From Awareness to Action: Building a Resilient Security Culture with Mauricio Duarte
TLDR
- For a cybersecurity program to succeed, prioritization is key. Follow a risk-based approach to prioritization.
- Cybersecurity awareness programs should be behavior-based rather than tool-based, and should cover both individual and organizational goals. Most importantly, programs need clear objectives, because the landscape changes frequently, whether through new tools like ChatGPT or new attacks.
- In incident response, find the right balance between speed and accuracy. Analyzing the incident before acting on it helps a great deal with internal and external stakeholder communication.
Transcript
Host: Hi, everyone. This is Purusottam, and thanks for tuning into ScaleToZero podcast. Today's episode is with Mauricio Duarte. Mauricio is a cybersecurity practitioner with expertise in security awareness and incident management, and he has been at Pipedrive as a security awareness program manager in the past. He's passionate about making cybersecurity a human-centered practice, and he strives to bridge the gap between the technical and the human.
Mauricio, thank you so much for joining us on the podcast.
Mauricio: Hello, Purusottam. Hello, everyone. Thank you for having me.
Host: Absolutely. Before we get started, do you want to add anything to your journey of cybersecurity?
Mauricio: Absolutely. I want to highlight that I will say that I didn't get started in cybersecurity until like five years ago. Before that, I used to work in an IT company, and at one point I decided that I needed a change in my life and well… I Googled cybersecurity masters and I found out about this country called Estonia that had a cybersecurity masters, and I learned more about Estonia's history, specifically in 2007, when several of their government websites were under attack by a DDoS, a massive DDoS. So that's why I found it a really interesting country where I believed that there would be relevant experience to do my masters. So in 2019 I applied and got accepted, and that's where I studied for two years. When I finished my masters, again, I had the opportunity of joining Pipedrive. It turns out that two of the lecturers I had during my masters worked there. So I wanted to follow them because I felt like they were good lecturers, and I was given this opportunity. I started as a security operations center analyst.
And then later on, maybe like one year and a half, two years after I joined, I was given this opportunity to switch to being a security awareness program manager as well as incident manager. So that's a little bit of my journey into cybersecurity.
Host: Lovely. So you have like real-life experience of what you have seen, and you wanted to make an improvement in that. So that's why you chose cybersecurity. That's an interesting way of getting into cybersecurity. So now another question that comes to mind, and we often ask this to all of our guests and we get unique answers, is what does a day in your life look like?
Mauricio: Well, as a security awareness program manager, I think my life could look like something like, right, reviewing what's the status, what am I working on? It is common that you will have several initiatives executing at the same time. So you need to keep, you know… updated on what the status is, how it is going, especially because you need to involve several stakeholders. You might have to work with the internal communications team, or you might need to work with the HR department, so you need to be in sync with them also. For example, one other case that comes to mind is when we were delivering training to our application developers, our software engineers, I had to sync with some people as well to give them an update and tell them, hey, this is the status, this is how many people have completed it, we might need your help here or there. So that was, let's say, a bit of part of the responsibilities, having these meetings, following up, staying in touch with people.
Another aspect would be more like I would say it's, I would like to say that I felt a bit like an influencer in the sense that I had the challenge of creating of course, because I need people to behave in a secure way. So I need to deliver them training. And I say influencer in the sense that content creation, but as well the added challenge of making it creative. I believe that being creative, approaching certain topics in a different way is gonna make it more relevant to your target audience. And if you make it more relevant and engaging, they are more likely to remember some of the information that you want them to remember.
And one last point that I had there about how it felt as well as analysts in the sense that depending on your technological stack that you might have, you will get some information that might point out, like, how is the current situation?
For example, I always had the curiosity from time to time to check, like, Google Workspace had this functionality where you could check, like, what is, how strong are the passwords of your coworkers? And that was something that I like to look from time to time.
Host: Okay, interesting. And you sort of play two roles, right? Security awareness program manager and also incident management. I'm interested how you perform both the roles and also how you marry them together. So today we are going to talk about that, right? Security awareness and incident management. So let's dig into. Yeah, maybe you want to add something to that. Go ahead.
Mauricio: Absolutely. Basically the way it worked is we had a rotation for the incident manager role. So basically certain weeks I was going to be the point of contact if a security incident happened, especially if that security incident happened to be of a more severe nature. If it was something that wasn't so serious, then I would just keep looking at the Slack channel to make sure that everything was going all right.
But if the persons that were involved in this incident felt like they needed someone to help them, then… I would jump in. So basically, it was this rotation where I would have that responsibility. And that meant that, certain weeks, if such an event happened, I would have to stop my duties as a security awareness program manager and jump in as an incident manager. It is something challenging because you don't really know how an incident is going to evolve. It's a very dynamic kind of situation.
