Redefining CyberSecurity

Why Security Culture Eats Strategy for Breakfast | ITSPmagazine Event Coverage: Infosecurity Europe 2023, London, England | A Conversation with Robin Bylenga

Episode Summary

In this Chats on the Road to Infosecurity Europe Conference podcast episode of ITSPmagazine, hosts Sean Martin and Marco Ciappelli invite Robin Lennon Bylenga, a human factors expert, to discuss the impact of culture on cybersecurity.

Episode Notes

Guest: Robin Lennon Bylenga, Information Security Awareness, Education and Communications Lead at DWS Group [@DWS_Group]

On LinkedIn | https://www.linkedin.com/in/robinlbylenga/

On Twitter | https://twitter.com/pedalchic

____________________________

Hosts:

Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]

On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/sean-martin

Marco Ciappelli, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining Society Podcast

On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/marco-ciappelli

____________________________

This Episode’s Sponsors

Pentera | https://itspm.ag/penteri67a

Semperis | https://itspm.ag/semperis-1roo

____________________________

Episode Notes

The conversation emphasizes the importance of involving humans in cybersecurity instead of just relying on technology. Robin advocates building a cybersecurity awareness culture by making cybersecurity relevant to individuals' daily routines. Robin shares valuable insights on folding security into an organization's culture, making it relevant to employees, and using storytelling to build a security culture.

Sean and Marco highlight the significance of Robin's upcoming keynote speech at Infosecurity Europe, where she will explain the importance of a good security culture using stories. The conversation also touches upon GDPR and avoiding over-reliance on technology while making metrics to measure success.

The conversation provides a holistic perspective on how the culture of an organization influences cybersecurity: cybersecurity is not just about technology, but also about the way people make sense of it.

____________________________

Resources

Learn more, explore the programme, and register for Infosecurity Europe: https://itspm.ag/iseu23

Catch Robin's session: ‘Culture Eats Strategy for Breakfast’ - Building a Strong Cyber Security Awareness Culture

Be sure to tune in to all of our Infosecurity Europe 2023 conference coverage: https://www.itspmagazine.com/infosecurity-europe-2023-infosec-london-cybersecurity-event-coverage

Catch the full Infosecurity Europe 2023 YouTube playlist: https://www.youtube.com/playlist?list=PLnYu0psdcllTOeLEfCLJlToZIoJtNJB6B

____________________________

To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit:

https://www.itspmagazine.com/redefining-cybersecurity-podcast

Episode Transcription

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording as errors may exist. At this time we provide it “as it is” and we hope it can be useful for our audience.

_________________________________________

Marco Ciappelli  00:07

Hey, you press it

 

Sean Martin  00:08

up. Don't, don't press it. I want and I'm not talking about talking about my patience. The this is, I mean, there's no patience here. I mean, it's, this is a fun time, there's a lot of a lot of excitement building for the upcoming events. And I'm excited to press this button, actually, to have this conversation with one of the speakers from Infosecurity Europe in London, talking about a topic that's near and dear to our heart, I mean, this really connects the human element to the technical bits and cybersecurity. All of our own culture says, This is gonna be a fun conversation, Marco.

 

Marco Ciappelli  00:55

This is the main reason why ITSPmagazine was born about seven, eight years ago, I lost the count at this point, but was the intersection of cybersecurity and society with the humanity in between. So, you know, we realized back then it wasn't just about technology, resolving technology, but the culture in within organization, the way that we look at security, and the way that we, we make sense of the security, there is no really tangible, it's more on, you know, it turned out in a button or a keyboard. But it's, it's a lot more than that. So people were talking

 

Sean Martin  01:33

about injecting technology into humans, and we're like, that's kind of gross. Let's talk about injecting humans into technology.

 

Marco Ciappelli  01:41

There you go. That's more, that's more like it. I don't know if you're doing it as a society, but maybe a topic for conversation. Sean, one, another fantastic keynote, that is going to happen very soon. I am going to get on the plane in a few days. And I know you're going to do the same. So let's talk about this, who we have on

 

Sean Martin  02:06

part of our chats on the road, we're going to be talking about culture eating strategy for breakfast. Sounds delicious. Building a strong Cybersecurity Awareness culture, with the one and only Robin Bylenga. Robin, how are you? Robin Lennon Bylenga, I should say. Good to have you.

