Garrett O’Hara is the Principal Technical Consultant at Mimecast having joined in 2015 with the opening of the Sydney office, leading the growth and development of the local team. With over 20 years of experience across development, UI/UX, technology communication, training development and mentoring, Garrett now works to help organisations understand and manage their cyber resilience strategies and is a regular industry commentator on the cyber security landscape, data assurance approaches and business continuity.
The Get Cyber Resilient Show Episode #23
Cyber security leader, Chirag Joshi, joins Gar to discuss his career journey and what it means to be ‘cyber aware’. Chirag is the Director of ISACA’s Sydney Chapter and author of the 7 Rules to Influence Behaviour and Win at Cyber Security Awareness. Chirag has also created, rolled out and successfully managed cyber security risk awareness programs across multiple countries and is a much sought after speaker at cyber security events. During this interview, Chirag and Gar discuss a range of topics surrounding creating awareness in your workplace, including the dangers of being boring, why you shouldn’t rely on bad news stories, why context is important, how to use you allies, and most importantly — how to get the support of upper management.
Visit Chirag’s website to get your hands on a copy of his latest book: https://www.chiragdjoshi.com
The Get Cyber Resilient Show Episode #23 Transcript
Garret O'Hara: [00:00:00] Welcome to the The Get Cyber Resilient podcast. I'm Garret O'Hara. And this week we are joined by Chirag Joshi, security leader, director for ISACA's Sydney chapter and author of 7 Rules To Influence Behavior and Win at Cyber Security Awareness. During the course of Chirag's career which spans multiple countries he's created, rolled out and successfully managed cyber security, risk management and security awareness programs. He's done that through a solid focus on business priorities, being pragmatic on cyber threats and engaging stakeholders. Chirag's an engineer. So he gets the hands on tech stuff like networks, apps, database, and user computing, but he's also got that deep practical knowledge of quite a few frameworks and standards. In his words, it's an alphabet soup of NIST ISO PCI DSS, [inaudible 00:00:52] HIPAA ASD. You get the idea.
In the interview we do focus on the cyber awareness aspect of his expertise in cover amongst other things, the danger of being boring, what goes wrong when you rely on bad news to push cyber awareness, what context is important when building your cyber awareness program, how to you use your allies in the organization? We took through overlaying the smart goal approach for solid outcomes and cyber awareness. We talk about the importance of persistence and consistence, and then maybe the most important piece of the puzzle, getting the support of senior management. Chirag's a high energy guy, and he's got lots to say on this topic. So please enjoy.
Welcome to the Get Cyber Resilient podcast. I'm joined today by Chirag Joshi, who is an author of the book, 7 Rules To Influence Behavior and Win at Cyber Security Awareness. Welcome to the show Chirag.
Chirag Joshi: [00:01:44] Thank you Gar, pleasure being here and, uh, a big hello to your listeners.
Garret O'Hara: [00:01:49] Yeah. It's good to see you. We crossed paths it's a few years ago now and um, I think we're actually in a meeting together at one point discussing cyber security, and then I saw you, um, I think it was just after a talk at one of the conferences, so it's good to cross paths and finally get to chat on the podcast.
Chirag Joshi: [00:02:06] Absolutely. Uh, time flies, time flies when you're having fun.
Garret O'Hara: [00:02:10] [laughs] It certainly does. Um, do you mind just kind of running us through how you got to where you are today? You've obviously got a fairly varied and wide career and, uh, you know, culminating in writing a book, which is incredible. And congratulations on that. But can you just kind of run us through your kind of journey to, to where you are today?
Chirag Joshi: [00:02:29] Sure. Uh, thank you for the congratulations. So while I became, or officially became a cyber security author last year, uh, I've been building, implementing and managing cybersecurity risk compliance and awareness programs for over a decade, uh, primarily in Australia and the United States. So I started my career in the US uh, after getting my masters in telecommunications management. Uh, so I started off in more technical roles, so building, uh, and managing systems, uh, running firewalls, uh, and other security solutions, uh, and then, you know, got involved with PCI DSS in its early formative days. Uh, and then slowly, uh, through the years progressed into, you know, more organizational wide governance and risk roles. Uh, and, and I guess, uh, when I think about my career, uh, I did not plan it exactly the way it's panned out. And actually that's a good thing because, you know, cybersecurity world dramatically in the, in the last 10 years when I started out, the word cyber security, wasn't really a word, it was, uh, information security and previously IT security.
So it's gone through a few iterations. Uh, but from a personal perspective, you know, I really worked with a lot of different frameworks. So back in the US I used to be a HIPAA security officer. So for the folks not familiar, HIPAA is a United States law that relates to protection of health information. Uh, so that was, that was rather interesting. And then, you know, obviously with PCI DSS and other compliance frameworks. So after moving to Australia, you know, I've seen, uh, NIST cybersecurity framework get a lot of traction here. Uh, and the good thing was, I'd worked extensively with that in the US so I think the timing just aligned nicely with me being in this country and, and working on those initiatives.
