The cloud security rules: Five factors to consider with the cloud

Cloud services is a sector that is still growing strong. As part of the Information Security Buzz question for the Expert Panel in October, I looked into the five factors that every organization should consider when moving to the cloud. Cloud security is an important consideration for companies, and knowing what to consider is a great help. Use my advice to get you going!

The answer is based on the tips in the book The Cloud Security Rules from 2011, available here.

You may pop over to the Infosecuritybuzz website, or watch my answer directly below.

As always, your comments and questions are welcome!

Hacking Your Mind: How you are being exploited by hackers of all sorts!

As part of National Cybersecurity Month, I am traveling the country giving my talk on Hacking Your Mind – How you are being exploited by hackers of all sorts! pro bono to public and private organizations alike. Here are the slides, the notes and so forth! As always, I am better in person ;)

Below are each slide (and the videos) with my speaker notes. Enjoy!


Hi and thanks for attending this presentation on how you are being exploited by hackers of all sorts!

Welcome to Hacking Your Mind!

My name is Kai Roer, and this presentation is all about me. So let me start:


I have been working with leadership, computers and information security since 1994, a ride that has enabled me to write several books, travel to more than 30 countries, appeared on radio, TV and printed media more times than I can remember.

Simply put, as you can see on this slide, I am an awesome guy!

But don´t take just my word for it:


Rather, take a look at what some of the people that I have been working with over the years, say about me. Obviously, so many people saying so much great stuff means something, right?

Not only am I an awesome guy, I know what Im doing too!

And there is more! People from all over the world go nut´s when Im around. 

That is what I do. I hack their minds. Into doing what I want.

Today, I am sharing some of secrets about how the human mind helps social engineers and hackers to make you do what they want.


I will be talking about how your mind is being exploited by hackers of all kind – from sales people to your boss, from the social engineer who tries to gain access to your offices, to the phishing attempt you are receiving in this moment.

Broken down, I will look at three mental mechanisms that plays together to turn you into a victim.

  • I will look at how our social abilities and our need to be accepted and liked, makes it easy to ask for a favor.
  • I will show how our brains have evolved in to a dangerous tool that prefers to make shortcuts – shortcuts that make you click that phishing link.
  • Finally, I will explain how social structures are being exploited to make us follow those who lead us into temptation.

But first, let us establish a fact.


That fact is: You like me. Yes you do! I made you laugh, and I have established myself as an authority on hacking your mind. You are curious, and even if you don´t like the fact that you do like me, the fact remains. You like me. Enough to make you vulnerable.

As you saw in the #HolaKai video, requests can be small, and non-intrusive, making it easier to comply. 

This trick is being used by hackers of all sorts to convince you that it is perfectly safe for you to spend your time and money with this person. It works like this:

As social creatures, we form groups of our friends (and colleagues, family and others), groups of which we are members of. We call these groups in-groups. Everyone who are not a member of a particular in-group of ours, is automatically considered to be in an out-group – i.e. a group that may be competing with our resources, interests, politics and what not. Think of your favorite sports-team. Your team is the best, other teams are…well, not relevant, right?

Think of a fellow fan of your sports-team, let us call him John. John is approaching you, and ask you for a favor. You have never really spoken to John before, but because you both are fans of the same team, you accept to help him out.

Had John not been a supporter of your sports-team, the chances for you to help him out would be slim.

So how do hackers exploit this vulnerability? Easy! They do like I did: they make you laugh, they make you enjoy their company, and they quickly build an in-group where you both are members. An example:

These are musicians. Or pleasure-hackers, if you like. They are making you feel good, because they want you to give them money. Take a close look at how they flirt with the participants (the camera in this case), and how they interact with the audience. All is done to make you give up your hard earned cash so they can go and buy some beers (and there is nothing wrong with that, especially when they are also great musicians!)

A hacker would use similar tactics (possibly without the instruments!) to have you open a door to your office space, to ask you for information or to have you visit a website where they will automatically compromise your computer.

Now, let´s take a look at how your brain is handling those requests!


Your brain is an amazing computing unit. It handles a large number of different information at any time – even when you sleep. It is also amazingly fast at arriving at conclusions, and there is bound to be false positives and negatives. In other words – amazing as your brain is – it is not without flaws.

