Nadia El Fertasi, Human Readiness and Resilience Expert and former NATO senior executive, highlights the importance of leveraging emotional intelligence to create and sustain a healthy information security culture. During a very thought-provoking discussion, Nadia made some poignant statements and recommendations such as a) build a culture of empowerment and not fear, b) use empathy to counter social engineering attacks, c) make cyber hygiene practices non-technical and reduce human firewalls, and d) practice reason over fear.
To access and download the entire podcast summary with discussion highlights --
https://www.dchatte.com/episode-16-role-of-emotional-intelligence-in-creating-a-healthy-information-security-culture/
Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast
Please subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks.
Connect with Dr. Chatterjee on these platforms:
LinkedIn: https://www.linkedin.com/in/dchatte/
Website: https://dchatte.com/
Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338
Introducer:
Welcome to the Cybersecurity Readiness Podcast Series with Dr. Dave Chatterjee. Dr. Chatterjee is the author of Cybersecurity Readiness: A Holistic and High-Performance Approach, a recently published book by Sage Publishing. He has been studying cybersecurity for over a decade, authored and edited scholarly papers, delivered talks, conducted webinars and shops, consulted with companies and served on a cybersecurity SWAT team with Chief Information Security Officers. Dr. Chatterjee is an Associate Professor of Management Information Systems at the Terry College of Business, the University of Georgia and Visiting Professor at Duke University's Pratt School of Engineering.
Dr. Dave Chatterjee:
Hello, everyone, I'm delighted to welcome you to this episode of the Cybersecurity Readiness Podcast Series. Today, I'll be talking with Nadia El Fertasi, Human Readiness and Resilience Expert and former NATO senior executive. NATO stands for North Atlantic Treaty Organization. It is an international security hub, and is one of the world's major international institutions. It is a political and military alliance of 28 member countries from Europe and North America. Nadia, welcome. It's great to have you as a guest on the Cybersecurity Readiness Podcast Series. Thanks for making time to share your expertise with the listeners. The theme for our discussion today is the role of emotional intelligence in building and sustaining a healthy and high-performing information security culture. I'd like to begin by asking you to reflect on your experience at NATO.
Nadia El Fertasi:
Thank you, Dave, thank you for having me on today. It's my absolute pleasure. So I've worked at NATO, the world's largest security and crisis management organization, for nearly two decades. That's a long time. And I worked in various countries and posts but always within the digital transformation and cybersecurity arena. I always held strategic customer relations and governance positions. Now, how does this relate to what I currently do? As you know, NATO was founded just after its beginning, the end of the Second World War, it's the beginning of the Cold War, and where state-sponsored attacks or where state enemy was very prevalent. So our culture or security culture was ingrained, to help us not fall for social engineering attacks in the sense of espionage. So I was also deployed in the field. But we always received a lot of training and awareness of programs on how not to fall for emotional manipulation techniques. So what is social engineering? It's basically criminals, not necessarily hackers, because there are a lot of ethical hackers, but criminals trying to manipulate people to get information out of them so they can hack into systems. Now, in our case, it was to get information out of us so they can use it for espionage, or get a competitive advantage because of the state-to-state relations. So in our culture, being very aware of security was a given, right, it was really part of our DNA, which I think is very important. And this was with me for 20 years.
And how does that, so after 18 years, I decided to change and to resign and build my own EQ consultancy business and really help people and organizations deal with these digital disruptions. What do I mean with digital disruptions? Because people think when we talk about the digital decade, it's a bit overreacted. But how many people are working online or processing payments, or processing data, exchanging data online, especially after COVID? Right? So and with all the challenges that are going on, you know, people's resilience and organizational resilience to stay, not only survive, but thrive is challenging. So this is what I do. And I use, I leverage the practical crisis management, resilience, experience and readiness in NATO. We were either in conflict or preparing to being in one. So exercising our readiness is in our DNA, our bread and butter, but I also worked with people from 40 different countries at all levels. So emotional intelligence was key. Because at one part you have the technology, how do you get people to use it, technology that is safe and secure and advances the organization at the same time, right. And there are a lot of different departments and business units when we look at the private sector that have a stake in it. So in our case in our agency, security was responsibility for all. And I wanted to bring that in my work with the private sector currently and small businesses.