Uh, but when I think about cybersecurity for me, it's, it's really a passion, uh, in the sense that I believe that it really enables human progress through trust in technology. I think the world we live in right now, and especially, you know, in aftermarket of COVID and the pandemic, uh, in the midst of which we are in right now, for organizations to work remotely and for us to sustain this level of productivity, while still keeping our sanity of being in touch with family and friends, wouldn't be possible without technology. And then this wouldn't be possible without trust in technology. So I think security plays a significant role in that. Uh, so it's, it's, it's been a big part of my, my interest, not just from a career perspective, but also from a personal perspective. Uh, and hence why, you know, I do a lot of talks, presentations conferences, and the book was kind of born out of, of that, uh, that idea as well.
Uh, so yeah, that's, uh, that's been my experience and the motivations, uh, for my cyber career. Uh, recently I've also taken up a directorship at ISACA Sydney chapter, uh, and ISACA is a global organization for, uh, IT audit, uh, risk and security professionals. And it's been a pivotal part in my own growth. You know, when I started pursuing certifications in industry, uh, started off at a Certified Information Security Manager, uh, then CISA, which is an audit and then CRISK, which is around risk management. You know, it's, it's been, uh, a key part of my growth. So that's another part I talk about when I talk about my career.
Garret O'Hara: [00:05:58] Fantastic. And as you say, the, the book came out last year and I really liked the layout of it. Um, 'cause I think it's sort of, I'm a big fan of kind of, um, call them structured sort of approaches to a problem. Um, and it definitely feels like that is kind of your approach, which, you know, I'm kind of definitely bought into and you actually hope in with the idea of stop relying on bad news, which I'm really bought into if I, um, if I was on Twitter or would have been part of the no more hoodies hashtag-
Chirag Joshi: [00:06:27] [laughs]
Garret O'Hara: [00:06:27] When that was going around. It's just, it's one of the most, yes, silly kind of memes I think that exists in cyber security, but your, your overall message there, I think is really important, which is the power of positive news to affect change versus the negative kind of approach. How do you, how do you think leaders can change or pivot into using more po-, you know, positive approaches to, to get good cyber security awareness outcomes?
Chirag Joshi: [00:06:51] Yeah, that's, that's such a key point Gar. I- I'm very, I feel very strongly about that point, uh, because I really feel the cybersecurity industry as a whole fell in bit of a group think, uh, where we started relying on, on fear and, uh, negative news coverage to promote cybersecurity. And look, I, I, I get the idea behind it. Uh, and obviously there are incidents and, and key, you know, developments, they need to be reported, but that's not the point. The point is us relying exclusively on that fear factor. And, uh, you know, and most of your listeners probably know this, but a vast majority of cybersecurity incidents happened because of human errors and mistakes. Uh, that's the key part. So I will reset, cyber security's fundamentally a human problem. And we need to see how human beings learn to solve this problem.
A lot of money is being spent on cybersecurity awareness and has been spent over the past few years. And we haven't seen a substantial change in human behaviors, so clearly something's off. And that, that was my point of point of view. And then I came across some really good research while I was researching for my book. And this was by, uh, Dr. Talley Jared, uh, out of UCL in the UK. And this talked about how human beings learned from good news versus bad news. And by bad news, I mean, mornings, you know, uh, things like negative news coverage and, and, and good news it's placed to positive reinforcement aspirations. And what, what came out of that was, you know, humans, uh, learn well from good news all through your lifespan. From a young age, you know, uh, you know, in our, in our teens all the way to, uh, you know, up to a 70, 80. And, uh, the impact of bad news while is reasonable, you know, in your twenties and thirties drops dramatically after midlife.
And, and, and if you look at all major statistics and reports, you see that people who end up becoming victims of cyber crime and lose most amount of money to cyber crime tend to be older folks. And there are obviously reasons for that, you know, ranging from them from where they are at this point in their life. Uh, you know, with families, potential losses of partners, uh, you know, more disposable income, lack of, uh, lack of inherent, uh, technology, uh, upbringing, I guess in some ways. Uh, so I think those factors contribute to it. Uh, so that was the Genesis of, you know, we need to move away from bad news. And, and when it comes to, how do we use good news? Well, look, I think there are, there are very some clear ways and we're going to leave them out in the book.