According to Daniel Kahneman, your brain consists of two kinds of circuits: Lightning Fast Shortcuts; and Process Intensive Hard Work. Shortcuts or Hard Work – what do you think your brain prefers?

Just like me, your brain is lazy, and tries to avoid hard work as best as it can! So if you leave the choice to your brain, it choose shortcuts every time. Plain, simple and fast.

So how does your brains laziness make you vulnerable to hackers?

Let´s take a look!

(Recommended reading: «Thinking fast and slow» by Daniel Kahneman)


The best trick you can play on anyones brain, is to tell it that something is urgent. Somehow, when your brain thinks that we are running out of time, it just accept anything at face value.

This shortcut has been used by marketeers since forever to make you buy stuff you never needed in the first place. A bad manager also use this shortcut to make you do things he believes should be done (while good managers have learned a lesson or two from Dr. Stephen Coveys Time/Importance Matrix).

A hacker may use urgency in any number of ways. In a spear phishing attack, a hacker may send you an e-mail that resonates well with you, perhaps referring to a current and important project you are managing. The email may even be sent to you at a time when you are heading into an important meeting, and the email may use a title that relates to the current project to catch your attention.

Because you are in a hurry, and the project is important to you, you are more likely to open the email and any attachments, effectively opening your computer and your workplace to malicious code execution.

Stress and urgency make you vulnerable to attack. Hackers know that. Hackers exploit that. Your job is to slow your brain down and review the information requests you receive – every time, all the time.

Suggested reading: «The seven habits of highly effective people» by Dr. Stephen Covey


Humans are social creatures, we live in groups, we form complex societies. To make such complex societies work, we need rules and policies, and we need to be able to recognize friend and foe – preferably before said foe kills us. More importantly, we need to be able to recognize who is in charge – what is the pecking order, and where do we fit in?

Some studies suggests that humans are able to decipher the pecking order automatically, just like Kahnemans shortcuts from earlier. What is more, it seems like this is so ingrained in our organism that even small babies are able to recognize the power structure of a group of people.

And there are, of course, tricks to use to make other people perceive you as an authority – tricks used by hackers all the time. You have already witnessed one such trick today:


By showing off what I have done, what I do, and what people say about me, I have effectively shown that I am someone who matters on this topic. I have established myself as an authority on the subject.

Of course, since I am here as a speaker, and you are here to listen to me, we have established that authority-relationship even without the need for me to show off. However, by enforcing the message, and giving you even more reason to build that awe, you are less likely to challenge me, and more likely to accept my claims at face value.

Just like the hacker want you to do too.


There are many kinds of authorities out there, this is just one example. The important about the power of authorities is the perceived value of their requests and orders, which make them harder to refuse. In this picture, the command structure is clear and not disputed, and the soldier to the left follows the orders without questions.

When you encounter people who you perceive as an authority, you are less likely to question their instructions and requests. You are more likely to accept their arguments, and to do their bidding. You are, after all, accepting them as more knowledgable, smarter, better or just more worthy than yourself, effectively stripping yourself off the power to say No!

Hackers use this strong urge to comply with authorities to force their way with you. One example is the so called Windows Support phone call scam, where the suport person on call tell you to open your browser and visit a particular link. As a support person, (s)he is perceived by you as more knowledgable, an authority, and because of that, you do not question the perhaps strange request to have you visit a website, a website that will have you download malware.


I have just told you about how your mind is being exploited by hackers of all kinds. Sales people, managers, social engineers – and your kids too!

The fact that you like someone, makes you more likely to do what they request from you. So as a social engineer, I will use this to befriend you, and then make a request you would otherwise decline.

Next, I looked at how our heuristics, the shortcuts in our brains, makes us vulnerable to urgency. Remember that, next time you see a Limited Time Offer!

Finally, I shared some of the ways authorities may be using us, and how hackers use the pecking order to have you stop questioning their actions.


What questions do you have?

I may be hanging around the shadows if you have any questions and comments you´d like to share with me.


Thank you for being here! I hope you had as great a joy as I did!

The Security Culture Framework Ecosystem

“How can you give away the Security Culture Framework for free, Kai?” is a recurring question I get. The short answer is that I believe in sharing to build a better world (Peace and Happiness and all that…). The longer answer is somewhat more complicated, and perhaps a tiny bit more self-serving. Let me show you the Security Culture Framework Ecosystem.