Now there is a lot of misconception about emotional intelligence because when we hear emotional intelligence, we think, Oh, this you know, emotions, they don't belong in the workplace, or we're very rational etc. Now, I recommend your listeners to look up Lisa Feldman Barrett, who is an author about how emotions are made. Secret Life of the Brains is one of the top percent, one top percent cited neuroscientist and psychologist who really has a lot of material and research to dispel this myth, right. So how she explains and the what I also use in my work, I use a scientifically validated model that the feelings is very different than emotions, feelings is when our brain makes sense of our energy levels. So imagine you are working in an enterprise model, and you have different business units, that all need amount of resources to be able to sustain the organization. Now, if acquisition has less resources than legal, for example, the marketing department of the research development is going to be in at the resource deficit or resource overload. Same thing with our body. So when our brain perceives that it is under high levels of stress, or something is not right, it creates a body energy deficit. And this is when we experience feelings of fear or frustration of you know, general, negative emotions. And emotions are actually constructed by our bias, by our stereotype beliefs, by our formative years, by our experiences, what we learned is emotional behaviors, which is different than different culture and is not universal.
Now, why is this so important when it comes to cyber? First, if you want to change mindsets, and implement cyber hygiene, the language is important, right? Because if we talk to someone who's an information security specialist or technology, they may get very excited about cyber, they don't necessarily see it as something dark or negative or complicated. Someone who has no exposure to cyber only correlates with the ongoing ransomware attack and all the cyber breaches may feel a lot of fear, right? People who I loved in your book, you refer to people who, you know, developers for examples of applications, they want to get it out on the market as soon as possible. While the security people want to keep the US market is as long as possible, right? So that we have different concepts about cybersecurity and cyber safety in general, it is only normal to feel discomfort when you're dealing with a new concept. And how do you get people to do things differently in a way that secures not only the surface, not only the product, but also the user environment. And the way they work and live, you know, with the online world is to help them become comfortable with the discomfort. And this is where emotional intelligence comes in. It is relating to the immediate challenges to the behavioral aspects of people. Cognitive intelligence is long term strategic, and you need both actually. And some people are more equipped with it because they've learned it. Other people who have trained to be very cerebral, and this is especially true for the STEAM (Science, Technology, Engineering, and Math) workforce. If you've been trained to be very technical, logical, and you know, data crunching for example, then it's a little bit more difficult to put words or to understand how your emotions affect your behavior.
Dr. Dave Chatterjee:
Great. Fantastic. Thanks for that introduction, that primer on emotional intelligence, the significance of emotional intelligence, in bringing about the desired information security culture. As you know, when we look at cybersecurity, the challenges with cybersecurity, we have to understand it from a people, process and technology standpoint. The good news is there are lots of sophisticated technologies out there. The good news is there are great process recommendations, great frameworks out there. The challenge lies in the human factor. And you spoke to that when you said that some of us are better trained than others, or have better abilities than others, to deal with uncertainty, to deal with challenges that are not within our domain of expertise, or interest. So therefore, managing the human factor effectively, to build and sustain a strong cybersecurity culture is easier said than done. It is often something organizations try to stay away from, because it's very hard to show immediate results, the ROI is not very tangible. But as more and more executives are recognizing, at the end of the day, it's really about execution, you can have the best plan, but if you are not able to execute to precision, to the plan, you're unlikely to be very successful; especially in the context of cybersecurity, where an organization needs to be able to sustain an element of stability in their management and performance of the cyber secure defense measures. To be able to act and perform in a precise and consistent manner, over a period of time, you need the right kind of culture that needs to become part of the organizational DNA. And that's where someone with your kind of expertise comes in, and can be of immense benefit to organizations who are trying to understand people, human mindset, how to bring about changes in human behavior.
So let's get a little specific because I'm sure our listeners are thinking, Yeah, this is all good. But what are your recommendations? So from a recommendation standpoint, let's have this discussion organized along some of the success factors that I talked about in my book, and I appreciate you having read the book. And if we look at it from the standpoint of the three high-performance cultural traits of commitment, preparedness and discipline, if you could take one of them, let's say commitment, and speak to that, in terms of how do you get the organizational leadership? How do you get organizational members at all levels, more committed to achieving a high level of cybersecurity performance?
Nadia El Fertasi:
Yes, thank you, Dave. And I really enjoyed the book. Everyone talks about leadership, right? It needs to start at the top. But what does that look like? Right, and we forget the top leadership are also human beings as well. Right. And one of the biggest challenges we faced at NATO, and many organizations face is, we don't want to change people, we want to do get them to do things differently on the things on the job for sustainable period of time. So emotional, intelligent leadership is critical. I think there is a lot of focus on building agile systems on building agile technology. But how do we build agile people, right? People are not programs that can be flexible, there are different levels of flexibility. One excellent model called the Kübler-Ross model really explains actually the different emotional states people go through before they, when they go through a loss, right. It was developed for grief, but the same emotions apply when change happens.
