February 26, 2025

Fostering a Culture of Behavioral-Based Security Awareness

In this episode

Fred Burton sits down with Frank Cannon, a seasoned security professional and renowned academic, to explore the importance of fostering a culture of behavioral-based security awareness. Frank shares actionable insights on how to move beyond the “tick-the-box” approach to create a security-first mindset that aligns with both physical and digital safety. Tune in to hear why security isn’t just a task, but a behavior embedded in every aspect of organizational life.

Ch 1: Introduction

0:00

FRED:

Hi, I’m Fred Burton here today with Frank Cannon. Frank is a chartered security professional with over four decades of experience, and he is renowned as a security academic for his blend of academic insight and practical expertise. As founder of Cannon Asset Protection Limited and a senior consultant with Optimal Risk Group, he mentors emerging security leaders and advises CSOs on aligning security strategies with business goals. Frank, welcome to the Ontic Connected Intelligence Podcast.

FRANK:

Hi Fred, thank you for having me on. I’ve listened to so many episodes, so it’s good to be on and good to join you. Thank you for the opportunity to share what I enthuse about.

Ch 2: Behavioral-based security awareness

1:20

FRED:

Well, it’s our honor, and thank you for your patience getting booked. Frank, you’ve spent decades in security blending academic research with hands-on experience. What led you to focus on behavioral-based security awareness, and why is it so critical in today’s threat landscape?

FRANK:

Good question to start with, right? So you’re testing me straight away. I guess it’s best biggest bang for the buck, right? You know, I’ve often been part of a small team in a big organization, and we can only reach so many people. So if we start to educate those around us, we can actually use those as advocates. I found myself repeating the same advice again and again and again. So I thought, you know what, we should create some form of program here and be able to educate other people. I think there was a proverb by a Chinese philosopher called Confucius, and he said, you know, give a man a fish and you’ll feed him for a day. Teach a man to fish and you’ll feed him for a lifetime. And I think this actually sums up the thing, isn’t it? It’s educate people to do, behave, you know, sort of intuitively rather than have to keep telling them what to do or doing it for them. Let’s face it, security, in inverted commas, is a state, is a condition. We want to have a safe and secure workplace, so why not get everybody contributing?

Ch 3: Embedding a security-first mindset

2:43

FRED:

Yeah, that’s well said, Frank. Now, many organizations treat security awareness as a compliance exercise. How can leaders shift from a check-the-box approach to embedding a security-first mindset across their teams?

FRANK:

Again, you’re absolutely right there. And people associate security awareness, I think, with online, digital security. And the program that I advocate is holistic, both in the physical and in the cyber world. So we need to move it away from the online training and encourage active participation. And you can do this by integrating it with maybe the safety program or some other form of cultural development program that you’ve got in your organization. You don’t have to have this standalone session. You can really weave it in there. And if we can get active participation by having and facilitating meaningful conversations through toolbox talks or through security stand downs, you know, we’ve just had an event and we want to gather the team together, have a town hall and have a conversation and, you know, try to avoid educating them, because most of what we talk about on security culture, behavioural-based security, is common sense, and nobody likes to be told how to do the most basic things. They just want to know what they need to do. Create daily routines maybe, you know, have a clear desk policy, close down procedures or office walkthroughs, you know, that sort of thing. And in the military we used to call this a first and a last parade. First parade was: is everything how we left it before? And the last parade is: let’s leave it in a good condition for tomorrow. So we need to think about that sort of thing. So the mindset is absolutely critical to this. They need to have this level of trust with one another that we can care for one another. And it’s about watching each other’s six.

Ch 4: Corporate security vs. high net worth individuals

4:47

FRED:

Frank, whether in a corporate setting or protecting high net worth individuals, how does behavioral security culture differ? Meaning, are there universal principles that apply to both?

FRANK:

I think, and I spent sort of 13 years primarily looking after people whilst in the military, whilst in the military police, and I absolutely loved it. If I was to go back now and do that same job with the knowledge that I’ve developed in the corporate world, I would do it differently. But essentially, it’s pretty much the same fundamentals. We’ve got to sort of think about this. We don’t do security, right? We do everything securely. So if every time, and it’s a bit like the safety analogy, safety is first and foremost, safety is paramount. We do everything safely or we don’t do it at all. Let’s just take the word safety out and put the word security, protective security, in there. So I think the universal principles are exactly the same, Fred. I think it’s about understanding the routine activities that we all do every single day, whether it be as a part of an EP or close protection team, or whether it be part of a corporate team working in an office, or whether it’s a construction site, wherever it is. What is it we do every day? And then we say, what behaviors do people typically adopt that introduce adversarial risk or create the opportunity for somebody to exploit that vulnerability, that weakness that we have in our defense? And then we look at, OK, so I’ve seen how they create opportunity. How can I close that down? How would I have preferred them to behave to make a more secure environment, a safer place to work? So once we start identifying those desired behaviors, we need to think about how do we communicate? How do we make sure that everybody understands what is the right thing to do? So we create that communication medium. And then we take time every now and again to step back and say, hmm, that’s actually worked. Or, no, that hasn’t worked. Or, hmm, people are adopting these complacent behaviors. So we need to remind them of what it is we want. And because, unlike safety, security adversarial risk is an evolving beast. So as soon as we get a defense, somebody is looking to circumvent that barrier, circumvent that behavioral expectation, circumvent that piece of technology. So as soon as they understand what we’ve got in to defend, they look for new ways to attack. And we’ve got to be on, we’ve got to be cute to that. We’ve got to understand that that’s actually what they’re doing. So therefore, our review process looks for these changes in methodology, attack methodology, changes in these capabilities of the adversary. So, yes, they are the same, those principles, but clearly we apply them in different ways, whether we’re doing executive protection or whether we’re doing corporate-based security.

Ch 5: Engaging non-security professionals in a proactive security culture

7:52

FRED:

Sage counsel there, Frank. Now, you’ve spoken about the idea that everyone in an organization has a role in security. How do you engage non-security professionals in contributing to a proactive security culture?

FRANK:

Yeah, and I do have some relatively strong beliefs on this. And I’ve formed these beliefs over a number of years. So I’ve identified three reasons why people don’t comply or why they breach rules. The first one is they’re just ignorant to the fact that the rule existed in the first place. They’re not aware of what they should be doing. The second reason is that they are aware, but they’re either momentarily distracted or they are busy doing their real job if they don’t perceive security as part of their role. That’s complacency. So we’ve got ignorance and we’ve got complacency. And then we’ve got this third group of people that do it knowingly. They break the rule knowingly. They’re either not bothered about the consequence, or they’re bad actors. They’re acting with malicious intent. And those are the people that we really do need to seek out and identify. And we can use the first two groups, the ignorant, that’s now been educated, and the complacent, who’s now been reminded, to look out for this third group of activities. So again, how do we go about changing these behaviors at scale? So we need to understand the business and the activities. What do we do every day? What are the rules that we expect them to follow, whether that’s a procedural rule, a piece of legislation, or an industry standard? So we need to make sure that we understand those rules and start communicating them. Identify the behaviors, the how: how do we want them to behave to either avoid creating vulnerabilities or close weaknesses in our defense. And then we create all these awareness programs. And I think these awareness programs are incredibly important. And again, most people associate it with an online, you know, as your previous question, a tick box exercise, but that’s not what we want. So I’ve, in the past, and I’ve used this now on some pretty big organizations, including Chevron oil in Kazakhstan, we created four programs, and the four programs, campaigns, sorry, focused in specific areas, and you can use these anytime, by the way. They’re on the shelf and you can pull them out, or you can actually have a focus session. The first campaign is about the people. People are important, right? We need to protect our people, and people are the biggest source of our challenge, whether it be adversaries or complacent employees. So we have a personnel and people security campaign. And we talk about vetting, working with our HR partners, working with our safety teams, our mental health first aiders, and we get all of the key stakeholders in together to start advocating these behaviors that create a secure place, but they’re not necessarily security behaviors. I’m sure you understand what I mean. And the next thing then is our property and our equipment, those things that we use to deliver on the business plan. So we look at property protection and theft reduction. If we think most of our, one of our biggest adversarial challenges is theft. So property and theft reduction. Now we’re going to move on to, and I do this in, I’ve got these four programs, Fred, and I do this in this order specifically, and I’ll tell you why in a minute. The next one that I create, this next campaign, is reporting. Reporting suspicious people, reporting incidents, reporting abnormal behaviours in the normal. So we start raising the level of the alertness, using the eyes and ears of our workforce to be part of that security team, but they need to understand what is suspicious, how to report it, and then what do they do after the immediate response. What do we expect them to do? Because they’re already then educated. So if something happens, they’re already safeguarding themselves. I don’t need to run around and look after them. And I used to use that quite heavily in the executive protection world. Everybody around the person at risk used to understand what we would do if something were to occur. And it could be as innocent as a flat tire on the car. The final one then is information and cyber security. We’re in the physical and the information domain here, so information and cyber security. So how do they behave using a computer, managing the company information, talking about what’s happening, or indeed on their own personal social media. I’m sorry, but security is the typical one that most people are going to when I think about security awareness, and there are many different programs out there to help you with that. The reason I do that order: people first, property second. The third one is response, and I do the response in the third quarter of the year, because in the UK and in Europe, where I predominantly deliver, there are longer days. So we can do our assessment and test exercise in the middle of summer when it’s warm, hopefully it’s dry, and we’ve got a lot of daylight to be able to prepare, deliver, and then assess the actual exercise. Fourth quarter, we all jump on the computers and we buy our Thanksgiving gifts and we buy our festive Xmas presents or whatever. So these four campaigns are very much part of a behavioral-based security awareness program. One more thing on this particular question. You can use any of these at any time. You can have them as an induction set so that if you have a new stakeholder, whether it be an employee or whether it be a supply chain partner that joins the group, or whether you purchase a new company, you want to bring them into the family culture, you just pull these off the shelf and deliver them. You dust them off to make sure that they’re still applicable and they’re relevant, but then you help deliver them. The second one is annually. Remove that complacency. Let’s just remind people. Let’s refresh their memories. Let’s make sure that they don’t inadvertently start breaching the security rules or the company culture. They’re always good as well for post-incident education. So if you do have an incident, a security event, especially if it’s an individual person, there’s nothing better than being able to pull off a pre-set package that you can just run through with them. And I used to use that as part of the lessons learned or part of the, let’s say, I don’t want to use punishment, but the after action would be, we need to re-educate you. Please sit through this 30-minute program, or come and book an hour and have a chat with me. And we’ll tell you the reasons why we would like you to not do what you did wrong. What I was able to do at a number of my companies is to weave these security campaigns and the compliance program, the education awareness program, into the contractual obligations, so when supply chain partners joined us, they understood that they have to do this training, very similar to the safety training. They budgeted for it, and then when they submitted their bid, they costed for this particular training, because time is money, right? So these guys and girls need to take time to do that educational program. Bit of a long answer, but for me, it’s worked time and time again.

