Episode 16

Role of Emotional Intelligence in Creating a Healthy Information Security Culture

Nadia El Fertasi, Human Readiness and Resilience Expert and former NATO senior executive, highlights the importance of leveraging emotional intelligence to create and sustain a healthy information security culture. During a very thought-provoking discussion, Nadja made some poignant statements and recommendations such as a) build a culture of empowerment and not fear, b) use empathy to counter social engineering attacks, c) make cyber hygiene practices non-technical and reduce human firewalls, and d) practice reason over fear.


Time Stamps

00:49 -- I'd like to begin by asking you to reflect on your experience at NATO.

09:25 -- How do you get organizational members at all levels, more committed to achieving a high level of cybersecurity performance?

19:38 -- There is growing recognition that security is an important organizational capability, a very important organizational competency. How do you get that realization shaping the organization's culture?

41:01 -- During our podcast planning discussion, you shared some very powerful quotes, such as a) practice reason over fear, and b) use empathy to counter social engineering attacks. Can you speak to them?

49:59 -- This discussion we've had speaks to human-related controls. The ability to effectively implement such controls requires a very different skill set. Can you speak to that, as we wrap up this conversation?


Memorable Nadja El Fertasi Quotes

"If you want to change mindsets and implement cyber hygiene, language is important."

"Build a culture of empowerment, not fear."

"So how can you speak in a way that security is seen as an enabler and not as a barrier."

"Practice reason over fear."

"Use empathy to counter social engineering attacks."


Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast

Please subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks.

Connect with Dr. Chatterjee on these platforms:

LinkedIn: https://www.linkedin.com/in/dchatte/

Website: https://dchatte.com/

Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338

Transcript
Introducer:

Welcome to the Cybersecurity Readiness Podcast Series with Dr. Dave Chatterjee. Dr. Chatterjee is the author of Cybersecurity Readiness: A Holistic and High-Performance Approach, a recently published book by Sage Publishing. He has been studying cybersecurity for over a decade, authored and edited scholarly papers, delivered talks, conducted webinars and shops, consulted with companies and served on a cybersecurity SWAT team with Chief Information Security Officers. Dr. Chatterjee is an Associate Professor of Management Information Systems at the Terry College of Business, the University of Georgia and Visiting Professor at Duke University's Pratt School of Engineering.

Dr. Dave Chatterjee:

Hello, everyone, I'm delighted to welcome you to this episode of the Cybersecurity Readiness Podcast Series. Today, I'll be talking with Nadia El Fertasi, Human Readiness and Resilience Expert and former NATO senior executive. NATO stands for North Atlantic Treaty Organization. It is an international security hub, and is one of the world's major international institutions. It is a political and military alliance of 28 member countries from Europe and North America. Nadia, welcome. It's great to have you as a guest on the Cybersecurity Readiness Podcast Series. Thanks for making time to share your expertise with the listeners. The theme for our discussion today is the role of emotional intelligence in building and sustaining a healthy and high-performing information security culture. I'd like to begin by asking you to reflect on your experience at NATO.

Nadia El Fertasi:

Thank you, Dave, thank you for having me on today. It's my absolute pleasure. So I've worked at NATO, the world's largest security and crisis management organization for nearly two decades. That's a long time. And I worked in various countries and posts but always within the digital transformation and cybersecurity arena, I always held strategic customer relations and governance position. Now, how does this relate to what I currently do? As you know, NATO was founded just after its beginning, the end of the Second World War, it's the beginning of the Cold War, and where state sponsored attacks or where state enemy was very prevalent. So our culture or security culture was ingrained, to help us not fall for social engineering attacks in the sense of espionage. So I was also deployed in the field. But we always received a lot of training and awareness of programs on how not to fall for emotional manipulation techniques. So what is social engineering? It's basically criminals, not necessarily hackers, because there are a lot of ethical hackers, but criminals trying to manipulate people to get information out of them so they can hack into systems. Now, in our case, it was to get information out of us so they can use it for espionage, or get a competitive advantage because of the state to state relations. So in agriculture, being very aware of security was a given, right, it was really part of our DNA, which I think is very important. And this was with me for 20 years.

And how does that so after 18 years, I decided to change and to resign and build my own EQ consultancy business and really help people and organizations deal with these digital disruption. What do I mean with digital disruptions? Because people think when we talk about the digital decade, it's a bit overreacted. But how many people are working online or processing payments, or processing data exchanging data online, especially after COVID? Right? So and with all the challenges that are going on, you know, people's resilience and organizational resilience to stay not only survive, but thrive is challenging. So this is what I do. And I use I leverage the practical crisis management, resilience, experience and readiness in NATO. We were either in conflict or preparing to being in one. So exercising our readiness is in our DNA, our bread and butter, but I also worked with people from 40 different countries at all levels. So emotional intelligence was key. Because at one part you have the technology, how do you get people to use it technology that is safe and secure and advances the organization at the same time, right. And there are a lot of different departments and business units when we look at the private sector that have a stake in it. So in our case in our agency, security was responsibility for all. And I wanted to bring that in my work with the private sector currently and small businesses.

Now there is a lot of misconception about emotional intelligence because when we hear emotional intelligence, we think, Oh, this you know, emotions, they don't belong in the workplace, or we're very rational etc. Now, I recommend your listeners to look up Lisa Feldman Barrett, who is an author about how emotions are made. Secret Life of the Brains is one of the top percent, one top percent cited neuroscientist and psychologist who really has a lot of material and research to dispel this myth, right. So how she explains and the what I also use in my work, I use a scientifically validated model that the feelings is very different than emotions, feelings is when our brain makes sense of our energy levels. So imagine you are working in an enterprise model, and you have different business units, that all need amount of resources to be able to sustain the organization. Now, if acquisition has less resources than legal, for example, the marketing department of the research development is going to be in at the resource deficit or resource overload. Same thing with our body. So when our brain perceives that it is under high levels of stress, or something is not right, it creates a body energy deficit. And this is when we experience feelings of fear or frustration of you know, general, negative emotions. And emotions are actually constructed by our bias, by our stereotype beliefs, by our formative years, by our experiences, what we learned is emotional behaviors, which is different than different culture and is not universal.