Now, it's and I'll give an example of my own time when we were facing a lot of geopolitical uncertainty after 9/11 after you know what happened also in the border with Russia and Ukraine that put a lot of pressure on us in NATO and also created a lot of uncertainty in challenging time. Especially because cyber was really used as part of a hybrid warfare tactic. So we had a new general manager coming in at the time, he was from the Pentagon, brilliant, brilliant man. And he really had this, he had it right, he surrounded himself with the right people. But he also had people-centric leadership and people-centric mindset. So what he did in terms of, you know, demonstrating it from the top and emotional intelligence leadership, he understood that the chief surface line, so the people who were accountable and responsible for delivering the service and delivering the product, there was too much bureaucracy and too much power distance between them and himself. Right. And so he created a matrix organization as much as possible. So the people who were responsible and accountable for the full lifecycle of the services, they were responsible of the product, including security that was just ingrained, and cyber safety was ingrained in every aspect. We're directly responsible to them, what did that create? It created a sense of empowerment in these people, right? They were seen, they were validated, they were held accountable, they were given more empowerment, right? And they increased their buy-in, why should they go all the way? Right, it increased their kind of purpose, the getting up in the morning, and really, you know, moving in towards the same direction.
The other element was he appointed chief operating officer, who was also another brilliant man, who had not only a high level of expertise in the technical arena in the business, brilliant diplomat, he came from diplomacy as well and had very good relationships with national delegations, with the ambassadors, with the decision makers, because when you look at policy, and strategy and governance, right, and you can compare it to the C suite in the business arena, there's often a disconnect when it comes to the information security culture, not that they don't understand, it's just they have many other fires, and business risks going on. So these relationships with him, made him very credible, and they had his trust, which made it easier to actually navigate building this culture within the very uncertain and challenging environment we were working in. So both of these very senior people, right. They had high levels of cognitive intelligence, they had high levels of political intelligence, they had high level of technical intelligence, business intelligence, but what made the organization shift our agency shift our people, you know, the way we work shift, is the emotional intelligence part. Is the people, right, you need to inspire people to guide to hold them accountable, right? Emotional Intelligence doesn't mean how do I say soft, right? Being various not at all right? True leader, can listen to everyone can take into consideration but ultimately takes the decision based on what he believes is best for the organization on the information is available, right? It's really, ultimately people want to feel heard and validated, right? So they can show up.
And with a lot of the work that I do often I hear, you know, people that this, they just they are tired of so many changes, I would add one more element, which is very crucial, is communication. We over perhaps me focus a lot on communication with our external stakeholders, our customers, our shareholders. But you have to start inside out when there's a lot of uncertainty outside it acts exaggerates the uncertainty within your organization. So internal communication policies and prosperity, even when you don't know. One of the best leaders I've worked with, and I see also in my clients are the ones that are vulnerable doesn't mean that they share all their personal stuff, but they've seen when things are not working, and that they don't have the answer immediately. And they are looking right in there involving the people are the ones that they get most support from the workforce. And that is very important.
Dr. Dave Chatterjee:
Yeah, you know, I think you said something, which is so so important. You mentioned about being vulnerable. We often make the mistake of thinking that a leader who's always exuding great confidence, great belief and a leader, a strong leader, should not show any kind of vulnerability. But to your point, vulnerability, the way I look at it is essentially a feeling of, you know, a little bit maybe the word paranoia makes sense that there's always an element of paranoia that what could happen, that could break the current defense, are we really well secured? Or is there anything missing. And that kind of mindset is helpful, because it always keeps you on your toes, and doesn't allow you to be complacent. So maybe what I was getting at is vulnerability can often come across as like a reflection of weakness. But vulnerability can also be interpreted as somebody who is not complacent, who always believes in a high level of preparedness. And that's something that I've also found in my research, that leadership can play a hugely important role in not only mobilizing organization-wide support towards the goals and the actions, but also help the organization reach a high level of preparedness.