Sometimes it will happen that, okay, it was a false positive, nothing bad happened, all right. But other times it will be like, looks really bad, but then the solution was found really quickly and maybe the next day that's it, will be other. In other cases, it will take longer.
Host: But I see one advantage though, like one unique advantage that I see with working on both the sides is whatever incidents you see, you can learn from it and then you can feed it into your awareness programs, right? So that the employees and others are aware that what to expect or what to avoid, things like that. So I see a unique advantage with like playing both the roles in a way.
Mauricio: Absolutely, I agree with you. I think traditionally security awareness professionals usually don't have those two roles, or they might need to contact the incident response team to have that kind of information. I had it firsthand.
So yes, indeed, it did provide me some insights and it wasn't more than one occasion we had these kind of discussions after the incident and one of the key things that we decided was, like, we need a change in this aspect because it seems that people are not aware of this fact.
Host: Hmm, makes sense. So let's dig into some of these areas, right? So the first question that comes to my mind is security awareness program manager.
What does that look like? What is the primary role of a security awareness program manager?
Mauricio: So the security awareness program manager is the person responsible in our organization to make sure that people are working and behaving in a secure manner.
So you are in charge of not only pretty much understanding how your organization works, but also your target audiences and how to make sure that they are working in a secure way as a way to mitigate what we call human risks.
So basically, these are the risks that are caused by the way people are acting. So that is your main function there. You are in charge of developing this program and making it tailored to your organization because one key thing that I can tell you as a security awareness program manager is that your context is very important.
No two organizations are alike, so what might work in one might not work in a different organization.
Host: Okay, so in that case, do you see any common themes? What are some of the challenges that you face in the role, which may be other practitioners or other awareness program managers can also learn from you?
Mauricio: Absolutely, I think one common thing I would say is that you need to learn how to prioritize, because you will face resource constraints, not only on your end, but also, I would say, on your stakeholders'.
Everyone has other work to do and sometimes it might be challenging to gain traction with these other stakeholders.
The other common theme I would say is that security awareness and, again, behavior change, these I will say are recent changes that are happening in cybersecurity. So sometimes what I felt was that you are changing this old mantra of "people are the weakest link" and changing it into more like how Lance Spitzner, I think, says it, in this way of "people are the attack vector."
And this is a change of mindset, because I think it stops blaming people for what might happen and instead tries to see how you can make it so that they behave in a more secure way. And since this is a change of mindset, that means that sometimes you might have to convince not only other members of your security team, maybe even your CISO and the rest of the organization, that there is a new way of doing things. And any change, I think, runs a bit into opposition, not because it's a bad change, but because it means that you will do things in a different way.
Host: The question is, so we understand what are the challenges faced by the role. But you day in, day out strive to have a secure like awareness in the organization. What are the challenges you face in maintaining a continuous security awareness program?
Mauricio: Well, I think one challenge is it is related to when you work with technology, there is always new disruptions.
One that I can think of, and I'm pretty sure you can guess which one it is, is ChatGPT. It happened at PipeDrive that when ChatGPT was launched and it became quite popular, we decided that, of course, the whole organization should start using it to start improving not only the product, but the way we work.
But that meant that we had to prepare training for those people because the idea was, okay, before you get access to ChatGPT, you should understand these concepts, a little bit how to work in a secure way before gaining access. And that meant that we had to prepare that training.
And that meant that something that we hadn't planned, you know, had to be dealt with. So sometimes there are these kinds of disruptions, which means you have to be flexible and willing to adapt to changing circumstances.
So that's one challenge that, you know, can disrupt your flow. The other one, as I said, is you have to engage a lot of stakeholders, and they have plans of their own, so that might mean that sometimes they are too busy, they can't help you, so you have to, you know, figure out another way of doing things. And that's the thing, that's a challenge.
And one other challenge that I can think of is the nature of change. When I was working as a security analyst, I felt that it was... You could see the impact of some of the changes you made more rapidly.
For example, if you configure a new alert on your SIEM, in less than a week you will get new alerts, and that meant that your work would change. But when you're working with people, especially when you're working on changing how they are behaving, this might take longer to reflect.
And I believe that that's part of the challenge because sometimes you might feel like you are not making progress, but it could be that it's more about that, you know, it's going to take a while and you need to be patient.
Host: Yeah, no, that's a very good point. Particularly when you're working with technology, you see the change right away, or maybe in a week or so or a couple of weeks. But when it comes to humans, it's that constant training, and you have new attack vectors. So you constantly have to stay up to date and you have to keep them up to date, and also seeing the value of it takes time. So yeah, that's a very good call out actually!
So you mentioned about technology which impacts your programs and staying up to date and keeping the continuous security awareness up to date. There is also a recent trend which is seen around security awareness training programs, which is phishing simulation.