Now, why is this so important when it comes to cyber? First, if you want to change mindsets, and implement cyber hygiene, the language is important, right? Because if we talk to someone who's an information security specialist or technology, they may get very excited about cyber, they don't necessarily see it as something dark or negative or complicated. Someone who has no exposure to cyber only correlates with the ongoing ransomware attack and all the cyber breaches may feel a lot of fear, right? People who I loved in your book, you refer to people who, you know, developers for examples of applications, they want to get it out on the market as soon as possible. While the security people want to keep the US market is as long as possible, right? So that we have different concepts about cybersecurity and cyber safety in general, it is only normal to feel discomfort when you're dealing with a new concept. And how do you get people to do things differently in a way that secures not only the surface, not only the product, but also the user environment. And the way they work and live, you know, with the online world is to help them become comfortable with the discomfort. And this is where emotional intelligence comes in. It is relating to the immediate challenges to the behavioral aspects of people. Cognitive intelligence is long term strategic, and you need both actually. And some people are more equipped with it because they've learned it. Other people who have trained to be very cerebral, and this is especially true for the STEAM (Science, Technology, Engineering, and Math) workforce. If you've been trained to be very technical, logical, and you know, data crunching for example, then it's a little bit more difficult to put words or to understand how your emotions affect your behavior.

Dr. Dave Chatterjee:

Great. Fantastic. Thanks for that introduction, that primer on emotional intelligence, the significance of emotional intelligence, in bringing about the desired information security culture. As you know that when we look at cybersecurity, the challenges with cybersecurity, we have to understand it from a people, process, and technology standpoint. The good news is there are lots of soft, sophisticated technologies out there. The good news is there are great process recommendations, great frameworks out there. The challenge lies in the human factor. And you spoke to that when you said that some of us are better trained than others, or are better have better abilities than others, to deal with uncertainty, to deal with, deal with challenges that are not within our domain of expertise, or interest. So therefore, managing the human factor effectively, to build and sustain a strong cybersecurity culture is easier said than done. It is often something organizations try to stay away from, because it's very hard to show immediate results, the ROI is not very tangible. But as more and more executives are recognizing, at the end of the day, it's really about execution, you can have the best plan, but if you are not able to execute to precision, to the plan, you're unlikely to be very successful; especially in the context of cybersecurity, where an organization needs to be able to sustain an element of stability in their management and performance of the cyber secure defense measures. To be able to act and perform in a precise and consistent manner, over a period of time, you need the right kind of culture that needs to become part of the organizational DNA. And that's where someone with your kind of expertise comes in, and can be of immense benefit to organizations who are trying to understand people, human mindset, how to bring about changes in human behavior.

So let's get a little specific because I'm sure our listeners are thinking, Yeah, this is all good. But what are your recommendations? So from a recommendation standpoint, let's have this discussion organized along some of the success factors that I talked about in my book, and I appreciate you having read the book. And we if we look at it from the standpoint of the three high-performance cultural traits of commitment, preparedness and discipline, if you could take one of them, let's say commitment, and speak to that, in terms of how do you get the organizational leadership? How do you get organizational members at all levels, more committed to achieving a high level of cybersecurity performance?

Nadia El Fertasi:

Yes, thank you, Dave. And I really enjoyed the book. Everyone talks about leadership, right? It needs to start at the top. But what does that look like? Right, and we forget the top leadership are also human beings as well. Right. And one of the biggest challenges we faced at NATO, and many organizations face is, we don't want to change people, we want to do get them to do things differently on the things on the job for sustainable period of time. So emotional, intelligent leadership is critical. I think there is a lot of focus on building agile systems on building agile technology. But how do we build agile people, right? People are not programs that can be flexible, there are different levels of flexibility. One excellent model called the Kübler-Ross model really explains actually the different emotional states people go through before they, when they go through a loss, right. It was developed for grief, but the same emotions apply when change happens.

Now, it's and I'll give an example of my own time when we were facing a lot of geopolitical uncertainty after 9/11 after you know what happened also in the border with Russia and Ukraine that put a lot of pressure on us in NATO and also created a lot of uncertainty in challenging time. Especially because cyber was really used as part of a hybrid warfare tactic. So we had a new general manager coming in at the time, he was from the Pentagon, brilliant, brilliant man. And he really had this, he had it right, he surrounded himself with the right people. But he also had people-centric leadership and people-centric mindset. So what he did in terms of, you know, demonstrating it from the top and emotional intelligence leadership, he understood that the chief surface line, so the people who were accountable and responsible for delivering the service and delivering the product, there was too much bureaucracy and too much power distance between them and himself. Right. And so he created a matrix organization as much as possible. So the people who were responsible and accountable for the full lifecycle of the services, they were responsible of the product, including security that was just ingrained, and cyber safety was ingrained in every aspect. We're directly responsible to them, what did that create? It created a sense of empowerment in these people, right? They were seen, they were validated, they were held accountable, they were given more empowerment, right? And they increased their buy-in, why should they go all the way? Right, it increased their kind of purpose, the getting up in the morning, and really, you know, moving in towards the same direction.

The other element was he appointed chief operating officer, who was also another brilliant man, who had not only a high level of expertise in the technical arena in the business, brilliant diplomat, he came from diplomacy as well and had very good relationships with national delegations, with the ambassadors, with the decision makers, because when you look at policy, and strategy and governance, right, and you can compare it to the C-suite in the business arena, there's often a disconnect when it comes to the information security culture, not that they don't understand, it's just they have many other fires, and business risks going on. So these relationships with him, made him very credible, and they had his trust, which made it easier to actually navigate building this culture within the very uncertain and challenging environment we were working in. So both of these very senior people, right. They had high levels of cognitive intelligence, they had high levels of political intelligence, they had high level of technical intelligence, business intelligence, but what made the organization shift our agency shift our people, you know, the way we work shift, is the emotional intelligence part. Is the people, right, you need to inspire people to guide to hold them accountable, right? Emotional Intelligence doesn't mean how do I say soft, right? Being various not at all right? True leader, can listen to everyone can take into consideration but ultimately takes the decision based on what he believes is best for the organization on the information is available, right? It's really, ultimately people want to feel heard and validated, right? So they can show up.

And with a lot of the work that I do often I hear, you know, people that this, they just they are tired of so many changes, I would add one more element, which is very crucial, is communication. We over perhaps me focus a lot on communication with our external stakeholders, our customers, our shareholders. But you have to start inside out when there's a lot of uncertainty outside it acts exaggerates the uncertainty within your organization. So internal communication policies and prosperity, even when you don't know. One of the best leaders I've worked with, and I see also in my clients are the ones that are vulnerable doesn't mean that they share all their personal stuff, but they've seen when things are not working, and that they don't have the answer immediately. And they are looking right in there involving the people are the ones that they get most support from the workforce. And that is very important.