Another point you made, and you made it very well, it's a very powerful statement, you said, build a culture of empowerment, not fear. And that speaks to taking a very positive approach to many things, cyber, including cyber communication. And time and time again, when I talk to senior executives, when I review the literature, one of the consistent good practices is about letting the users know what they could do to further secure the organization. So you're taking the approach of saying what you can do and not taking the approach of what you can't do, yes, that's the fine line. But there's a way of saying things in a very positive vein. And still being able to communicate the things that users should be wary about. So it's a fine line. And it can be done by very skilled people. And you talked about the leadership that you've come across with a very high degree of a variety of different types of allegiance.
Moving on to another question I have for you. And that is, you worked for an organization like NATO, very security-driven organization. So you would expect security to be high on their priority when it comes to culture. But in a traditional private sector organization, where you yourself mentioned, often, the focus or priority of the executives are on realizing the business goals, their mission. And security is not that security is something unfortunately, they have to deal with. They wish they didn't. So in that kind of an environment, how do you get whether it's the leadership or whether it's the organization as a whole? How do you get the focus turned towards security, where there is growing recognition, that security is also a very important organizational capability, is also a very important organizational competency? How do you get that realization etched into the organization?
Nadia El Fertasi:
It's a very good point. And I'll say one word, and then I'll give an anecdote to explain that word and then give my own thoughts. Vision. Right. You need to have a vision, right, for your organization. Why is that important? Let me go back to something we dealt at NATO. Right. Because NATO, our mandate was Article Five is collective defense. Right. And I don't know if you remember when 9/11 came about. It was a lot of discussion. Why was NATO not more on the forefront in countering terrorism, and the risk for terrorist attacks was very evident, very prevalent in across European cities and in North America. Now, the obvious reason is it was not within our mandate, or primary mandate. You had organizations like the UN and other organization was in their mandate. And we were always in support. So we were active, but it wasn't our primary focus. Everyone who worked at NATO and the culture was very much still aware of the Cold War. And remember the Second World War, the impact of a nuclear attack, it would be far more detrimental than a terrorist attack. And I know it sounds perhaps a little bit harsh when you hear it, because it's not statistics. When we I think a lot of people in leadership within NATO understood the vision of building a safe and secure transatlantic democracy, we take our freedom for granted. Right? We forget that there are capabilities out there, right, that can eradicate entire cities. So the risk for what we were protecting 1 billion citizens was much higher.
So every organization should ask themselves, right, what is the risk, because the capabilities are there, and you don't need to be a sophisticated cyber criminal, to participate in the ransomware service model. And just, you know, get as fast money as possible, was even more challenging. And again, I don't want to play into fear, but it's just being aware is non sponsored states, cyber attacks, and even inspired state sponsored attacks. There are many different reasons why someone does cyber crime. So every organization needs to understand what is the vision for the organization in the 21st century, this highly digitized? What would happen if our most critical infrastructure would go down? What would happen if 5 million and you have many case studies in your book, customers data, shareholders data that gets lost? You don't want to think about it, because again, it is not very tangible. We live very short term focused, right? Okay, what is in the immediate and when you're driven by the immediate and don't include and balance it with a long term vision, your preparedness strategies and your ability to recover, because now we have to assume we will be compromised, every organization, they don't assume that they can, they are compromised, their survival rate is likely to be very low, because even a brilliant article in the Financial Times about this in this. And this is also how you get confidence from your shareholders from your customers that you know it you know, what to do, when you there is a cyber breach, right? And you can recover and protect their data in the most less riskful way as possible.
So I this is what I would give away is really understand how much are you balancing long term vision with short term vision? And how can you explain cyber risk in people's map of the world; example: a developer wants to bring out their app as fast as possible, they've put their intellectual property right, they've put their blood and sweat. So if you're just going to tell them, we can put it off because there are still some security updates missing, they're not going to resonate with it. But if you are explaining that if the app is on the market, and someone can actually replicate the app, or steal the data, and actually bring it out earlier in the better version, without you know, this is going on all the time, that will get their attention, right. So how can you speak in a way that security is seen as an enabler, not a barrier, it also requires information, cybersecurity and information technologies to compromise in a way that to have an understanding what is the minimum required security requirements, right, minimal security requirements we had in NATO, and understand that some security requirements are nice to have, but perhaps not necessary, but they will prevent the developer or the marketing or the research and development team to bring out their application. This requires open dialogue. This requires listening to each other without feeling personally, you know, attacked or it's full, everyone has a valid point. How do we get there from here? And this requires, again, the vision, the strategy.
