Defense in Depth

Aug 29, 2019

All links and images for this episode can be found on CISO Series (

A cyber professional needs their staff, non-IT workers, and the board to take certain actions to achieve the goals of their security program. Should a CISO use the hacking mindset on their own people?

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX). Our guest for this episode is Yael Nagler (@MavenYael), consultant.

Thanks to this week’s podcast sponsor, Anomali.

Anomali harnesses threat data, information, and intelligence to drive effective cyber security decisions.

On this episode of Defense in Depth, you'll learn:

  • Employee hacking is an effort to get employees to do what you need them to do in order to pull off your security program
  • There's a grand debate as to whether you should be hacking employees (use the tools you've got) or working with them (don't trick).
  • Many listeners said this motivation technique is no different from sales persuasion methods. But those methods focus on getting individuals to take a single action, to purchase. That is not the case for a CISO, who must change a wide-ranging set of behaviors that are often not connected to individual desires.
  • To complicate matters even more, a CISO must sell a process and culture change, NOT a product. It's not easy to change human behavior.
  • Manipulation is a tainted word. You need to respect differences and find common ground to motivate employees to care enough to stay with a security program.
  • One way to get people to care about security is to explain internally what big security news items have to do with your business, and how a similar breach could or couldn't happen to your business.
  • While you're trying to win someone over, it's not a selfish interest. It's in the interest of the individual and the company. It's just that the individual has to understand why they're changing behavior and see value in making that change.