Dr. Dave Chatterjee:

Yeah, you know, I think you said something, which is so so important. You mentioned about being vulnerable. We often make the mistake of thinking that a leader who's always exuding great confidence, great belief and a leader, a strong leader, should not show any kind of vulnerability. But to your point, vulnerability, the way I look at it is essentially a feeling of, you know, a little bit maybe the word paranoia makes sense that there's always an element of paranoia that what could happen, that could break the current defense, are we really well secured? Or is there anything missing? And that kind of mindset is helpful, because it always keeps you on your toes, and doesn't allow you to be complacent. So maybe what I was getting at is vulnerability can often come across as like a reflection of weakness. But vulnerability can also be interpreted as somebody who is not complacent, who always believes in a high level of preparedness. And that's something that I've also found in my research, that leadership can play a hugely important role in not only mobilizing organization-wide support towards the goals and the actions, but also help the organization reach a high level of preparedness.

Another point you made, and you made it very well, it's a very powerful statement, you said, build a culture of empowerment, not fear. And that speaks to taking a very positive approach to many things, cyber, including cyber communication. And time and time again, when I talk to senior executives, when I review the literature, one of the consistent good practices is about letting the users know what they could do to further secure the organization. So you're taking the approach of saying what you can do and not taking the approach of what you can't do, yes, that's the fine line. But there's a way of saying things in a very positive vein. And still being able to communicate the things that users should be wary about. So it's a fine line. And it can be done by very skilled people. And you talked about the leadership that you've come across with a very high degree of a variety of different types of allegiance.

Moving on to another question I have for you. And that is, you worked for an organization like NATO, very security driven organization. So you would expect security to be high on their priority when it comes to culture. But in a traditional private sector organization, where you yourself mentioned, often, the focus or priority of the executives are on realizing the business goals, their mission. And security is not that security is something unfortunately, they have to deal with. They wish they didn't. So in that kind of an environment, how do you get whether it's the leadership or whether it's the organization as a whole? How do you get the focus turned towards security, where there is growing recognition, that security is also a very important organizational capability, is also a very important organizational competency? How do you get that realization etched into the organization?

Nadia El Fertasi:

It's a very good point. And I'll, I'll say

Nadia El Fertasi:

one word, and then I'll give an anecdote to explain that word

Nadia El Fertasi:

and then give, give my own thoughts. Vision. Right. You

Nadia El Fertasi:

need to have a vision, right, for your organization. Why is

Nadia El Fertasi:

that important? Let me go back to something we dealt at NATO.

Nadia El Fertasi:

Right. Because NATO, our mandate was Article Five is collective

Nadia El Fertasi:

defense. Right. And I don't know if you remember when 911 came

Nadia El Fertasi:

about. It was a lot of discussion. Why was NATO not

Nadia El Fertasi:

more on the forefront in countering terrorism, and the

Nadia El Fertasi:

risk for terrorist attacks was very evident, very prevalent in

Nadia El Fertasi:

across European cities and in North America. Now, the obvious

Nadia El Fertasi:

reason is it was not within our mandate, or primary mandate. You

Nadia El Fertasi:

had organizations like the UN and other organization was was

Nadia El Fertasi:

in their mandate. And we were always in support. So we were

Nadia El Fertasi:

active, but it wasn't our primary focus. Everyone who

Nadia El Fertasi:

worked at NATO and the culture was very much still aware of the

Nadia El Fertasi:

Cold War. And remember the Second World War, the impact of

Nadia El Fertasi:

a nuclear attack, it would be far more detrimental than a

Nadia El Fertasi:

terrorist attack. And I know it sounds perhaps a little bit

Nadia El Fertasi:

harsh when you hear it, because it's not statistics. When we I

Nadia El Fertasi:

think a lot of people in leadership within NATO

Nadia El Fertasi:

understood the vision of building a safe and secure

Nadia El Fertasi:

transatlantic democracy, we take our freedom for granted. Right?

Nadia El Fertasi:

We forget that there are capabilities out there, right,

Nadia El Fertasi:

that can eradicate entire cities. So the risk for what we

Nadia El Fertasi:

were protecting 1 billion citizens was much higher. So

Nadia El Fertasi:

every organization should ask themselves, right, right, what

Nadia El Fertasi:

is the risk, because the capabilities are there, and you

Nadia El Fertasi:

don't need to be a sophisticated cyber criminal, to participate

Nadia El Fertasi:

in the ransomware service model. And just, you know, get as fast

Nadia El Fertasi:

money as possible, was even more challenging. And again, I don't

Nadia El Fertasi:

want to play into fear, but it's just being aware is non

Nadia El Fertasi:

sponsored states, cyber attacks, and even inspired state

Nadia El Fertasi:

sponsored attacks. There are many different reasons why

Nadia El Fertasi:

someone does cyber crime. So every organization needs to

Nadia El Fertasi:

understand what is the vision for the organization in the 21st

Nadia El Fertasi:

century, this highly digitized? What would happen if our most

Nadia El Fertasi:

critical infrastructure would go down? What would happen if 5

Nadia El Fertasi:

million and you have many case studies in your book, customers

Nadia El Fertasi:

data, shareholders data that gets lost? You don't want to

Nadia El Fertasi:

think about it, because again, it is not very tangible. We live

Nadia El Fertasi:

very short term focused, right? Okay, what is in the immediate

Nadia El Fertasi:

and when you're driven by the immediate and don't include and

Nadia El Fertasi:

balance it with a long term vision, your preparedness

Nadia El Fertasi:

strategies and your ability to recover, because now we have to

Nadia El Fertasi:

assume we will be compromised, every organization, they don't

Nadia El Fertasi:

assume that they can, they are compromised, their survival rate

Nadia El Fertasi:

is likely to be very low, because even a brilliant article

Nadia El Fertasi:

in the Financial Times about this in this. And this is also

Nadia El Fertasi:

how you get confidence from your shareholders from your customers

Nadia El Fertasi:

that you know it you know, what to do, when you there is a cyber

Nadia El Fertasi:

breach, right? And you can recover and protect their data

Nadia El Fertasi:

in the most

Nadia El Fertasi:

less riskful way as possible. So I this is what I would give away

Nadia El Fertasi:

is really understand how much are you balancing long term

Nadia El Fertasi:

vision with short term vision? And how can you explain cyber

Nadia El Fertasi:

risk in people's map of the world; example: a developer

Nadia El Fertasi:

wants to bring out their app as fast as possible, they've put

Nadia El Fertasi:

their intellectual property right, they've put their blood

Nadia El Fertasi:

and sweat. So if you're just going to tell them, we can put

Nadia El Fertasi:

it off because there are still some security updates missing,

Nadia El Fertasi:

they're not going to resonate with it. But if you are

Nadia El Fertasi:

explaining that if the app is on the market, and someone can

Nadia El Fertasi:

actually replicate the app, or steal the data, and actually

Nadia El Fertasi:

bring it out earlier in the better version, without you

Nadia El Fertasi:

know, this is going on all the time, that will get their

Nadia El Fertasi:

attention, right. So how can you speak in a way that security is

Nadia El Fertasi:

seen as an enabler and not as a barrier. It also requires

Nadia El Fertasi:

information, cybersecurity and information technologies to

Nadia El Fertasi:

compromise in a way that to have an understanding what is the

Nadia El Fertasi:

minimum required security requirements, right, minimal

Nadia El Fertasi:

security requirements we had in NATO, and understand that some

Nadia El Fertasi:

security requirements are nice to have, but perhaps not

Nadia El Fertasi:

necessary, but they will prevent the developer or the marketing

Nadia El Fertasi:

or the research and development team to bring out their

Nadia El Fertasi:

application. This requires open dialogue. This requires

Nadia El Fertasi:

listening to each other without feeling personally, you know,

Nadia El Fertasi:

attacked or it's full, everyone has a valid point. How do we get

Nadia El Fertasi:

there from here? And this requires, again, the vision, the

Nadia El Fertasi:

strategy.

Dr. Dave Chatterjee:

Absolutely. Wonderful. You again,

Dr. Dave Chatterjee:

highlighted so many important things. Let me see if I can

Dr. Dave Chatterjee:

remember a few to add to it and also asked you to expand on a

Dr. Dave Chatterjee:

couple of other things as well. You spoke to the importance of

Dr. Dave Chatterjee:

recognizing the consequences of cyber attacks. Organizations can

Dr. Dave Chatterjee:

go under, organizations can go bankrupt, in fact, there is

Dr. Dave Chatterjee:

survey data that showcases that 60% of small to medium sized

Dr. Dave Chatterjee:

businesses are known to go under after they experience a

Dr. Dave Chatterjee:

cyberattack. Even for large companies, reputation is at

Dr. Dave Chatterjee:

stake. And there are many other consequences. It is interesting,

Dr. Dave Chatterjee:

I was having this discussion with the CEO of a billion dollar

Dr. Dave Chatterjee:

insurance company, and I asked him a similar question I said,

Dr. Dave Chatterjee:

how you get your peers in other organizations to be equally

Dr. Dave Chatterjee:

committed to cybersecurity as an enabler, as you said, very

Dr. Dave Chatterjee:

nicely, you said a security is an enabler, not a barrier. His

Dr. Dave Chatterjee:

spontaneous response was Dave, I'm assuming people read what's

Dr. Dave Chatterjee:

coming out every day in the media, there is one story or the

Dr. Dave Chatterjee:

other about an attack and the consequence of the attack. If

Dr. Dave Chatterjee:

after that, a senior executive doesn't recognize how important

Dr. Dave Chatterjee:

cyber is, how important cybersecurity competency is, I

Dr. Dave Chatterjee:

don't know what to tell you. And I couldn't agree more. But

Dr. Dave Chatterjee:

having said that, the unfortunate reality is every

Dr. Dave Chatterjee:

leadership has certain goals, they have to report to

Dr. Dave Chatterjee:

stakeholders. So there are challenges in their work life.

Dr. Dave Chatterjee:

So I understand if often the focus deviates away from having

Dr. Dave Chatterjee:

the best possible cyber defense in place. But then, there is a

Dr. Dave Chatterjee:

change in the mindset, there is a change, there's a

Dr. Dave Chatterjee:

shift in top executive attention and commitment. And fortunately,

Dr. Dave Chatterjee:

what I've been noticing, I've been studying the shift for the

Dr. Dave Chatterjee:

last 10 years, it's going in the right direction. And that's

Dr. Dave Chatterjee:

very, very encouraging.

Nadia El Fertasi:

Yeah, just intervene or say something to

Nadia El Fertasi:

what you just said. Please, I, I just want to add another

Nadia El Fertasi:

perspective. I think, you know, I saw this at NATO all the time

Nadia El Fertasi:

I see this, we assume we've seen people know, right. But we

Nadia El Fertasi:

forget, we see the world through our mental model, right? We have

Nadia El Fertasi:

our own experiences. On top of that, the average human brain

Nadia El Fertasi:

can make decisions maximum 7-8 at the time. So if you assume

Nadia El Fertasi:

this type of rule in NATO Never assume someone knows, right, is

Nadia El Fertasi:

not to sue. Because these people, it doesn't mean you

Nadia El Fertasi:

know, sometimes we even speak to them in a very patronizing way,

Nadia El Fertasi:

C suite, CFO or, you know, CEO, they know that cyber is

Nadia El Fertasi:

important, right? If they don't read the news, they're reminded

Nadia El Fertasi:

by others on a constant basis. But the way sometimes we speak

Nadia El Fertasi:

when I read some articles, it's very patronizing. Right, it's

Nadia El Fertasi:

like they don't know, what they tend to forget is that, you

Nadia El Fertasi:

know, these leaders are these people functions have a lot of

Nadia El Fertasi:

different fires going on at the same time. Our human brain can

Nadia El Fertasi:

only focus on so much we believe multitasking is a gift, it is

Nadia El Fertasi:

not a gift at all. And Daniel Kahneman Nobel Prize winner

Nadia El Fertasi:

wrote an excellent book about slow thinking slow and fast. I

Nadia El Fertasi:

don't know if you've read it. So I think from that perspective,

Nadia El Fertasi:

is to communicate from people's map of the world, just because

Nadia El Fertasi:

it's obvious to us because it feels so obvious. And we assume

Nadia El Fertasi:

that doesn't mean it's obvious someone else. Trigger the

Nadia El Fertasi:

emotional intensity you need that matches people's belief so

Nadia El Fertasi:

you can change their behavior. This is what I focus on. Just

Nadia El Fertasi:

because we speak to someone how many times we keep ramping up

Nadia El Fertasi:

the statistics, which is important. But statistics alone

Nadia El Fertasi:

are not going to change people's hearts, okay, you need to find

Nadia El Fertasi:

and this is actually a whole function, a

Nadia El Fertasi:

whole art, takes investment, takes effort, to learn how to

Nadia El Fertasi:

communicate from someone else's map of the world. And to really,

Nadia El Fertasi:

you know, think about the outcome you want and the words

Nadia El Fertasi:

you're going to use that really get people to actually retain

Nadia El Fertasi:

attention especially now, when the average attention span of

Nadia El Fertasi:

clarity is no longer than seven seconds. So I think it is

Nadia El Fertasi:

I agree to a certain extent, but I also think that the way we

Nadia El Fertasi:

communicate in general and especially when it comes to

Nadia El Fertasi:

cyber risk, we cannot assume that people will read 50 page

Nadia El Fertasi:

Incident Response plan or crisis management procedures and

Nadia El Fertasi:

remember them in their map of the world. And when a cyber

Nadia El Fertasi:

breach is taking place, you cannot tell them, well, in the

Nadia El Fertasi:

service level agreement we had, or in the document you

Nadia El Fertasi:

signed off, it was clearly stated under paragraph 3.5. We

Nadia El Fertasi:

go into survival mode, fear mode, our brain capacity is

Nadia El Fertasi:

focused on keeping us safe. So our you know, we go there in

Nadia El Fertasi:

very short cut mental models. And I think it's important to

Nadia El Fertasi:

explain to practice this, right. So people don't take necessarily

Nadia El Fertasi:

very defensive, but really understand the human element in

Nadia El Fertasi:

the behavior, and then come up with strategies in the way of

Nadia El Fertasi:

communicating in a way that gets people not necessarily to change

Nadia El Fertasi:

their mind changing mindsets is very difficult. But to change

Nadia El Fertasi:

response options, do something differently, because you know,

Nadia El Fertasi:

it will advance your organization and keep the

Nadia El Fertasi:

organization safe and prepared and resilient.

Dr. Dave Chatterjee:

Yeah, you know, I wish to re-emphasize

Dr. Dave Chatterjee:

what you just said about do not assume when you're

Dr. Dave Chatterjee:

communicating, because everyone has different experiences,

Dr. Dave Chatterjee:

different mental maps. And they would interpret a message they

Dr. Dave Chatterjee:

could interpret a message differently. It brings back

Dr. Dave Chatterjee:

another interesting story. So there was this Admiral Hyman

Dr. Dave Chatterjee:

Rickover, who was credited with running the US Naval Nuclear

Dr. Dave Chatterjee:

Propulsion Program, very successfully for 30 some years.

Dr. Dave Chatterjee:

And he was able to build an organizational culture, anchored

Dr. Dave Chatterjee:

on six key principles. And they were integrity, depth of

Dr. Dave Chatterjee:

knowledge, procedural compliance, forceful backup,

Dr. Dave Chatterjee:

questioning attitude, and formality and communications.

Dr. Dave Chatterjee:

Now, let me speak to formality and communications. I believe,

Dr. Dave Chatterjee:

the way it worked in the nuclear Navy, when you receive an order

Dr. Dave Chatterjee:

from your superior, you're supposed to repeat that order

Dr. Dave Chatterjee:

verbatim, before you execute it. Essentially, the process was

Dr. Dave Chatterjee:

meant to be foolproof. So nothing gets lost. There's no

Dr. Dave Chatterjee:

communication leakage, no communication loss. And maybe

Dr. Dave Chatterjee:

it's an extreme approach. Maybe it works in a military

Dr. Dave Chatterjee:

organization, but there is something to be learned from

Dr. Dave Chatterjee:

that, taken away from that, for even the private sector, for

Dr. Dave Chatterjee:

even the government organizations that when you are

Dr. Dave Chatterjee:

communicating, it is also your responsibility to make sure that

Dr. Dave Chatterjee:

the person receiving your message, understands it the way

Dr. Dave Chatterjee:

you want it to be understood. But as we know, unfortunately,

Dr. Dave Chatterjee:

that's not the way the world works. We all experience mass

Dr. Dave Chatterjee:

communications, email blasts, one page email on security with

Dr. Dave Chatterjee:

a lot of detail and immediately when I see those, it tells

Dr. Dave Chatterjee:

me, okay, here we go check the box, a communication was

Dr. Dave Chatterjee:

required as per certain regulations certain requirement,

Dr. Dave Chatterjee:

and the organization is complying with it. So yes, you

Dr. Dave Chatterjee:

are complying with the regulation, but are you

Dr. Dave Chatterjee:

effectively doing it? The answer is probably no, because when I

Dr. Dave Chatterjee:

see a one page email, I generally tend to overlook it,

Dr. Dave Chatterjee:

unless it is customized, it is tailored, and it is speaking to

Dr. Dave Chatterjee:

my needs. And you spoke to that when you said when you are

Dr. Dave Chatterjee:

communicating with people, when you're trying to get them to see

Dr. Dave Chatterjee:

things in a different way, you have to be very skilled about

Dr. Dave Chatterjee:

how you pitch it, so they can relate to it. And that's the

Dr. Dave Chatterjee:

training in itself. And that should not be considered

Dr. Dave Chatterjee:

obvious. Oh communication, that's fine. As long as we have

Dr. Dave Chatterjee:

the tools in place, we have hired the, you know, the

Dr. Dave Chatterjee:

right kind of professional expertise, we are all good to

Dr. Dave Chatterjee:

go. We are not all good to go because when there's a breach,

Dr. Dave Chatterjee:

and more often than not, it is the cause of a phishing

Dr. Dave Chatterjee:

campaign, the people who get breached are not the ones who

Dr. Dave Chatterjee:

are trained in a cybersecurity certificate program, they are

Dr. Dave Chatterjee:

people who are there to do their job, which is not security. But

Dr. Dave Chatterjee:

then they also have a certain responsibility to perform their

Dr. Dave Chatterjee:

jobs, and also comply with the security guidelines. To get them

Dr. Dave Chatterjee:

to recognize that to get them to do it well, it requires

Dr. Dave Chatterjee:

practice. In a previous podcast, I had an eminent professor talk

Dr. Dave Chatterjee:

about his simulation program, simulating organizational

Dr. Dave Chatterjee:

decision making under stress, under time pressure. And as you

Dr. Dave Chatterjee:

said, it is one thing to plan, it is one thing to prepare. But

Dr. Dave Chatterjee:

then when you are in action, when you are on the court, you

Dr. Dave Chatterjee:

are playing to use a tennis metaphor.