 

Robin Bylenga  02:24

Hi. I'm good. Thanks so much for inviting me. It's quite an honor.

 

Sean Martin  02:30

It's our, it's our pleasure. And I'm excited to get into the into the topic and unpack it a bit. Of course, Marco and I have our own thoughts on this, having talked about it for quite a while we're interested in yours. But first, I want to know more about who Robin is and what you're up to, and what led you to this keynote at Infosecurity in London.

 

Robin Bylenga  02:53

So I have a little bit of an interesting background, which as a human factors expert, if you will, we've learned that it is really imperative that people enter in from a variety of different backgrounds, you know, psychology and having skill sets, soft skill sets, empathy, compassion, the ability to communicate with people, so that we can build that relationship with the technical versus the, the human, which we all know, it all comes down to the human, right? But I had a business that I built and we were rather successful, I actually had an internal threat issue. And it shifted the course of my life dramatically. I went and sought my Masters in Information Security, I focused on human factors and internal threat management, and then just really wanted to shift my focus on helping other people not experience what I did, it was rather life changing. You can look at all kinds of statistics. But there's one particular which was written several years ago, and I think it was a magazine that said 60% of small businesses will go out of business after a hack. And it's not just financial, it's it's because you know, all of these emotional things are happening as well you know, I should have we should use this I should have coulda, woulda should have known better. I should have been more alert, I should have seen this coming. But several years ago, and people weren't as knowledgeable, quite frankly as we are now. But when it comes to security, culture, awareness training, so from my daily living, I do awareness, culture building, comms education. The Cyber champions network, I build that and there's so much involved with understanding people so I'm a big fan of Stephen Covey and his Seven Habits, right? I read that when I was in grad school first time, and habit number five is seek first to understand then to be understood.
And I really liked that quote, because if we just go and password management, you know, you've got to learn about being safe, remote working and being safe when you're traveling and blah, blah, blah, it's really, it can become white noise. And when you change the method of delivery, when you change the narrative, and you make it about the people, and again, going back to that fifth habit, meet the people understand what they do daily in their work in their workflow, make, make it relevant, make make the issues relevant to them first. And one of the, when I first got out of college, the first time I was working, I was a flight attendant, actually, for a couple of years. And great, great experience, great company, I worked for a company called Southwest Airlines, you might have heard of them. And this is back in the day, when they were changing the world with their different culture. But the different way that they approach their customers, and with the way that they approach their employees, and it was culture driven. And everything was ingrained to everybody. And it didn't matter if you were in OPS, if you were checking bags, if you were doing tickets, if you're a flight attendant, if you were an HR, whatever, everybody got that same culture training, and it was consistent. And the message aligned with the mission and vision of the company. And no, this wasn't security culture, but its culture. And when that Peter Drucker, quote, culture eats strategy for breakfast. Makes a lot of sense to me, because you can have all the strategic plans in the world. But Texas, we just call it talking out of both sides of your mouth when you when you say one thing, but you do another even as a parent, if I say, you know, don't steal, and then I go and put something in my pocket, we watch what people do we watch what our leaders do, even as adults, we watch we, it's top down. 
So whatever our leadership is doing and saying, even if it doesn't mesh with the strategic plan, we're gonna we're gonna follow the path. Yes,

 

Marco Ciappelli  07:21

let's let's talk about the title for for for a little bit, because I think he's an interesting quotes. And I think that if you look at from a more logic mind, more business mind, you may think that in order to have to create culture, you do need a strategy to achieve that. Because that kind of mindset, you want a strategy for everything. But what you're saying with this, it's it's more like the other way around, where the habits, the way you behave, the way you you see the world, you see the business, you have a goal, what is your WHY right for the company, you brought the example of the company you used to work with? When in that, from that perspective, culture come first and strategy, maybe adapt to that. So it's kind of like, depending on where you look at it from, how do you start this conversation when somebody in the company, it's more of a strategic mind versus psychological, creative, sociological, mind of approach, softer skill, if you I hate that word, but let's use it.