We don't have to start, you know, promoting a false sense of euphoria around things. I think we can just talk about what we essentially started talking about is how technology has helped us, uh, in, in our lives and how it continues to change the way our civilizations work, how we communicate better, how we collaborate better, how we can actually do business in countries where we wouldn't have been able to, unless we were physically there. So to sustain all of this, we need to ensure that people can trust technology. People can stay secure online. And if you start with, you know, what the positive intention is of the organization, what are we trying to strive for as a company? And most companies have that they have their missions, they have their values, they have the strategic objectives, and then tying how security tangibly plays a role. It's not just lip service to security, oh we need to be secure. We need to protect against tax, not really. For us to sustain as businesses, we need to ensure that we have security and all of us have a role to play.
Uh, what happens is when we start scaring people too much people, uh, there's a, there's a term which is used in sports, which is chocking under pressure. Um, people choke under pressure and fear causes us to freeze. It does not strive us to take action, uh, or positive action anyway. And that's, that comes from positive aspirations. It also comes from having a sense of control around things. If we can control some outcomes and we believe we can control outcomes, people generally will act towards it. So giving people, some meaningful things to act towards and showing how that contributes to the overall success is a key here. And that, that really comes down to the aspect of, you know, if you move away from bad news and fear and actually have positive motivations and specific things that put people in control, we can, we can start tackling some of those real cyber issues.
Garret O'Hara: [00:11:25] Absolutely. And one of the other points there, I would say is his certainly being positive and, and that's, um, yeah, I mean, if you look at the, the people who train animals and, you know, and fundamentally we are animals, these clickers, and they figure out what the animal's motivation is, it's often food. So, you know, with a clicker and the right sort of motivation, you can trace them, train most animals to do the right things. So it's, it's not hitting them. It's not fear, it's positive motivation. And that's what professional change sorry trainers would do. And the other part is this-
Chirag Joshi: [00:11:54] You've seen that. Absolutely. And you've seen that through other, you know, other, other areas. And that's, that's part of my, my thinking it on the book also was that we need to think of areas outside of IT and cyber, and exactly what you just mentioned is an example of that People have solved this problems in other areas. This is not unique to us in terms of how to change behaviors. Uh, this is being done well in public health campaigns. They've evolved over the years. Uh, we have lot more data now from neuroscience and behavioral psychology that, that we didn't have previously. And all of that talks about these issues. And that's where this comes from, uh, where I still see, you know, people, uh, come and the feedback I get as well, incidents and cyber attacks get attention, and that's fine. It gets attention, but does this sustainably change behavior? And the answer to the previous, the first one is yes, get attention, but does not change behavior. At least it hasn't yet.
Garret O'Hara: [00:12:49] Yep. And that is, that's kind of the key point. And you talk in the, the sort of second rule that don't be boring. And which I 100% bought into.
Chirag Joshi: [00:12:57] [laughs]
Garret O'Hara: [00:12:57] I think he's done a few of those things. I've done a talks where I use a print ad from a CSO, you know, a pretend CISO with tips on how to be secure, change your passwords. Don't leave your laptop open, but it's, it's a traditional missive that you would see from a security professional, very wordy. And, um, the idea is that I put those on the seats before the talk and in one of the bullet points, it says, if you've read this far, roll up the piece of paper and throw it at the stage when you see the picture, blah, blah, blah.
Chirag Joshi: [00:13:28] [laughs]
Garret O'Hara: [00:13:29] And it's sort of an amazing moment in the top because, you know, some people stand up and throw this piece of paper, but everybody else, and most people haven't read the wordy security bulletin. So there's this beautiful moment in the top. But I think it sort of perfectly to me sums up the problem with a lot of security awareness training and programs is that they just don't stick in people's minds. Where do you see it going wrong?
Chirag Joshi: [00:13:54] Well, I, I think, uh, it goes wrong when you have primarily security people and, and technology people. And I don't mean to, to denigrate, uh, intelligence and, you know, general capabilities of our, of our professionals. It's really, the idea is when we have people who we, assume understand this intuitively, uh, right content, I think that's where we start going wrong. Uh, via not writing it, or we are not producing content or creating awareness content that is looking at it from a completely layman's perspective. We don't need to insult people's intelligence, uh, by, by dumbing the message down so much that it does not have any resonance. At the same time we need to reach out to people in a way they can actually understand the absorbed information.
Uh, people's attention spans are diminishing, and there've been diminishing consistently. You will see all studies on, you know, our human attention span now is close to a Gold fish, which is, you know, few seconds really. And that is, that has progressively worsened over the years. So even if something worked 10 years back, it's not going to work now. So that's, that's the, that's another area. The thing on boring content also, I feel is just sheer laziness, uh, is, you know, repurposing a lot of content, which was developed, you know, like I said way back, you see, we still see, you know, who do you reading pitchers? We've talked about the still see core from, you know, similar to the movie matrix, which was in the nineties now it's those to close to 20 odd years. And we still use imagery like that, which, which it just is not going to resonate with people. Uh, you know, we're just trying to pack the secure behaviors.
