Security is People! Posts

Holding Pattern


There’s nothing worse than an “active” blog with no activity… I started Security is People! as my book People-Centric Security was coming out, intending to use the blog as a platform to talk about security culture. Since then, things have gotten busy. One of the coolest things to happen was being invited to become a CSO Online contributor, where I now have my own blog on security culture and strategy.

I’m not particularly prolific. I like to write but I can’t do it fast and I can’t do it continuously. I thought I would try to maintain both my CSO blog and this one. That strategy has produced more stress than posts. So I’m going to park Security is People! for now. The blog itself and the small batch of posts I created for it will remain, but I won’t be updating it very often (I might if there’s a topic I really want to write about but that doesn’t fit or isn’t appropriate for CSO Online)…

So, for folks I meet or who hear me speak and find their way here, that’s what’s going on. Please head over to Security Culture and Strategy to see what I’m up to blog-wise, or visit or LinkedIn to learn more about me and my work.


What’s Human Capital and Why Should InfoSec Care?

I’ll be speaking in a few weeks at the Cyber Security: The Human Factor conference in Ottawa. My topic will be, in part, the role that human capital can and should play in security programs. But many people I speak with about human capital and people-centric security are more or less unfamiliar with the term. Human capital is something discussed a lot in other industries and fields, but not so much in information security. That’s a shame, really, because it means that security programs often allow a powerful source of wealth and value to go untapped in support of their efforts, even while fighting for the scarce resources they need to do their jobs. To better leverage human capital in support of cybersecurity, it’s important to understand what it is.

The Cost of a Bad Decision: Measuring the Impact of Security Culture

Selling the value of culture isn’t easy, especially in a cybersecurity program. I’ve found security professionals to be among the loudest complainers about terrible security cultures within their organizations. But, ironically, they also tend to be the first ones to throw up their hands when it comes to changing those cultures. Sometimes the reason behind this feeling of helplessness is the unpleasant truth that, as much as companies say they take security seriously, InfoSec teams and CISOs often lack the political juice to effect fundamental change. Other times the reason has more to do with the fact that people don’t come equipped with a command line interface. That tends to make them more or less unfathomable to security teams used to working with technology systems. Changing the unconscious biases and values that make up organizational culture seems about as likely as writing a shell script that will make your server kiss you and really mean it. So why bother?

The Competing Security Cultures Framework

It’s been a little hectic lately, and I’m letting myself down on the “one post per week” promise I made to myself. This week I was in Anaheim at the (ISC)2 Congress, where I was fortunate enough to give a couple of presentations. And the good folks at the ’con came through even further by handing me a ready-made and easy-to-do post for the week. Several people who saw my People-Centric Security talk at (ISC)2 asked about the Competing Security Cultures Framework (CSCF) that I described in my presentation. The CSCF is one of the models I created for the book and, for a detailed exploration, I would encourage you to pick up a copy. But for the curious, and those folks from my talk who asked, here you go…

Security Drift: A Visual Metaphor for Why Things Fail…

Here’s a short(ish) video of the “security drift” concept I describe in People-Centric Security. Inspired by the research of Sidney Dekker, I find it works best in motion (I usually draw it on the back of a business card…) and illustrates the risks that can emerge when security competes with other cultural and behavioral priorities.

Apologies in advance for quality issues. This ain’t exactly Khan Academy…

Will Culture be Security’s Next Compliance Challenge?

It is safe to say that compliance is a major reason that organizations worry about security today. Despite fears of hackers and cyberespionage dominating the news, despite appeals and guidance encouraging enterprises to shift their focus from audits and control checklists to threats and risks, there is plenty of evidence, from healthcare to finance, that complying with laws, regulations, and industry standards remains the biggest driver of security program strategies and budgets.

Security Culture: From the Front Lines

I just got back from Philly and I want to thank Lance Spitzner at SANS Securing the Human and team for inviting me to the 2015 Security Awareness Summit. It was a good day. I got to raffle off a few copies of my new book (in this case IOUs, since the book still has a few weeks before it hits the shelves), heard some wonderful speakers talk about their security training and awareness programs, and talked to many great people working day in and day out to secure the most critical infrastructure any organization has: its people.

Driven to Fears

Bad Example?

A couple of weeks ago I was talking to an Irish Times journalist about security in the Internet of Things. I used one of my favorite analogies for the way cybersecurity fears can get overhyped – the automobile. Driving is among the most dangerous things a person can do in modern life, yet we take it in stride. Few of us freak out as we climb behind the wheel, terrified of the incredible perils we face simply by pulling out of our driveway. My point was that there are plenty of technology risks that should scare us more than (legitimate but largely theoretical) IoT vulnerabilities, but we choose to ignore them. The comparison seemed to go over well. At least until a few days later, when someone hacked a Jeep.

New Job. New Book. New Blog.

Just about everyone experiences a point of transition at some point in their lives, a time when lots of things change very quickly. Things can get better or they can get worse or they can simply get… different. The only constant is the realization that there’s no going back. 2015 has been like that for me. Things got worse, things got better, and things got different. And though most of my changes have been happy ones, it’s still scary and the initial steps are usually the hardest. The first day in the new job, those first few pages in the new chapter, that first post. You hesitate even as you keep telling yourself to move. And then, suddenly, you’re in motion…