornings a week, and that has been a huge success. The next subgoal, probably by the end of March, will be to run the full 5 km course four days a week. Then I can start extending the course, possibly by the time spring makes it possible to run in the forest again.

Take time out to reflect on your success!

Evaluation of the results

So far, I find the results for 2014 to rock.

Although I have failed on some goals, I can say the progress on the others is so good that I can accept the poor results of doing less. What is more, those things I have accepted to do (thus failing my own goal) are things I want to do, with one possible exception.

Adjusting course

Having goals and evaluating them is good. To go from good to great, however, you must also use the evaluation of your goals to adjust your course. These are my adjustments for the next months:

I will do a monthly goal review and evaluation, with things I can revise and change in order to better achieve my goals. I will work hard on saying «No», as there is no doubt that I need to be better at choosing the right activities for me in order to achieve my goals.

I also believe it is time to step up the studies a bit. So from now until the exam, I will spend more time studying than working.

These are my reflections on goals and progress for 2014. What are your reflections? How are you progressing with your goals for 2014?

Working on Standards: ISO/IEC27017

Having used a number of standards in the past, I have convinced myself that I don't have the right personality to develop and audit standards. I have considered the documents themselves to be tiresome, lengthy beyond belief, and either too specific or too general.

It turns out that I am both wrong and right. Standards come in many flavours, where some are too specific and some are too general. One point to me. On the personality issue, I may have to review my position, though.

Yesterday, I took part in the Standard Norge (the Norwegian entity for ISO and standardization) group for ISO27000-family development for the first time. The group is well established, and has been working for many years. In my mind, I figured the members of such a group had to be dried-up, stiff-nosed, highly intelligent, introverted brainiacs.

Cloudy standards – or are they clear as day?

It turns out, again, that I was wrong.

They were (are) highly intelligent. Or so they seem to me. And although some have introverted tendencies, the group as such acted highly extraverted. Humorous. Insightful. Funny. As in not at all boring.

A meeting I dreaded, expecting it to drag out with discussions on semantics until the next morning, turned out to pass quickly enough. We laughed, we discussed the responsibilities of the different entities in the standard we worked on, had a couple of friendly arguments, and quickly agreed upon the changes we believed the new standard needed.

I had to accept that my fantasy of what a group of people creating and maintaining the ISO/IEC standards was like, was just that – a fantasy. I am very happy that I accepted the challenge of joining this group, and I very much look forward to the continued work.

Today: First CSA Norway Member meeting in 2014

The CSA Norway chapter has its first member meeting of 2014 today. The topic is mobile security, where we will look into who is listening to your calls, SMS and data traffic, and how you may avoid being a victim of rogue surveillance.

As the chapter president, I am very happy to see that we draw a lot of attention to our events. Today, we had reserved a room for 20 people, and capped the registration at the same number. The board and I have received a number of requests from people who were unable to secure a ticket, resulting in us having to move location at the last minute.

By moving to a larger location, we are able to fit everyone in. Perhaps this is a trend we need to consider for future meetings too?

Our success factors are simple, and easy for you to copy too:

  • A group of peers who care enough to actually do something together,
  • An interesting topic,
  • A relaxed setting, with plenty of room for both professional knowledge and socializing,
  • A welcoming, open group, where everyone interested is accepted.

I know this is easy to copy, because that is what we did ourselves. We have learned from ISSA France, BSides, JCI and so many others to keep things informal and fun, yet relevant and educational.

If you would like to join CSA Norway, you are free to do so too: just join our LinkedIn Group, and hang around at our meetings!

If you know of a company who would like to support our community, please direct them to the board members or myself.

The Power of Grit: Cross that finish line today!

Success depends on achieving results. Whether it is your security culture program, your technical skills or your personal workout, success only comes by achieving results by completing your goals.

There are many strategies you can apply to define and achieve goals – from dividing the main goal into bite-size chunks, to starting with a small, manageable goal. One thing that does not change is the need for you to commit to your goals – long and short – and to hang in there even when you meet obstacles.


The ability to persist, to hang in there, is your key to successfully finishing your tasks, to reaching the goal ahead and to crossing the finish line. What does grit look like? You can think of it as your ability to get back up on your feet when you stumble and fall. You can think of it as the power that makes you take another approach to that programming problem you face, the next attempt to solve that mathematical challenge.

You can also think of grit as the force that makes you put one foot in front of the other, keeping you running until the end of your course, even when your chest is pounding with pain, your heart is pumping so hard and so fast you can feel it in your ears, and your legs are in such agony you imagine dropping them into a bucket of boiling water would be soothing. Yet you continue. One step ahead. One step ahead. One step. Just one more step.

Grit is what gets you across that finish line! One more step!

Pushing yourself through the dirt, forcing your brain to take charge, no matter how tired you are, no matter how far is left to run (or walk if you have to), is what it takes to have success. So say the scientists.

Using your Grit

Grit is what keeps you doing what you do. No matter how hard it is to do your job, to reach your targets, you do not give up. You get yourself out of bed in the morning (there is morning somewhere on this planet right now. That is my excuse, anyway), and you head to your workplace, ready to tackle whatever issues are thrown your way. You review your long-term plans, adjust your course, and press on.

You also use your grit when you help motivate your team, your peers and others to finish their task even when they struggle.

With security awareness, you have plenty of opportunity to use your grit too. You will get results as long as you continue to work towards your long-term goals. Every day.

How do you use your grit today? How did your grit help you build your success?