Uh, the other bit, I feel is a bit of a scattershot approach in, in how you've talked about cyber. We try to throw everything and the kitchen sink and just try to communicate everything. Whereas if we truly get our messaging, right, if it's, it's interesting, it has a nice image if it's in walking emotions and people, and if it's targeted to something specific that we need to get out of them, I think that's where the value is. I don't think in today's time, we seeing a lack of awareness. People are generally aware or more so than they were previously. What we are seeing is lack of application of that knowledge. And that comes with specific, uh, with specific messaging, which is targeted the key risks that matter to us. Uh, I also think there are ways we can improve that whole, you know, don't be boring idea and that's by competitions. The, you can actually have healthy peer pressure.
And I was cited some, some, you know, some interesting case studies in the book, which talk about how, you know, the in, in the UK, uh, the, the tax agency there was able to, you know, get more people to comply by just, you know, positive peer pressure, uh, and the same with, you know, competitions when you run them. And you actually are creating healthy competitions amongst the people, uh, and is [inaudible 00:16:45] is to kind of make it fun and interesting. I think it works a lot better, uh, than if you're just going off putting all the one way comms. Uh, it needs to be, it needs to be two way. It can't be one way. And so far we seen predominantly one way comms coming out of our security teams and marketing team has been corporate comms team with very little in the way of, you know, taking back from our people.
Uh, and sometimes people are just, uh, intimidated when they see, you know, security, people are telling them things to do, and we never really listen. Right. I think that's the problem is we are, we need to listen better. Uh, people are not stupid when they make mistakes, they are human. And, and sometimes they have 50,000 things going on that we need to account for. And especially in this time, you know, where there are so many stressors on us beyond, uh, beyond just our work. I think it's even more so important that we listen to people and see what the concerns are and tailor our messages. And people, if they ask them properly, they'll usually come back and tell us.
Garret O'Hara: [00:17:40] Yep. No, I totally agree with you. And, and, you know, getting the messaging part is obviously critical. And the other part is, uh, the idea and in your book, you about the being smart in your approach and, you know, smart being the, kind of the goal setting, um, approach, I think you said in the book, it's from the eighties and it feels like it's definitely been around that long.
Chirag Joshi: [00:17:59] [laughs]
Garret O'Hara: [00:17:59] 'Cause I know I've been using it for, for quite some time, but, you know, it's specific, measurable, achievable, realistic time-based, yeah.
Chirag Joshi: [00:18:08] Relevant. Yeah. It, it, they have a few versions of that, but they all kind of talk about the same thing is, you know, setting the smart, smart objectives, smart goals. And look, I think it's really important when it comes to cyber security awareness, specifically awareness training culture, uh, because I, for far too long, we run cyber awareness programs being sort intuitions and you know, what the right thing to do and throwing everything at the, uh, you know, at the problem in terms of, you know, even people who, who, who have better awareness programs in terms of, you know, doing phishing simulation campaigns or, or doing training still, haven't really tried to figure out what is the key outcome they are trying to get at. And that's what I refer to in this rule is by using the smart methodology, if you can actually get to achievable outcomes.
An example of that is, you know, after three months of, uh, of, of, of training on identifying suspicious emails, uh, the click rate in the organization will drop below 10%. Very simple example, but just showing you that this is very specific, you know, it talks about a use case that if identifying suspicious emails is a time bound is three months. It has criteria of being measurable because it's just 10%, you know, you're trying to get below that. If you start with that, you can, you can focus your energies on primarily, you know, getting that outcome. The other thing is, I think we need to move beyond just, you know, click rates and click rates implies, you know, number of people who click on phishing emails. We need to move beyond that actually into more into reporting as well. How many people actually recognize and report those emails? Because that's, that's another factor of sh is more positive, I guess, you know, it's not just recognizing and taking on staff, but are you helping your mates? Are you being a good corporate citizen by reporting malicious in front of you in activity?
So that's another angle we can take. So I feel those are really important because they also force you to tie different things. They force you to kind of introspect closely what are the key cyber risks that each unique organization faces and while some of them are consistent, some, some are really different for different organizations, depending on the space you operate, if you're an eCommerce company and I lost services massive for you, if you're a small, you know, health clinic, which just has a static website telling your eyes of operations, well, maybe not as much, right. Uh, in terms of revenue. Uh, so I think it's, it's a combination of those of those factors.
So, uh, that's where the smart objective comes in. And, and this is also me and I talk about awareness and, uh, an education it's we sometimes feel that this is all rocket science. It's really odd because, you know, for our antivirus, antivirus solutions for other security solutions, we've had this for awhile. You know, if a lot of viruses are, are, you know, uh, coming through, despite our malware protection solutions, well, something's off. And we know we know the metrics for that. So we need to look at cybersecurity awareness and training in the same way and not find it on Duchenne and, you know, just broad objectives without specificity.
