What I learned as a Startup Exhibiting at CeBIT 2016

In March 2016, I attended the CeBIT in Germany. I was a part of the IBM booth, and my startup company CLTRe (https://get.clt.re) was invited to showcase our products as part of the IBM booth. A security culture specialist as I am, I could not help but make a few observations. Here are a few:
CeBIT is not like a security event
My company and I offer security services. We developed the Security Culture Framework in 2012, and this week we launched the Security CLTRe Toolkit, the worlds first software-as-a-Service company to measure security culture and behaviors. I visit a large number of security events during a year, and most of the time I meet people who are interested in security behaviors, training and change.
During CeBIT, several hundreds of thousand people attended. Of those participants, very few seemed interested in security. And of those interested in security, even fewer thought security culture any cool.
For us, a small startup looking for customers, CeBIT turned out to not give us what we wanted. At security events, we tend to get more focus and much more interest.
cebit2016-20160313-44 cebit2016-20160313-26 cebit2016-20160314-31
CeBIT is global – in Germany
Attending CeBIT is a great thing. Few events are this large, and few other places will you meet this number of people, see so many cool products, and be able to buy or sell almost anything within the ICT-industry. CeBIT claims to be International, a global event that should attract visitors from all over the world.
After spending a week here, it is clear to me that CeBIT is indeed international. The germans have succeeded in drawing a large number of exhibitors from around the world – from Salesforce who booked three full halls (yes, actuall halls), to one hall dedicated to chinese manufacturers of all sorts of electronics, to the hall of drones.
There was only one challenge. 
Most information was in the German language. One journalist I spoke to (brittish, not german) told me that during the press tour, a guided tour for the press, the guide only spoke german. Not at all a problem is CeBIT want to be a German event. A huge challenge if CeBIT indeed wants to be an International event.
This also made an impact to us: most people we met spoke german. Most people we spoke with during the five days, came from the german speaking parts of Europe. We met quite a number of potential business partners for the german market, but few from outside. For us, this means that we will reconsider our investment in CeBIT in the future.
cebit2016-20160316-64 cebit2016-20160317-2 cebit2016-20160316-25
CeBIT is a study of Culture
CeBIT does inded attrackt a larger number of exhibitors from around the world. How the different companies reflect their countries cultures is also interesting, especially for someone like me who finds culture to be of special interest.
Take the US-company Salesforce. They went all-in and hired three full halls for their grand tour. Three halls, each large enough to house a large number of booths. Like the Chinese delegation who hired half a hall, into which they fitted probably more than 200 different suppliers and companies, each with their own booth.
Several regions in India had their own booths, showcasing local business. The Kerala one was delicately colored in green, and had a fairly active group of people, smiling and inviting you over to talk. Next to them were another indian region, one I was unable to recognize. White tables, if they were ocupied, it was with business people who where clearly introverted, or not interested in doing business.
Then you had the Romanian booth, in which my female colleague recieved a large number of sexist comments. Or the Amazon plastic cloud thingie, an idea that must have looked so much better on the computer screen during design phase than in real life.
And of course the german efficiency everywhere, making it easy to move around the huge grounds, and to get information when you needed it (if you did speak german, that is).
CeBIT all in all
Me and my team had a great time during CeBIT albeit the challenges above. Being showcased as a promissing startup in the security space by IBM is a very good thing. Spending a full week with some of IBMs smartest people, learning the tricks of the trade and networking, was equally valuable to us.
Will I be back at CeBIT? Sure thing! Not as a startup, but in a few years when we have matured and are able to afford the investment to enter the german market.

Call for Presentations!

The Call for Presentations at the Security Culture Conference 2016 is open! Join your peers in Oslo, Norway to share your experiences, to learn, and to engage in discussions and panels on how to build and maintain security culture. The conference is two-days, two-tracks, with networking opportunities, exhibition area, Norwegian culture, great program and much more! I am thrilled to be part of this great event again for 2016!

The talks we are looking for are 25+5 minutes, and should focus on topics relevant to security culture and the application of the Security Culture Framework. Questions our participants are looking for answers to include:

  • How do I measure security culture?
  • How do I get the support from the top?
  • How do I change behaviors?
  • How can I facilitate a security culture program?
  • How do I adjust my content to the needs of the audience?
  • What kind of content should I use?
  • What are good goals for a security culture program?
  • What does a good security culture campaign look like?
  • And much, much more!