What are your thoughts on such training programs?
Mauricio: Well, I will say that phishing simulations have a place in your security awareness program, but I also think they need to be executed properly.
What do I mean by proper execution? For me, it means you have to be transparent about them. At least I like to be transparent about them and tell people, inform people, say, listen, we are running phishing simulations. So from time to time, you will get a phishing email from the security team. This is not an exercise of, gotcha, you failed, haha. It's more like letting them know this is part of the way of working today, that people are being targeted through email.
So that's one thing I think. And the other as well that I'm also an advocate for is not to make it, yeah, not to punish your coworkers, in the sense that I think for some people it might make sense like, hey, this person clicked, so that's why I'm going to assign him an additional one-hour, two-hour training.
And I think that, at least to me, that's not the right approach, because that's what's going to make it so people avoid this kind of simulation, because they will feel like they're being punished. So those are two things that for me are very important. That's why I say that phishing simulations have to be executed properly. It's not just about sending phishing emails and that's it. You have to take into account other things. And these are two aspects that I would consider.
Host: And I think punishing is never the best way to train someone, right? You train, and the moment you punish, they sort of guard themselves. They become defensive, and it doesn't help with the overall security program.
So in that scenario, how do you encourage employees so that they develop positive security habits? Is it all training, or do you have other ways you make them follow a positive security habit?
Mauricio: Well, it's important to note that I think there is a misconception that what people need is more information, and that's why they need more training.
When in fact, according to, well… behavior science, that is not the case. Sometimes people know, have the right information, they just cannot bridge that gap between knowledge and action.
So indeed, training is just one part of the whole security awareness program. But other parts might be as well, simple communications, you know, to remind people like what they should do in a certain situation.
And one other aspect of it that is most important as well is making sure that you are working with the rest of the security team to ensure that security is something that is simple and with as little friction as possible.
What comes to mind a little bit as an example of this is a while ago, the Bank of England had a case where one person, unfortunately, emailed a reporter from The Guardian with some confidential information about the plans for Brexit, something like that.
And it happened because this person used autocomplete, you know, and it has happened, I think, to all of us that you have several contacts with the same name, you just hit autocomplete and you forget to check which one you sent it to. It happened to me as well, like once.
But the point is, what was the measure that the Bank of England took when they had this case? They removed autocomplete for all employees. So everyone, when they needed to send an email, had to type it in manually. And for me, this is the kind of thing that I see as a very logical sequence: it might seem like, hey, this is the feature that caused it, let's disable it.
But there is not this perspective from behavioral science about, like, okay, is this really gonna help you with that, or is it gonna add so much friction that indeed people are gonna perhaps have an adverse feeling towards the security department and say, hey, this is the department of no, this is the department of blocking everything, I don't want to engage with them.
So that's one thing I would say that is very important is since you are dealing with changes to how people behave, the simpler the change is, the easier it will be.
And one last consideration as well in this aspect is that what I really tried to do for them is to make it relevant, not only on a personal level, but also, say, on a team level and with the organization. What do I mean by this?
Personal level is, I can put this clear example, phishing. If you learn how to spot phishing at work, this is a benefit. You will carry it to your personal life. You will be able to spot the same phishing. You might have to report it in a different way. But this is something that is relevant to you, because you are going to get phished also as a person outside of whatever company you work with. So that's one thing.
At the team level is also again, using this phishing example is when you report phishing, you're just not just protecting your work. You're also protecting your coworkers, your friends that you might. And the last one about mission. And this is again, another anecdote that I had.
Host: Okay. Organization. Yeah.
Mauricio: At Pipedrive it was that we were ISO 27001 certified. And the comment I had from some people when I started to make sure that, in my communication for trainings, I started to say like, hey, this training is part of us trying to maintain the certification, was like, I didn't know that the training was part of some of the requirements for ISO.
And more importantly, what to me was a bit of a revelation was that the need to have this certification didn't come from the security department that one day said, hey, let us get certified. It came from customers asking us to get certified.
Host: Yeah! So when you connected it, it sort of gives the sense to the team that maybe it is important. Like often, trainings in general or security trainings, we try to skip, right? Or we try to see how I can move fast and just complete the answers, and then I am done.
But when you connect it with maybe the business goals, then it gives a sense of ownership or responsibility to the individuals outside of security as well. So yeah, that's a good tip.
Now that sort of is a good segue to my next question, which is security is not about just the team which is working on it, right? It is the responsibility of the entire organization. It's HR, finance, leadership, engineering, everyone, right?
And everyone needs to be aware of the security practices that align with their work and how they should handle some of the situations. How do you tailor your security awareness program so that different audiences of the organization get the sort of same message, but in a different way? How do you do that?