Dr. Dave Chatterjee:
Absolutely. Wonderful. You again,
highlighted so many important things. Let me see if I can
remember a few to add to it and also ask you to expand on a
couple of other things as well. You spoke to the importance of
recognizing the consequences of cyber attacks. Organizations can
go under, organizations can go bankrupt, in fact, there is
survey data that showcases that 60% of small to medium sized
businesses are known to go under after they experience a
cyberattack. Even for large companies, reputation is at
stake. And there are many other consequences. It is interesting,
I was having this discussion with the CEO of a billion dollar
insurance company, and I asked him a similar question I said,
how you get your peers in other organizations to be equally
committed to cybersecurity as an enabler, as you said, very
nicely, you said a security is an enabler, not a barrier. His
spontaneous response was Dave, I'm assuming people read what's
coming out every day in the media, there is one story or the
other about an attack and the consequence of the attack. If
after that, a senior executive doesn't recognize how important
cyber is, how important cybersecurity competency is, I
don't know what to tell you. And I couldn't agree more. But
having said that, the unfortunate reality is every
leadership has certain goals, they have to report to
stakeholders. So there are challenges in their work life.
So I understand if often the focus deviates away from having
the best possible cyber defense in place. But then, there is a
change in the mindset, there is a change, there's a
shift in top executive attention and commitment. And fortunately,
what I've been noticing, I've been studying the shift for the
last 10 years, it's going in the right direction. And that's
very, very encouraging.
Nadia El Fertasi:
Yeah, just intervene or say something to
what you just said. Please, I, I just want to add another
perspective. I think, you know, I saw this at NATO all the time
I see this, we assume we've seen people know, right. But we
forget, we see the world through our mental model, right? We have
our own experiences. On top of that, the average human brain
can make decisions maximum 7-8 at the time. So if you assume
this type of rule in NATO Never assume someone knows, right, is
not to sue. Because these people, it doesn't mean you
know, sometimes we even speak to them in a very patronizing way,
C suite, CFO or, you know, CEO, they know that cyber is
important, right? If they don't read the news, they're reminded
by others on a constant basis. But the way sometimes we speak
when I read some articles, it's very patronizing. Right, it's
like they don't know, what they tend to forget is that, you
know, these leaders are these people functions have a lot of
different fires going on at the same time. Our human brain can
only focus on so much we believe multitasking is a gift, it is
not a gift at all. And Daniel Kahneman Nobel Prize winner
wrote an excellent book about slow thinking slow and fast. I
don't know if you've read it. So I think from that perspective,
is to communicate from people's map of the world, just because
it's obvious to us because it feels so obvious. And we assume
that doesn't mean it's obvious someone else. Trigger the
emotional intensity you need that matches people's belief so
you can change their behavior. This is what I focus on. Just
because we speak to someone how many times we keep ramping up
the statistics, which is important. But statistics alone
are not going to change people's hearts, okay, you need to find
and this and this and this is actually a whole function, a
whole art, takes investment, takes effort, to learn how to
communicate from someone else's map of the world. And to really,
you know, think about the outcome you want and the words
you're going to use that really get people to actually retain
attention especially now, when the average attention span of
clarity is no longer than seven seconds. So I think it is it is
I agree to a certain extent, but I also think that the way we
communicate in general and especially when it comes to
cyber risk, we cannot assume that people will read 50 page
Incident Response plan or crisis management procedures and
remember them in their map of the world. And when a cyber
breach is taking place, you cannot tell them, well, in the
service level agreement we had, or in the document you
signed off, it was clearly stated under paragraph 3.5. We
go into survival mode, fear mode, our brain capacity is
focused on keeping us safe. So our you know, we go there in
very short cut mental models. And I think it's important to
explain to practice this, right. So people don't take necessarily
very defensive, but really understand the human element in
the behavior, and then come up with strategies in the way of
communicating in a way that gets people not necessarily to change
their mind changing mindsets is very difficult. But to change
response options, do something differently, because you know,
it will advance your organization and keep the
organization safe and prepared and resilient.
Dr. Dave Chatterjee:
Yeah, you know, I wish to re-emphasize
what you just said about do not assume when you're
communicating, because everyone has different experiences,
different mental maps. And they would interpret a message they
could interpret a message differently. It brings back
another interesting story. So there was this Admiral Hyman
Rickover, who was credited with running the US Naval Nuclear
Propulsion Program, very successfully for 30 some years.
And he was able to build an organizational culture, anchored
on six key principles. And they were integrity, depth of
knowledge, procedural compliance, forceful backup,
questioning attitude, and formality and communications.
