
Podcast
U.S. Secret Service’s Andrew Frey on Why Business Email Compromise Works
by Andrew Webb Tuesday, September 27th, 2022
Andrew Frey is a Forensic Financial Analyst for the San Francisco Field Office of the U.S. Secret Service, working in the Cyber Fraud Task Force. As one of the most knowledgeable people in the US Government on the threat of Business Email Compromise (BEC), Andrew works directly with companies and individuals to gather intelligence on cybercriminals behind these attacks and helps recover lost funds when wire fraud has occurred. In a recent episode of the podcast, he spoke to Tim Sadler about attacks he’s investigated, explained how lost funds are recovered and why he believes BEC is on the rise. Listen to the whole episode, here, or read on for three key Q&As from the interview.
Why are BEC attacks growing more frequent and more effective?

I think that the answer is in the question – BEC attacks are growing in frequency because of their efficacy. BEC is an unprecedented type of cybercrime because of its enduring effectiveness. For most scams, widespread education brings their downfall – think IRS impersonation scams, lottery scams, and the Nigerian prince scam. Those schemes are all still around but their heyday is over because most people have been made aware of them in one form or another. You also have organizations like banks and gift card retailers pitching in with warning signs or detection systems that help deter those scams with a high degree of effectiveness. In the case of BECs there is now more education, communication, and detection technology than just about any other scam, and yet they are still very common with no sign of becoming less so. The victim pool is also very broad. It isn’t just senior executives being targeted, we now see everyday people losing down payments to their new homes through BEC, for example. The victims also aren’t necessarily so-called ‘vulnerable’ or lacking in tech-savvy. Many victims are Fortune 500 companies – companies that most folks know by name and logo, companies with rigorous security and control. So as long as the crime continues to have success it is only going to grow.

What are the typical traits and characteristics of these attacks?

In almost every BEC case that I have worked there were red flags in hindsight. They could be as subtle as a different font or a different representative than who you have always worked with, or even a different salutation. It is very rare that when reviewing the email with hindsight you don’t spot something that probably should have caught your eye. As for who is targeted most frequently, it is tough to say because each criminal organization probably has a favorite industry – one that they’ve spent time familiarizing themselves with to allow them to talk the talk in a convincing fashion. I am currently working on a case where about a dozen cities and counties were hit with millions of dollars in BECs, and this is a number that is growing by the day. Victims include city police departments and even some school districts, and part of what has made them appealing targets is that so many of their suppliers and the amounts and frequency paid to them are publicly available online. This takes a lot of the work out of the process for the criminals. In some instances, a cyber intrusion isn’t even necessary because the criminal actor could impersonate the supplier or municipality’s finance director and request payment without intrusion. Cases like this are becoming more and more common.

How do you recover lost funds? What is important to know for people who one day might be victims of these kinds of attacks?

We have a number of tools at our disposal that can help recover funds, including cryptocurrency and funds that have been wire transferred abroad, which is common these days. As a victim, the key is timely notification to law enforcement. I personally receive one to three reports of BEC a week, and the recovery rate is actually a lot better than you would imagine. I think people think BECs aren’t recoverable and that is not accurate, but timing is everything. When I am notified of a BEC I immediately work with the relevant financial institutions to trace these funds and I won’t stop until there is a definite dead end or the money is recovered. Simultaneously we might be arranging for an exam of the victim’s network by one of our network intrusion responders to gather evidence for a criminal investigation. But really one of the best ways we help is pro-active education. We try to get out there and provide a resource for companies and institutions so that when any kind of cyber incident happens they know who to call. In terms of more general advice, businesses need to practice good cyber hygiene. That means anti-phishing training, using complex unique passwords, and changing passwords frequently. It is also very important to prep yourself before an attack occurs by having an incident response plan with clearly outlined roles. That way, if something does happen you don’t have a half dozen people trying to figure out who to call and what to do.
For more of Andrew’s anecdotes and further discussion, listen to our Tessian Podcast episode, here. You can also visit the Secret Service website to find out more information.
Podcast, Compliance, Interviews With CISOs
Lola Obamehinti on What Good Security Awareness Training Looks Like
by Tessian Saturday, August 13th, 2022
With a wealth of experience in developing and leading security and awareness programs at companies including eBay and TIAA, Lola Obamehinti knows what makes a good program. Lola, the founder of Nigerian Techie and former , joined Tim Sadler, Tessian CEO and co-founder, on the RE:Human Layer Security podcast to discuss security and awareness training – why it matters, how to make it effective, and the secret to keeping employees engaged. Tim and Lola also discussed diversity in tech, with Lola reflecting on the work that remains and how to increase inclusivity and diversity in the industry. Listen to the whole episode or read on for some key Q&As from the interview.

Q: Why is security awareness so important in organizations today?

A: Security awareness and training are crucial for every organization because employees need to understand their role in protecting confidential company data and information. When cybercriminals target a company and attempt to gain access to networks and systems they do not only target IT or tech employees. Each and every employee has the potential to be a target, regardless of their role. So it is really important to equip employees with the proper tools to identify phishing attacks and other methods that cybercriminals may use to infiltrate an organization.

Q: What does a good security awareness program look like?

A: Effective security awareness and training programs require a multifaceted approach. It is not just training, and it is not just security awareness events or communications – it is all of those elements working together. You could even divide security training up further into phishing simulations, which then feed into additional security training, alongside required security training (that could also be role-specific). The communications pieces and events also play a big role because you need to let the employees know where they are missing the mark, and also lead effective security awareness events. Finally, you need to use data to track the progress of all of those particular programs. This well-tracked, multifaceted approach really helps to keep security at the forefront of employees’ minds, and in my opinion, is what works best.
Q: How do you improve a pre-existing program and engage employees?

A: Additional funding is the best way to improve a pre-existing program. It may seem like the easy answer, but in my experience, I have noticed that security awareness and training is one of the parts of security that is often a bit underfunded. Companies often say that additional funding isn’t necessary, but whenever an incident happens security awareness and training is one of the first teams that is notified. Now when it comes to the content of the program, context is key. To engage employees and help them retain information, you need to provide context to the lessons you are teaching them. For example, when I was leading security awareness and training at eBay, we were entirely remote, so ensuring employees were well engaged was a key focus. One of the things we did was in January after the popular Coinbase advert that was shown at the Superbowl. The advert featured a QR code bouncing around the screen, similar to a bouncing DVD logo. So, I wrote an article about protecting yourself against QR code phishing, using the advert to provide context. The engagement was huge – a few of our engineers even created their own QR codes! Until then I didn’t think that level of engagement was possible, but it just goes to show what happens when employees are truly interested in a topic. You just need to make it relevant to them.
Q: What diversity and inclusion work is left and how can leaders help?

A: Right now, there is a lot of work left to do in the industry when it comes to diversity and inclusion. The security industry reflects the greater technology industry where there is not a lot of representation. Even for San Francisco-based companies, the representation of Black, Indigenous, and People of Color (BIPOC) teeters around 2-5%, which is really really disheartening. Particularly because in 2014 a lot of the major tech companies started releasing diversity reports, but the numbers really haven’t moved since. To change this I believe that the gatekeepers, from hiring managers to executives, need to give opportunities to individuals who might not have a traditional path. Maybe they just have a passion, maybe they have done a lot of extracurriculars like starting a podcast or YouTube or Discord to educate other individuals on security. They may not have the right certifications, but those individuals should be given more opportunities at entry-level or even management. Also, for the individuals who are already in the industry – if they don’t feel included or like there are proper opportunities for advancement they leave. We have all seen the lawsuits that are being brought against Google and other tech organizations where people have been discriminated against, experienced racial microaggressions, and were not promoted or compensated fairly. So the work doesn’t stop once you have a diverse workforce – you need to make them feel continually included. Finally, I would like to highlight that diversity is not just about BIPOC. It can be gender, background, or socioeconomic status, it can be anything. I think of diversity as diversity of perspective and thought – and it is so important for the overall success of a company.
Podcast, Interviews With CISOs
Q&A with Ben Aung, Chief Risk Officer at SAGE
Monday, November 29th, 2021
Ben Aung is the Chief Risk Officer at SAGE, formerly served as a Deputy Government Chief Security Officer in the UK government, and is a Tessian customer. He discussed insider threats, fear, uncertainty and doubt (FUD), and the Great Resignation with Tessian CEO and Co-Founder, Tim Sadler, on the RE: Human Layer Security podcast. Listen here, or read the Q&A below.

Tessian: How has this year been for you and your team at SAGE?

Ben: I’m surprised how much we’ve managed to achieve under challenging circumstances. We’ve managed to get to a “business-as-usual” state much faster than I would have expected, and many of the kind of “doomsday” threats that we might have been anticipating as a result of COVID haven’t really materialized for me.

Tessian: What are your thoughts on insider threats? Could you share a bit about how you’ve been focused on insider threats throughout your career?

Ben: Most of my career in government has been in information security, computer security, or cybersecurity—depending on which term was de rigueur at the time—but when I joined the Cabinet Office in 2012, my first gig there was as the Senior Policy Adviser in the National Security Secretariat for insider threats.

Soon after I joined, we were dealing with the aftermath of the Edward Snowden disclosures, which—as many people will remember—were a seismic event in the insider threat world, and caused a great deal of reflection and introspection around how much confidence we could have in some of the very long-standing controls that we’d had around mitigating the most severe insider incidents, particularly in the national security context. That was a real “baptism by fire” for me in the insider world. I was working across the Five Eyes countries and trying to join up what we all thought was a fairly consistent understanding of how to fight insider threats, but I found out we were all doing things in slightly different ways.

My experience of working with the intelligence community in that very high threat, high impact context was that—in amongst all of the complexity, and “smoke and mirrors,” and spookery—many of the issues were just fundamental people issues or control issues that I expect nearly every organization to face, in one way or another.

Tessian: According to stats, insider threats have risen almost 50% in the past two years. Why do you think it’s such a challenging problem to solve?

Ben: I think we overcomplicate it, would be my headline. We don’t think holistically about the interventions we can make in the lifecycle of an individual or an insider incident that might reduce both the opportunity and the impact. We often put too much emphasis on hard technical controls. We lock systems down, so they become unusable, and people just find ways to circumvent them. We put too many eggs in one basket, and we don’t think about all the little things we can do that cumulatively, or in aggregate, can support us.

The other thing I’d say is—cybersecurity, as an area of risk, is too populated with anecdotes and an absence of data. And it’s too driven by the worst-case scenarios, rather than the everyday, which I think are too often the starting point for the more severe events that happen later down the line.

Tessian: How do we take steps towards that more data-driven approach, and what’s your advice to people who may agree that they find themselves swayed by headlines and the “fear factor”?

Ben: As security professionals, we sometimes have quite thankless roles in an organization. And actually bringing a bit of excitement and interest—it’s an interesting part of the job, and sometimes adds a bit of “mythology.” The point is that the most effective interventions are some of the most boring and the most mundane. By that, I mean—if you look across all of the most severe insider incidents of the last “x” years, effective line management would have been one of the key mitigations. Effective line management, good pastoral care, good understanding of employee wellbeing, good performance management processes, basic controls around access, audit, and monitoring.