As you can see in the slides, the business model for my company is to give away the framework and templates, while we sell consulting, coaching and products around the free content. This business model is not at all new, nor is it revolutionary anymore. The model has been applied in Open Source software for a long time, and the Freemium model is also being successfully applied by numerous startups around the world. The model scale with the needs of the customer, a flexibility that allows my company to provide our competence, services and philosophy to organizations worldwide as their needs grow.

Security Culture Framework Ecosystem

To you this means that you can spend as much or as little money and effort on building and maintaining security culture as you like. If you are running on a low budget, you can manage everything without spending a dime, just by downloading templates and explanations from the Security Culture Framework site. If you get stuck, you can ask the community for answers.

For those with limited budgets, our trainings are available both online and on-site. We also provide what we call Security Culture Coaching – a service where you pay a small fee to have direct access to our pool of Security Culture Coaches when you need it, as much as you need it. A coach is not a consultant and does not provide you with answers, the role of a coach is to ask you questions you need to consider, and to point you in directions you may benefit from. You do the work, the coach is there to ensure you do it efficiently and without too many detours!

If you lack internal resources, but have money to spend, you can use one of our consulting partners in the USA or Europe. Our partners are trained in the Security Culture Framework, and can do anything from answering simple questions to set up and manage complete Security Culture Programs on your behalf. If you are looking for a consulting partner to help you out, contact us and we will help you identify the best available partner for your needs.

The Roer Group Products and Services

The Roer Group are also providing consulting to clients in special markets. We specialize in multinational enterprises with diverse cultural assets, as well as in public service areas. Our main focus is to build internal competence at our clients so they can maintain their own security culture programs without our direct assistance.

In addition to consulting, training and coaching, the Security Culture Framework offers a special application to set up and manage security culture campaigns and programs. The application is currently available to a selection of our clients, and will be made available to more clients throughout 2015. You may request access by contacting our team, of course.

Join the Security Culture Framework Community

The Security Culture Framework is an open and free framework to build and maintain security culture. Around the framework and the community is a growing ecosystem that enables us, our partners and most importantly our community members and clients to build better security culture. You can also be a part of the ecosystem by sharing your stories, providing services and support, and being active in your search for excellence.

Feedback loops to feed your security culture program

Feedback loops are valuable tools used to learn from something you do, and applying that learning in your later activities. In the Security Culture Framework, feedback loops are used to learn from each security culture campaign that is implemented, and the input from the feedback is then used to enhance the activities in the program.


The GoalLearning from your actions is a great way to build competence. We are all learners, all of the time according to scientists. It makes sense then to put this learning into work by applying it to our next actions. In the Security Culture Framework, feedback loops are used to gather metrics and results from your activities, and then using that feedback to understand what to change, what to do again, and what not to repeat.

The same feedback may also be used to understand how different user groups are, well, different. Some people learn best from reading, others by taking active part. Some learn after seeing something once, others need repetition and deeper motivation. Gathering and using data from your security culture campaigns will help you understand where to put your focus, and who may need more work than others.

In psychology, feedback loops explain how we learn from our actions: We do something, observe the outcome, adjust our course and then apply the learning to our new action. According to psychology, our brain use feedback loops automatically. Why should we not employ similar methods when working with security and security culture? In fact, we already do. Think of the ISO/IEC standards (and many other body of standards too) using the Plan-Do-Check-Act (PDCA) cycle. The PDCA cycle is a clean copy of the feedback loop employed by our mind. This is great news: it means most of us already know how to effectively use feedback loops in a workplace!

Using the Security Culture Framework, you organize the work with security culture and awareness in such a way that feedback is gathered as part of the process. The framework is free, and open, so you can download templates and start building culture today.

New Look of The Security Culture Framework

The Security Culture Framework has evolved over the past years, from a loosely knit set of ideas into a process and methodology. With the frameworks development, the website and community have changed too.


The current iteration of the Security Culture Framework website features all content free and open. What used to be hidden away behind registration links, are now freely available to anyone, without registration. One may ask why we chose such an approach, and the short answer is that we strongly believe in creating a platform that are being applied and used by people and organizations around the world, with no strings attached.