Now, let me speak to formality and communications. I believe,
the way it worked in the nuclear Navy, when you receive an order
from your superior, you're supposed to repeat that order
verbatim, before you execute it. Essentially, the process was
meant to be foolproof. So nothing gets lost. There's no
communication leakage, no communication loss. And maybe
it's an extreme approach. Maybe it works in a military
organization, but there is something to be learned from
that, taken away from that, for even the private sector, for
even the government organizations that when you are
communicating, it is also your responsibility to make sure that
the person receiving your message, understands it the way
you want it to be understood. But as we know, unfortunately,
that's not the way the world works. We all experience mass
communications, email blasts, one page email on security with
a lot of detail and immediately when I see those, it tells
me, okay, here we go check the box, a communication was
required as per certain regulations certain requirement,
and the organization is complying with it. So yes, you
are complying with the regulation, but are you
effectively doing it? The answer is probably no, because when I
see a one page email, I generally tend to overlook it,
unless it is customized, it is tailored, and it is speaking to
my needs. And you spoke to that when you said when you are
communicating with people, when you're trying to get them to see
things in a different way, you have to be very skilled about
how you pitch it, so they can relate to it. And that's the
training in itself. And that should not be considered
obvious. Oh communication, that's fine. As long as we have
the tools in place, we have hired the you know, the
right kind of professional expertise, we are all good to
go. We are not all good to go because when there's a breach,
and more often than not, it is the cause of a phishing
campaign, the people who get breached are not the ones who
are trained in a cybersecurity certificate program, they are
people who are there to do their job, which is not security. But
then they also have a certain responsibility to perform their
jobs, and also comply with the security guidelines. To get them
to recognize that to get them to do it well, it requires
practice. In a previous podcast, I had an eminent professor talk
about his simulation program, simulating organizational
decision making under stress, under time pressure. And as you
said, it is one thing to plan, it is one thing to prepare. But
then when you are in action, when you are on the court, you
are playing to use a tennis metaphor.
You are all by yourself, you're having to make quick decisions
on your feet. And those decisions have consequences. The
only way of getting better at it, is by doing it over and over
again. What does that mean, from a cybersecurity preparedness
standpoint, running different types of simulations to the best
in extent feasible and possible, every company has their
constraints. And I recognize that. But you know, these were
some thoughts that came to mind as you were speaking, let me ask
you a question. As we were having our sidebar by way of
prep for this talk, you shared some very powerful quotes, if I
may. And one of them was, and this speaks to what we are
talking right now. Practice reason over fear. And another
one I want to bring into the discussion where you said, Use
empathy to counter social engineering attacks. Can you
speak to that?
Nadia El Fertasi:
Yes. Let me start, start first with practice
reason over fear. And I will use a very unusual analogy, but
stick with me, so you understand. Imagine, and I'm
going to take you as example Dave, if you don't mind, imagine
you're not feeling very well, today, you're a bit low on
energy, your immune system is not on top, so you're really
not, at your best state. And then you turn around and there
is a tiger predator in the corner of your office. And let's
assume it's not a domesticated one. It's one that is really
going to chase you. So your brain is going to signal to your
body extreme danger, you're going to use all your energy and
run as fast as you can, I hope. Imagine the predator is the
colleague sending you that email, is the continuous attacks
that you receive on your screen, is the fear based leadership
because you're afraid to do something wrong because of the
culture, it's meeting your deadlines, whatever it is; the
problem with fear right there it serves a function, we are human
beings to keep ourselves safe, right? So if we go outside, can
see a car and so we can you know, protect ourselves and not
get hit by a car. The problem is, our brain constantly
perceive things as fear puts us in a chronic state of stress,
which has disastrous consequences on our ability to
make decisions, on our ability to manage our energy, our focus,
and we get, I wrote a blog for Global Cyber Alliance and had
statistics in there for the UK in the US, how many people are
distracted and lack of focus and how that correlates with falling
for social engineering for phishing attacks, because which
brings me to your second point use empathy for mitigating
social engineering attacks. Now, empathy is another overused
buzzword it is very difficult to exercise because if you read the
book of Daniel Kahneman, slow thinking slow thinking fast, it
is another part of the system, it really requires being
sensitive to other people's needs and, and, and emotions.