I think because these things have existed for such a long time, and we don’t associate them with insider risks, then they’re either overlooked, they’ve degraded, they’re boring—they don’t attract investment in the same way that other things do. The goal is to bank all of that stuff, get that foundation in place, and then supplement with some of the specialist tools that are available on the market—like Tessian—where you can say, “I’ve got confidence in some of these fundamentals, now I want to take that step and really understand my enterprise and what’s happening in and out of it in a much more sophisticated way.”

Tessian: There have been a number of incidents reported in the news where disgruntled employees are being targeted by cybercriminals to assist in malicious activities. Is this something that concerns you?

Ben: I used to think about this a lot in government, where the notion of a “blended attack”—particularly in the nation-state context—is very relevant. There’s often a misconception that a hostile state actor says, “I’m going to launch a cyberattack on the UK,” or “I’m going to compromise ‘x’ system”—they have an objective, and often cyber or remote attacks are the cheapest way to achieve that objective. But in some cases, they won’t be. And a blended attack, where you use some kind of close-access technology that’s deployed by a compromised individual as a precursor to a remote attack, is a threat model that governments have to deal with.

And some of the techniques that governments can deploy against one another are absolutely crazy… the level of creativity and imagination at play… That is a very real risk in that context, and I think it’s inevitable that elements of it are going to find their way out into the commercial world. The key consideration is: what is the cost/benefit equation that the actor is going to be relying on? And as soon as you start including vulnerable individuals, you do increase operational risks as an attacker. The ransomware groups wouldn’t care too much about that, but it’s about whether they get the pay-off they need for the level of effort they put in. And I guess, in many cases, they would.

If you just look, in more of a social context, about how teenagers and children can be blackmailed by people on the other side of the world, then there’s no reason why someone seeking monetary gain—through a ransomware attack or otherwise—wouldn’t do the same. I haven’t seen any real evidence that it’s happening at any sort of scale, but I think having people in your organization—like we try and achieve at SAGE—who will report early… there’s a sort of “no consequence” reporting rule in SAGE and in many organizations, where we just want to know. I think that’s one of the most effective mitigations.

This Q&A was adapted from our RE: Human Layer Security podcast. You can hear the full interview here.
Podcast, Integrated Cloud Email Security
Five Things I Learned From Launching A Podcast
by Tim Sadler Wednesday, April 14th, 2021
At the start of this year, Tessian started a podcast. Why? Because since we launched the Human Layer Security category in 2013, the human factor has become one of the biggest considerations in cybersecurity today. Every day, we are speaking to CISOs, CIOs, business leaders and security professionals about how to secure the human layer. And I’m not just talking about conversations related to how to stop the ever-rising number of phishing attacks. We’re talking about insider threats and security incidents caused by simple human error, too. We’re discussing ways in which CISOs can better understand their employees’ behaviors and ways of working, in order to build security strategies that protect them and empower them to do great work. And we’re talking about how to get buy-in from boards. Rather than keeping the conversations to ourselves, we wanted the podcast to provide a platform for inspiring IT leaders, thought-provoking academics, and ethical hackers to discuss why it’s so important for businesses to protect their people – not just machines and data – and share their learnings so that other security teams can do it too.

It’s been a lot of fun and I’ve spoken to some incredible people. So here are my highlights and my top learnings as we close out Season 1 of the RE:Human Layer Security podcast:

1. CISOs are doing an amazing job in their relentless roles. As Simon Hodgkinson, former CISO at bp, said, the job of the CISO is truly 24/7. And it’s becoming “more and more challenging as the threats become more advanced and regulatory landscapes become even more complicated”. Hearing the work that CISOs like Jerry Perullo at ICE, Ray Espinoza at Cobalt, Tim Fitzgerald at ARM and Anne Benigsen at Bankers’ Bank of West are doing to not only navigate these landscapes and keep their companies safe, but also to help make their people into security champions and make security as seamless as possible, is really inspiring.

2. … and they want to do more. It was clear from the leaders I spoke to that they have a “duty of care to continue raising awareness” and “invest in making sure people are able to do the right thing.” Some believe, however, there are more engaging ways to do it, while others think there is more work to be done to get employees to buy in to the security culture. It was great to understand how they plan to do this.

3. Security can learn so much from psychology. In one of my favourite episodes, academics Dr Karen Renaud and Dr Marc Dupuis question why businesses continually use fear – a short term emotion – to try and engender long-term behavioral change in cybersecurity. They also explain why the role of employee self-efficacy is so important to encourage safer security practices. Their insight into what factors make people more or less likely to adopt safe cybersecurity behaviors makes me question whether FUD in security has had its day.

4. If you don’t get to know your people well, the bad guys certainly will. Ethical hackers and social engineering experts like Craig Hays and Jenny Radcliffe explained how cybercriminals select their targets and methods of attack, emphasizing the need for companies – at manager level – to know their people really well. As Jenny said, “the answer to becoming a more secure organization […] is to know your humans better than the bad guys.”

5. Employees aren’t the weakest link. The age-old saying that people are the weakest link in security is something our guests don’t believe in. To Dan Raywood, people are neither the strongest nor the weakest link, but rather “an essential part of your business”. Tim Fitzgerald agreed, stating that, as security leaders, “we try to take a look in the mirror and say, are we providing these people with the tools they need to help them avoid these types of threats or scenarios?”

It’s been a privilege to speak with all of our guests on the RE:Human Layer Security podcast and, if you haven’t already, I encourage you to listen to their interviews and subscribe to the show. We’re now planning Season 2 so stay tuned for that – and if you’d like to get involved or hear more about what we’re doing, please contact me on LinkedIn or Twitter.
Integrated Cloud Email Security, Podcast
Episode 4: The Fear Factor with Dr. Karen Renaud and Dr. Marc Dupuis
by Tessian Wednesday, January 20th, 2021
We have a fascinating episode lined up for you this week, as I’m delighted to be joined by Dr. Karen Renaud and Dr. Marc Dupuis. Dr. Renaud is an esteemed Professor and Computer Scientist from Abertay University, whose research focuses on all aspects of human centred security and privacy. Through her work, she says, she wants to improve the boundary where humans and cybersecurity meet. And Dr Dupuis is an Assistant Professor within the Computing and Software Systems division at the University of Washington Bothell. He also specializes in the human factors of cybersecurity, primarily examining psychological traits and their relationship to the cybersecurity and privacy behaviour of individuals. And together they are exploring the use of fear appeals in cybersecurity, answering questions like whether they work or whether there are more effective ways to drive behavioral change. They recently shared their findings in the Wall Street Journal, in a brilliant article titled Why Companies Should Stop Scaring Employees About Security. And they’re here today to shed some more light on the topic. Karen, Marc, welcome to the podcast!

Tim Sadler: To kick things off, let’s discuss that Wall Street Journal article, in which you essentially concluded that fear and scaremongering just don’t work when it comes to encouraging people to practice safer cybersecurity behaviors. So why is this the case?

Dr Marc Dupuis: Well, I think one of the interesting things if we look at the use of fear, fear is an emotion. And emotions are inherently short-term type of effects. So in some research that I did, about eight years ago, one thing I looked at was trait affect – which is a generally stable, lifelong type of affect. And I tried to understand how it relates to how individuals, whether in an organizational setting or home setting, how they perceive a threat, that cybersecurity threat, as well as their belief in being able to take protective measures to try and address that threat.

And one of the interesting things from that research was how important the role of self-efficacy was, but more, perhaps more importantly, the relationship between trait positive affect and self-efficacy. And so trait positive affect is generally feelings of happiness and positivity in one aspect. And so what this gets at is, the higher levels of positivity we have with respect to trait affect, the more confident we feel in being able to take protective measures.

So how this relates to fear is, if we need people to take protective measures, and we know that their self-efficacy, their level of confidence, is related to positive affect, why then are we continually going down the road of using fear – a short term emotion – to try and engender behavioral change? And so that was a, you know, interesting conversation that Karen and I had, and then we started thinking about, well, let’s take a look at the role of fear specifically.

TS: Karen, what would you add to that?

Dr Karen Renaud: Well, you know, I had seen Marc’s background, and I’d always wanted to look at fear because I don’t like to be scared into doing things, personally. And I suspect I’m not unusual in that. And when we started to look at the literature, we just confirmed that businesses were trying to use a short-term measure to solve a long-term problem.

TS: Yeah. And so yeah, I was gonna say, why do you think that is? And you know, it almost seems using fear is just such a sort of default approach in so many things, you know, when we think about how, I’m thinking about how people sell insurance, and you know, it’s the fear, to try and drive people to believe that, hey, your home’s gonna get burgled tomorrow, you better get insurance so you can protect against the bad thing happening. And why do you think companies actually just go to fear as this almost carrot to get people to do what they’re supposed to do?

KR: It feels to me as if the thing that intuitively you think will work often doesn’t work. So you know, the nasty pictures they put on the side of cigarette packets actually are not very effective in stopping heavy smokers. So, whereas somebody who doesn’t smoke thinks, oh my gosh, this is definitely going to scare people, and we’re going to get behavioral change, it actually doesn’t work. So sometimes intuition is just wrong.

I think in this case, it’s a case of not really doing the research the way we did to say, actually, this is probably not effective, but going well, intuitively, this is going to work. You know, they used to, when I was at school, they used to call up kids to get them to study. Now, we know that that was really a bad thing to do. The children don’t learn when they’re afraid. So we should start taking those lessons from education and applying them in the rest of our lives as well.
TS: Yeah, I think it’s a really good call that it’s almost like we just generally, as society, need to do better at understanding actually how these kinds of fear appeals work and engage with people. And, then, maybe if we just go a layer deeper into this concept of fear tactics. You know, are people becoming immune to fear tactics? 2020 was a really bad year, a lot of people faced heightened levels of stress and anxiety as a result of the pandemic and all of that change. Do you think that this is playing a part in why fear appeals don’t work?

KR: Well, yeah, I think you’re right. The literature tells us that when people are targeted by a fear appeal, they can respond in one of two ways. They can either engage in a danger control response, which is kind of what the designer of the fear appeals recommends they do. For example, if you don’t make backups, you can lose all your photos if you get attacked. So, the person engaging in a danger control response will make the backup – they’ll do as they’re told. But they might also engage in a fear control response, which is the other option people can take. In this case, they don’t like the feeling of fear. And so they act to stop feeling it. They attack the fear, rather than the danger. They might go into denial or get angry with you. The upshot is they will not take the recommended action. So if cybersecurity is all you have to worry about, you might say, “Okay, I’m going to engage in that danger control response.”

But we have so many fear appeals to deal with anyway. And this year, it’s been over the top. So if you add fear appeals to that folks will just say, “I can’t be doing with this. I’m not going to take this on board.” So I think you’re absolutely right. And people are fearful about other things, as well as just COVID. And so you know, adding the layer to that. But what we also thought about was how ethical it actually is to add to people’s existing levels of anxiety and fear…
TS: And do you think that this, sort of, compounds? Do you think there’s a correlation between if people are already feeling naturally kind of anxious, stressed about a bunch of other stuff that actually adding one more thing to feel scared about is even less likely to have the intended results on changing their behavior?