 

Robin Bylenga  08:35

Well, I owned a business, I know what I had to do to write a strategic plan to get a loan to appease my bank, and the strategic tax plan you let's say, a five year plan. So here are my goals. How am I going to get there? What's our what's our corporate motto? What's our vision? How are we going to get there, and you really can't separate a strategy from from your people from the people that you want to implement that strategy. Because they're not passionate about the goals and the mission and the vision of the company, you've just got paper shufflers and when you're trying to really make a difference, and and, quite frankly, we need to put security, information security at the top of the importance if it hasn't, you know, we all know that that's critical now. And if you look at the culture of of safety back in the 80s, whatever, you could go through a manufacturing plant and front door to backdoor loading dock, not a word about safety. Then there was a shift a total paradigm shift, and that that safety and the safety of our humans is a big part of our business strategy. Because it affects stock shares. It affects our employees it affects so many Same thing. So you look at the same thing with security culture, and you encourage people to implement it. And I hope I'm guiding you in the right push in the right way to answer your question. Every, every corporation has their ultimate mission and vision statement. It's the first thing you do. And you've always got to go back to that mission and vision. I love the story about the brand. It's a retail brand. And it's it's grown into this huge life force of its own. But when the three guys that got together, decided the brand, they said, Okay, here's this man, right? What does he drink? What does he smoke? What does he wear the date kind of car? Does he drive Tommy Bahama? That was everything? Everything went back to? Okay, who is this persona? And then we work from there. So my culture is, who is the culture? 
What is what do we want to go for business? How do we want to do that? And what are our values? And how do they align? And then how do we get people to care? About this persona, or this culture or this vision? How do we get people to care about the mission, so much so that we can define security culture, I can give, you know, pretty words about behaviors and attitudes and different things like that. But one of my favorite is culture is what people are doing, when nobody is looking that define.

 

Marco Ciappelli  11:35

Yeah, that's what your brand is. I think Jeff Bezos said that many others said something.

 

Sean Martin  11:42

What they say about you that whenever you say by yourself, now I want to, I want to stick with this idea. Because I mean, you describe mission and vision, and you can wrap goals in there. And you can have personas of how your brand how you want people to envision you and picture you and think how you how you are and what what you value and those types of things. And then and then you have GDPR. Yeah, that says, you will now have to care about these things. So now I have this, this amazing looking, looking person that's wearing a GDPR back, like, they're driving a Lamborghini and drinking this fine whiskey with a GDPR backpack, that's all raggedy on on it. So it changes the way

 

Marco Ciappelli  12:37

the visual out of my mind, and

 

Sean Martin  12:40

it changes the way you look. Right? So my question is, can you rap? And this, there's a second point to that, which is there's security culture, and there's data protection, culture and GDPR, how you use data, which two different factions within the organization. And then you have this big giant culture that you have to deal with? And you have you mentioned the Southwest example. I mean, that's, that's who they are. Right? They're funny, and then that kind of thing. And how do you throw security into that? I guess, do you make it funny and fit in? So the question I have is, do you find a way to fold security in to the culture? Or does the culture define how security is managed? Because you are there you mentioned, it has to be relevant and fit into the workflows, right? It's what you do. So I've grown a lot there. But I just have this, this weird picture in my head of, well, how does this really come together to actually be a culture that people do when nobody's watching?

