Measuring Security Culture — it works!

Finally a method to measure your security culture!

For years, the (information|cyber) security industry has been pouring money into security awareness programmes. According to Gartner, some 2.6b USD was invested in computer-based security culture programmes in 2015 alone. That is, the 2.6b USD only includes the money spent on computer-based training programmes — imagine the amount if we add posters, live classes, one-on-ones and all those stickers printed and distributed!

One important question has been posed regarding this spending on security awareness programmes: is it working?

Some are firm believers in the need for training and developing the employees, while others claim that the investment in security awareness programmes is a waste of time and money — money that would be better spent on other security controls.

The problem is that no-one knew the answer. The claims (and investments) were based on gut-feelings, personal opinions and discourses. No facts were available to analyse. No method of measuring security culture existed. And most people were either too busy doing their job, or pursuing the latest security product fad (er trend).

This went on for decades. Yes, decades. We are now in 2016, and we have been training employees since the 1990s if we look at...

Moving to Medium — a Major Move!

Expect more on culture!

I think it is time to realise that the days of self-hosting blogs are over and gone. With great new platforms like Medium, sharing thoughts and ideas becomes much more valuable — more readers equals more impact, and when you set out to create a better world, impact matters.

I am hoping that Medium will make it easier for my readers to interact with me and my content, and that sharing my work, research and findings here will influence more people and organisations. Over the coming weeks, I will migrate content from the old platform to this one, and in doing so I hope to achieve better results for all.

The domain https://roer.com will remain, and point to the Medium Publication (where you read this). The content, some of it dating as far back as 2006 (my older content got lost in a transition back then), will remain accessible. That also includes the blunders, errors, spelling mistakes and much more. I also hope that moving illustrations and pictures will prove easy; if not, I will have to spend quite some time moving it all. After all, it is more than a decade of ramblings!

AFAIK, comments on the old blog / content,...

What I learned as a Startup Exhibiting at CeBIT 2016

In March 2016, I attended the CeBIT in Germany. I was a part of the IBM booth, and my startup company CLTRe (https://get.clt.re) was invited to showcase our products as part of the IBM booth. A security culture specialist as I am, I could not help but make a few observations. Here are a few:

CeBIT is not like a security event

My company and I offer security services. We developed the Security Culture Framework in 2012, and this week we launched the Security CLTRe Toolkit, the world's first Software-as-a-Service company to measure security culture and behaviors. I visit a large number of security events during a year, and most of the time I meet people who are interested in security behaviors, training and change.

During CeBIT, several hundred thousand people attended. Of those participants, very few seemed interested in security. And of those interested in security, even fewer thought security culture any cool.

For us, a small startup looking for customers, CeBIT turned out to not give us what we wanted. At security events, we tend to get more focus and much more interest.

CeBIT is global — in Germany

Attending CeBIT is a great thing. Few events are this large, and few other...

Call for Presentations!

The Call for Presentations at the Security Culture Conference 2016 is open! Join your peers in Oslo, Norway to share your experiences, to learn, and to engage in discussions and panels on how to build and maintain security culture. The conference is two days, two tracks, with networking opportunities, exhibition area, Norwegian culture, great program and much more! I am thrilled to be part of this great event again for 2016!

The talks we are looking for are 25+5 minutes, and should focus on topics relevant to security culture and the application of the Security Culture Framework. Questions our participants are looking for answers to include:

How do I measure security culture?
How do I get the support from the top?
How do I change behaviors?
How can I facilitate a security culture program?
How do I adjust my content to the needs of the audience?
What kind of content should I use?
What are good goals for a security culture program?
What does a good security culture campaign look like?
And much, much more!

Put in your presentation today, and let us meet in Oslo in June — the most beautiful time of the year over here! And if you know anyone who should be on that stage, please tell them to put in a talk too!

What do you get as a...

Security culture — one rule to rule them all

Culture is an interesting thing. We all live in it, we embrace it and we are totally dependent on it. It is also very easy to dismiss — it is only when we see other groups of people, and realize they are not doing things like we do, that we start grasping that there may be more to life than «How it's done here».

Funnily enough, as soon as we discover this new group, and realize their differences, we are very quick to form opinions about «them» and how «they» are doing something strange, or even wrong. «We» and «our» way are considered the only right and righteous path to success, glamour and, well, security.

Security culture is no different, being a sub-culture, and easily dismissed as not relevant or even being a wrong path by some. Personally, I find it most intriguing when people who are not from a humanistic / social scientific background (say they have an infosec background) come up to me and make the claim «security culture will never work».

Or, as this morning on Twitter, when Chris Hoff says:

Further @fsmontenegro, both @kairoer & @jwgoerlich...