MD: Yeah, I mean, I think so. I think it just burns people out. And you kind of get this repeated messaging. You know, one thing I think about, just because we in the States just got through this whole election cycle, and maybe we’re still in this election cycle, but where all these political ads are using fear time and time and time again. And especially with political ads. But I think, in general, people do start to tune out and they want to. They just want to be done with it. And so it’s one of these things that, I think, just loses its efficacy, and people just kind of have had enough. I have a three and a half year old son. And you know, my daughter was very good at listening to us when we said, “This is dangerous, don’t do this.” But my son, I’m like, I’m like, “Don’t get up there. You’re gonna crack your head open, and don’t do this.” And he ignores me, first of all, and then he does it anyway. And he doesn’t crack his head open. And he says, “See, Daddy, I didn’t crack my head open.” And I’m like, no. But it gets to another point; if we scare people and we try to get them scared enough to do something. But when they don’t do it and if nothing bad happens, it only reinforces the idea that “Oh, it can’t be this bad anyway.”

KR: Yeah, you’re right. Because of the cause and the effects. If you divulge your email address or your password somewhere, and the attack is so far apart, a lot of the time you don’t make that connection even. But it’s really interesting. If you look way back during the Second World War, Germany decided to bomb the daylights out of London.
And the idea was to make the Londoners so afraid that the British would capitulate. But what happened was a really odd thing. They became more defiant. And so we need to get a look back at that sort of thing. And somebody called McCurdy who wrote a book about this — she said people got tired and afraid of being afraid. And so they just said, “No, I don’t care how many bombs you’re throwing on us. We’re just not going to be afraid.” Now, one day if people are having so many fear appeals thrown at them, they’re losing their efficacy.

TS: A very timely example talking about the Blitz in World War II, as I just finished reading a book about exactly that, which is the resilience of the British people through that particular period of time. And as you say, Karen, I knew very little about this topic, but it absolutely had the unintended consequence of bringing people together. It was like a rallying cry for the country to say, “We’re not going to stand for this, we are going to fight it.” And I guess everything you’re saying is reinforced by the research you conducted as well, which completely makes sense. I’m going to read from some notes here. And in the research paper you surveyed CISOs about their own use of fear appeals in their organization. How Chief Information Security Officers actually engage with their employees, and it said 55% were against using fear appeals, with one saying, fear is known to paralyse normal decision making and reactions. And 36% thought that fear appeals were acceptable, with one saying that fear is an excellent motivator. And not a single CISO ranked scary messages as the most effective technique. What were your thoughts on these findings? Were you surprised by them?
MD: We were, I think, surprised that many were against the use of fear appeals. You look at these individuals that are the chief person responsible for the security, information security of the organization. And here they’re coming out and telling us, yeah, we don’t believe in using fear appeals. And there’s multiple reasons for this one, maybe they don’t believe in the efficacy of it. But I think it’s also because we don’t know how effective it’s going to be, but we do know that it can also damage the employee employer relationship.  And as well as some ethical issues related to it, you start to add up the possible negative ramifications of using fear appeals. And it was interesting, even going back to that example, during World War II, you think about why this was effective in what England was doing. It’s because they were in this together, they have this sense of this communal response of, you know. We’re sick of being scared, we’re in this together, we’re gonna fight in this together, and I think maybe CISOs are starting to see that, to try and help make the employee/employer relationship more positive and empower their employees rather than trying to scare them and hurt that relationship. TS: And there was one really interesting finding, which was that you found the longest serving CISOs – i.e. those with more experience – were more likely to approve the use of cybersecurity fear appeals. Why do you think that is? Is fear, maybe kind of an old school way of thinking about cybersecurity?  KR: I think as a CISO, it’s really difficult to stay up to date with the latest research, the latest way of thinking. They spend a lot of time keeping their finger on the pulse of cyber threat models, the compromises hackers are coming with. But if you go and look at the research, the attitudes towards users are slowly changing. And maybe the people who approve of fear appeals aren’t that aware of that. 
Or it might be they just become so exasperated by the behavior of their employees over the years that they just don’t have the appetite for slower behavioral change mechanisms. You know, and I understand that exasperation. But I was really quite heartened to see that the others said no, this is not working – especially the younger ones. So you feel that cultural change is happening. TS: One thing I was gonna ask was, there’s this interesting concept of, you know, the CISOs themselves, and whether they use fear appeals in their organization. Do you think that’s somewhat a function of how fear appeals are used to them, if that makes sense? Like they have a board that they’re reporting to, they have a boss, they have stakeholders that they’ve got to deliver results for – namely, keep the organization secure, keep our data secure, keep our people secure. Do you think there’s a relationship between how fear appeals are used to them in terms of how they use that then to others in their organization? MD: I think that’s an interesting question. I mean, I think that’s always possible. And I, you know, I think a lot of times people default to what they know and what they’re comfortable with, and what they’ve experienced and so on. And maybe that’s why we see some of the CISOs that have been in that role longer to default to that. And, you know, some of them might be organizational structural as well. Like I said, if they are constantly being bombarded with fear appeals by those that they report to, then, maybe they are more likely to engage in fear appeals. That question is a little unclear. But I do think it’s an interesting question because it, again, intuitively it makes sense. I can have a conversation with someone and, you know, if I want to use fear appeals, I don’t have to make a case for them. The case is almost intuitively made in and of itself. 
But trying to do the counter and say, well, maybe fear appeals don’t work, it’s a much bigger leap to try and make that argument than I think to try and say, “Well, yeah, let’s scare someone into doing something, of course, that’s gonna work, right.”
TS: I think it’s an interesting point. I think it’s just really important that we also remember, certainly in the context of using fear appeals, that there is a role beyond the CISO, as well. And it’s the role the board plays, it’s the culture of the organization, and how you set those individuals up for success. Like, on one hand as a CISO, the sky is always falling. There is always some piece of bad news or something that’s going wrong, or something you’re defending. And I think it’s again, maybe there’s something in that for thinking about how organizations can kind of empower CISOs, so that they can then go on to empower their people. And so shifting gears slightly, we’ve spoken a lot about why fear appeals are maybe not a good idea, and how they are limited in their effectiveness. But what is the alternative? What advice would you give to the listeners on this podcast about how they can improve employee cybersecurity behavior through other means, especially as so many are now working remotely?

KR: Well, going back to what Mark was saying, we think the key really is self-efficacy. You’ve got to build confidence in people, and without making them afraid. A lot of the cybersecurity training that you get in organizations is a two-hour session that brings everyone into a room and we talk with them. Or maybe people are required to do this online. This is not self-efficacy. This is awareness. And there’s a big difference. So the thing is, you can’t deliver cybersecurity knowledge and self-efficacy like a COVID vaccination. It’s a long-term process and employers really have to engage with the fact that it is a long-term process, and just keep building people’s confidence and so on. What you said earlier about the whole community effect, up to now cybersecurity has been a solo game. And it’s not a tennis solo game, right. It’s a team sport. And we need to get all the people in the organization helping each other to spot phishing messages or whatever. But you know, make it a community sport, number one. And everybody supports each other in building that level of self-efficacy that we all need.

TS: I love that. And, yeah, I think we said it earlier. But you know, just this concept of teamwork, and coming together, I think is so, so important. Mark, would you add anything to that in terms of just these alternative means to fear appeals that leaders and CISOs can think about using with their employees?

MD: Yeah, I mean, it’s not gonna be one size fits all. But I think whatever approach we use, as Karen said, we really do need to tap into that self-efficacy. And by doing that, people are going to feel confident and empowered to be able to take action. And we need to think about how people are motivated to take action, you know. So fear is scaring them personally, about consequences they may face like termination or fines or something else. But if you start thinking about developing this and, as I mentioned before, this being in-this-together, this is developing an intrinsic motivation that “I’m not doing this, because I’m fearful of the consequences”, so much. It’s more “I’m doing this because, you know, we’re all in this together.” We want to make this better for everyone. We want to have a good company, we want to be able to help each other. And we want people to take the actions that are necessary to make sure that we are secure, and we’re here to be able to talk about it.

TS: Yeah, it’s exactly what both of you are saying that if somebody feels that they can’t, if they don’t have that self-efficacy, they’re not going to raise things, they’re not going to bring it forward. And ultimately, that’s when disasters happen, and things can go really bad. And then, I love the idea of, you know, it makes complete sense that if you are striking fear into the hearts of people, it’s not necessarily going to have the desired outcome 100% of the time, but isn’t a little bit of fear needed? I mean, when I say this, of course, it has to be used ethically. But when I’m thinking about just the nature of what organizations are facing today, and we’ve just heard about the SolarWinds hack, and there are a number of others as well. These things are pretty scary, and the techniques that are being used are pretty scary. So isn’t a little bit of fear required here? And is there any merit to using that to make people understand the severity and the consequences of what’s at stake?

MD: Yeah, I think there’s a difference between fear and providing people with information that might inherently have scary components to it. And, so what I mean by that is, when people are often using fear appeals, they’re doing it to scare people into complying with some specific goal. But instead we should provide information to people – which we should, we should let people know that there are some possible things that can happen or some possible consequences – but not with the goal of scaring them, but more with the goal of empowering them by giving them information. They, again, tap into that self-efficacy, more so than anything else, because then they know that there’s some kind of threat out here. They’re not scared, but they know there’s a threat. And if they feel empowered through knowledge, and through that self-efficacy, then they’re more likely to take that action, as opposed to designing a message that’s just designed to scare them into compliance.
TS: From your experience, can either of you think of any really good examples of how companies or any campaigns that have maybe built this kind of self-efficacy or empowered people without having to use fear as the motivating factor?

KR: And I think I mentioned one of them in the paper. So there’s an organization that I’m familiar with and they had a major problem with phishing. They appointed one person and if anybody had a suspicious message, they say “you were quite right to report this to me, thank you so much for being part of the security perimeter of this organization. But the email looks fine, you can click.” Over time, this has actually built up efficacy. They don’t have phishing problems anymore, in that organization, because they have this person. And it’s almost an informal thing he does but he’s building up self-efficacy slowly but surely, across the organization, because nobody ever gets made to feel small by reporting or made to feel humiliated. We’re all participating. We’re all part of this, and that is the best example I’ve seen of actually how this has worked.

TS: Yeah, I really like that. It’s like, when people do risk audits, they will say that the time the alarm should sound is when there’s nothing on the risk register. When the risk registers may be getting 510 entries every single week, you know, that people actually do have that confidence to come forward. And also they’re paying attention, right? They’re actually aware of these things. And where I want to go next is to talk about this is a side of things in the cybersecurity vendor world. You know, many companies that are trying to provide solutions to organizations do rely quite heavily on this concept of fear, uncertainty and doubt. It’s even got its own acronym right? FUD. And, essentially, FUD is used so heavily. As the saying goes “bad news sells” – we see scary headlines, the massive data breaches dominate the media landscape. So I think it’s fair to say eliminating fraud is going to be tough. And there is a lot of work to do here. In your opinion, who is responsible for changing the narrative? And what advice would you give to them for how they can start doing this?