 

Robin Bylenga  13:47

So I mean, you've touched on several different things, not the least of which is learning, learning behaviors, and, and that's a whole different conversation, because I studied training in development for years, and, and we all learn in very different ways. Some with humor, some with constant nudges, some with the written word, some people, you know, when I was with that airline, there were some people that really didn't like the hammer. So there you have, you have to read gotta be able to read the room. So that's why that's why virtual training is so difficult because you can't see people's eyes. You can't shift the message as you lose people or game people or whatever. So, you know, learning methodology is one thing, but, you know, developing a whole culture is it's not overnight. I mean, it's basically at least a two year program and that's when you've got it really relative, relatively well defined. Board, taught leadership. Full backing 100% support And, and it's just a part of your daily routine. And, and then people expect it. And I really believe people want to know how to be secure, because it doesn't just affect when I go to work, or punch a clock, and I'm there from eight to five or whatever. I mean, learning about information security is critical to everything we do from this point forward. And protecting our children protecting ourselves, protecting our identities, our bank accounts, everything. So when you have the ability, which is amazing, to go in, and actually create a culture with a company that is supportive, it's fun, because you get to go to the conversations with people are critical. And, you know, 100 years ago, there was a book called I think it's Tom Peters management by walking around and I was in graduate school at the time, and I thought, well, Hmm, that sounds stupid. I mean, that sounds like common sense, right? 
And Marco, you were talking about, you know, the human element and taking the technical and merging the humans or injecting the human into the technical. And I think that sometimes we get so myopic, and so focused on what we do, whether it be coding, cybersecurity, whatever, that we forget that this is not everybody's job, and they don't care, I don't care how the engine in my car works, I want it to do the things I want it to do. Safely, of course, there are so many things we can talk about, you know, we used to not put on your seatbelt Now you wouldn't get in the car without a seatbelt. Now your car warns you if you don't have the seatbelt on, or once you have your back, passengers don't have their seatbelt. So it's up to us, I think from a technological standpoint, to put in those little warning things to help people remember to operate safely. But you do it in a way that's respectful and empathic. And ultimately, your whatever your company is, your suppliers, your customers, your investors, they want, they want to know that you're being cyber secure. And to your point, Sean, GDPR, it's it's not my job anymore. It's all of our jobs. And it, it, it's a collective effort. And if we don't, and that's culture, in order to collect effort, that's,

 

Marco Ciappelli  17:50

you know, that's why I went right there at the beginning with with the with the title and the quote, because I feel like it takes it needs both, right? I mean, you can, you can attack the problem from one side or from the other. But ultimately, it's not just one side that isn't gonna win. It's a mix of the two, I think you need the regulations, you need the culture, the understanding that like, you know, you're going in the car, if you grew up in that transition of not seatbelt seatbelt. We didn't, you know, the car then started to remind you that with that annoying beep. And now I probably just put it on by itself. But there was also a moment that you just walk, you sit in the car and automatically you do it. Right And automatically, you put it on your kids and the person next if he doesn't do it, you're gonna say you should do it, because that's that's culture, right? So it goes in a lot of different direction. And of course, to go to your presentation to your talk Infosecurity Europe, you're not going to have an entire curriculum of lessons to go through this. So what are going to be your your main point there, and especially what people will walk away or your hope they'll walk away with thinking about after they hear your presentation.

 

Robin Bylenga  19:18

I love to tell stories, and I think storytelling is one of the best ways to have people remember to take a cybercrime class and we had all the statistics and data and hundreds of thousands of slides, it felt like 100,000 slides. It is the stories that I remember it was the stories of the people that were you know, cyber bullied or whatever, you know that stuff that speaks to all of us. It's a story. The best advertisements you have are horror stories and I so I want to tell a couple of stories that hopefully will, will to help people resonate with people, I want to talk about the importance. What Why Why is it so pivotal, and important that we have a good security culture and address the human element? And also metrics? Is there a way to measure it? How do you measure something that you can't see? We didn't have any attacks this year? Oh, great. So now we don't need the team, we're all great. That's that, that has always been an issue. So we're going to talk, I'm gonna address some of the metrics or some of the ways that you can actually baseline yourself, and then steps along the way to really understand if you're having success, but you also need to define what success is, you know, what does it mean to you?

 

Sean Martin  20:51

And referencing the seatbelt as a societal culture. But I picture you mentioned, like, manufacturing, warehouse or hub, where on the board is how many days without an accident. Right. And that's, that's the business safety culture. And in the US that's driven by OSHA, I'm sure in Europe, there's different standard body that oversees that kind of thing. And they may pair up, right, somebody might wear a seatbelt to work and then not care about safety, or vice versa and not not wear the seatbelt, but care about the safety at work. But well, they're both cultures, cultures.