The longer answer involves our business strategy, how we as a company are making our money. We make money from our training, coaching and consulting services which we provide to organizations worldwide. We provide support to our implementation partners by training and certification services. And we provide clients with support and access to specialist competence when they need to. Our money-making services are closely tied to the Security Culture Framework, as the framework allows us to provide high-quality content, processes and methodology to organizations  who otherwise would not be able to afford our services. Now, they can use the framework, while opting to buy the services they need and see fit – directly from us, or from our certified partners.

The Security Culture Framework also allow you to register your own account so you can join the public discussion on how to build and maintain security culture, learn from others, and to get community support. Even more importantly, you can share your own results and get comments and ideas on how to improve.

Controlling your culture is a process where you must be in charge, by setting clear goals, define your metrics, involve the right people and so forth. You have two choices: leave the culture to control it self, or take charge to create and maintain the kind of culture you want in your organization. The Security Culture Framework is to be used when you want to take charge.

What is your experience with culture? How have culture impacted your job, your organization or your career? Please use the comments to share your experience!

Security Career Advice: Handling Executives who ignores you

Security Career Advice

Advices are important. Both to receive and to give. As my regular readers know, I occasionally answer questions about the industry, education and offer security career advice on what one should (not) do.

Brian reached out and wanted to know how to deal with executives. His question brings us to a vital area of security, and your career: How you communicate, and how you interpret other peoples communication, is key to your success.

This is the question of today:

"Hi Kai,  What advice would you give to someone who 
found vulnerabilities, brought them to the executive level 
and then had the executives 'play' them down to avoid being 
embarrassed? I believe that InfoSec has no room for egos.
Cheers and thanks again!
Brian "

This is an interesting question, particularly to me, since I am not exactly known for discovering and sharing vulnerabilities. I am not that technical anymore. However, what I can say, revolves around how you can handle different people, and how you may interpret their reactions to you.

Which is exactly what I did in my respond to Brian:

Hi Brian!

One of many challenges we see with people (execs are people, believe it or not…) is their mental patterns, ideas and customs getting in the way for rational decision making. Most people (at those levels at least) have their own agendas – either personal, professional or both, and the mental patterns can make it hard for them to see things from different perspectives.

The same is true for security pros – we tend to focus on our perspective only, and deem everyone who “don´t get it” to be stupid user, wrong or just plain ignorant of the problem.

In the words of Dr. Stephen Covey, the author of 7 habits, we all should do out best to “Seek to understand before we try to get understood”. What I am saying is that that the exec may have reasons for their behavior that they failed to communicate to you, making it hard to understand why they choose to do what they did.

Although I am a fan of full disclosure, I do not believe in total disclosure: I do believe there are situations where we should not share everything with everyone. In the case of vulnerabilities, on a general note, I believe we should try to fix the hole before we tell everyone. And when the hole is fixed and patched, there may no longer be any real reason to talk about the vulnerability?

In cases where a company choose not to fix, not to patch, and not to disclose anything, there may be a case for going public with the vulnerability. However, I strongly believe in being more responsible than we demand from others, so I would be very careful in how I choose to go public.

Questions like:
– what will be the outcome if I do this?
– what is the outcome I want to achieve?
– what other actions can I take to achieve similar results?
– who will get into trouble if I do this? Who else?
may help you decide the appropriate action.

So short answer: try to understand their (execs) motivation, and why it differs from yours.

How does my answer help you? How can you use this? What other tips would you give Brian?

Do you have a career related question? Let me know!

Travel Report from Ljubljana

It´s July 2014 when I write this travel report from Ljubljana. I spent one week in this amazing city in Slovenia, a small country south in Europe. A truly fantastic place, well worth your time.

The Ljubljana Grad / castle of Ljubljana

The Ljubljana Grad, Castle of Ljubljana, viewed from downtown.

The official reason I traveled to this, for me new, location, was an invitation to lecture about security culture and the Security Culture Framework at the University of Ljubljana. I also had the great pleasure to speak at the CSA CEE Conference, where I explained some of the psychology of security.

As you, my regular reader know, I love sharing my passion for security culture, behavior and communication.

The lectures took place at the faculty for computer science, and the students there were not at all prepared to spend six hours with me, and not using their computers! I don´t know what they expected, except it was not what they got!