MD: I think it definitely, you know, starts in things such as having these conversations and trying to, I guess, place a little uncertainty or doubt into those decision makers and CISOs about how effective fear is. It’s kind of flipping the script a little bit. And maybe part of it is we need a new acronym, to say, well give this a try, or this is why we think this is going to work, or this is what the research shows. And this is what your peer organizations are doing, and they find it very effective. Their employees feel more empowered. So, I think a lot of it is just beginning with those conversations and trying to flip the script a little bit to start to help CISOs know. Well, you know, it’s always easy to criticize something, but then the bigger question is, okay, if we’re taking the use of fear and its effectiveness for granted, then what are we going to replace it with? And a lot of it, we know that self-efficacy is the major player there but what’s that going to look like? And I think Karen gave a great example looking at what an organization is doing, which is improving levels of self-efficacy. It’s creating that spirit of we’re all in this together and it’s less about a formalised punitive type of system. And so looking at ways to tap into that and for one organization, it might be you have a slightly different approach, but I think the concepts and stuff will be the same.
TS: Again, it ties in a really important point, which is just more understanding is needed, I think, by the lay person, or the people that are putting this out. And then I think, Marc, to your point just about this being collective responsibility. I mean, I see it as a great opportunity as well, because I think everyone would welcome some more positivity and optimism, right? And if we can actually bring that to the security community, which is, you know, generally a fearful community, focusing on defense and threat actors. The language, the aesthetic, everything is generally negative, fearful, scary. I think there’s a great opportunity here, which is that, you know, it doesn’t have to be that way and that we can come together. And we can have a much more positive dialogue and a much more positive response around it. There was something that I wanted to touch on. Karen, you speak about, in your research, this concept of “Cybersecurity Differently.” And you explain, and I’m going to quote you verbatim here – “It’s so important that we change mindsets from the human-as-a-problem to human-as-solution in order to improve cybersecurity across the sociotechnical system.” What do you mean by that? And what are the core principles of Cybersecurity Differently?

KR: When you treat your users as a problem, right, then that informs the way you manage them. And, so, then what you see in a lot of organizations because they see their employees’ behaviors as a problem. They’ll train them, they’ll constrain them, and then they’ll blame them when things go wrong. So that’s the paradigm. But what you’re actually doing is excluding them from being part of the solution. So, it creates the very problem you’re trying to solve. What you want is for everyone to feel that they’re part of the security defense of the organization. I did this research with Marina Timmerman, from the University of Darmstadt, Technical University Darmstadt. And so the principles are: One we’ve been speaking about a lot: encourage collaboration and communication between colleagues, so that people can support each other. We want to encourage everyone to learn. It should be a lifelong learning thing, not just something that IT departments have to worry about. It isn’t solo, as I’ve said before, you have to build resilience as well as resistance. So currently, a lot of the effort is on resisting anything that somebody could do wrong. But you don’t then have a way of bouncing back when things do go wrong, because all the focus is on sort of resistance. And, you know, a lot of the time we treat security awareness training and policies like a one-size-fits-all. But that doesn’t refer to people’s expertise. It doesn’t go to the people and say, “Okay, here’s what we’re proposing, is this going to be possible for you to do these things in a secure way?” And if not, how can we support you to make what you’re doing more secure. Then, you know, people make mistakes. Everyone focuses on if a phishing message comes to an organization, people focus on the people who fell for it. But there were many, many more people who didn’t fall for it. And so what we need to do is examine the successes, what can we learn from the people? Why did they spot that phishing message so that we can encourage that in the people who did happen to make mistakes? I didn’t get these ideas just out of the air. I got them from some very insightful people. One of them was Sidney Dekker, who has applied this paradigm in the safety field. What’s interesting was that he got Woolworths in Australia to allow him to apply the paradigm in some of their stores. They previously had all these signs up all over the store – “Don’t leave a mess here” and “Don’t do this” – and they had weekly training on safety. He said, right, we’re taking all the signs out. Instead, what we’re gonna do is just say, you have one job, don’t let anyone get hurt. And the stores that applied the job got the safety prize for Woolworths that next year. So, you know, just the idea that everyone realized it was their responsibility. And it wasn’t all about fear, you know, rules and that sort of thing. So I thought if he could do this in safety, where people actually get harmed for life or killed, surely we can do this in cyber?! And then I found a guy who ran a nuclear submarine in the United States. His name is David Marquet. He applied the same thing in his nuclear submarine which you would also think, oh, my goodness, a nuclear submarine. There’s so much potential for really bad things to happen! But he applied the same sort of paradigm shift – and it worked! He won the prize for the best run nuclear submarine in the US Navy. So it’s about being brave enough to go actually, you know, what we’re doing is not working, and every year it’s not working. Maybe it’s time to think well, can we do something different? But like you said, Marc, we need a brave organization to say, okay, we’re gonna try this. And we haven’t managed to find one yet. But we will, we will!

TS: And that’s one of the things I wanted to close out on. I spoke to you at the beginning of this podcast is how much I love the article in the Wall Street Journal, but also just the mission that both of you are on – to improve, what I see really is the relationship between people and the cybersecurity function. And my question to you is, again, touches on that concept of how much progress have we actually made? And then, to close, how optimistic are you that we can actually flip the script and stop using fear appeals?

MD: Yeah, I feel like we’ve made a lot of progress, but not nearly enough. So, you know, there’s, and part of the challenge, too, is, none of this stuff is static, right? All this stuff is constantly changing; the cybersecurity threats out there change, we’re talking, so much, about phishing today, and social engineering is going to be something different next year. And so it’s always this idea of playing catch-up. But also, you know, having the fortitude to take that step out there to take that leap of faith that maybe we can do something else besides using fear.
MD: I think I am optimistic that it can be done. We can make a lot of progress. For it to actually be done to, you know, 100%… I don’t know that we’ll ever get to that point. But I feel like we can make a lot of progress. And looking at part of this is recognizing the fact that – you’re mentioning the socio-technical side of this – this isn’t just a technical problem, right? And a lot of times the people we throw into cybersecurity positions have this very strong technical background but they’re not bringing in other disciplines. Perhaps from the arts, from literature, from the humanities, and from design, we can bring new considerations to try and look at this as a very holistic multidisciplinary problem. If the problem is like that, well, then solutions definitely have to be as well. We have to acknowledge that and start trying to get creative with the solutions. And we need those brave organizations to try these different approaches. I think they’ll be pleased with the results because they’re probably spending a lot of time and money right now, to try and make the organization more secure. They’re telling their bosses, the CISOs are telling their bosses, well, this is what we’re doing. We’re scaring them. But the results don’t always speak for themselves.

TS: And, Karen, what would you add to that?

KR: Well, I just totally concur with everything Mark said, I think he’s rounded this off very nicely. I ran a study recently – it was a really unusual study – where we put old fashioned typewriters in coffee shops and all over, and we put pieces of paper in. We just typed something along the top that said, “When I think about cybersecurity, I feel…” and we got unbelievable stuff back from people going: “I don’t understand it, I’m uncertain.” Lots and lots of negative responses – so there’s a lot of negative emotion around cyber. And that’s not good for cybersecurity. So I’d really like to see something different. And, you know, the old saying: if you keep doing the same thing without getting results, there’s something wrong. We see it’s not working, this might be the best way of changing and making it work.

TS: I completely agree. I completely agree. Thank you both so much for that great discussion. I really enjoyed getting deeper as well, and hearing your thoughts on all of this. As you say, I think it’s a win-win scenario on so many counts. More positivity means better outcomes for employees. And I think it means better outcomes for the security function.

If you enjoyed our show, please rate and review it on Apple, Spotify, Google or wherever you get your podcasts. And remember you can access all the RE: Human Layer Security podcasts here.
Integrated Cloud Email Security, Podcast
6 Cybersecurity Podcasts to Listen to Now
Tuesday, January 19th, 2021
If you’re interested in cybersecurity, this list of the best cyber security podcasts is for you. We’ve collated six of the best cyber security podcasts in the world — where engaging hosts provide breaking news, intelligent analysis, and inspiring interviews.

The Best Cyber Security Podcasts

The CyberWire Daily
Launched: December 2015
Average episode length: 25 minutes
Release cycle: Daily

As one of the most prolific and productive cybersecurity news networks, CyberWire has access to world-class guests, top research, and breaking news. The CyberWire Daily brings listeners news briefings and a great variety of in-depth cybersecurity content. The CyberWire Daily showcases episodes from across CyberWire’s podcast catalog, including Career Notes, in which security leaders discuss their life and work; Research Saturday, where cybersecurity researchers talk about key emerging threats; and Hacking Humans, which focuses on social engineering.

Here are some great recent episodes:
- Deep Instinct’s Shimon Oren talks about his research on the worrying re-emergence of the Emotet malware
- Craig Williams, head of outreach at Cisco’s Talos Unit, discusses the perils of malicious online ads (malvertising)
- Ann Johnson, Microsoft’s Corporate VP Cybersecurity Business Development, discusses her career journey — from lawyer to cybersecurity executive

Unsupervised Learning
Launched: January 2015
Average episode length: 25 minutes
Release cycle: Weekly

Originally called “Take 1 Security,” Daniel Miessler’s Unsupervised Learning podcast is an insightful look at long-running themes and emerging issues in cybersecurity. Miessler has provided thoughtful written commentary on cybersecurity for over two decades. His podcast’s format varies: most weeks involve a run-down of the week’s cybersecurity headlines, but some episodes feature an essay, interview, or a book review.

Some standout episodes over the past year have included:
- An analysis of Verizon’s all-important annual data breach report
- An interview with General Earl Matthews on election security
- A spoken essay about how the US should address its ransomware problem

WIRED Security
Launched: November 2020
Average episode length: 8 minutes
Release cycle: Every weekday

WIRED Security is part of WIRED’s “Spoken Edition” range of podcasts, and it’s a little different from the other podcasts on our list. Each episode features a reading of a recently-published WIRED article about cybersecurity. We love this podcast because it’s short and snappy (episodes generally range from 4 to 12 minutes long), released daily, and provides free access to WIRED’s incredible in-depth journalism.

Some great episodes from the past few months include:
- A recap of 2020’s worst hacks (there were many to choose from)
- An analysis of the critical — and possibly permanent — security flaws among Internet of Things devices
- A look at how Russia could be exploiting poor cybersecurity practices among remote workers

RE: Human Layer Security
Launched: December 2020
Average episode length: 22 minutes
Release cycle: Weekly

RE: Human Layer Security is an exciting new podcast hosted by Tessian CEO Tim Sadler. Sadler talks to business and technology leaders about their experiences running and securing some of the world’s leading organizations. The show flips the script on cybersecurity and addresses the human factor. Join world-class business and technology leaders as they discuss how and why companies must protect people – not just machines and data – to stop threats and empower employees.

Guests have included:
- Howard Schultz, Starbucks former CEO, on why culture trumps strategy when building and protecting a business
- Stephane Kasriel, Upwork former CEO, on how companies can embrace remote working
- Tim Fitzgerald, CISO at ARM, on why security should serve people’s interests and empower employees to take care of themselves

New episodes launch every Wednesday. Don’t miss out!

Security Now
Launched: August 2005
Average episode length: 2 hours
Release cycle: Weekly

Security Now is the oldest podcast on our list, but it has truly stood the test of time. Now entering its 16th year, the podcast still has a vast listener base — and continues to provide timely and insightful analysis on important cybersecurity topics. Every Monday, Security Now provides a detailed breakdown of all (and we mean all) the week’s security and privacy headlines. If you’re ever feeling out of the loop, spending a couple of hours listening to hosts Steve Gibson and Leo Laporte will bring you back up to date.

