Ep.21 Ken Gilmour | Creating a Security Conscious Culture
In this episode of the Cybrary Podcast, we sit down with Ken Gilmour, the CEO of Knogin and Ryan Corey, the CEO of Cybrary. Ken and Ryan discuss the importance of having a security-conscious company culture and how that needs to be something that is thought of early on and possibly rewarding the employees who emulate these ideals.
In this episode of the Cybrary Podcast, Ken Gilmour, CEO of Knogin, and Ryan Corey, CEO of Cybrary, talk about building a security-conscious culture.
Ken Gilmour lays out several steps by which a company can build a security-conscious culture. One of the major problems is that we tend to forget people when planning security training. A janitor, for example, may clean someone's desk on which a critical document has been left, and that is a security concern. According to Ken, security in an organization belongs to everyone; it is inclusive. So when training employees, we should take their different needs into account and provide the area of security training that fits each job role. A developer, for instance, knows not to use public Wi-Fi, but his or her real part in the company's affairs is to code securely, so training for that must be provided, and each job role should be matched to its own area of security training. NIST's NICE framework makes this easy for companies: it takes a job role and identifies all the skills, including the security skill sets, needed for that particular job, so that training can be provided on that basis or a person with those skills can be hired.

Another step toward a security-conscious culture is not to brush a crisis under the rug. Some entrepreneurs, particularly in small organizations, hide a breach when they are attacked, but as Ken says, the companies that have survived attacks are the ones that managed the crisis well, not the ones that brushed it under the rug.

The next step is accountability. An accountable person needs the knowledge and awareness of how critical the data is; otherwise he or she cannot be held accountable for it.

Another step is rewarding people. This technique is well appreciated and fun to use in a company's community to make it security conscious.
Rewarding people for finding security holes and similar issues inside your company can be economical and fun at the same time, because once a security hole is exploited it costs the company a great deal. This method encourages employees to look for issues and report them to be fixed, or to fix them themselves. Another step toward a security-conscious culture is to promote personal privacy. This means that if training materials are explained with personal, real-life examples, participants are more likely to grasp the points.
Some security-awareness training is boring for the presenter and the participants alike; it stops being that way once it is linked to their personal lives, for example tracking your kids' online activity. Understanding security from a personal perspective and then showing how the same thinking applies in business can be much more effective. The last word on a security-conscious culture is that there must be trust among members of the community. At Knogin, for example, if someone forgets to lock his or her computer and a colleague notices, the colleague goes to the company Slack from that computer and sends "I love you all" to everyone. It is fun, and next time the person will be careful. Trust is important here: everyone trusts each other, which is why someone can freely do that kind of thing.
Lastly, Ken talks about Knogin (founded two years ago), a behavioral analytics application that builds a context around you, who you are and so on, and alerts you when suspicious activity related to you is seen. A free version of Knogin is available for individuals through knogin.com, and a paid version is available for businesses. Security and security training must be a continuous process.