Garret O'Hara: [00:21:08] Yep. Totally agree with that. And even in the book, you have the question, what happens if the awareness program, program doesn't meet its objectives? I think that's a really interesting way to think about it because I think quite often that's just never a consideration, you know, but there is, there's an impact if we don't get this stuff right. If it's not done well, there's an actual material impact to the organization, to the business.
Chirag Joshi: [00:21:32] Yeah, absolutely. And look, that's, that's where it comes down to being part of a holistic cyber risk management process, right? So we need to view awareness as a key control for certain cyber risks. And if this control is not working effectively, we are more exposed to those risks. You know, we talk about fishing, that's an obvious one, but just in this, uh, the times we're talking Gar, we've seen some significant cyber attacks hit a few major organizations recently, and a lot of that attribute attribute them to ransomware. Uh, and, and, you know, again, a lot of information is not available, but it's fair to assume that a lot of, uh, you know, attacks start with a phishing email or a phishing message. And as we get beyond phising, uh, we start thinking about deep fakes where people can actually fake, you know, videos or fake audio, uh, uh, people's voices, you know, CEO faces, uh, and recordings. I think that becomes even harder.
So that's where I talk about, you know, the impact of this could be really, really severe if we don't look at awareness as a key control for specific cyber risks. And also I'll just throw in one more thing there, I mean, a big problem facing his budgets, right? I mean, and I think if you're not able to justify investments in this space, you're on the, you run the risk of not supporting the program and too often, you know, so far because everybody is going to, what about the cyber posture? We're seeing investments thankfully coming into space, but at some point boards will start to question more and more on the returning of getting. And if we haven't tied awareness back to those objectives, I think it becomes harder to justify.
Garret O'Hara: [00:23:09] Yep. I 100% agree. And one of the things is the, that idea of, you know, one size barely fits all is the name of the chapter, but it's that idea that we maybe have an overfocus on vanilla training and rather than being contextual and tailored. And you've mentioned that things like phising campaigns is a really good way to, I think, test a, an end user base. But there is this idea that actually security is much broader. And you've mentioned some of that already, but things like not plugging in a USB drive, not leaving your laptop unlocked, uh, when you walk away, even if you're within a secure office, like the, the idea of culture and security is very contextual based on the type of organization, the size of organization, um, your role within that organization, which I think you, you covered in the book as well. Um, what, what do you like, what are your thoughts there in terms of like how to be much more, um, bespoke, maybe, but much more targeted in terms of the training that's delivered and then some of the practical things that organizations can do?
Chirag Joshi: [00:24:13] Yeah. Look, I think that's where, uh, breaking down our, our organizational cohorts are stakeholders is really important and understanding what matters more to certain groups than others will help us kind of tailor training. So we've seen tailored trainings for a long time now, when it comes to training, you know, system administrators or developers, uh, that's, that's good. But what I'm really talking about is, you know, go beyond that, that are, uh, there's a cohort in our organizations, which is more frequently targeted or is more frequently at risk of, of accidental data exposure than others. Uh, these, these kind of typically are folks in HR, finance, uh, executive assistants, uh, for key senior leadership, uh, senior leaders themselves. And we need to build out a risk profile that correlates to these stakeholder groups. And I think then delivering sharp training to these, these groups based on the risks, they're more exposed to will resonate better because the, and you, you, you already addressed this, but, you know, there's so much to discuss in security, uh, everything from using password managers to, you know, uh, not connecting to public wifi for sensitive transactions.
And at some point people just get overwhelmed. And if, and that's another problem we face is over-communication. Uh, people can get overwhelmed and start ignoring us. So if you are, you know, if one of the, one of the things I talk about when it comes to all this training is also just in time training. It needs to be available to people just in time that action is actually happening. So, you know, with executive assistants, I said this before that the other gatekeepers to a lot of key data and did not have key contacts, uh, and training them on specifically social engineering type attacks, it goes a long way. And these folks also, uh, you know, handled calendars, uh, work in collaboration, tools, training them in those areas. You know, it really helps avoid that, uh, data breach type scenario, especially accidental.
So you take those aspects and then, you know, you can take it to, and that's where I think a stakeholder analysis super important. And you, you might need to run a few focus groups with the new organizations to get a sense of, you know, what, what people believe could be the risks, which we haven't thought about. Like we are thinking top down, we're thinking from our perspective and from the industry, uh, what this case stakeholders are. Uh, by view might, as we can have have more conversations realized that we haven't, we have some blind spots we haven't considered before. And there's some processes that are inherently not run in a secure manner and can just be addressed by a few training initiatives. And as, as we rely more and more on third parties and trusted partners to manage our systems, to collaborate with us, I think, uh, this, this just becomes even more so important.