 

Robin Bylenga  21:39

Yeah. And I think that the one thing that that I do like to remind people that we want to avoid is reliance on too much technology. And my mother is gonna kill me for telling this story. But I was with her. Recently, before my dad passed, he bought her this magnificent vehicle that warns her about everything Sherif Ali asked, thank anymore, and we were riding in one of the other vehicles because that woman was in getting some, some things done. And so this other vehicle doesn't vibrate when her she's going off the road, and it doesn't remind her of everything. And, and, you know, she's relying on the camera, and I said, you know, with all due respect, just just, can you just like, not focus, trust the technology quite so much. So then we had a little rerender. And that was funny, because she was using the backup camera and not her eyes. But anyway, I digress. But it was just, you know, it was just like, just the words that just come out of my mouth. You know, I think you're relying too much on technology. I know what I'm doing. And, you know, so that's,

 

Marco Ciappelli  22:51

It's a great, it's a great point, it's still a lot of conversation nowadays about, you know, we said the easy button, but we also talk about, you know, AI and ChatGPT's gonna just do things for you. It's not going to I mean, I see all of this technology as a tool as a help, but you can't just rely 100% on it, you need to, you need to still use your own judgment. And that's what culture I think I mean, so your example, your mother, I think is pretty, there's pretty good, you know, I Okay, I trust my camera that my car that will brake by itself, but I'm gonna have my foot on the brake. Not gonna go 100% on that. So yeah, I think there

 

Sean Martin  23:40

are other differences. I mean, your mother is probably driven without technology. So at least she knows what it's like to drive without, right. Right? The newer generations don't know what it's like to do business without a lot of these technologies. So when something fails, things things happen. And that's where the culture really steps.

 

Robin Bylenga  24:04

Yeah. And ironically, Sean, when you're talking about that kind of stuff, if you look at the data, and you look demographically at, at how people interact with technology, some of the younger people right now that have had technology since they were infants, I know I've seen it, that they're more likely statistically speaking to click, because they're just there. They're busy. They're doing, you know, the older generations that did not have that, you know, coming along are a little bit more cautious. I mean, that's just so you know, when you're dealing with all of these demographics and culture, actual, you know, cultures have homeland and cultures of busyness and work and how do you put all that into a security culture and the One thing that that I want to leave people with is the criticality of knowing your people. So I did a, I did a seminar once called Know Your people people, because which is imperative? And how do you do that? If you've got an organization? Or something? You just don't hear me? Sorry. And, and that's culture, because they're a small team of InfoSec people can't be there every day to make sure so you, you know, it's it's, how do you not make this a priority to ingrain it into the first days of someone's relationship with the company, you started in the new interview process? And, you know, this is a big part of organization, and, you know,

 

Marco Ciappelli  25:55

no, well, a lot too lot to talk about here. And definitely a large conversation. And I think it will be a session that will let people think a lot about what they're doing, what they've done, and the way that they are approaching culture and security. So I'm gonna make a call to action here for everybody that is Infosecurity Europe, but the ExCeL in London in a few days, which will take place on the the 20, the 21st, and the 22nd. To also on the 22nd 1225. I see on the on the schedule, to come to your keynote stage session, and that is called culture eats strategy for breakfast. So let alone it's, it's already an interesting, building a strong Cybersecurity Awareness culture. So I want to thank you for sharing a little tease. I think it will be plenty of stories for people to listen, clearly you like to tell stories and make reference and so I like that approach of making things visual and memorable. And, Sean, we're going to be there as well.

 

Sean Martin  27:14

So we're talking about breakfast, you know, I love food. So I'm gonna,

 

Marco Ciappelli  27:17

it's a light breakfast is 1225. So it's more of a brunch. That's eating breakfast. I know I was making a joke there. But anyway, that everybody that it's going to be the event, please join this session, and we sure will do. So. Thank you so much.

 

Robin Bylenga  27:42

I appreciate it. Have a great day. Thanks.

 

Marco Ciappelli  27:44

Thank you. Bye bye.