Criminals, they use the same emotional manipulation
techniques right to trigger either emotions of fear. So if
someone is worried about their health, they will use specific
language related to COVID to get them to click on a spoofed
account or medical record whatever it is. Someone is
worried about taxes, alright, it will use words or spoof counts
to do that. So they really use words and pretext to speak to
people's fear. The opposite is also true. There are a lot of
one of the prevailing challenge currently is loneliness,
isolation, right because of the pandemic, but even before but
it's just exaggerated. So unfortunately, criminals with no
ethical standards use to prey on these emotions to create
emotions of trust, right, to build this relationship. There's
another excellent book by
Robert Cialdini, The Psychology of Persuasion, 1984, where he
lists six principles of persuasion -- scarcity,
authority, commitment, consistency, liking, and
consensus. Liking, when we like someone, our defense mechanisms
go down, right, the first time when we see someone, we ask for
questions, subconsciously, who is this? What do they want? How
long does it take? And are they a threat? So they know to use
tactics to lower people's defense mechanisms. So they can
use these techniques. Well, it is important to be aware and to
use empathy, not to be afraid or to be paranoid, but to
recognize, because let me give an example why emotional
intelligence and empowerment is important. If you have an
organization where people don't feel empowered, if you have an
assistant or receptionist or support staff or customer
support agents, that will is asked whether to email whether
to deep fake technology by replicating the voice of the CEO
to make a million dollar transfer in bitcoins, which
happens, right? If they fear the reaction of their CEO or the
leadership being reprimanded or disciplined, they will act based
on that impulse, right? So it is really important to understand
not only empathy, but emotional intelligence or the human
element to not be paranoia. Fear is just a consequence of what we
don't know. When we when there is a gap in our mind, the mind
doesn't like it. So it goes into survival mode. Remember the
tiger, and everyone is so many people currently, no one, say
everyone are under constant pursuit of a predator. But it's
not a predator, but the effect is the same. Right? And you can
follow Andrew Huberman Stanford professor and neuroscientist,
who has loads of research and podcasts about the effect on
this on the brain and how we need to create cultures where
empowerment where you know, of course, stress is healthy in a
certain way. It is all about how we perceive stress. And it's all
about chronic fear, chronic stress, we need to find the
right balance of intense emotion that people are alert. But also
okay, practical, how do I react? No. Right? And this is something
that needs to be the exercise. And one last thing I
will say based on our just previous discussion on how do
you communicate because one of the challenges we faced at NATO
is that project manager, scientist, IT, cybersecurity,
rightfully didn't think it was their job to become PR
communication experts. So an organization's would really
invest in the person or an office as part of the office
that actually gathered all the information translated in a very
structured way for decision makers for the people that
needed to know for the resources community committee. So we took
the information and tailored it in different messaging in
people's language for defense planning policy committee, the
resources and governance, the Military Committee, the
ambassadors made this highest decision making everyone had a
different interest. And I think it is unfair or unrealistic to
ask your people to become first cyber experts, because it's just
another layer of information and burden that they won't implement
or do. But it's to have this bridge between these
different business units communication bridge, both
preparing messages for external and internal stakeholders. And
the last thing I will say very last thing is not your
spokesperson or your communication person is not
necessarily always the best place person for stakeholder
engagement right? Here. It comes to the principle of liking. If
you want to incentivize behaviors, you also need change
agents within your organizations that people can resonate. Even
your most critical person would be a great model, right? To
start with them, and then they can help you influence and
change behaviors with people that relate to them.
Dr. Dave Chatterjee:
Absolutely, in fact, there is a lot of
research on the role of change agents in helping organizations
deal with different levels and types of change. And that could
probably be a discussion for another day. Another point I'd
like to make, which aligns with what you said. And that goes
back to this assumption about people, about workers, we
definitely don't expect everyone to be a cybersecurity expert.
But we do want to raise the overall level of awareness,
overall level of knowledge, because each person is a
potential point of vulnerability. But the whole
approach to mobilizing support, to incentivizing the right kinds
of behavior has to be anchored by the belief that the when
people come to work, they come to work with good intentions,
they come to work to do good things. And this I, you know,
I'm stealing this quote, I'm paraphrasing this quote, from a
good friend of mine, who is a CEO of a major corporation, and
who said it very well. He said, Dave, I always will believe will
assume that people come to work to help to do good things to do
great things. So we are not talking about people who are
unwilling to change, unwilling to, you know, adjust their
behaviors, it's a matter of how you communicate how you
relate to them. But recognition of these factors, becoming aware
of all the or at least becoming knowledgeable in the field that
allows you to bring about this change in mindset, this change
in culture, or to enhance the level of human capability,
that's an area that organizations need to more
carefully think about, needs to look for the right kinds of
expertise to guide them. Because it is not something that I see
organizations normally gravitating to. It's more like,
here are these cybersecurity trained professionals, they know
how to apply the controls, and they're gonna guide us. But this
discussion we've had, it is still speaks to a human related
control. But the ability to effectively implement
it requires, I believe, a very different skill set. Can you
speak to that, as we wrap up this conversation?
