Dr Lance Hayden Ph.D, Living Security advisor and security awareness pioneer, discusses his “Competing Security Cultures Framework,” his experiences as a HUMINT officer working for the CIA and the importance of celebrating failure.
LS: What is culture mapping and how did you develop your methodology?
LH: Maps are metaphors. They express relationships between things that would otherwise be too complex or abstract. As I was developing the Competing Security Cultures Framework (CSCF), I wanted to provide a way that people could visualize their enterprise security cultures across four basic security cultural types and to identify which cultural traits are the strongest or weakest using the Security Culture Diagnostic Survey (SCDS).
LS: Why is it important to assess, design, build and maintain human firewalls?
LH: People are an organization's most important infrastructure. As today's threats focus more and more on the human attack surface and on people as the most vulnerable vector, technical infrastructures are becoming more challenged to prevent breaches without degrading productivity. When individual members of the organization possess strong security awareness and skills, then the response to threats and attacks can happen closer to the actual event. This can result in many attacks being thwarted immediately, without the need for technical interventions. People-centric security architectures like human firewalls complement rather than replace security technology.
LS: From your experience as a HUMINT officer, what part of human nature is malleable to behavior change?
LH: Research today increasingly shows just how susceptible to behavioral change we can be, often without even realizing that we are being targeted. As a HUMINT officer, the most important aspect of behavioral change for me was motivation. If you could understand what a person wanted, what motivated them, then you had keys you could use to unlock behavior. Human nature is most malleable when the humans involved truly want to change.
LS: How can we derive actionable intelligence from culture mapping and human profiling?
LH: It's hard to get actionable intelligence if you don't know what intelligence is important to you. In management terms this becomes a measurement question. You can't manage what you don't measure, and you can't measure what you don't understand. So the first step in culture mapping and human profiling is all about defining what an organization wants to achieve. Be specific.
LS: What is one thing that if you told organizations to do it, today, for cybersecurity training (but improved resilience) - they would think you were crazy?
LH: Celebrate failure. Encourage people to fail and share how and why they did. Reward them for it. All the while working to push failure as far as possible "to the right" so that it happens quickly, gets discovered quickly, and stays small and easily corrected. Essentially this is the DevSecOps ideal, but it's still hard for old school security folks to get their head around it.
Living Security was founded out of personal experience with the problem as a practitioner, combined with a passion for solving problems with large impact and opportunity. Our team comprises industry experts, SMEs and fun, passionate people who are just a little crazy – hey, we did join a startup! We are all here to build something great – will you join us? It’s an incredible journey! At Living Security, we reduce enterprises' cybersecurity risk from human error through engaging and impactful security awareness training that is brought to life by innovative tech-enabled experiences.
Dr. Lance Hayden, the Chief Privacy and Security Officer for ePatientFinder, is also an author, speaker, and researcher with over 25 years' experience in the field of information security. A leading expert on security behavior and culture, Dr. Hayden is the author of People-Centric Security: Transforming Your Enterprise Security Culture and IT Security Metrics: A Practical Framework for Measuring Security and Protecting Data.
Dr. Hayden began his career as a human intelligence (HUMINT) officer with the CIA, which contributed to a philosophy emphasizing human behavior, organizational psychology, and strategic leadership as central to a successful InfoSec program. Dr. Hayden's career includes security roles at KPMG, FedEx, Cisco, and the Berkeley Research Group before joining ePatientFinder, where he has executive responsibility for all enterprise data protection and security-related regulatory compliance.
Dr. Hayden received his Ph.D. in Information Science from the University of Texas at Austin. As a professor at the UT iSchool, Dr. Hayden develops and teaches graduate and undergraduate courses on subjects including information security, privacy, surveillance and the intelligence community. His industry credentials include CISSP, CISM, CRISC and ISO 27001 Certified Lead Auditor certifications.