“Somehow, despite all the great advancements in security-related technologies, we are faced with a simple truth: Technology, alone, is not enough. It does not offer sufficient protection against breach. Cybercriminals inevitably find ways to bypass the technology by targeting vulnerable humans; or a malicious or negligent insider may know just the right ‘work around’ to effectively nullify your defenses. That’s a recipe for a bad day,” write Perry Carpenter and Kai Roer in the pages of the aptly titled Security Culture Playbook. “…We all know, however, that knowledge doesn’t always change behavior. Tons of people will tell you that they know they should adopt better behavior patterns around what they eat, their financial habits, and more. So, in the same way that technology alone is not sufficient for protection, knowledge alone isn’t the answer either…That creates a dilemma. Security culture becomes this thing that has a lot in common with Bigfoot, the Abominable Snowman, or the Loch Ness Monster…
We’re here to make security culture something that is not only understandable, but also measurable and manageable so you can finally get a handle on how to effectively engage your human layer of security and reduce human risk in your organization.” It is this mixture of wit and candor about putting Carpenter and Roer’s brand of security culture into practice, objectively and measurably, that lifts the book above its literary peers. Many people have a comparable level of expertise in the fields Carpenter and Roer cover, but few can communicate it in a way that is both rigorous and genuinely readable.
Carpenter and Roer make the material genuinely entertaining, but never at the expense of their integrity as seasoned professionals, and never by dumbing things down to reach a wider audience. You may need a university B.A. to fully appreciate and comprehend the concepts at hand, but you don’t need to work within the specific field. That’s to be commended.
“Our goal in writing this book is to add much-needed precision and guidance to the security culture conversation. We believe the security industry is at a tipping point where leaders are ready to accept that technology is not a panacea,” Carpenter and Roer write. “There have been so many great advances in security-related technologies over the past few decades, but those advances are not stemming the tide of breaches. Yes, those advances made technology-dependent hacking much more difficult, but they created the unintended consequence that our people are now the primary target. As an industry, we’ve been so focused on (and enamored with) technology that we’ve ignored the human side of the equation.”
They then add, “As leaders now seek to build their human-layer defenses, it is important that they move quickly and effectively. We can’t afford to get this wrong. As such, our focus over the next several chapters will be to add much needed clarity about security culture: what it is; what it comprises; how to measure its subcomponents; and how to shape those all-important security-related facets of your organizational culture.”