FRED:

Yeah, most interesting, Frank. I appreciate you sharing that with our folks watching this podcast.

Ch 6: Cognitive protective security governance

16:18

FRED:

You emphasize cognitive protective security governance. What does that mean in practical terms?

FRANK:

Yeah, I do. And I whack that onto my website as well. Let me just think about this for a moment. So cognitive to me is about process. It’s about the reason why we do something. And I try and base everything that I ask people to do on somebody’s research. So I’m embracing other people’s learning. So I don’t need to go outside when it’s raining and get wet before I go back and get my coat or my umbrella. So I’ve learned that. And that’s what I want to do. The safety approach is really, they understand the safety hazard, they can have a good conversation before they start that particular activity, and they can mitigate that risk to as low as possible. So they can have PPE as the last form of defense, but they can design out and build safety challenges. So two and two makes four. So the engineer is able to look at that from the get-go. Security is different. We don’t know what the hazard or adversarial threat is. We never know when it’s coming. We don’t know in what form it’s going to arrive. So we can’t work on the same basis as safety. We have to slightly evolve our approach. What will stay the same is that we’ve got to put a number of barriers of defense between the hazard, all the bad people, and the people, all the property, that we’re trying to protect. So that stays the same, but we have to do it in a slightly different way. So that’s the cognitive element of it. If you were to use the sporting analogy, right, the sports coach, they need to win the game. They need to attack to win, to score the goal or whatever, at the same time as defending. And they need to stop the other people scoring a goal. And they study their opponents, they look at their strengths, they look at their tactics and their strategy. And if you’re playing a certain team, whether it be soccer or football, your football, you know the game plays, right? You know what their coach particularly likes. You’ve got a good idea of how they’re going to present themselves on the field of play. We can do the same, right? We can study our opponents, we can research the enemy, we look at their attack methodology, we look at their capabilities, we look at their motivation, look at their strengths, and then we can start building our defense on that. All we have to do is defend, no offense. So let’s look at the second part of that question, which is, how should security leaders ensure, I think you said, that it aligns with the business goals? So we don’t want to create a whole new world of governance or bureaucracy. We want to weave as much as we possibly can into what’s already there. So it would be incumbent upon me, therefore, to understand the business that I’m trying to protect. What is their success? What does their success look like? Then, working with those within the business, I would look at the critical needs of that business. Is it the critical people? Is it their processes? Is it their information? Is it their equipment? Is it their inputs? Do they need power? Do they need water to achieve their goal? And I’m starting to pick out the key assets that I’m going to help other people, myself included, protect. Then I’ve got to look at the barriers to success. Are we an attractive target to the bad people? If we are, what is it that they’re likely to do? What have they done in the past? And start building that picture, as I’ve just discussed, of the strengths, capabilities, motivations, et cetera. If I can then match what their strengths are with potential vulnerabilities in our defense, then I’ve got a challenge. I’ve got to work with somebody to get some capital investment to close that vulnerability out and make us a more robust and resilient organization to that particular threat actor. And then what I do is I work with the right people, we create affordable solutions, and then we instigate those. And I’ve said it before, Fred, the adversary evolves. So we’ve got to review, review, review. And we continue to bench test and to be honest with ourselves and say, are we match fit? Are we able to go on that field of play in the best condition possible and defend? Because that’s all we need to do is defend.