Recent discussions on Security Now have included:
- How SolarWinds shareholders are launching a class-action lawsuit following the company’s disastrous hack
- Why WhatsApp users are flocking to Signal following a privacy policy update
- How swatters are using IoT devices to misdirect emergency services teams

The Many Hats Club
Launched: November 2017
Average episode length: 45 minutes
Release cycle: Sporadic

The Many Hats Club is a coalition of people from across the information security community, including coders, engineers, and hackers — whether blackhat, whitehat, or greyhat. The Many Hats Club podcast is a great way to get to know the next generation of infosec professionals. Host CyberSecStu interviews a great range of guests about a broad range of topics, including hacking, privacy, and cybersecurity culture.

Recent highlights include:
- A conversation about DDoS mitigation and mental health with security researcher Notdan
- A discussion about women in infosec with cybersecurity commentator Becky Pinkard
- A strictly NSFW interview with the controversial McAfee founder John McAfee

Our Roundup

What’s your favorite cybersecurity podcast? Let us know by tagging us on social media! And, if it’s RE: Human Layer Security, make sure you follow it on Spotify or subscribe on Apple Podcasts so you never miss an episode.
Podcast, Integrated Cloud Email Security
Episode 3: Security For The People, Not To The People, With Tim Fitzgerald
by Tessian Wednesday, January 6th, 2021
In this episode of the RE: Human Layer Security podcast, Tim Sadler is joined by Tim Fitzgerald, the chief information security officer at ARM and former chief security officer at Symantec.  Now, Tim believes that people are inherently good. And to think of employees as the weakest link when it comes to cybersecurity is undeserving. Tim thinks employees just want to do a good job. Sometimes mistakes happen, which can compromise security. But rather than blaming them, Tim urges leaders to first ask themselves, whether they’ve given their people the right tools, and they’ve armed them with the right information to help them avoid these mistakes in the first place. In this interview, we talked about the importance of changing behaviours, how businesses can make security part of everybody’s job, and how to get boards on board.  And if you want to hear more Human Layer Security insights, all podcast episodes can be found here.  Tim Sadler: As the CISO of ARM, then what are some of the biggest challenges that you face? And how does that affect the way you think about your security strategy?  Tim Fitzgerald: I guess our challenges are, you know, not to be trite, but they’re sort of opportunities as well. That by far, the biggest single challenge we have is ARM’s ethos around information sharing. As I noted, we have a belief, that I think it has proven out to be true over the 30+ years that ARM has been in business, that the level of information sharing has allowed ARM to be extraordinarily successful and innovative.  So there’s no backing up from that as an ethos of the company. But that represents a huge amount of challenge because we give a tremendous amount of personal freedom for how people can access our information and our systems, as well as how they use our data to share both internally with our peers, but also with our customers who we’re very deeply embedded with, you know. 
We don’t sell a traditional product where we, you know, they buy it, we deliver it to them, and then we’re done. The vast majority of our customers spend years with us developing their own product based on our intellectual property. And so that the level of information sharing that happens in a relationship like that is, is quite difficult to manage, to be candid. TS: Yeah, it really sounds like you’ve been balancing or having to think about not just the effectiveness of your security strategy or your systems but also that impact to the productivity of employees. So has Human Layer Security been part of your strategy for a long time at ARM or even in your career before ARM? TF: In my career before ARM, at Symantec. Symantec was a very different company, you know, more of a traditional software sales company. It also had 25,000 people who thought they knew more about security than I did. So that presented a unique challenge in terms of how we work with that community, but even at Symantec, I was thinking quite hard about how we influence behaviour.  And ultimately, what it comes down to, for me is that I view my job and human security as somewhere between a sociology and a marketing experiment, right? We’re really trying to change people’s behaviour in a moment, not universally and not their personal ethos. But will they make the right decision in this moment, to do something that won’t create security risk for us?  You know, I sort of label that sort of micro transactions. We get these small moments in time, where we have an opportunity to interact with and influence behaviour. And I’ve been sort of evolving that strategy as I thought about it at ARM. It’s a very different place in many respects, but trying to think about, not just how we influence their behaviour in that moment in time, but actually, can we change their ethos? Can we make responsible security decision-making part of everybody’s job? 
And I know that there’s not a single security person who will say they’re not trying to do that, right. But actually, that turns out to be a very, very hard problem.  The way that we think about this at ARM is that we have, you know, a centralized security team and I guess, ultimately, security is my responsibility at ARM. But we very much rely on what we consider to be our extended employee, or extended security team, which is all of our employees. Essentially, our view is that they can undo all of the good that we do behind them. But I think one of the things that’s unique about how we look at this at ARM is, you know, we very much take the view that people aren’t the weakest link. That they don’t come with good intent, or they don’t want to be good at their job or that they’re going to take shortcuts just to, you know, get that extra moment of productivity, but actually that everybody wants to do a good job. And our job is to arm them with both the knowledge and the tools to be able to keep themselves secure rather than trying to secure around them.
And, just to finish that thought, we do both, right? I mean, we’re not going to stop doing all the other stuff we do to kind of help protect our people in ways that they don’t even know exist. But the idea for us, here, is actually that we have rare opportunities to empower employees to take care of themselves. One of the things we really like about Tessian is that this is something we’ve done for our employees, not to our employees. It’s a tool that is meant to keep them out of trouble.

TS: Yeah, I think that’s a really, really good point. You know, I think a lot of what you’re talking about here is really security culture, and establishing a great security culture as a company. And I love that: for employees rather than to employees. I mean, it sounds like this really, you know, you have to, at the core of the organization, be thinking about the concept of human error in the right way when thinking about security decision making. And I guess, thinking that people are always going to make mistakes. And as you said, it’s just because they, you know, they are people. Maybe walk us through a bit more about how you think, or what advice you might have for some of the other organizations that are on the line today, about how they might talk to, you know, their boards or their other teams about rationalising this risk internally and working with the fact that our employees are only human.

TF: Yeah, for me, this has been the most productive dialogue we’ve had with our board and our executives around security. I think most of you on the phone will recognise that when you go in and you start talking about the various technical layers that we have, that are available to protect our system, the eyes glaze over pretty quickly. And they really just want to know whether or not it works. The human security problem is one that you can get a lot of passion on. In part, because, I think, it’s an unrecognized risk in the boardroom.
That while the insider – meaning sort of a traditional insider threat that we think about which is a person who’s really acting against our best interest – can be very, very impactful. At least at ARM, and certainly in my prior career, the vast majority of issues that we have, and that have caused us harm over the last several years have been caused by people who do not wish us harm. 
They’ve been people just trying to do their job, and making mistakes or doing the wrong thing, making a bad decision at a moment in time. And trying to figure out how we help them not to do that is a much more difficult problem than trying to figure out how to put in a firewall or putting in DLP. So we really try to separate that conversation. There are a lot of things we do to try and catch that person who is truly acting against our best interest, but that actually, in many ways, is a totally different problem. At ARM, what accounts for more than 70% of our incidents, and certainly more than 90% of our loss scenarios, is people just doing the wrong thing. And making the wrong decision, not that they were actively seeking to cause ARM harm. If I might just give a couple of examples, because it helps bring it home. The two most impactful events that we’ve had in the last two years at ARM: one was somebody in royalties – you know, we sell software, right? So every time somebody produces a chip, we get paid. So that’s a good thing for ARM. But having somebody’s royalty forecast gives you a really good sense of what markets they intend to enter and where they intend to go as a company. And most of our customers compete with each other because they’re all selling similar chips, software design into various formats. So having one customer having somebody else’s data would be hugely impactful. And in fact, that’s exactly what we did not that long ago. Somebody pulled down some pertinent information for a customer into a spreadsheet, and then fat-fingered an email and sent it to the wrong customer. Right, they sent it to Joan at Customer X instead of Joan at Customer Y. And that turned out to be a hugely impactful event for us as a company, because this is a major relationship and we essentially disclosed a strategic roadmap from one customer to another. A completely avoidable scenario.
And it is a situation where that employee was trying to do their best for their customer and ultimately made a mistake.

TS: Thanks for sharing that example with us. I think it’s a really, really good point. And I think for a long time in security, we were talking about insider threats, and people immediately think about malicious employees and malicious insiders. And I think it’s absolutely true what you say that, the reality is that most of your employees are, you know, trustworthy and want to do the right thing. But they sometimes make mistakes. And when you’re doing something as often as, say, sending an email or sharing data, the errors can be disastrous, and they can be frequent as well…

TF: …it’s the frequency that really gets us, right? So insider threat – the really bad guy who’s acting against our best interest. We have a whole bunch of other mechanisms that, while still hard, we have some other mechanisms to try and find them. That’s an infrequent, high impact. What we’re finding is that the person who makes a mistake is high frequency, medium to high impact. And so we’re just getting hammered on that kind of stuff. And the reason we came to Tessian in the first place was to address that exact issue. And I really believe in where you guys are going in terms of trying to address the risk associated with people making bad choices versus acting against our interest.

TS: This concept of high frequency, I think, is super interesting. And one of the questions I was actually going to ask you was around that. Hackers and cyber attacks get all the attention because these are the scary things. And naturally, it’s what, you know, boards want to talk about, and executives want to talk about. Accidents almost seem less scary. So they get less focus. But this frequency point of how often we share data. We send emails, and it’s, you know, it has analogies in other parts of our lives as well with like, we don’t think twice before we get in a car.
But actually, you know, it’s very easy to have human error there. Things can also be really bad. Do you think we need to do more to educate our, again, our boards, our executive teams and our employees to actually sort of open their eyes to the fact that inadvertent human error or accidents can be just as damaging as attackers or cyber attacks?

TF: Yeah, it depends on the organization. But I would suggest that generally, we do need to do more. We, as an industry, we’ve had a lot of amazing things to talk about to get our board’s attention over the last 10 years. These major events, and loss scenarios, often perpetrated by big hacking groups, sometimes nation-sponsored, are very sexy to talk about, and we use that as justification for the reason we need to invest in security. And actually, there’s a lot of legitimacy behind that. Right. It’s not that that’s fake messaging. It’s just part of the narrative. The other side of the narrative is what, you know, we spend more time on now than we do on nation-state type threats. Because what we’re finding is not only by frequency, but by impact right now, the vast majority of what we’re dealing with is avoidable events, based on human error, and perhaps predictable human error. I very much chafe at the idea that we think of our employees as the weakest link, right? I think it sort of underserves people’s intent and how they choose to operate. So rather than that, we try to take a look in the mirror and say, what are we not providing these people in order to help them avoid these types of scenarios? And I think if you change your perspective on that, rather than see people as an intractable problem, and therefore we can’t, you know, we can’t conquer this. If we start thinking about how we mobilise them as part of our overall cybersecurity strategy and defense mechanisms, it causes you to rethink whether or not you’re serving your populace correctly.
And I think in general, not only should we be talking to our senior executives and boards more clearly about where real risk exists, which for most companies is right in this zone. But we need to be doing more to help those people combat it rather than casting blame or thinking that the average employee is not trustworthy, or will do the wrong thing. You know, I’m an optimist. So I genuinely believe that’s not true. I think if we give people the opportunity to make a good decision, and we make the easiest path to get their job done the secure path, they will take it. That is our job as security professionals.
TS: Yeah, I think the huge point there – and, you know, the word that was jumping out for me – is this concept of empowerment. And I think it is strange sometimes when you look at a lot of security initiatives that companies deploy, and how we almost don’t factor in that concept of the impact it will have on an employee’s productivity. And I guess at Tessian, we’re great believers that, you know, the greatest technology we’ve created has really empowered society. So it’s made people’s lives better. And we think that security technology should not only keep people safe, but it should do it in a way that empowers them to do their best work. When you were sort of thinking about how to solve this problem of inadvertent human error on email – people sending emails to the wrong people, or dealing with the issue of phishing and spear phishing – what consideration did you have for other solutions that were out there? You know, what did Tessian address for you that you couldn’t quite address with those other platforms?