Put in your presentation today, and let us meet in Oslo in June – the most beautiful time of the year over here! And do you know anyone who should be on that stage, please tell them to put in a talk too!

What do you get as a speaker? The list is long, here are some of the perks:

  • Free, full access to the conference inc. social event
  • Exclusive access to the Speakers Dinner on Monday evening
  • Hotel Monday-Wednesday in Oslo (at the conference hotel)
  • Travel on economy
  • Much more!

So what are you waiting for? Put in that proposal today!

Oh, and have you any questions, please shoot them over to me, I am here to help!

Security culture – one rule to rule them all

Culture is an interesting thing. We all live in it, we embrace it and we are totally dependent on it. It is also very easy to dismiss – it is only when we see other groups of people, and realizing they are not doing things like we do, that we start grasping that there may be more to life than «How it´s done here».

Funnily enough, as soon as we discover this new group, and realize their differences, we are very quick to from opinions about «them» and how «they» are doing something strange, or even wrong. «We» and «our» way are considered the only right and righteous path to success, glamour and, well, security.

Security culture is no different, being a sub-culture, and easily dismissed as not relevant or even being a wrong path by some. Personally, I find it most intriguing when people who are not from a humanistic / social scientific background (say they have an infosec background), comes up to me and makes the claim «security culture will never work».

Or, as this morning on twitter, when Chris Hoff says:

I don’t subscribe to a “security culture”

Chris, how on earth can you not subscribe to a security culture? This felt like a kick in the belly, and my gut response was to write a long, angry post aimed to convince Chris that he needed to change his opinion. I mean, how can one not subscribe to security culture? It must be an ill-informed and badly judged decision for sure, right? Surely, Chris must be jumping to conclusions, me and Wolfgang being outstanding people and all?

STOP! Just Stop it!

Now I am the one jumping to conclusions – I read one tweet, and decide that a man I deeply respect and look up to (and occasionally disagree with), is wrong? Am I being tricked by my brain? Of course I am – this is the Dunning-Kruger effect playing me!

This is an interesting phenomena with humans – we make claims we have no support for, and we do so with a conviction that what we claim is true, and the only truth there is. The Dunning-Kruger effect above is only one of the many studies Psychology has undertaken to better understand our human biases.

Another of my favorite biases is the confirmation bias: as soon as we have made up our mind about a subject, our mind (and this happens automagically, mind you!) just stops looking for proof of us being wrong, instead it filters away any information that may have a negative impact on our decision, and leaves us only with information that confirms our idea.

These biases (and there are many more!) were probably not so bad from a hunter and gather society perspective.

In a scientific society where knowledge is being hunted and gathered, knowing when you are right or wrong – or when you just don´t have enough facts about your topic, becomes critical. I like to believe I live in a scientific society, where real knowledge matters, and where each and every one of us is responsible (as well as accountable) for the knowledge we hunt, gather and spread around to others. By digging deeper into twitter, I soon discover that Chris is at some conference, where someone is talking about infosec culture.

I have seen those bars, and I agree that this is not a culture I embrace. More important, it is not the security culture I preach. Im starting to wonder, what prompted these tweets?

What is going on?

Psychology, is what is going on. Our mind and our culture is playing tricks on us.

My background, training and thought processes are trained and formed to solve ICT-challenges. Over quite a few years, I have had the fortune to work with people, and while doing so I learned (sometimes the hard way) that people are not like technology – people form their own ideas and make up their own minds. I came to realize that if I were to be successful with securing systems and organizations, I needed to really understand people. I set out to find the answer to questions like

  • what drives them
  • what forms their behaviors
  • what is culture
  • how do people change

  and I went back to university to read up on social sciences. And like Chris, I try to be sharp and critical:

Very few infosec people I know of, do this. Instead, they make claims about people, behaviors and culture, yet they may have very little understanding about real people, and how real people functions – alone and in groups.

In this particular slide (which is what prompted Chris’ question above), security culture is being touted as 2FA and email encryption. I will agree that technology should be used to inform and form security culture, and as such these examples may be used as controls. However, this is not culture. Nor security culture. This is technology. 

DISCLAIMER: I did not see the presentation, nor any other slides, so again I am drawing conclusions out of context! I am sure Stefan’s Andrew’s other slides did dig deeper into this.