Uh, and I talk about, you know, reducing friction in insecurity, we need to start reducing the effort people have to go through. Everybody wants to do the right thing. Look, I don't think, you know, most people don't want to do the right thing. I start with a premise. Everybody wants to help. We just have to make it super easy for them to help us. And that kind of comes down to, uh, us creating packages or creating trainings that are simple as short, sharp, you know, not putting a couple of slides if you want to use slides and just give it to people when they absolutely need it. And, you know, having this boring, uh, long, uh, you know, 30, 40 minute training when people are just joining the organization and then just making them redo the training after every two years and checking off a box, right. Uh, it's not going to work. And there are two ways to look at awareness and training. I feel the first one is informing and educating. The second one is actually influencing behavior. Most of the things we do is informing people. And I think we need this kind of mood was the second part more.
Garret O'Hara: [00:28:02] And how does that play it in practical terms, in terms of the influencing behavior I'm on board into, I think in the book you say, look, the messaging should be simple. The length of a couple of tweets. I think it was the way you could've made it real. Um, which like, to me makes sense. I think that's a big mistake that is made is that we include too much messaging in a single, you know, communication, and it just gets confusing and overwhelming as an end user, as an employee, you don't know which one you're supposed to do and you end up not remembering anything. So I definitely kind of buy into to that. But in terms of, you made the distinction between kind of, you know, knowledge and understanding, but actually then applying the knowledge, like what, what are your bullets and how to actually get the employees really practicing this stuff, you know, in a, in a meaningful way, physically locking machines, not, you know, doing the things that we talk about, they know they shouldn't be doing.
Chirag Joshi: [00:28:56] Yeah. Look, I, and okay, I think this is, this is the key point. I think that this is the heart of the conversation in terms of how do we get people to do things. Uh, and look, I feel a way which I have proposed is making it personal to people is making the impact truly real to people. Uh, and this starts with more, and that's where I talked about the idea of e-safety, uh, in Australia obviously has an ECF commissioner and they do a great job, but idea of online safety and the idea that safety and security are interlinked in today's day and time. Uh, what we talk about in our offices, be it, you know, physical security of our machines, devices, uh, patching, you know, password protection, using password managers, all of that applies in people's private lives. And, and every person in our organizations is the chief information security officer of their own homes because their families and their kids, uh, you know, rely on them to practice secure behaviors, you know, even things like which we haven't talked about before, which are really important in today's time, as, you know, sort of outer security in people's homes, right?
I mean, at the very least go and refresh it alter every few months, change your vendor default password, you know, things like that. Uh, so I think if you start making that connection and help people understand that if you keep them safe at home, they'll bring those practices into work as well. So I think that making it personal is really, really important. And also talking about it, talking about data breaches and privacy in more personal terms. So we, we all know that, you know, sensitive information, if, if it gets leaked out and cause reputational damage compliance fines. But I think we also need to talk about trauma and emotional distress, our customers and our stakeholders go to when the customer, when their personal information is leaked out.
And imagine if, you know, if somebody escaped a domestic violence situation and now their, their information is out in the public, you are exposing people to real physical harm. Uh, and also, you know, if you have older folks, people who are, people who are unwell and they're health information is leaked out and the personal information is compromised. I think if you're going to make these kinds of connections and then tell people it's not about, this is not about fear anymore. This is about actually the personal impact to all of us. And then a couple of simple things we all can do to prevent that people will relate to it and people will action that. I mean, once you can bring it in those terms and you make a very simple message, okay, how can I help understand this? How can I help? Well, can you please not write down passwords? Can you please just use a password manager? You know, I think that has a better traction than, than just using, you know, broad data breaches, and reputation damage without making it truly personal for people.
Garret O'Hara: [00:31:42] Yep. And, uh, yeah, the password manager, when I'm, I'm, I'm slowly but surely converting. Everybody I know to use password managers, uh, I think there apart from anything they're just way easier to, to go through life within trying to remember them all. So, um-
Chirag Joshi: [00:31:58] Hopefully we will live in a world, uh, you know, at some point where we won't passwords, uh, and you know, but, but, you know, while that's away, uh, you know, and that's where, you know, having multifactor authentication or two step verification for our services plays a key role because people will make mistakes with passwords, but I suggest, you know, password managers are getting better too. Some of them are just lifesavers in many ways, you know, it's just make life so easy. So I definitely recommend them.
Garret O'Hara: [00:32:24] And that's it. And then security as a way to kind of remove friction, which I think is important. So you just mentioned, um, getting help or how can I help her, I think was the sentence that you just said that said potentially a thing that could be applied more widely in cyber security and the use of other teams within organizations. So one of the things that I personally believe is that you can be really amazingly good at security that doesn't make you very good at messaging or communications. It doesn't make you good at change management. It just means you're incredibly talented person at security.
Chirag Joshi: [00:32:55] Well said.
Garret O'Hara: [00:32:56] What are like, from your perspective, like what are some of the way security leaders can change the outcomes that they're seeing through, well, really what you've described as allies. Um, but in the business or the organization that they work in?