TF: Yeah, a couple things. So coming from Symantec, as you might expect, I used all of their technology extensively, and one of the best products Symantec offers is their DLP solution. So I’m very, very familiar with that. And I would argue we had one of the more advanced installations in the world running internally at Symantec. So I’m extremely familiar with the capability of those technologies. I think what I learned in my time doing that is, when used correctly in a finite environment, a finite data set, that type of solution would be very, very effective in keeping that data where it’s supposed to be and understanding movement in that ecosystem. When you try and deploy that broadly, it has all the same problems as everything else does: you start to run into the inability of the DLP system to understand where that data is supposed to be. Is this person supposed to have it based on their role and their function? It’s not a smart technology like that.
So you end up trying to write these very, very complex rules that are hard to manage. What I liked about Tessian is that it gave us an opportunity to use the machine learning in the background, to try and develop context about whether or not something that somebody was doing was either atypical, or perhaps just by its very nature – and maybe it’s not atypical, maybe it’s actually part of a bad process – but by the very nature of the type of information they’re sending around and the characteristics of information, we can get a sense of whether or not what they’re doing is causing us a risk. So it doesn’t require recipes that are completely prescriptive about what we’re looking for. It allows us to learn with the technology and with the people on what normal patterns of behaviour look like, and therefore intervene when it matters, and not sort of having to react every time another bell goes off. To be clear, we still use DLP in very limited circumstances. But what we found is that was not really a viable option for us, particularly in the email stream, to be able to accurately identify when people were doing things that were risky, versus, you know, moving a very specific data set that we didn’t want them to.

TS: Yeah, that makes a tonne of sense. And then if you’re thinking about the future, and sort of, you know, what you hope Tessian can actually become, you know, where does it go from here? What’s the opportunity for Tessian as a Human Layer Security platform?

TF: Yeah, I recall back to talking to you guys, I guess, last spring, and one of the things I was poking at was, you have all this amazing context of what people are doing in email, and that’s where people spend most of their time. It’s where most of the risk comes from for most organizations. So how can we turn that into something beyond just, you know, making sure someone doesn’t fat-finger an email address, or they’re not sending a sensitive file where it’s not supposed to go?
Or, you know, the other use cases that come along with Tessian? Can we take the context that we’re gaining through how people are using email, and create more of those moments in time to connect with them to become more predictive? Where we start to see patterns of behaviour of individuals that would suggest to us that they are either susceptible to certain types of risk, or, you know, are likely to take a particular action in the future, there’s a tremendous amount of knowledge that can be derived from that context, particularly if you start thinking about how you can put that together with what would traditionally be kind of the behavioural analytics space. Can we start to mesh together what we know about the technology and the machines with real human behaviour and, therefore, have a very good picture that would help us? It would help us not only to find those actual bad guys who were in our environment that we know were there, but also to get out in front of people’s behaviour, rather than reacting to it after it happened. And that, for me, that’s kind of the holy grail of what this could become. If not predictive, at least start leading us towards where we think risk exists, and allowing us an opportunity to intervene before things happen.

TS: That’s great, Tim, thanks so much for sharing that with us.

TS: It was great to understand how Tim has built up his security strategy, so that it aligns with and also enhances the overall ethos of the company. More information sharing equals a more innovative and more successful business. I particularly liked Tim’s point, when he said that businesses should make the path of least resistance the most secure one. And by doing that, you can enable people to make smart security decisions and build a more robust security culture within an organization. As Tim says, it’s security for the people, not to the people. And that’s going to be so important as ways of working change.
If you enjoyed our show, please rate and review it on Apple, Spotify, Google or wherever you get your podcasts. And remember you can access all the RE:Human Security Layer podcasts here.   
Podcast Episode 2: We Just Accelerated The Future By A Decade, With Stephane Kasriel
by Tessian Thursday, December 31st, 2020
Tim Sadler: In this episode, I’m speaking with Stephane Kasriel, the former CEO of Upwork, and a future of work visionary. Now, some companies have been practising remote working for many years. But for others, the Covid-19 pandemic has forced a remote work environment almost overnight. In my research for this discussion, I was amazed to find that last year 44% of companies didn’t allow remote work at all. And globally, only 52% of people worked from home at least once a week. We fast forward now to 2020. And things couldn’t look more different. And as Stephane says, in our upcoming discussion, it’s likely we’ll never go fully back to our old ways of working. Stephane shares his tips on how to build a remote working strategy for the long term, his opinions on what the future holds, and explains why he believes flexible working is a win-win for everyone. And, by the way, you can find all our podcast episodes here.

TS: Stephane, can you tell us a bit more about how distributed working was built into Upwork’s DNA?

Stephane Kasriel: You know, there’s an expression here. So first of all, thank you for having me, Tim, this is fantastic. But really, you know, one of the expressions that people use in the Bay Area is eating your own dog food. And so Upwork is a website and a mobile app that helps people work from home, and helps companies engage with people that work from home. And so we decided from day one that we couldn’t convince our customers to do this if we didn’t do it ourselves. And so Upwork today has about 2000 people. There’s about 300 of them who work in an office, two offices in the Bay Area, one in Chicago, but the vast majority of people are working from home. I think we have people in something like 500 different cities in the world. And some of them have been working with the company for a decade or longer. So this is not just short term gigs for low value work.
A lot of these are core software development, legal services, financial services for the company, just people that are not physically present in the office.

TS: 500 offices, that is a huge achievement to have that kind of scale of remote workforce. What have you actually learned along the way about making remote work a success with your team?

SK: You know, there’s a lot of different learnings. I would say increasingly, people have documented those learnings. So Upwork has an entire website, and it’s been updated for the pandemic. You know, obviously to say the obvious, there’s a lot more people that are working from home right now than ever in the past, many of whom were not prepared for this, and their companies were not prepared for this. So Upwork has published a pretty meaningful set of recommendations. But it’s not the only company that has done it. GitLab has an amazing set of documents, Zapier, Trello – which is part of Atlassian. And there’s probably half a dozen different companies that have done remote at scale, you know, Automattic, the people behind WordPress, or the people behind Basecamp. So I would say like at the very highest level, I would just say treat people the way you want to be treated, right? Like, put yourself in the shoes of one of your people working from home, particularly in a time like today where this is not normal remote work. This is remote work where people may be sick, people may be scared of being sick, they may have people close to them that are sick, they may have children at home, they may have multiple people on Zoom at any point in time and not enough bandwidth to connect. And so I would say rule number one is empathy, realize that this is a tough time for everybody. And leading with care and love is probably one of the best things you can do. The second one – which is probably pretty obvious if you manage people in different time zones – realize that they have different working hours from you.
Switch from a very synchronous model, where everybody’s on Zoom all day long, or everybody’s meeting at the same time, to something that’s more asynchronous – where you do more writing, or you do more things on Loom – which is kind of the offline version of Zoom, if you will. And, you know, I would say that the third thing is just realize that you need to communicate even more when people are distributed than when they’re local. So, you know, repeat yourself, set up meetings when meetings need to be set up, document more than you would otherwise and don’t assume that everybody knows what’s in your head. Because that’s really not true even when they work close to you. But it’s even harder for them to get into your head if they’re remote. And there’s a long, long list beyond that. But I would say those are like the high level ones.
TS: Yeah, and I love that point about leading with empathy. I think it’s so important during this time, and obviously these are… You know, we’re seeing the kind of the key takeaways from years and years of trial and error. What have been some of the lessons learned along the way? And, you know, you’ve outlined some really important practices here for companies who are just getting to grips with this new normal. But it’d be really interesting to understand, you know, what hasn’t worked out in the way that you thought it might have? And what approach would you encourage companies to take so that they can have a continual cycle of learning with how they’re improving their remote work initiative?

SK: I think like, that’s the key, right, is a continuous cycle of learning, like, get feedback on what’s working and what’s not, document the best practices, share them to the organization, especially if you’re a bigger company. There might be part of your organization that’s doing it really well, and other parts of the organization not so much. And sharing best practices is absolutely essential. But you know, I would say, there’s probably two things. One is, learn about time zones, you know, if people are in multiple different countries, work life balance matters, and expecting somebody to be always awake from 2am to 5am, because that’s what you need, unless that’s truly what they were signing up for initially, it’s probably not a good idea. So when we assembled teams within Upwork, we were always cognizant of having people in potentially two different time zones that were compatible with each other, but rarely in three, so for instance, US plus Asia plus Europe, somebody does not sleep. So that’s one component of it. The second one, which actually is what companies are being forced to do right now.
So that’s helpful, is when you’re switching from a very local model to a very distributed model, the easiest way to do it is not to hire a bunch of people from the outside that are working remotely. But instead to allow your current employees, especially the people that are the most tenured, that really know how to get things done. When they give you feedback, you’re going to listen to the feedback, let them work remotely. And by the way, that doesn’t just mean working from home in San Francisco, that means if they choose to relocate to another part of the country, let them do that, in fact, encourage them to do it. We have a relocation package, we actually call it the relocation package, which is, if you’re based in San Francisco, and you want to move to another part of the country, we will actually pay for your moving expenses. It’s hard enough, if you’re not a remote first company, it’s hard enough for your existing employees to work remotely, it’s even harder for new people to come in and work remotely. And so the challenge with a lot of companies is they try to go from one extreme, which is, you know, everybody’s in the same office, to the other where you hire a bunch of new people who know nothing about the company, and don’t know anybody, and have them be successful. And I think the intermediate plan is to take your existing people and allow them to work from home. Check – this is happening right now. Step two is allow your existing people to relocate to another part of the country if they choose to. And, then, step three, start to open up hiring, probably first in places where you have local employees already, because you’re going to have that, you know, face to face connection from time to time, which is really helpful to build a sense of community.

TS: And this leads me on nicely. I think that the relocation package – I like that terminology.
And there are a lot of people who are, I think, rethinking where they have to be based in terms of, you know, their location to actually now work for the companies they do. You describe flexible working as a win-win scenario, I guess, for employees, and also for the employer. Could you maybe unpack that a little bit and just share a bit more of your thinking around that with us?