Although I could go on rambling about myself and my lectures, I am not going to. Instead, I will share some of the highlights from this nice place. This is after all, a travel report from Ljubljana!

Party Crashing

One of the great things in life is attending nice parties. Meeting smart people, discussing life, love and existentialism. Or just drinking wine, beer, booze.

I am no stranger to such ideas, and as I wandered aimlessly touristy, I heard sweet voices from many people. Like a mot is drawn towards a lantern in the dark, my legs steered me towards the building, a part of the Ljubljana Grad, the local castle. I was expecting to meet some obstacles on the way, like locked doors, questioning guards or other controls aimed to keep party crashers like myself out.

Not this time.

Wine and food for thought at the Ljubljana Grad

A nice place, fantastic people and great food – the Ljubljana Grad has it all!

I must have looked like a perfect fit for this party, dressed as I were in blue jeans and half-buttoned shirt. I just smiled, nodded, and walked straight in. Into a room with beautiful people of all ages, from all around Europe as I discovered as I strolled the room with a glass of wine and some finger food.

Smart people for great conversations

Some of the students I met at the Ljubljana Grad. Great minds from all over Europe indeed!

Very nice place, great people, and fine conversations, pretty much sums up my experience.

World Cup

I also got to experience the world cup match between Belgium and the USA. I don’t usually watch soccer, my excuse this time was beer, and another party to be crashed.

Belgian Soccer Suporters in Ljubljana

I had the pleasure of joining these fine folks watching the Belgium vs. USA world cup soccer match.

Again, nice people, good drinks, a good game and not so great conversations – unless you are into soccer, possibly. The students I enjoyed the game with, were fantastic sports, though, even going all #holakai on me.

A Finnish fan, secretly cheering USA

Pekka, a Finnish linguist, secretly shared for USA during the match. We were both in disguise, using Belgium colors!

Fuzzy Goals

While there, I also took the time to record a short city walk, where I explain how fuzzy goals sometimes can be useful to help you discover what is going on in your organization, your security program, or in your systems.

Fuzzy goals are, as opposed to SMART goals, goals that are not very clearly defined. You may create a hypothesis to test, or define your goal widely so that you get a general direction towards which you can direct your actions. The purpose is to help you discover new, possibly surprising, things.

A challenge with fuzzy goals: They can easily become lazy goals, replacing SMART goals, and thus loosing it´s purpose: instead of helping you discover stuff, they get´s in the way of creating real results.

Thanks to Ljubljana

There are a number of people to thank for this great experience, here a but a very few:

Mojca, at the University; Damir, President of CSA Slovenia; Lowk3y (who prefers to stay out of sight of my camera); Pen, the Restaurant which served fantastic horse steak; Ljubljana Grad who offered me fireworks, parties and great music; Kristina, who accepted my lunch-date-invitation; the City of Ljubljana, who showed me the best of the best. And to many more!

And finally – a great thanks to the Computer Scientist doubling as a Harp musician, who played me the late-night serenade at the CSA Speakers dinner! That was brilliant!

A harp

A harp, possibly with a different name…

Security Culture Hangout – Metrics

Today is the Security Culture Hangout day, the last wednesday of the month! In this month, we take a look at security culture metrics – how to measure your security culture program. As usual, we use the Security Culture Framework as our foundation, and the Metrics module of the framework is described here.

You can watch the hangout here:

Today, we have our first guest: Geordie Stewart of Risk Intelligence. Geordie is well versed in security awareness, a popular speaker on the topic, and he will share some of his experience with measuring awareness and culture.

I first met Geordie at the RSA Conference Europe in 2012, where we both were on a panel to discuss security awareness and its applicability.

If you have any questions you would like to ask Geordie or myself, head on over to the event page and post your question there!

If by any chance you missed the hangout live, you can always watch it on youtube.

This is the second Security Culture Hangout on Air we produce. You can watch the first one here.

Please share your comments, ideas and propose guests for the show below!

How to become an infosec Rock Star

Today is the Cloud Security Alliance (CSA) Norway Summer Conference in Oslo. I have been fortunate enough to be asked to explain how to become an infosec rock star, and below are my slides and notes, all for you to enjoy.