Ch 7: The future of security awareness programs

21:10

FRED:

Frank, as threats continue to evolve, where do you see the future of security awareness programs heading in our business?

FRANK:

Yeah, well, one of them would be definitely, Fred, that we need to move away from this online tick box exercise, as you opened the conversation with. That’s absolutely essential. But I think that we’ll end up following the safety journey. I think that it took people a while to understand the need to be safe. It doesn’t matter what the hazards are around us. The construction industry is a good example. The aviation industry is a good example. They’ve recognized the need that they do need to safeguard their people. That’s the journey we’re going down. Digital communications will hopefully enable instant solutions, so less reliance on our memories. It’d be great if something occurred or a condition occurred and the people that needed to respond were instantly given that information to respond, whether it’s on a digital screen or whether it’s audio in the location. Somebody, somebody, it gets fed to them, so we don’t have to rely on our memory. And of course, you know, I know, I listen to many of your podcasts, and the technical evolution is a friend and a foe, but with video analytics and machine learning we can react and respond so much more intuitively now, because of the AI and the crunching of these big data sets, finding that needle in the haystack, that tree within the forest, and laser focusing on that to give us the right information to make good quality decisions at an earlier stage. So that’s where we’re going with the awareness program. It’s about making sure that we tap into this information so we can deliver the right message at the right time to the right people, and then we can keep ourselves safe and secure.

Ch 8: What does Connected Intelligence mean to you?

23:23

FRED:

That’s a very, very thoughtful response, Frank. I appreciate you sharing that. Now, we ask all of our podcast guests this question. What does connected intelligence mean to you?

FRANK:

Yeah, and I’ve thought about this. This is the question I knew was coming, right? So this should be my answer, my best answer. So a couple of keywords. Purposeful collection of information. At this stage, it’s information, but you’ve just got to make sure that you bring in the right information because there’s a lot out there. Then you’ve got to analyze it with a purpose. You’ve got to analyze it for a reason. And I think that is the conversion of information to intelligence. And then you can use that intelligence to make good quality, you hope, the best quality decisions for the benefit of the organization. That’s my understanding of connected intelligence. The information is analyzed into intelligence, makes good decisions for the benefit of the organization. That’s the connection.

FRED:

Frank, is there anything that I haven’t asked you that you would like to say?

FRANK:

Just one thing, I think, Fred. It’s about, how do I know that when I’m talking to somebody, they’re going to listen? Or are they just going to have to sit there for the hour to tick the box and say, yes, I’ve done my security awareness? And for this, I use three words: personal, relevant, and important. So if I’m talking to somebody about influencing their behaviors, so they either do not create a security vulnerability or they help defend the organization, what I’m talking about I need to make personal to them. And they need to feel as if I’m talking to just themselves, just that one person. And if I or one of my advocates can do that, then we’re going to have a better conversation, a personal conversation. The second thing is, what we’re talking about has got to be relevant to the recipient. And you remember I explained why I do my four campaigns at different times of the year. It’s relevant to what they’re doing. There’s no point in me talking about cybersecurity if the audience doesn’t even touch a computer or doesn’t use a computer to deliver their work. It’s got to be relevant. The other thing is important. We’re all human beings, right? So what’s in it for me? OK, Frank, you’re telling me about this, but what do I get out of it? And if I can give them something that’s going to help them at work and when they’re at home, it’s going to multiply their level of interest. That’s why I do cyber security toward the fourth quarter of the year, because they’re about to jump onto their computers and buy all their online gifts. So it’s relevant to them, it’s important to them, and hopefully I’ve communicated it through using empathetic communication in a personal way. That’s really the only thing that I’d want to leave the listeners with today, Fred. Thank you very much, mate.

FRED:

Frank, thanks so much for being on the Ontic Connected Intelligence Podcast.

FRANK:

Thank you for the opportunity. A really, really good use of my time today. Thank you very much.

What you’ll learn

How to embed a proactive security culture across physical and digital domains

Practical steps to shift from compliance-focused security to meaningful employee engagement

Universal principles for behavioral-based security in corporate and personal settings

More about our guest

Frank Cannon, a Chartered Security Professional with over four decades of experience, is renowned as a ‘security pracademic’ for his blend of academic insight and practical expertise. As Founder of Cannon Asset Protection Limited and a Senior Consultant with Optimal Risk Group, he mentors emerging security leaders and advises CSOs on aligning security strategies with business goals.