The Security Culture Playbook

Book description

Mitigate human risk and bake security into your organization’s culture from top to bottom with insights from leading experts in security awareness, behavior, and culture.

The topic of security culture is mysterious and confusing to most leaders. But it doesn’t have to be. In The Security Culture Playbook, Perry Carpenter and Kai Roer, two veteran cybersecurity strategists, deliver experience-driven, actionable insights into how to transform your organization’s security culture and reduce human risk at every level. This book exposes the gaps in how organizations have traditionally approached human risk, and it provides security and business executives with the information and tools needed to understand, measure, and improve facets of security culture across the organization.

The book offers:

  • An exposé of what security culture really is and how it can be measured
  • A careful exploration of the 7 dimensions that comprise security culture
  • Practical tools for managing your security culture program, such as the Security Culture Framework and the Security Culture Maturity Model
  • Insights into building support within the executive team and Board of Directors for your culture management program

The Security Culture Playbook also includes several revealing interviews with security culture thought leaders in a variety of industries. It is an essential resource for cybersecurity professionals, risk and compliance managers, executives, board members, and other business leaders seeking to proactively manage and reduce risk.

Table of contents

  1. Cover
  2. Title Page
  3. Introduction
    1. What Lies Ahead?
    2. Reader Support for This Book
  4. Part I: Foundation
    1. Chapter 1: You Are Here
      1. Why All the Buzz?
      2. What Is Security Culture, Anyway?
      3. Takeaways
    2. Chapter 2: Up-leveling the Conversation: Security Culture Is a Board-level Concern
      1. A View from the Top
      2. The Implication
      3. Getting It Right
      4. Takeaways
    3. Chapter 3: The Foundations of Transformation
      1. The Core Thesis
      2. Program Focus
      3. Extending the Discussion
      4. You Are Always Either Building Strength or Allowing Atrophy
      5. Takeaways
  5. Part II: Exploration
    1. Chapter 4: Just What Is Security Culture, Anyway?
      1. Lessons from Safety Culture
      2. A Jumble of Terms
      3. Security Culture in the Modern Day
      4. Takeaways
    2. Chapter 5: Critical Concepts from the Social Sciences
      1. What's the Real Goal—Awareness, Behavior, or Culture?
      2. Coming to Terms with Our Irrational Nature
      3. We Are Lazy
      4. Why Don't We Just Give Up?
      5. Security Culture—A Part of Organizational Culture
      6. Takeaways
    3. Chapter 6: The Components of Security Culture
      1. A Problem of Definition
      2. Defining Security Culture
      3. The Seven Dimensions of Security Culture
      4. The Security Culture Survey
      5. Example Findings from Measuring the Seven Dimensions
      6. Last Thought
      7. Takeaways
      8. Note
    4. Chapter 7: Interviews with Organizational Culture Experts and Academics
      1. John R. Childress, PYXIS Culture Technologies Limited
      2. Professor John McAlaney, Bournemouth University, UK
      3. Dejun “Tony” Kong, PhD, Muma College of Business, University of South Florida
      4. Michael Leckie, Silverback Partners, LLC
  6. Part III: Transformation
    1. Chapter 8: Introducing the Security Culture Framework
      1. The Power of Three
      2. Benefits of Using the Security Culture Framework
      3. Takeaways
    2. Chapter 9: The Secrets to Measuring Security Culture
      1. Connecting Awareness, Behavior, and Culture
      2. How Can You Measure the Unseen?
      3. Using Existing Data
      4. The Right Way to Use Data
      5. Methods of Measuring Culture
      6. A/B Testing
      7. Multiple Metrics, Single Score
      8. Trends
      9. A Note Regarding Completion Rates
      10. Takeaways
    3. Chapter 10: How to Influence Culture
      1. Resistance to Change
      2. Be Proactive
      3. Using the Seven Dimensions to Influence Your Security Culture
      4. How Do You Know Which Dimension to Target?
      5. Takeaways
      6. Notes
    4. Chapter 11: Culture Sticking Points
      1. Does Culture Change Have to Be Difficult?
      2. Using Norms Is a Double-Edged Sword
      3. Failing to Plan Is Planning to Fail
      4. If You Try to Work Against Human Nature, You Will Fail
      5. Not Seeing the Culture You Are Embedded In
      6. Takeaways
    5. Chapter 12: Planning and Maturing Your Program
      1. Taking Stock of What We've Covered
      2. View Your Culture Through Your Employees' Eyes
      3. Culture Carriers
      4. Building and Modeling Maturity
      5. A Seat at the Table
      6. Takeaways
    6. Chapter 13: Quick Tips for Gaining and Maintaining Support
      1. You Are a Guide
      2. Sell by Using Stories
      3. Lead with Empathy, Know Your Audience
      4. Set Expectations
      5. Takeaways
    7. Chapter 14: Interviews with Security Culture Thought Leaders
      1. Alexandra Panaretos, Ernst & Young
      2. Dr. Jessica Barker, Cygenta
      3. Kathryn Djebbar, Jaguar Land Rover
      4. Lauren Zink, Boeing
      5. Mark Majewski, Rock Central
      6. Mo Amin, moamin.com
    8. Chapter 15: Parting Thoughts
      1. Engage the Community
      2. Be a Lifelong Learner
      3. Be a Realistic Optimist
      4. Conclusion
  7. Bibliography
  8. Index
  9. Copyright
  10. Dedication
  11. About the Authors
  12. Acknowledgments
  13. End User License Agreement

Product information

  • Title: The Security Culture Playbook
  • Author(s): Perry Carpenter, Kai Roer
  • Release date: April 2022
  • Publisher(s): Wiley
  • ISBN: 9781119875239