Others also engaged in the topic:

Do we need rules?

Rules – everybody hates them! Especially when it comes to security, right?

The subtopic of Social Psychology have spent the better part of 7 decades to understand how individuals function in a social setting. (in)famous experiments like the Stanford Prison Experiment, the Milgram Experiments and the experiments of Dr. Solomon Asch are just a few, that shows us how extremely powerful other people are on us as individuals when forming opinions and changing behaviors.

We are social creatures, who first and foremost adjust and adapt to our surroundings. We change as needed, to make sure we survive. To do that, we pick up the rules – written or unwritten – of the group we want to conform with. We pick up these rules automagically, on autopilot, most of the time not even realizing that we are, and how we are changing our own behaviors to meet the perceived requirements of said group. Together, they help form an understanding of what culture is, and how it is being influenced. It quickly becomes evident that rules are important:

  • Culture apply rules of acceptable behavior – what is allowed and what is forbidden for members of this group. As societies evolve and grow, rules change. Some rules turns into formal rules (laws, policies, regulations), while most rules are informal (group habits, dress codes, language, greetings etc).
  • Innovation informs rules – new innovations enables people to do new things, or to be more efficient (guns means better chance of hunting and more efficient war), while often also introducing new risks that needs to be regulated (guns are used for murder of civilians, robbery etc). I cannot think of any technological innovation that comes without a possible need for rules.
  • Ignorance is bliss – if you do not know the rules, they are easily broken. Sometimes that means you get away with it, other times you don´t. The perceived severity of your crime dictates the groups response.

  This is not an argument to substitute culture with rules. Culture is more than just rules, however, understanding the role of rules in culture will help us align our culture-building efforts to be more efficient.

Culture is not an option – it is always mandatory.

The interesting thing is how the mandatory part of most culture is hidden to us: most of the time, culture do not feel mandatory. Only when you try to move outside of the groups rule, do they become evident to you. Culture is the building block of human societies.

Humans cannot survive alone, which in turn mean we form groups and societies. For groups and societies to function, they need rules to regulate what is acceptable (or not) behavior. For you, as a person, this boils down to accepting the rules and be a member of a group, or dismiss the rules at your own peril.

Security culture is, just like safety culture and organizational culture, sub-cultures of (duh) culture. It is the part of culture that promise you a safe and secure place in your group – your group will help secure and protect you, as long as you do the same for the group by accepting the rules.

Do you get it yet?

The real challenge Hoff and others are pointing to, is the same thing as I try to fix with the Security Culture Framework. And surely, digging a bit deeper into the tweets, Chris get’s it:

Culture is truly impactful. As such, it should be treated with care and understanding. Just because you are into infosec does not automatically make you an expert on building and maintaining security culture. As I have said in my books, talks, trainings and the Security Culture Framework – you need help to understand culture. You should not do it alone, instead you should bring on those who know.

Culture is not new, it has been with humans since the start. Let us apply the techniques, methods and structures shown to work over millennias.

To build and maintain security culture, we can learn from social sciences, and from other areas where culture have been successfully managed, like safety culture and to some extent organizational culture. It is, however, not so that security culture is a silver bullet. It is one of the controls to apply – just like that firewall, IAM or crypto. Leave it out at your own peril!

Congratulations to all the new CSCP´s out there!

Another Security Culture Summer Camp is over, and five weeks of learning how to build and maintain security culture is over for now. During the summer camp, students – security professionals – from around the world have learned how to use the Security Culture Framework to build and maintain security culture in their organizations. It is with great pride I can congratulate another batch of Certified Security Culture Practitioners (CSCP) – more fantastic people to help organizations enhance their security by applying the principles of the Security Culture Framework.

Congratulations, all CSCP´s!

Who are these CSCP´s, anyway?

People and organizations around the world recognize the importance of good security culture to reduce the risk and impact of security incidents due to the human factor. There are two typical types of participants who join and complete the Security Culture Summer Camps:

  • Internal Awareness Officers – this is a group of people who work with security culture and awareness internally in an organization. They are focused on creating a good process of ongoing security awareness, and to document the security behavior change internally. Their actual titles vary, as does their location in the organization – from security professionals, compliance officers, via HR and training. Organizations who consider security culture a critical area sign up several participants to ensure the best results
  • Consultants – this group typically serve a number of clients, and help build and maintain security culture on behalf of their clients. Some consultants manage the whole process including executing the security culture program, others facilitate the process. No matter how the consultant and the client choose to work together, both parties recognize the value of the Security Culture Framework in building and maintaining good culture.