Remember that if anyone of these can achieve Rock Star Status, you can too! Take these tips, and go ahead!

This is the full deck, available at Slideshare:

Slide 1


One year ago, I went to Colombia to deliver a keynote on security culture and human behavior at a conference. As usual, I updated my twitter stream with what happend during my stay, and this photo was posted. A napkin, given to me by one of the ladies present.

A tweet that had a colleague ask me: “Kai, how do one become an infosec rockstar?”

My name is Kai Roer, and I am here to tell you what makes a rockstar – in the infosec industry! 

Slide 2: It´s only Rock and Roll, Baby!

Its Only Rock and Roll Baby

Therefore, let us take a look at what makes a rockstar! 

First, it is about having fun! It´s all Rock and Roll, Baby! And fun can be defined in many different ways – just consider the amazing number of different rock music available – from Elvis, Stones and Beatles, to Deep Purple, Twisted Sisters, to Nirvana, Pearl Jam, and many more. 

Just like there are many bands with a wide variety of flavours, there are a large number of stars in the infosec community. And just as with rock and roll, there are some common factors to consider if you want to be an infosec rock star too: 


You need to be up for Sex and Drugs and Rock and Roll

Be newsworthy

You should be newsworthy,

Be different

Be Different,

Be daring!

Be Daring, even



Build a following

Do these things, and you will build a following and fans, 

and get yourself groupies!

and you may even get yourself some groupies!
Let´s take some time to look at each of these requirements!

Slide 3: Sex and Drugs and Rock and Las Vegas


Music: ZZ-Top: Las Vegas

Sex and Drugs and Rock and Roll was a thing of the 60s and 70s, says some. I say it still is. 

ZZ Top is closer to the Rock and Roll than to sex and drugs, just listen to the rythm in their blues-like music.

Just like sex and drugs are important to rock and roll; so are conferences, events and their parties to the infosec community. If you want to learn something new, meet new people, and possibly even score some free booze, you get out of your office (or dungeon), and go shake some hands at an event. 

Slide 4: Las Vegas Jack


As with rock music, some events are more important than others. Again, it depends on your taste, interest and friends, yet many people will agree that the Security BSides events have become a real player – not only in Las Vegas, everywhere! 

The BSides are a bit like I picture the Woodstock festivals, driven by the community, for the community.

As one of the founders of BSides, and possibly the missing ZZ-Top band-member, Jack Daniel represent the Sex and Drugs and Rock and Roll. His care for the community is hard to hide between his grumpy tweets, and his infamous RV-rides with the RV filled with infosec peeps are just, well, exactly like a band driving from concert to concert in their band-bus! 

Jack is also old enough to realize that the constant buzzing about New this, New that is nothing to panic about – in his words:

Don´t panic, we´ve solved this before. Jack Daniel

Slide 5: Be new and newsworthy

Being New(sworthy)

Music: Rammstein: Sonne

In addition to have the Sex and Drugs and Rock and Roll attitude, you need to be newsworthy – that does not necessarily mean that you need to come up with something totally new – it means you must be able to present it in a new way. A way that gets people interested. 

If you choose to become a cover band, that is fine too, as long as you remember to credit the originator. 

Rammstein, however, is not a cover band, this group is doing their own thing. They are strong, can be a bit rough on the edges for everyones taste, and they combine humor, quality and care. 

Their focus is narrow, yet within their area, they simply ROCK! 

Slide 6: Mr. Passwords


Just like the Norwegian Mr. Password, or Per Thorsheim as he is known over here. 

Per has a deep interest and passion for passwords, so much so that he has established not only one, but two conferences on the topic – one in Norway, and one in Las Vegas. Just like the band, Per is very focused, can be considered a bit rough (he if from Bergen, after all!), yet those who know him know him to be caring, deeply generous and extremely knowledgeable. 

Although the topic of passwords are not exactly new, the way Per present and focus on the topic, brings new and valuable knowledge to the area, which is why he exemplifies being new(sworthy).  

Slide 7: Be Different


Music: Jamiroquai: Cosmic Girl

Being new is all well and fine. Another way to get attention is to be different. After all, you need to get heard through all the noise, right? 

Of course Im right!