Dr. Dave Chatterjee:

You are all by yourself, you're having to make quick decisions

Dr. Dave Chatterjee:

on your feet. And those decisions have consequences. The

Dr. Dave Chatterjee:

only way of getting better at it, is by doing it over and over

Dr. Dave Chatterjee:

again. What does that mean, from a cybersecurity preparedness

Dr. Dave Chatterjee:

standpoint, running different types of simulations to the best

Dr. Dave Chatterjee:

in extent feasible and possible, every company has their

Dr. Dave Chatterjee:

constraints. And I recognize that. But you know, these were

Dr. Dave Chatterjee:

some thoughts that came to mind as you were speaking, let me ask

Dr. Dave Chatterjee:

you a question. As we were having our sidebar by way of

Dr. Dave Chatterjee:

prep for this talk, you shared some very powerful quotes, if I

Dr. Dave Chatterjee:

may. And one of them was, and this speaks to what we are

Dr. Dave Chatterjee:

talking right now. Practice reason over fear. And another

Dr. Dave Chatterjee:

one I want to bring into the discussion where you said, Use

Dr. Dave Chatterjee:

empathy to counter social engineering attacks. Can you

Dr. Dave Chatterjee:

speak to that?

Nadia El Fertasi:

Yes. Let me start first with practice

Nadia El Fertasi:

reason over fear. And I will use a very unusual analogy, but

Nadia El Fertasi:

stick with me, so you understand. Imagine, and I'm

Nadia El Fertasi:

going to take you as example Dave, if you don't mind, imagine

Nadia El Fertasi:

you're not feeling very well, today, you're a bit low on

Nadia El Fertasi:

energy, your immune system is not on top, so you're really

Nadia El Fertasi:

not, at your best state. And then you turn around and there

Nadia El Fertasi:

is a tiger predator in the corner of your office. And let's

Nadia El Fertasi:

assume it's not a domesticated one. It's one that is really

Nadia El Fertasi:

going to chase you. So your brain is going to signal to your

Nadia El Fertasi:

body extreme danger, you're going to use all your energy and

Nadia El Fertasi:

run as fast as you can, I hope. Imagine the predator is the

Nadia El Fertasi:

colleague sending you that email, is the continuous attacks

Nadia El Fertasi:

that you receive on your screen, is the fear based leadership

Nadia El Fertasi:

because you're afraid to do something wrong because of the

Nadia El Fertasi:

culture, it's meeting your deadlines, whatever it is; the

Nadia El Fertasi:

problem with fear right there it serves a function, we are human

Nadia El Fertasi:

beings to keep ourselves safe, right? So if we go outside, can

Nadia El Fertasi:

see a car and so we can you know, protect ourselves and not

Nadia El Fertasi:

get hit by a car. The problem is, our brain constantly

Nadia El Fertasi:

perceive things as fear puts us in a chronic state of stress,

Nadia El Fertasi:

which has disastrous consequences on our ability to

Nadia El Fertasi:

make decisions, on our ability to manage our energy, our focus,

Nadia El Fertasi:

and we get, I wrote a blog for Global Cyber Alliance and had

Nadia El Fertasi:

statistics in there for the UK in the US, how many people are

Nadia El Fertasi:

distracted and lack of focus and how that correlates with falling

Nadia El Fertasi:

for social engineering for phishing attacks, because which

Nadia El Fertasi:

brings me to your second point use empathy for mitigating

Nadia El Fertasi:

social engineering attacks. Now, empathy is another overused

Nadia El Fertasi:

buzzword it is very difficult to exercise because if you read the

Nadia El Fertasi:

book of Daniel Kahneman, slow thinking slow thinking fast, it

Nadia El Fertasi:

is another part of the system, it really requires being

Nadia El Fertasi:

sensitive to other people's needs and emotions.

Nadia El Fertasi:

Criminals, they use the same emotional manipulation

Nadia El Fertasi:

techniques right to trigger either emotions of fear. So if

Nadia El Fertasi:

someone is worried about their health, they will use specific

Nadia El Fertasi:

language related to COVID to get them to click on a spoofed

Nadia El Fertasi:

account or medical record whatever it is. Someone is

Nadia El Fertasi:

worried about taxes, alright, it will use words or spoof counts

Nadia El Fertasi:

to do that. So they really use words and pretext to speak to

Nadia El Fertasi:

people's fear. The opposite is also true. There are a lot of

Nadia El Fertasi:

one of the prevailing challenge currently is loneliness,

Nadia El Fertasi:

isolation, right because of the pandemic, but even before but

Nadia El Fertasi:

it's just exaggerated. So unfortunately, criminals with no

Nadia El Fertasi:

ethical standards use to prey on these emotions to create

Nadia El Fertasi:

emotions of trust, right, to build this relationship. There's

Nadia El Fertasi:

another excellent book by

Nadia El Fertasi:

Robert Cialdini, The Psychology of Persuasion, 1984, where he

Nadia El Fertasi:

lists six principles of persuasion -- scarcity,

Nadia El Fertasi:

authority, commitment, consistency, liking, and

Nadia El Fertasi:

consensus. Liking, when we like someone, our defense mechanisms

Nadia El Fertasi:

go down, right, the first time when we see someone, we ask for

Nadia El Fertasi:

questions, subconsciously, who is this? What do they want? How

Nadia El Fertasi:

long does it take? And are they a threat? So they know to use

Nadia El Fertasi:

tactics to lower people's defense mechanisms. So they can

Nadia El Fertasi:

use these techniques. Well, it is important to be aware and to

Nadia El Fertasi:

use empathy, not to be afraid or to be paranoid, but to

Nadia El Fertasi:

recognize, because let me give an example why emotional

Nadia El Fertasi:

intelligence and empowerment is important. If you have an

Nadia El Fertasi:

organization where people don't feel empowered, if you have an

Nadia El Fertasi:

assistant or receptionist or support staff or customer

Nadia El Fertasi:

support agents, that will is asked whether to email whether

Nadia El Fertasi:

to deep fake technology by replicating the voice of the CEO

Nadia El Fertasi:

to make a million dollar transfer in bitcoins, which

Nadia El Fertasi:

happens, right? If they fear the reaction of their CEO or the

Nadia El Fertasi:

leadership being reprimanded or disciplined, they will act based

Nadia El Fertasi:

on that impulse, right? So it is really important to understand

Nadia El Fertasi:

not only empathy, but emotional intelligence or the human

Nadia El Fertasi:

element to not be paranoia. Fear is just a consequence of what we

Nadia El Fertasi:

don't know. When there is a gap in our mind, the mind

Nadia El Fertasi:

doesn't like it. So it goes into survival mode. Remember the

Nadia El Fertasi:

tiger, and everyone is so many people currently, no one, say

Nadia El Fertasi:

everyone are under constant pursuit of a predator. But it's

Nadia El Fertasi:

not a predator, but the effect is the same. Right? And you can

Nadia El Fertasi:

follow Andrew Huberman Stanford professor and neuroscientist,

Nadia El Fertasi:

who has loads of research and podcasts about the effect on

Nadia El Fertasi:

this on the brain and how we need to create cultures where

Nadia El Fertasi:

empowerment where you know, of course, stress is healthy in a

Nadia El Fertasi:

certain way. It is all about how we perceive stress. And it's all

Nadia El Fertasi:

about chronic fear, chronic stress, we need to find the

Nadia El Fertasi:

right balance of intense emotion that people are alert. But also

Nadia El Fertasi:

okay, practical, how do I react? No. Right? And this is something

Nadia El Fertasi:

that needs to be the exercise. And one last thing I

Nadia El Fertasi:

will say based on our just previous discussion on how do

Nadia El Fertasi:

you communicate because one of the challenges we faced at NATO

Nadia El Fertasi:

is that project manager, scientist, IT, cybersecurity,

Nadia El Fertasi:

rightfully didn't think it was their job to become PR

Nadia El Fertasi:

communication experts. So an organization's would really

Nadia El Fertasi:

invest in the person or an office as part of the office

Nadia El Fertasi:

that actually gathered all the information translated in a very

Nadia El Fertasi:

structured way for decision makers for the people that

Nadia El Fertasi:

needed to know for the resources community committee. So we took

Nadia El Fertasi:

the information and tailored it in different messaging in

Nadia El Fertasi:

people's language for defense planning policy committee, the

Nadia El Fertasi:

resources and governance, the Military Committee, the

Nadia El Fertasi:

ambassadors made this highest decision making everyone had a

Nadia El Fertasi:

different interest. And I think it is unfair or unrealistic to

Nadia El Fertasi:

ask your people to become first cyber experts, because it's just

Nadia El Fertasi:

another layer of information and burden that they won't implement

Nadia El Fertasi:

or do. But it's to have this bridge between these

Nadia El Fertasi:

different business units communication bridge, both

Nadia El Fertasi:

preparing messages for external and internal stakeholders. And

Nadia El Fertasi:

the last thing I will say very last thing is not your

Nadia El Fertasi:

spokesperson or your communication person is not

Nadia El Fertasi:

necessarily always the best-placed person for stakeholder

Nadia El Fertasi:

engagement right? Here. It comes to the principle of liking. If

Nadia El Fertasi:

you want to incentivize behaviors, you also need change

Nadia El Fertasi:

agents within your organizations that people can resonate. Even

Nadia El Fertasi:

your most critical person would be a great model, right? To

Nadia El Fertasi:

start with them, and then they can help you influence and

Nadia El Fertasi:

change behaviors with people that relate to them

Dr. Dave Chatterjee:

Absolutely, in fact, there is a lot of

Dr. Dave Chatterjee:

research on the role of change agents in helping organizations

Dr. Dave Chatterjee:

deal with different levels and types of change. And that could

Dr. Dave Chatterjee:

probably be a discussion for another day. Another point I'd

Dr. Dave Chatterjee:

like to make, which aligns with what you said. And that goes

Dr. Dave Chatterjee:

back to this assumption about people, about workers, we

Dr. Dave Chatterjee:

definitely don't expect everyone to be a cybersecurity expert.

Dr. Dave Chatterjee:

But we do want to raise the overall level of awareness,

Dr. Dave Chatterjee:

overall level of knowledge, because each person is a

Dr. Dave Chatterjee:

potential point of vulnerability. But the whole

Dr. Dave Chatterjee:

approach to mobilizing support, to incentivizing the right kinds

Dr. Dave Chatterjee:

of behavior has to be anchored by the belief that the when

Dr. Dave Chatterjee:

people come to work, they come to work with good intentions,

Dr. Dave Chatterjee:

they come to work to do good things. And this I, you know,

Dr. Dave Chatterjee:

I'm stealing this quote, I'm paraphrasing this quote, from a

Dr. Dave Chatterjee:

good friend of mine, who is a CEO of a major corporation, and

Dr. Dave Chatterjee:

who said it very well. He said, Dave, I always will believe will

Dr. Dave Chatterjee:

assume that people come to work to help to do good things to do

Dr. Dave Chatterjee:

great things. So we are not talking about people who are

Dr. Dave Chatterjee:

unwilling to change, unwilling to, you know, adjust their

Dr. Dave Chatterjee:

behaviors, it's a matter of how you communicate, how you

Dr. Dave Chatterjee:

relate to them. But recognition of these factors, becoming aware

Dr. Dave Chatterjee:

of all the or at least becoming knowledgeable in the field that

Dr. Dave Chatterjee:

allows you to bring about this change in mindset, this change

Dr. Dave Chatterjee:

in culture, or to enhance the level of human capability,

Dr. Dave Chatterjee:

that's an area that organizations need to more

Dr. Dave Chatterjee:

carefully think about, needs to look for the right kinds of

Dr. Dave Chatterjee:

expertise to guide them. Because it is not something that I see

Dr. Dave Chatterjee:

organizations normally gravitating to. It's more like,

Dr. Dave Chatterjee:

here are these cybersecurity trained professionals, they know

Dr. Dave Chatterjee:

how to apply the controls, and they're gonna guide us. But this

Dr. Dave Chatterjee:

discussion we've had, it is still speaks to a human related

Dr. Dave Chatterjee:

control. But the ability to effectively implement

Dr. Dave Chatterjee:

it requires, I believe, a very different skill set. Can you

Dr. Dave Chatterjee:

speak to that, as we wrap up this conversation?

Nadia El Fertasi:

Yes, of course, I couldn't agree more

Nadia El Fertasi:

with actually everything you said. I mean, I will speak

Nadia El Fertasi:

to this from, you know, expertise, but mostly from

Nadia El Fertasi:

experience. I think we think the change is linear, right? So we

Nadia El Fertasi:

have we used this change program models like John Kotter, we do

Nadia El Fertasi:

all the steps, and then we're done. Right? Change happens to

Nadia El Fertasi:

us, transitions happen within people, right? There's a

Nadia El Fertasi:

different process within people you need. There's no way around

Nadia El Fertasi:

this Dave, you need leadership, to drive sustainable change, you

Nadia El Fertasi:

need healthy organizational culture. People want to know

Nadia El Fertasi:

people don't wake up in the morning, and they want to

Nadia El Fertasi:

sabotage their work, they want to sabotage their computer.