Chirag Joshi: [00:33:10] Yeah. Look, I mean security in IT, I mean, thankfully we are now at a point where we don't have to say that word over and over that cyber security is a business problem, not a technology problem. I think most people understand that now. Uh, but it also now comes to, we, we have people in, in business who play very similar roles to what we play in cyber security. You know, part of it is also assurance. So we have some natural allies, uh, when it comes to, you know, risk practitioners, audit professionals, compliance teams, who just are part of the assurance group. Uh, but there are also allies in corporate communications, in marketing who, who live in and breathe in the space. Uh, they know how to target stakeholders. They know how to create catchy messages. And I think we need to take, we need to take their help as much as possible.
But we also need to kind of, you know, what I talk about as an approach of cheat sheets and what I mean by a cheat sheet is, you know, can you kind of articulate a security message, you know, in just a simple five or six bullet points, which any team leader or a manager can read through before starting a meeting. So, you know, I think that helps cascade the message better. And, uh, security champions, uh, initiatives, which are quite popular, you know, relates to having security advocates within the businesses, uh, that, that, that absolutely holds true. But I feel sometimes these programs fail because we haven't truly articulated what they're trying to achieve. Yes, find our security champions, but what are really going on? What is the thing that you want to get out of them? I think having these cheat sheets, having specific targeted outcomes, helping those areas.
So there are groups within your organizations you can, you can take assistance from. I think, legal, HR, are also key players in this game because they have a stake as well in this problem. So I think that's where we need to harness the power of allies and use them to cascade our messages. Because a lot of messaging already happens in organizations. [inaudible 00:35:06] can just tag along on them. We don't have to create new channels all the time. I think if we create a message, which is very simple, like all of the rules we've talked about so far, is that on simplicity and targeted messages, if you can create that, then you can take advantage of the existing channels.
So that's internal allies, but then also external allies. I mentioned, ISACA which I'm a member of and you know, [inaudible 00:35:27] but there are other organizations like Australian Information Security Association, ISC squared, you know, others who, who have a lot of good content. I think those memberships help you grow and help you kind of solve some problems, which other organizations have tackled. Uh, and then there are government resources. I think in Australia view being fortunate to have government has put out a lot of good, uh, cyber awareness and cyber information materials, uh, be it stay smart online, Scamwatch, I mentioned e-safety commissioner, you know, we there's so much free content out there, absolutely free and really good content out there. So I suggest we should, we should not feel isolated and try not to solve this problem in isolation as a security team. I mean, there are people willing to help and people in an organization outside who, who we can absolutely leverage.
Garret O'Hara: [00:36:14] Yep. No great, uh, great points. And you know, we've sort of talked about this a little bit earlier, and it's an idea that I'm a big fan of the, I think you described it as just in time training and, you know, there's this idea of when you've got a call it a coachable moments or a learning opportunity, that's really the best time that somebody can be presented with some sort of educational information and, you know, there's gonna be a repetition there. Um, what are some of the kind of practical ways that an average business can do that? I think you mentioned, you know, executive assistance earlier, but what are some other ways that kind of a business could approach that just in time education?
Chirag Joshi: [00:36:53] Well look, I think it's, uh, there are a few practical things, you know, like when you're trying to change your password, having a banner there in a simple way, talking about, oh, if you had a password manager, uh, it wouldn't have remembered this password, you know, like your download one, you know, that's a very simple example, but there are others where, you know, when it comes to collaboration tools or, you know, when somebody is trying to, like a lot of organizations are now leveraging Office 365 or, or, or Google solutions for the collaboration document sharing, I think having a clear kind of a banner there or training popup there, which tells people, hey, did, you know, a lot of native regions happened because people accidentally send emails to, or accidentally share information, you know, use this data prediction labeling or monitor says confidential or double checked, send address. I think those are, are the areas which we can practically start doing now.
And if you thought about what our key risks are and what are the outcomes we are trying to drive at this becomes, this becomes quite a useful exercise. Uh, one of the, one of the things that, you know, I recently worked on is, uh, getting people to start using, uh, data protection labels. So, you know, in the organization, I work if physically use those labels, not just the watermarks will appear, but also, you know, it will be encrypted by default. It will have access permissions by default. And all of that is fairly frictionless because all people need to do is click on, click on a label icon and just mark the thing as confidential. But, you know, it's not intuitive. It does not happen automatically. Uh, and that's where, you know, having to kind of just in time training, people don't need to learn about that in the induction training, right. I mean, it's fine. We can talk about it maybe, but when they will actually need it is when they start using it.
And just before an email for quick popup comes up, you know, don't have to annoy people. Uh, but you know, at least showing them the first time they're logging onto a system or, you know, maybe refreshing it every few months, I think that helps. So basically those, those are the things I'm driving yet. It doesn't have to be complicated. It can start with something as simple as the things I've talked about.