Just consider all the musicians around the world who wants to become a Rock Star. They’ll do anything, with anyone, just to get a shot at becoming a star. Most of the time, though, doing anything to anyone just isn´t the right thing to do. 

You need real talent, real skills, real interest and deep understanding of what you want to achieve. Jamiroquai knows that better than most. 

Slide 8: The Father of Girl Cynic


As does Javvad Malik of 451 Research, or J4vv4d of HostUnknownTV, and his other alter egos.

He started out as an infosec cynic, you know that state many infosec peeps end up in after too many lonely years in the bunker, and upon being challenged, his English wit and humor became his savior. Just as he became the savior to the sanity of so many others in the infosec community. 

Being different lifted Javvad to starship faster than most, and by embracing the fame, he continue to share his valuable insights, ideas and humor worldwide. 

And his Cosmic Girl? His award-winning daughter Girl Cynic, of course!

When it comes to Rock Star-ing – being different is good! 

Slide 9: Be Daring!

Being Daring

Music: Serj Tankian: Uneducated Democracy 

Some musicians just do their own thing. System of a Down spawned a singer-song-writer out of the extraordinary with Serj Tankian. Playing with words, music, emotions and energy, Serj is able to rock your emotions, beliefs and mind. 

Serj accepts nothing for being a fixed truth- he dare to challenge the status quo, and he dares to ask the difficult questions, and to point fingers right where they need to be poked. 

Being daring is vital when you have an important message to bring across. 

Slide 10: Being Josh Corman


Just like Josh. 

Joshua Corman is on a life-long mission to change the world. He dares to ask the right questions, to the right people, at the right time. Because he makes it the right time, the right people and the right questions. 

Like Serj Tankian, Josh has a brilliant mind, a mind he use to better understand what our industry is all about, so he can help fixing it. Josh is all about understanding, analyzing and fixing.

Like when he dares to tell you that no-one is ever going to save you

I am The Cavalry.  Josh Corman

Meaning you are, and that you need to step up your game of defense.

So be brave, be daring! 

Slide 11: Create that SHOCK!


Music: Miley Cyrus: Wrecking Ball

Occasionally, someone is getting more attention than others. Most of the time that happens because they have planned for it, or at least understand how media and crowds work together to feed a message in every channel, so often that it becomes the Main News that week. 

Miley Cyrus knows that being SHOCKING will get you attention, and the attention of media. 

Having attention, means more sales, more fans, and ultimately, more fame. Which in turn makes it easier to spread your message to more people, which builds more fame, which again makes your message stronger, and so on and on and on and on.

Slide 12: Mikko on a Ball


And fame is something this guy have. Mikko Hypponen of F-Secure have done it all (well, possibly except riding a metal ball nude, but what do I know). Like Miley, Mikko is smart, driven and has a somewhat Disney-like background, being the nice-guy and all. 

Mikko also knows how to use media and the crowds to drive his message across. He may be the closest thing the Infosec community have to a Crowd-Drawing Rock Star, at least when he shows up at your event, the crowds come to. 

And the key to using media? Be shocking! Or comment on the shocking news. Dance with your crowds, and make new friends while keeping your old ones close. 

Miley and Mikko both know how to rock that boat! 

Slide 13: Build followers…


Music: Metallica: Fight Fire with Fire

There are many bands and musicians that deserves a place in a presentation about infosec rockstar. IMO, non more so than Metallica. An international band (well, at least with members from Europe and US), Metallica creates a sort of music that when it came out, it was new and different, and that over the years have built an enormous following with fans around the globe. 

Their attitude towards music, their fans and their search for perfection, is just what it takes to be great. 

Slide 14: Rik the Rocker

Rik Metallica

Like Metallica, at least by the looks of it, Rik Ferguson is a true rocker. He has built a large following too. Being easily recognizable, while having a clear message, and consulting anyone from Mom&Pap to the Europol, Rik use a number of channels to build fans and followers. 

He is a frequent conference speaker, he creates video lessons (well, Trend-Micro Advertising), and he digs into the deep end of technology. 

Like Metallica, he not only looks the case, he delivers the goods too. And that is what it takes to build a large base of followers and fans. Like a real Rock Star!

Slide 15: …and make FANs!

and fans

Music: ACDC: Let me put my love into you

For many, ACDC is the epitome of Rock and Roll (or heavy metal, if you must). Their long careers in the industry has taken them around the world, they have seen and done things most of us can´t even dream of, and they still haven´t learned how to dress properly. 