The Certified Security Culture Practitioner (CSCP) provide both organizations and consultants value by documenting the knowledge of the practitioner, access to a global network of other CSCP´s and a clear statement that security culture is taken seriously.

Do your organization consider getting serious about security culture? Hire a CSCP!

Or become a Certified Security Culture Practitioner yourself – sign up for the 2016 Summer Camp today:


Full Day Workshop on the Security Culture Framework


It is with great pleasure I invite you, you readers, to this special opportunity to join a full-day workshop on the Security Culture Framework. Why is this such a big thing? Simple: Previously, we have only done half-day workshops on parts of the workshop, or virtual workshops like the Security Culture Summer Camp. Now you get to spend one full day with me to learn all about the Security Culture Framework, and how to use it!

The workshop is being organized by ISACA Slovenia, and takes place in beautiful Ljubljana, fully worth a visit on it´s own, if you ask me. Time is September 24th, as part of the ISACA Slovenia conference (which you also should consider, a lot of the program is in English), and it looks great too! Oh, and did I mention the conference is to be held at the Zrece Spa! I will be there, and I will indulge myself to the fullest!

ISACA is charging a very reasonable 347.70 Euros including taxes for the workshop (must be paid in advance!). Participation in the workshop entitles you 8 CPE hours too!

The program of the day looks like this:

  • 9.00–10.30 Key concepts of security culture
  • 10.30–11.00 Coffee break
  • 11.00–11.45 Metrics
  • 11.45–13.00 Organisation and topics
  • 13.00–14.00 Lunch
  • 14.00–14.30 Plan
  • 14.30–15.00 Conclusions

Which means you should be able to catch the evening flights out of Ljubljana, or join me for a beer in the afternoon. I would certainly prefer the latter!

You can sign up here. More information at the ISACA Slovenia website. And should you be reading this too late (after September 20th 2015), you can always download the PDF here: 23konf-rkis_1506_invitation-workshop


CSA ASEAN Summit and Thai TV

In June 2015, I visited Thailand, and the beautiful Bangkok. My visit was business first, as I was invited to lecture the psychology of security at the Mahidol University, and to be on a panel on cloud security standards on the CSA ASEAN Summit 2015.

I did enjoy a couple of days as a tourist too, I got to see the beautiful Emerald Buddha Temple, where we met with the best tourist guide I have ever met (possibly with an exception of myself, for those of you in the know!). Our guide was knowledgeable (as far as I can tell), and she treated us as kings who deserved only the best. She also had an immense respect for the holy place, and made sure the other tourists and guides were told straight when they failed to honor the temple properly. It was a great experience indeed!



I also got to visit the Chatuchak (Latin spelling is…diverse) Market, the (in)famous weekend market with an unbelievable number of sales boots. This was a great experience for me, and a place I would love to visit again.

chatuchak2 chatuchak

There were shopping too, this time thai silk:


And do not forget the elephants!


elephant elephants

More serious business was done in the evenings over beers and streetfood. There can be no doubt that if you want a fantastic meal in Bangkok, go eat on the streets. Bring friends along, and have fun! I got to sit down with some great people, including Kitisak Jirawannakool and his friends in the local security community. Food, beers, good people sharing experience – what more can you want?


I did some work too. I gave a lecture on Hacking Your Mind, how our mind is tricking us into doing poor security, at the Mahidol University. They treated me very nice, and gave me a tour of their campus – a very nice one indeed!


The main reason for my trip to Bangkok was the CSA ASEAN Summit 2015. I was invited as the CSA Norway chapter President, and did two panels:

  • one on cloud security research, where I discussed the gap between academic research focus and the focus on the commercial industry, and how these two different focuses works to increase the distance between academia and industry, instead of closing it. We had a good discussion.
  • the second panel was on cloud security standards, where I voiced my concern that bad implementations of standards are bad for all, as well as standards tends to create a common security approach, leaving many organizations open to attach because of their failure of implementing the standard according to their own needs.

panel csa

The last panel was recorded on Thai TV, and can be seen below.