SK: Yeah, and I would say there’s even a third component, which is society as a whole. Right? So why is it a good thing for employers? Well, you know, the main downside, which is the myth, is people are going to be working less, it’s bad for your culture, you’re going to have retention issues, all that stuff, none of which is true, right? In companies that are good at measuring worker productivity, and most of them are not, there is no data that shows that worker productivity goes down when people are working remotely. In fact, there’s tonnes of data that shows the opposite. The idea that it’s bad for retention, like employee loyalty, I can give you the example of Upwork: the people that work remotely stay at the company at least twice as long as the people that are based in San Francisco. And it’s pretty obvious why, you know, if you’re based in San Francisco, you’ve got all the other tech companies that are trying to poach you all the time. When you live in the middle of Sacramento or Stockton, Modesto or even outside of California, there’s a lot less competition for talent, right, so it’s good for companies: employee retention, and obviously cost, you know, like the cost of living in San Francisco is so high that you can find equally talented people for significantly less money elsewhere. Right. So that’s the company point, and I would say, more than cost savings, for the most part it’s about attraction of talent and retention of the talent. On the employee side, you know, like, I think we’ve done many, many surveys over the years at Upwork.
And most people would prefer to have more flexibility in their life, and to be able to potentially relocate to another part of the country. You know, the San Jose Mercury News does a study every year, and they just updated it and it went up again. But last year, more than 50% of the tech employees who live in the Bay Area said that they would choose to leave the Bay Area if they could keep the same job and the same thing. And so there’s a meaningful number of people who live in places like New York and London and San Francisco and Shanghai, not because they really enjoy the lifestyle or the cost of living, but because that’s where the jobs are. So that’s how it helps people. But secondly, it also helps people that are excluded from the current workforce to participate in the workforce. So one of the studies that Upwork does every year is called Freelancing in America. We asked freelancers, would you ever choose to work for a regular employer? And 50% of freelancers say no. And when you ask them why, usually the answers are care duties, a physical or mental disability that makes it hard for them to contribute to a regular office environment, or living in a part of the country where there’s no job. So you’re really allowing lots and lots of people, who otherwise can’t get access to great jobs, to have access to them. And then the third piece is society as a whole. So one thing that’s, you know, pretty well documented by economists: if you have a highly paid worker move to a part of the country that is economically challenged, it creates, on average, an extra four jobs. And it’s pretty obvious why, right? You put a highly paid software developer in the middle of the country, and they’re going to start to consume goods and services, which further creates more jobs and restarts the new economy, as opposed to today.
I mean, if you look at the situation here in San Francisco, almost all of the people whose jobs truly require them to be in San Francisco, can’t afford to live anywhere nearby. And meanwhile, the people whose jobs can be done from anywhere only live in San Francisco. So it’s kind of the opposite of where it needs to be. And I think this distributed work approach can really be a win-win for society, for the workers and for the employers as well.
TS: Yeah, yeah. There’s some fascinating stats there as well. I’d seen a few of those recently. It does, you know, it seems obvious when you say it, that there are so many other benefits that come from this kind of setup. And I guess from the company’s perspective, it’s really, really important that you’re empowering your workforce and your employees to be successful in this environment. And there are certain things, when you’re running a company, that you still have to get right, whether you’re a remote work environment, or whether you are in physical offices around the world. And obviously, a topic very close to our heart is security and thinking about how you keep people secure with the data they’re handling, whether they’re working from their home office, or their front room. And it’d be good to hear your perspective, some of the things that you’ve done to empower your workforce overall from a technology perspective. And then, when it comes to actually security specifically, what do you think companies need to have in mind?

SK: Yeah, absolutely. So there’s definitely several, you know, components to allowing a distributed workforce to be successful. There are human resources related matters. There are legal related matters, right? Employment is regulated in just about every country. So you need to understand what you’re getting yourself into. Usually, there’s tax and accounting implications; if you have nexus in multiple states in the US, let alone if you have people in multiple countries, and you employ them directly, this might create financial, tax and accounting matters that you need to resolve. And then to your point, there’s huge security considerations that you need to take into account. And I would say, like in the case of Upwork, specifically, there’s two different natures of the issue, if you will. One is bring your own device, right? Most of the people on Upwork are freelancers.
We don’t send them a laptop, we don’t send them an iPhone, we don’t control their environment. But then they get access to the secure environment of the network infrastructure. So securing a Bring Your Own Device type of environment is absolutely critical. The second one is we don’t know where they are. You can’t assume that, right? So you need to design systems and policies to make sure that the intellectual property of the company and the security of the company is not compromised. To give you one example, very early on at Upwork, we decided that anything that needs to be secure should be behind the VPN, irrespective of whether you’re working from home, or working from the office. So from day one we said, location should not matter. There’s nothing magical about the office, we should always assume that you are in a non-trusted environment, and make sure that we build systems to accommodate for that.

TS: Yeah, and this also comes down to the point, I imagine, of the culture that you create as a remote work company. And you know, we can be used to building culture, or certainly as a CEO, I’ve been used to building culture, when you have people in the office. You can get people together, you can do socials together, and those kinds of things. What are some of the tips that you have for organizations who are thinking about how you actually create a really, really amazing culture as a remote company, and, you know, having to consider all of these other things like the practices? And you ran through some of them: HR, legal, security?

SK: Yeah, well, you know, I would say other than right now, where everybody’s stuck at home and really can’t meet face to face, in general, I think most remote-first companies tend to do lots and lots of face to face meetings. At Upwork, we had a meaningful travel budget where we would do meet ups.
So not 2,000 people in the same place, which, you know, doesn’t work for most people, but we would give agile teams a small budget every year so that they could meet up in a cool city. And every time we’d have meetings in, you know, Budapest, and Madrid and Chile and where have you. And it’s a great perk for people. For a couple of weeks, they would be in an Airbnb, and they’d be coding during the day. And they’d be, you know, socialising in the evenings and weekends, and people tend to really like that, right? So, face to face does matter. I think we’re going to go from a world where we organize off-sites to a world where we organize on-sites, if you will. But this, you know, is really true. Like there is a social connection network that is hard to do on Zoom, and regularly you need to, you know, update it by having face to face meetings. Now, that’s not really possible right now. But I would say the second part of your answer is, culture is bigger than just, you know, free coffee in the office or a ping pong table, or what have you. Culture is a set of values and a shared purpose. You’re widening the talent pool so much that you can find people that are really passionate about what you do. And so as a result, you can find people who really live the values, live the purpose of the company, they’re here because they truly believe in the mission of what you’re trying to do. And that, to me, is really what culture is about.
TS: Yeah, it’s so important. I couldn’t agree more. And I think as well, for many companies there, it’s also a good thing that we’re being stretched, and they’re being challenged to think deeper than just some of the kind of superficial skin deep perks, maybe that you know, otherwise would have substituted something that is altogether so much more important for for companies. And I have to ask you, we’ve spoken a lot about remote work, this is something you’ve been practising for a long time. Now, what is your thesis? What’s your opinion on the future of work? And I guess I’m specifically interested as well, this change, I guess, nobody saw coming in this way that we, you know, we’ve been accelerated to remote working, what do you think it means for, you know, the next five years in terms of companies and technology, but also outside of our sector? SK: You know, I think it just accelerated the future by a decade. The sobering fact is, I think, the virus has done more in three months than I’ve been able to do in 10 years. But we’ve really gone into the future in a really big way. And I think what really matters here is to understand what’s not working and fix it quickly. There are plenty of things that you can do wrong. This is the time where we can improve diversity, we can improve inclusion, and we can improve efficiency, and have more efficient companies. And so I think it’s really important for companies to pull their managers, to pull their employees, and to figure out, you know, very quickly, like, what are we not doing well, and to optimise for it. Because that train has left the station, and it’s moving fast right now. TS: So you think that the, I guess this change will show companies a way of working, that means that you know, whether they like it or not, we’re not going back to the way things were, you know, this is something that’s here to stay. 
And whether we go to hybrid environments, or fully remote environments, we now have to adapt to this new way of working. SK: Yeah, I mean, I doubt that every company is going to be fully distributed anytime soon, right? I mean, there’s definitely going to be a hybrid model, which is one thing that companies need to figure out is how you become inclusive of the remote workforce when there’s a lot of people still in the office. But I think there’s a lot of misconceptions companies had about remote work that are being disproved right now.  Now, to be fair, I think there’s also a concern right now that because people are working from home in conditions that are not ideal, you know, as I said earlier, people that are sick, and people that have kids that are. I think some companies may come to the wrong conclusion, which is why this was really a failed experiment. We can’t wait to have everybody back in the office. But the reality, though, is the workforce has moved on. So if you as an employer think you can go back to the old ways, you’re going to lose a lot of your team members because they’re not moving back. In fact, the place they’re moving to might be outside of where they live right now, in a place where they can have a much better lifestyle.  Frankly, I think the workforce is going to be voting with their feet. If you don’t allow people to work more flexibly post COVID. There’s a lot of employers who will and they’ll attract the best talent. TS: That’s a really interesting way of looking at it, which actually, it’s the overall market for employment and flexibility. As you say, as soon as it’s there with one set of employers, it’s going to become something that people prioritise.  So there you have it. Remote work has its benefits for employers, employees and society. And, so, in Stephane’s opinion, we’ve accelerated the future by a decade. And it’s time for businesses to consider what the long term strategy for a hybrid or remote way of working will be. 
Whatever their decision, securing people and empowering them to work both productively and safely has to be a priority as employees can now work from anywhere.  If you want to learn more about securing your hybrid workforce, we have plenty of great content and actionable advice on the Tessian blog. And if you enjoyed our show, please rate and review it on Apple, Spotify, Google Play or wherever you get your podcasts. Remember, you can find all of the RE:Human Layer Security podcast episodes here.
Podcast Episode 1: Why Culture Trumps Strategy, With Howard Schultz
by Tessian Sunday, December 27th, 2020
Welcome to the RE:Human Layer Security podcast. This is the show that flips the script on cybersecurity and in each episode, Tim Sadler, Tessian’s CEO and co-founder, will be speaking with world-class business, tech and security leaders about why businesses need to protect people – not just data and machines – to stop breaches and make businesses thrive.

Tim Sadler: For our first episode, we’re kicking things off by talking about the importance of culture to build a resilient business. I think we can all agree 2020 has been a turbulent time, a year of many firsts. And like many other leaders, managing a suddenly remote company has forced me to adapt my ways of working and think deeply about how this huge change would affect the people within Tessian. How would it impact their mental wellbeing? Do they have the tools in place to work both productively and securely? And how do you build and maintain a culture when everybody is working in isolation? So when I had the chance to speak to the brilliant Howard Schultz, the former chairman and CEO of Starbucks earlier in the year, I wanted to ask for his advice on how to lead during times of extreme difficulty. With stories from his days leading Starbucks, how to explain why managers mislead with humanity to help keep people motivated and inspired. And if you want to hear more Human Layer Security insights, all podcast episodes can be found here.

TS: Howard, it is a great honor to have you with us here today.

Howard Schultz: Honored to be with you, Tim.

TS: Howard, like so many others, I’ve been really lucky to learn from your leadership lessons as the CEO of Starbucks. And for anybody who does an ounce of research on that company, they will hear that it was all about the people. Why do you think it’s so important that leaders invest in their people?

HS: Well I think, regardless of what business you’re in, whether you’re in the consumer business, the tech business, or the security business, it’s always all about the people and the culture and values and guiding principles of an organization. When we began at Starbucks, in 1987, when we had 11 stores and 100 employees, we actually framed a unique way to look at the business. And that was to try and achieve the fragile balance between the fiduciary responsibility of building shareholder value and the conscience and the benevolence necessary to share success with our people. I think in the environment that we’re living in today, perhaps more than any other time, certainly in my lifetime, you can’t build a company or attract and retain great people, unless people recognize that they are part of something larger than themselves, and that they believe 100% with great trust and confidence in the management team, their leaders, their managers and the mission of the enterprise. And so this is a time when leaders must recognize the importance of truth, transparency, being vulnerable in the moment, and bringing your people along with you.

TS: And for you, I know that you’ve said this a number of times, and it’s something I picked up on. It’s not just about being good enough, though, I think you have this saying, which is you’ve got to exceed the expectations of your people. How do you go about achieving that as a leader?