Despite all their oddities, and their age, ACDC is one of those bands that have “always been there”, and that has made them a huge number of fans. 

Slide 16: Bruce the Rock Star


Like ACDC, Bruce Schneier have also “always been there”, and like ACDC, Bruce is a bit of an oddball. He can be difficult to talk with, he is doing his own stuff, and he seems to be most comfortable when he can observe, analyze and speak up his brilliant mind when he decides to. 

Also like ACDC, Bruce´s following is so huge that it turned into the meme this presentation is based on: 

"The closest the security industry has to a Rock Star» according to The Register.

Not only is he an Infosec Rock Star, he is also so loved that he is being mocked, and we all know that you only joke about those you love. Unless he really is Chuck Norris in disguise? 

Possibly one of the most influential people in modern day infosec, Bruce has a vast knowledge that he shares through books, consulting, speeches and his blog. And like ACDC, he keeps selling the same story again and again, and we all love it! 

Slide 17: Handshakin´Stevens

Bruce Quote

This is exactly how important Bruce is. 

Slide 18: The Up and Coming – on a Mission from God

The Future

Now that we have gone through how to become an infosec rock star, let me just say this. No matter the who you consider a rock star, the single most important Rock Star in this room, is you! 

This community needs more openness, care and sharing. We are on a mission from God, to create a safer world. To do that, we need to enable more people to share their stories, their ideas, their craziness and their knowledge. 

If you take nothing but one thing from my presentation, take this:

The Up and Coming are the future of this industry. Let us work together to help them succeed! 

Slide 19: The groupies are mine!

Groupies are MINE

Oh, you wonder where the Groupies part of this presentation went? 

I get to keep them! Get your own groupies! 

Slide 20: Where is the party?


Thank you everyone for giving me your attention! A special thanks to @marigrini for asking the question: 

“How do you get to be in this industry, and receive handkerchiefs like that!!??” 

Now, where is that party! 

Since you are still reading, Im guessing you´d like to see this, or other presentations, at your next event? Get in touch, and let´s see just what show I can put on for you!

Get on the bus! The Security Culture Summer Camp 2014 is about to start!

The Security Culture Summer Camp 2014 is about to start. We still accept participants for two more weeks (until the 27th June), so make that decision you know you always wanted to do: Come on and join us!

The Security Culture Summer Camp 2014

A camp, Kai, not a school!

What is the Security Culture Summer Camp, anyway?

Think of it as a seven week program that will teach you the basics of the Security Culture Framework, help you set up your very own security culture program, and a fantastic chance to spend time with others to discuss and learn security culture.

So far, we have participants from Sweden, France, UK and the USA. This means that not only do we get to learn about security culture, we also can play with culture in general to help us understand how culture impacts our behavior.

The Security Culture Summer Camp takes place online, using a mix of our own e-learning platform with assignments, readings and video lectures; and using Google Hangout on Air to allow for live discussions and Q/A sessions about the content, assignments and learnings. The workload is estimated at 4 to 8 hours per week, including readings and assignments.

Do you need more reasons to join us? Check the list below!

  • Yours truly is your teacher;
  • Take awareness trainings to the next step by creating measurable results;
  • Learn to set goals, and work towards them;
  • Create a plan, with the necessary actions, ready for implementation;
  • Learn and share experiences from other participants;
  • Understand who to involve in your programs, and why;
  • Build a list of activities that will enhance your security culture;
  • Use the Deming Cycle to create increasingly better awareness;
  • Save money: Understand your own needs before you buy content;
  • Save money: Create a program that focus on what you need;
  • Save more money: The summer schools is only 499USD. And signing up with this code give you a 25% rebate!

What are you waiting for? With a workload like this, you can even do it during your vacation time!

Oh, and yes, there will be certificates so you can prove your content. You will earn the right to call yourself a Certified Security Culture Practitioneer. Which, by the way, is the first step toward becoming a Certified Security Culture Coach!

And for those who needs CPE´s – there may be light in the tunnel. Contact me directly if you need them!

Come on! Sign up today, and be with us from the very start!

Happy summer camping – bring marshmallows!