All in all, I enjoyed Thailand and Bangkok very much. A sucker for travel and exploring new cultures, I would love to spend more time in the region. So get those invites flowing!

Brighttalk summit: Incident Response and Insider Threats EMEA

Security culture is gaining popularity around the world, and I am continuing talking and training the topic. This time at the virtual summit Brighttalk Summit Incident Response and Insider Threats EMEA 2015.

A virtual summit means I do not have to travel, and nor do you! Another bonus as far as I understand is that you can watch the recording at your own convenience, should you miss the live event. In addition to myself talking about how to use the Security Culture Framework to get results from your awareness activities, you will also be able to join Shan Lee from Just Eat, explaining how he is building security culture.

Here is my talk, available for you:

You should sign up right away so you don´t forget!

The Conference of Culture

securityCultureConferenceSecurity culture is spreading it´s wings across the globe, and it is time to dedicate a conference to the topic. The Security Culture Conference invites speakers from US, UK and the Nordics to share their experience of building and maintaining security culture with attendees who want to know who to succeed with their security awareness activities to change the culture and behaviors.

With a fantastic speakers line-up, the Security Culture Conference takes place in Oslo in June 2015. A full day of talks and hands-on workshops, the conference is dedicated to sharing knowledge between all the participants. Speakers include:

  • J. Wolfgang Göerlich, who will share his experience of using the Security Culture Framework to build security culture into a team of developers.
  • Mo Amin, who will share how to burst the bubble and make security culture stick.
  • Waldo Rocha-Flores, who will share his secrets of measuring security culture.
  • Shan Lee who will share how he is building security culture across borders
  • Roar Thon who will share his passion for security culture, and why it matters
  • Myself, I will be sharing the basic principles of the Security Culture Framework, current status, and news!

In addition to talks, a series of hands-on workshops are planned too. These runs just after lunch, and will teach the participants relevant techniques and skills in one of three domains: Planning a security culture program, Involving the organization, or Measuring culture. Each of the workshops are 2 hours, and you get to choose one.

A the end of the day, a closing panel consisting of some of the speakers will be sharing their most important learning points from the day.

I am stoked to be part of the global movement that is the Security Culture Framework. It is fantastic to be working with some of the smartest people in the industry on a project that already is making huge impacts on the organizations applying it. I hope I will see you at the conference, and welcome your thoughts, ideas and discussions!

What are you waiting for? Sign up already!

This event is sponsored by The Roer Group AS and Cyberon Security AS. Thank you for your support!

Speaking at the Honeynet Project


This year, possibly for the first time, the Honeynet Project visit Norway with its full-week workshop! I am very excited by being invited to speak there, with amazing people like Lance Spitzner, Anton Chuvakin, Raffael Marty and Francesca Bosco to name just a few of the great names of speakers.

I will be doing the Hacking Your Mind talk on the CxO track, a talk where I explore three of the mental biases that makes humans vulnerable to exploitation, phishing and scams. As luck has it, I also propose a few strategies to become better at handling such events too.

In addition to giving a talk, I will be doing a half-day workshop on building security culture, using the Security Culture Framework, the free and open platform to build and maintain security culture. I hope there will be a huge turnout to this interactive workshop where you may have your habits and ideas challenged!

Sign up for the Honeynet Project Workshop today, and get to experience beautiful Western-Norway in spring – an experience worth it alone!

Oh, if you bring a copy of my latest book, I will sign it for you too!

Build a Security Culture – Now in a store near you!

My latest book, Build a Security Culture, is now available in a store near you – well, at least if you have access to the Internet, and reading this, I guess you have! The book is about building and maintaining security culture in organizations, and use the Security Culture Framework as a backdrop.

Here are a couple of pictures from the book – the first ever taken, as far as I know! Thanks for the pics, Thom!

Build a Security Culture Build a Security Culture cover

You can order the book at Amazon. I, obviously, think you should! It is also available in other stores, I am sure! You could also ask your local bookshop to put it on display – I would love that of course! Even better, take a picture of it, and post it on social media tagging me or #securityculture!

I also love to hear from you:

  • how do you use the book to build security culture?
  • what kind of goals do you use to measure your security culture progress?
  • who do you involve in your culture programmes?
  • what kind of activities do you find gives you the best results?

Share your thoughts below in the comments!