HS: Well, actually, we took it a step further than that. We said, if you want to exceed the expectations of your customers, you have to first exceed the expectations of your people. And in the environment, again, that we’re living in today. It’s not only exceeding the expectations of your people in terms of compensation, but also their values and value of the enterprise. And I think any environment that we are all trying to navigate through today, people are coming to work with a tremendous level of anxiety and uncertainty, because there are, in my view, three pandemics going on at once. Not only the pandemic of COVID, but the pandemic of our political system here in America, where we’ve lost trust and confidence in our institutions. And third, the third pandemic is the unbelievable level. I think there’s a lack of understanding of racial inequality, racism, and in terms of our election here in America, the possibility of voter oppression. And so those three pandemics are colliding at once. And so if you are building a business or managing people, it’s not just managing and leading your business, because that isn’t the only thing your people and your employees are dealing with. They are living and dealing with many other aspects of their life and their life experience and their personal situation. They are bringing that to work, whether they are on Zoom calls at home or not. And as a manager and a leader, you must understand with great sensitivity and compassion. Then if we want to exceed the expectations of our people, then as managers and leaders, we need to walk in the shoes of our people. And that is what I mean by exceeding expectations of our people at a time like this.

TS: I think that’s so important. And again, that was another thing that really stuck with me, this notion that actually, the role of a company is, you know, it’s no longer just a place where people show up, come to work, maybe they’re here 9-5, it is, it has to be so much more, especially given this turbulent time where actually, people, you know, they can’t. I think we spoke about it previously, Howard, where you said, if you can’t put your faith in the work that you’re doing, and you can’t be proud of that, then, there are so many other things that, well, there are so few other places where you can put that pride or you can find that pride, right?

TS: Now, when you were building Starbucks, you were a young leader yourself, I think you were in your early 30s, when you bought the company, what guided you or what helped you in establishing this great culture for that company as you built it?

HS: Well, I think all of us have a life experience and a personal story. Having grown up in public housing, where I saw firsthand the fracturing of the American dream with my parents, I understood at an early age, what can happen when you or your family and the resources of the family are left behind. And so in building Starbucks, I wanted to really create a company in which we were managing and leading the company through the lens of humanity. Now, it’s easy to say that, it’s very hard to do. What do I mean by that? Well, when you’re leading a company that’s growing at 50-100% a year, and you’ve got the wind at your back, it’s very easy to be humane. But the challenge for leaders in starting a company and dealing with adversity is what happens when the challenges are difficult. And the wind is in your face, are you going to compromise your values and your integrity and your ethics for a short term gain? And now, everyone who works in a company remembers the actions of what leaders do in good times and bad. And what you want to do as a leader is ensure the fact that you’re imprinting the organization with the values that people will remember during bad times. And so in terms of your question, I was trying to build the kind of company that my father, an uneducated blue collar worker who didn’t get respect in the workforce, could work for, and in effect, trying to build the kind of company regardless of your station in life, that you would be valued and respected. And that’s why we gave ownership to everybody, comprehensive health care to everybody, free college education, all of those things; we felt were important in terms of the company’s responsibility. And I think the question for all of us today is, what is the role and responsibility of a for profit company in today’s world?

TS: I think there’s so much to unpack when talking here, about leading through times of adversity. And one of the things you said there was, you know, it’s easy to live up to your values when the wind’s, you know, the wind’s at your back. And I wanted to draw on a point of history at Starbucks, which is when you returned as CEO, which I think was in January 2008. And the financial crisis was in full swing and from what I understand, Starbucks was in some financial difficulty at the time. And one of the first things that you wanted to do on your return. And to me, this really speaks to that notion of you know, you have to live your values in good times, and you have to live your values in bad times. One of the first things that you did was to take 11,000 store managers to New Orleans at a cost of $33 million. And share the news that your company was seven months away from insolvency. Why was it so important that you did this?

HS: Tim, I have to commend you on your research. Well, the company was in dire straits. And I wanted to be in front of the most important person at Starbucks, which is the store manager. And I said we’ve got to get everybody in one room. And believe it or not, we went to New Orleans for three days. And this was not a getaway. This was not a retreat. This was a come to Jesus for the company. Now before we had one minute of our meeting, every single person who came to New Orleans devoted hours of work in the community in the 90s toward post Katrina, and we contributed 55,000 hours of community service – again, demonstrating the values of the company. Now, the story you bring up is this, I had an opportunity on the third day to give a $30 million speech, the cost of the event. And before I gave the speech, my colleagues and a couple of board members asked me, what was I going to share with the people? What was the rallying cry? And I laid it out for them that I was going to tell them the dire condition that we were in. And in fact, if we went seven more months, like this, Starbucks was going to be insolvent. That’s how bad it was. And the people around me were so afraid, basically saying, “You can’t tell them this, you will scare the crap out of them, they won’t be able to handle this kind of information.” And the question at that moment is, do you trust your people enough to have the same information that you have? And the answer has to be yes, you can’t leave people by hiding information. You can’t be a Pentagon general, you’ve got to be in them on the battlefield in the mud with them. And they have to send the same information you did. So I stood up in front of 11,000 people. And I asked them two things: one as I laid out the problem, I asked them to join with me to lock arms, to all of us facing in the same direction to be aligned against what we have to do. And don’t do it for me. Do it for your, your people you work with and do it for your family. And the speech did not turn Starbucks around. But we wrote we roared out of New Orleans, like a tidal wave. And seven months passed, and we never looked back. And of course, today, Starbucks has 32,000 stores in 83 countries, and one of the most recognised brands in the world. But we have challenges just like everybody else. But the HR issue in every company, the human condition, human behaviour, if you can unlock that. And let me say it this way, if you separate the culture from the strategy, i.e. you have a great strategy, but a bad culture, I think nine times out of 10, you are not going to achieve the aspiration of that strategy. The execution is going to be flawed. You have a world class culture, where there is a currency of trust throughout the organization where everyone believes in the mission of each other, and we’re going to take the hill together, you link that with an average strategy. With a lot of competition, you give me that scenario. And I tell you, you are going to win. Because culture, and I hate to use this word, trumps strategy.

TS: And I think that’s so important. When we think about also leading, leading teams, leading our people and protecting the company, something you told me, Howard, which was, you know, vulnerability can actually help you build stronger bonds with your people. Sharing vulnerability, being vulnerable with those around us actually allows us to get closer and people come closer when they see that, you know, where we will have the right world working on something.

HS: Yeah, and especially for men, you know. We’re not taught to be vulnerable. We’re not taught to be sensitive. And I think the more you can reveal to your people about who you are, and take the defenses off, and be real and be authentic, the better off we will be.

TS: I want to go to something that he said over a year ago now, but I think it was January 2019. I’m quoting you, but it really struck me. When I heard this, you said that the elephant in the room of the country today is humanity. And it really resonated, I think with many of the challenges that we’re facing right now, you know, in society, but also, we see this in many companies. And I wanted to get your thoughts on how has that quote aged for you, given where we are today?

HS: You know, as I said to you earlier, I really believe we’re living through three pandemics at once all colliding with one another. And I think, especially for young people. It’s very easy for young people today to lose trust and confidence in the future. And when I speak about humanity as the issue in the room, the elephant in the room, I just think people are living with tremendous anxiety and uncertainty and are so hungry to be lifted up by something that’s real. That’s something that’s truthful. And, and no integrity, if you’re trying to build a great enduring company, you’re trying to provide a much needed service to your customers. If you can do that, while at the same time, building an organization in which people are truly valued for who they are, and people are seen and understood, and really feel like they are part of an organization where they, they themselves feel as if they are not only contributors, but they are being valued in a way that’s so unusual. If you can lift humanity, and integrate humanity into the core purpose and reason for being, and if everyone on the call, can integrate and lift up their people, and recognise the importance of humanity, in their business, every single business on this call will be better for it. Because we, as people, in the US and all over the world, we are hungry longing for humanity, for truth, and for people and organizations that we can believe.

TS: And I think that’s something that’s so, it’s such a powerful statement that something we can all take away into our practice, whether we’re leading a company, we’re leading a team, or we are serving our company. And again, I think something that’s so unique and special about the security community is that leadership is your, it’s your team, it’s the people who report to you, but you’re having to show leadership for the whole company, you know, there is a huge task ahead every single day, you’re tasked with the security and the protection of the whole company. And one thing I wanted us to finish on, Howard. There is often so much pressure in our day to day lives, or you know, we are tasked with really important initiatives and really important things. And I think the remarkable, or one of the remarkable moments that again, you’ve shared with us today and is, you know, for anyone who does any research they will see, is those moments when faced with extreme difficulty or uncertainty, you are able to deeply not only live your values, but I think go back to your values and embrace your values. And the question I have, or the advice that I would love to finish on is what can you offer? What advice would you share with people who are on the call today thinking, you know, this sounds great, but actually, I’ve got the pressure of my day to day job just to get through? How can I ensure that I am constantly living those values, the values I have for myself and the values that my company has to me? What advice would you give to them?

HS: That’s a very big question, Tim. I try my best!

TS: I’ve saved the best for last.

HS: When each of us goes home at night, and we’re sitting with our wife or husband or partner or family. And we have an opportunity to talk about the company that we are part of, or the work we did today. The rhetorical question is, did you as a leader provide the people who work with and for you an opportunity to speak about their work in the company with pride? And if the answer is yes, then you know that you can start your day tomorrow realising that what you did today was really, really good. The challenge we have as leaders, is we got to do it more often than not. And I think what we’ve always tried to do at Starbucks is answer the question in the affirmative. Are we making our customers and our people proud of the equity of our brand, the values of our company, and the guiding principles of what is our core purpose or core purpose and reason for being? And let me say in a week or two is the 50th anniversary of Milton Friedman’s famous essay about the role and responsibility of a company. Now, Milton Friedman was a god in terms of his economic acuity. But I disagree with humility. That Milton Friedman’s theory, that a business’s primary responsibility was to its shareholders and to make a profit. I don’t think that applies today. It goes back to what I said earlier. We all have to be in the business of improving the lives of our people, the communities we serve, and I bet you that your customers and the customers of theirs want to do business with companies and management teams who are values based. Never, it’s never been more important to me and to recognise the critical importance of business today to lead with its heart and with its conscience.

TS: I think that’s a fantastic note to finish on. And again, Howard, thank you so much for your time today and sharing all of this insight and guidance with us.

TS: It was amazing speaking with Howard. I think one of the things that stuck out for me was if you have a great strategy, but a bad culture, it’s very likely you’re going to be unsuccessful. A company’s culture is built on that currency of trust with values that inspire people to do great work. And also leaders shouldn’t be afraid to be vulnerable. As Howard points out, it can lead to stronger bonds with people and then foster that trust. Join the next episode of RE:Human Layer Security, where we talk with Stephane Kasriel, the former CEO of Upwork, and a future of work visionary. Stephane and I will be talking about the topic of remote work, and why it really isn’t something that’s going away anytime soon. And that just leads me to say thank you very much for listening. We have more Human Layer Security insights in our next episode. But if you can’t wait that long, you can visit our blog, where you’ll find lots of amazing content, advice and tips. And if you enjoyed our show, please rate and review it on Apple, Spotify, Google Play or wherever you get your podcasts.