Nadia El Fertasi:
Yes, of course, I couldn't agree more
with actually everything you said. I mean, I will speak
to this from, you know, expertise, but mostly from
experience. I think we think the change is linear, right? So we
have we used this change program models like John Kotter, we do
all the steps, and then we're done. Right? Change happens to
us, transitions happen within people, right? There's a
different process within people you need. There's no way around
this Dave, you need leadership, to drive sustainable change, you
need healthy organizational culture. People want to know
people don't wake up in the morning, and they want to
sabotage their work, they want to sabotage their computer.
They're just overloaded, often, right? People want to do good.
If you have people working for your organization, because they
feel committed to your values, right? They will be a part of
something bigger. And if you really play into that, in a
sense, if you really build a genuinely build it and not only
have training, right, not only bring outside expertise is to
really make healthy organizational culture and
security is ingrained in it because we are working online,
right? It's not something ad hoc. It should be basic stuff.
If people would do basic cyber hygiene, they don't need to
become a cybersecurity expert, they can reduce up to 80% of
cyber risk, right? So it is but how can you expect people to do
something extra? They don't know how it looks like they don't
know what it is they perceive it as a burden. They think it's
command and control. They don't do it, they will get disciplined
or bad mark on there, etc, etc, etc. Or is everyone going to do
it? No, but it really needs to be at the top. The second thing
I will say is every organization needs to have an incident
response team or crisis management team. And you need to
survey those people who you put in there, their levels of
emotional intelligence in the sense on what is the function?
What is the requirement they would need to improve? Do if you
have someone who has low levels of assertiveness, for example,
so they don't necessarily speak up, especially when they feel
discomfort, if that person is part of your crisis management
or incident response team, it is unlikely they will ring the
alarm bell when they see something, right, because they
will perceive it as very uncomfortable, right. And then
the alarm bell is rang too late. And I think one of the
complaints of the senior leadership I worked with in NATO
was that people didn't tell them early enough the problem because
they were so high up, or they were you know, they thought that
didn't want to burden them or they didn't want to look bad on
them. Right. And here's where my Dutch mindset came good in
because I always spoke my mind, which they appreciated because
very few people right? Speak their mind for reasons or
because they also feel frustrated when they don't see
any action. So I think it requires leadership and culture,
and when you invest in those, that's how you change.
Transformation is a journey. It's not a one thing, don't
think we're gonna do an organizational change as a
one year program or two year program. Yes, you can have
models and change management processes that get you there.
But you always need to have you know, you need to have a core
foundation and have enough flexibility to stay relevant in
today's age and to support the people. So also when you hire
and attract talent, make sure it's the right mindset, right,
the right values as well, because those people will go
above and beyond. And even when the last thing I will say there
was a study that said one of the top reasons why people have low
levels of engagement or are reluctant to change is they
don't feel recognized. They don't feel appreciated. So it's
not even the paycheck that is the most important parameter. It
is recognizing your people. And I don't mean just patting them
on the back. But truly recognizing and appreciating and
having programs and doing it you know, in the way that we treat
people as human beings, right, there's nothing soft about that.
It is a sense of business survival. You cannot treat
people as numbers anymore, no matter where they come from, or
no matter how their mind is wired. And I think this is what
separates us from AI machines.
Dr. Dave Chatterjee:
Fabulous. Well, Nadia, I wish we could go
on. But in the interest of time, we have to pause here with the
intent of picking it back up sometime in the future again.
It's been truly a pleasure. Thank you for your time.
Nadia El Fertasi:
Thank you Dave. It was my pleasure.
Dr. Dave Chatterjee:
A special thanks to Nadia El Fertasi for
her time and insights. If you liked what you heard, please
leave the podcast a rating and share it with your network.
Also, subscribe to the show, so you don't miss any new episodes.
Thank you for listening, and I'll see you in the next
episode.
Introducer:
The information contained in this podcast is for
general guidance only. The discussants assume no
responsibility or liability for any errors or omissions in the
content of this podcast. The information contained in this
podcast is provided on an as is basis with no guarantee of
completeness, accuracy, usefulness, or timeliness. The
opinions and recommendations expressed in this podcast are
those of the discussants and not of any organization.