Nadia El Fertasi:

They're just overloaded, often, right? People want to do good.

Nadia El Fertasi:

If you have people working for your organization, because they

Nadia El Fertasi:

feel committed to your values, right? They will be a part of

Nadia El Fertasi:

something bigger. And if you really play into that, in a

Nadia El Fertasi:

sense, if you really build a genuinely build it and not only

Nadia El Fertasi:

have training, right, not only bring outside expertise is to

Nadia El Fertasi:

really make healthy organizational culture and

Nadia El Fertasi:

security is ingrained in it because we are working online,

Nadia El Fertasi:

right? It's not something ad hoc. It should be basic stuff.

Nadia El Fertasi:

If people would do basic cyber hygiene, they don't need to

Nadia El Fertasi:

become a cybersecurity expert, they can reduce up to 80% of

Nadia El Fertasi:

cyber risk, right? So it is but how can you expect people to do

Nadia El Fertasi:

something extra? They don't know how it looks like they don't

Nadia El Fertasi:

know what it is they perceive it as a burden. They think it's

Nadia El Fertasi:

command and control. They don't do it, they will get disciplined

Nadia El Fertasi:

or bad mark on there, etc, etc, etc. Or is everyone going to do

Nadia El Fertasi:

it? No, but it really needs to be at the top. The second thing

Nadia El Fertasi:

I will say is every organization needs to have an incident

Nadia El Fertasi:

response team or crisis management team. And you need to

Nadia El Fertasi:

survey those people who you put in there, their levels of

Nadia El Fertasi:

emotional intelligence in the sense on what is the function?

Nadia El Fertasi:

What is the requirement they would need to improve? Do if you

Nadia El Fertasi:

have someone who has low levels of assertiveness, for example,

Nadia El Fertasi:

so they don't necessarily speak up, especially when they feel

Nadia El Fertasi:

discomfort, if that person is part of your crisis management

Nadia El Fertasi:

or incident response team, it is unlikely they will ring the

Nadia El Fertasi:

alarm bell when they see something, right, because they

Nadia El Fertasi:

will perceive it as very uncomfortable, right. And then

Nadia El Fertasi:

the alarm bell is rung too late. And I think one of the

Nadia El Fertasi:

complaints of the senior leadership I worked with in NATO

Nadia El Fertasi:

was that people didn't tell them early enough the problem because

Nadia El Fertasi:

they were so high up, or they were you know, they thought that

Nadia El Fertasi:

didn't want to burden them or they didn't want to look bad on

Nadia El Fertasi:

them. Right. And here's where my Dutch mindset came good in

Nadia El Fertasi:

because I always spoke my mind, which they appreciated because

Nadia El Fertasi:

very few people right? Speak their mind for reasons or

Nadia El Fertasi:

because they also feel frustrated when they don't see

Nadia El Fertasi:

any action. So I think it requires leadership and culture,

Nadia El Fertasi:

and when you invest in those, that's how you change.

Nadia El Fertasi:

Transformation is a journey. It's not a one thing, don't

Nadia El Fertasi:

think we're gonna do an organizational change as a

Nadia El Fertasi:

one year program or two year program. Yes, you can have

Nadia El Fertasi:

models and change management processes that get you there.

Nadia El Fertasi:

But you always need to have you know, you need to have a core

Nadia El Fertasi:

foundation and have enough flexibility to stay relevant in

Nadia El Fertasi:

today's age and to support the people. So also when you hire

Nadia El Fertasi:

and attract talent, make sure it's the right mindset, right,

Nadia El Fertasi:

the right values as well, because those people will go

Nadia El Fertasi:

above and beyond. And even when the last thing I will say there

Nadia El Fertasi:

was a study that said one of the top reasons why people have low

Nadia El Fertasi:

levels of engagement or are reluctant to change is they

Nadia El Fertasi:

don't feel recognized. They don't feel appreciated. So it's

Nadia El Fertasi:

not even the paycheck that is the most important parameter. It

Nadia El Fertasi:

is recognizing your people. And I don't mean just patting them

Nadia El Fertasi:

on the back. But truly recognizing and appreciating and

Nadia El Fertasi:

having programs and doing it you know, in the way that we treat

Nadia El Fertasi:

people as human beings, right, there's nothing soft about that.

Nadia El Fertasi:

It is a sense of business survival. You cannot treat

Nadia El Fertasi:

people as numbers anymore, no matter where they come from, or

Nadia El Fertasi:

no matter how their mind is wired. And I think this is what

Nadia El Fertasi:

separates us from AI machines.

Dr. Dave Chatterjee:

Fabulous. Well, Nadia, I wish we could go on. But in the interest of time, we have to pause here with the intent of picking it back up sometime in the future again. It's been truly a pleasure. Thank you for your time.

Nadia El Fertasi:

Thank you Dave. It was my pleasure.

Dr. Dave Chatterjee:

A special thanks to Nadia El Fertasi for her time and insights. If you liked what you heard, please leave the podcast a rating and share it with your network. Also, subscribe to the show, so you don't miss any new episodes. Thank you for listening, and I'll see you in the next episode.

Introducer:

The information contained in this podcast is for general guidance only. The discussants assume no responsibility or liability for any errors or omissions in the content of this podcast. The information contained in this podcast is provided on an as is basis with no guarantee of completeness, accuracy, usefulness, or timeliness. The opinions and recommendations expressed in this podcast are those of the discussants and not of any organization.

About the Podcast

The Cybersecurity Readiness Podcast Series
with Dr. Dave Chatterjee

About your host

Dave Chatterjee

Dr. Debabroto 'Dave' Chatterjee is a tenured professor in the Management Information Systems (MIS) department at the Terry College of Business, The University of Georgia (UGA). He is also a Visiting Scholar at Duke University, affiliated with the Master of Engineering in Cybersecurity program in the Pratt School of Engineering. An accomplished scholar and technology thought leader, Dr. Chatterjee's interest and expertise lie in the various facets of information technology management, from technology sense-making to implementation and change management, data governance, internal controls, information security, and performance measurement. His work has been accepted and published in prestigious outlets such as The Wall Street Journal, MIT Sloan Management Review, California Management Review, Business Horizons, MIS Quarterly, and Journal of Management Information Systems. Dr. Chatterjee's research has been sponsored by industry and cited over two thousand times. His book Cybersecurity Readiness: A Holistic and High-Performance Approach was published by SAGE Publishing in March 2021.