Garret O'Hara: [00:38:56] Yep. Phenomenal. And all of the things we've talked about so far, and they're all gonna need the support of senior management, of the ex-co, you're going to need the support of the people who are going to buy into and sign off on a program of works for change management or awareness training, like the, the million dollar question is how do you, how do you get the buy in and the continued buy in from senior management?
Chirag Joshi: [00:39:20] Well, that's, that's the key one, right? I mean, without that nothing, nothing's going to succeed. Uh, and, and this is where, uh, I, all of these rules, you know, in a way are linked, and it all comes back to remember how we talked about, you know, what happens if the org- organization objectives or awareness objectives are not achieved. And I talked about the fact that, you know, at some point the funding is going to come in question. And, and, and executive support is not just about funding. It's also about walking the talk and actually being visible and advocating security practices openly. Uh, how do you get that? As you know, I think that starts with engagement at the right level. And it starts with clear tying in with our strategic organizational objectives, uh, and, and security needs to do a better job of that. We cannot talk in generalities about these type of issues. If our objective is to, you know, hypothetically be future-proof by leveraging best in breed of emerging technologies. Well, security needs to kind of show how they're going to tie into this picture. Well, probably by, you know, changing an operating model or changing our device model. And, you know, uh, I think that that's the kind of conversation that needs to go into security is one strategy and principles.
So once we create that linkage that helps get the initial buy in, but then we also need to kind of progress bit to our reporting, need to demonstrate how our efforts and investments are shaping up. And that's where, you know, the smart objectives and metrics will help, you know, what gets measured gets managed, what gets managed shows value. And I think that's where you start showing value. So that needs to happen. But then the big execs also, and the senior leadership ultimately to be visible and they need to talk about security, not just in general is again, I think they need to be seen doing specific things, that I've kind of talked in the book, you know, like have them [inaudible 00:41:14] like have them show security practice, maybe how easy it is to download, you know, a- a secure app on your phone.
If you, when people see this in action, I think that drives the right outcome. Uh, and, and look, if you're in some industries, there is a concept of safety moments, right? Especially, you know, in the energy industry where take physical safety very seriously, uh, through the years when, because we had people in the field in many of these areas, I think that same idea coming in, where if you start a meeting, you know, and you talk about, you know, an online safety moment, for example, I think it's a powerful message we're sending. So I think it's, it's, it's a two way street, one, we need to demonstrate value as security professionals, but then I think the other side is equally important. They need to understand that senior leadership needs to understand that how critical they are, their role is in this picture and they need to be seen visibly actually exhibiting these behaviors.
Garret O'Hara: [00:42:08] Fantastic. So I think we've jumped from the, the sort of microscope into the helicopter, and I think that's a perfect-
Chirag Joshi: [00:42:15] [laughs]
Garret O'Hara: [00:42:15] Perfect place to, to finish. I think we can, we can tie a bow on that and call that done. Um, sure. I, I want to thank you so much for taking the time out. I know you're obviously very busy and have a lot on, so it's very much appreciated that you've taken the time to, to talk to us today and yeah, look forward to continuing, to, to read more of what you write. Hopefully there's, there's more, uh, I don't, I don't know. Is there, is there another book in the works, do you think?
Chirag Joshi: [00:42:41] Well, well, we'll see, we'll see. [laughs] no, I, at this point, I'm focusing a lot of my, my work and actually, you know, if you go on my website, chiragdjoshi.com, uh, I, I regularly post, you know, uh, webinars that I do. I'm actually starting to get more involved in, in kind of a deep untangling AI and machine learning and what it means for security. We've seen a lot of hype and buzz around it, but I think people need to actually see what is real. I think that's really my, my next, uh, objective. So you'll probably hear me talking about that in the near future, but look, I'm really, really grateful Gar, for the opportunity to come and speak with you and thank you to all your listeners, uh, for this, you know, for listening to our conversation. I appreciate it.
Garret O'Hara: [00:43:28] Yeah. You're most welcome. And we will include in the show notes, a link to your website, so people can go and find, hear where you're speaking. And then we'll obviously also include a link to, to the book as well, which I can definitely recommend, um, it really kind of well-written well put together book, so, and that's it. We'll leave it there. And thank you again, Chirag.
Chirag Joshi: [00:43:47] Thank you. Cheers.
Garret O'Hara: [00:43:51] Thanks so much to Chirag for the great conversation there. We'll include a link to his book, 7 Rules To Influence Behavior and Win at Cyber Security Awareness in the show notes. So I'd recommend getting a copy of that for sure. And thank you for listening to the Get Cyber Resilient podcast. Our back catalog of episodes is growing. So please do have a listen to those and I look forward to catching you on the next episode.