Mauricio: One way you can do that is, well, I would say, to get to know your audience. If possible, I would say even shadow them, see how they work. At Pipedrive, we have this, it wasn't a security initiative, it was just something that the customer support team did, this thing called IDA in our shoes. So basically you could, as a completely optional thing, volunteer to be a customer support representative.
For, let's say, a day. And that's what I did, because that way I was able to understand more how they work and what possible challenges and risks they were facing. So I think that is key.
Another thing that you can do as well to get to know them, perhaps in a more impersonal way, is to use whatever tech stack you have available to see how they are behaving. What are the people that report the most? What are the people that are getting more emails, etc.? Because that also allows you to see how they are behaving and maybe where they might have a need for improvement. And of course, there is no doubt that you can use surveys or just, you know, talk with them and try to understand.
But I think it's very important to, the best way you can, put yourself in their shoes. And not only, just like I mentioned, the way they work, but also the culture.
Pipedrive has offices, for example, in the US and in Estonia and Germany, just as an example. And I think that the messaging that you might or the approach that you might have with people from the US would be different from the people that you have in Germany or that people there have in Estonia.
So it's important to note that just because maybe everyone talks the same language doesn't mean that everyone has the same background.
Host: Yeah, I think location also, as you added, is a key factor. It's not just about the department, but also based on the location, you might have to tailor your messaging as well. So yeah, knowing your audiences is the best way to tailor, right? So yeah, that's good, good feedback.
Now, what format of delivering security awareness training have you seen work the best? Like, have you tried different ones, like in person or online or different simulations?
Mauricio: What I've seen is that, as I alluded before, is context is very important and context is gonna kinda guide a bit on which method for delivery is gonna have the better impact for you.
And also your context is gonna tell you like, okay, the advantage of doing an in-person training will be that it's more interactive in the sense that, okay, there is a person and I think people have an easier time to focus when they're physically present in a room and there is a physical instructor.
But it might not be an option for you if, for example, the security department is in one location, but the people that you need to reach are in a completely different location.
So in that sense, I will say I would move beyond necessarily the delivery method and I would look more at the principles on how you are designing this training.
So like, are you making it engaging? Are you making it relevant? Are you making it also in a way interactive? That's how I would first ask myself these questions, and then perhaps see how I can fit those principles in the delivery method that might be accessible to me.
In my case, at least at Pipedrive, what I tried to do was that we have this onboarding training, which I try to deliver in person, or at least online, so people would have a face, someone that they can reach, at least to put a face and say, okay, this person is from the security team. And for, let's say, the other trainings, I would do them more on these platforms to deliver them. They wouldn't be delivered in person. But that was more because of the resource constraints that we had.
Host: Okay, no, it's understandable. Like not every organization would have all the resources to let's say, fly the trainers to all the locations, all the geographies and do the training. In some cases you have to do remote. So in that case, having like an engaging interactive training makes it much easier to consume and much easier to sort of remember what I learned. Right.
So now another question that often comes to mind right after training is how do you measure that? Like, how do you measure that the training that you are delivering is bearing the fruits that you are looking for?
Mauricio: I begin first by establishing what are going to be my learning objectives for a specific training. And out of those learning objectives, I also try to define, okay, when I'm saying that this is what I would like to teach people, how do I expect this behavior to be seen? And how do I expect this behavior to be seen on an individual level and maybe let's say more of an organizational level?
So... Let's put an example here, like… All right. On phishing, what would be the expected behavior? What I would write in the case of phishing is I'm more interested in making sure that people report the phishing email rather than if they're going to click, if they're going to necessarily check the email address it was sent from, something like that.
My logic was that, okay, having people to do this kind of analysis is putting a bit of a burden on them, and they might have already a heavy workload. So why not just tell them, like, listen, leave it to the professionals to analyze an email instead of you having to go through this.
But... please report it, report it regardless if you have clicked on it, if you submitted credentials, whatever, just report it because that is the way you can ensure that you're gonna get help.
And then when you have established what the expected behavior is, then I will look at what tools I have available for this, like what will allow me to check if people are indeed reporting this. So in this case, you could have decided that phishing reports will be by forwarding an email to a certain inbox. So maybe you have access to the email logs that will be able to tell you, hey, this is how many emails this inbox is getting. And that will allow you to see, for example, if the expected behavior is, okay, we want people to report, how is the reporting trend going? That would be one way to approach it. So first establish what you want people to do, how to behave, and then check how your technological stack can support you on this.
Last case, you can always do surveys, but the challenge I will say with surveys is always that maybe people will not respond to the surveys and you have to make sure that you phrase the questions in the right way.
Host: Yeah. Yeah, so I like how you structured it, right? Like during the training, what should be the goal, like defining the objectives really well. And then also it should be focused on behavior, and also focusing on individual and organizational goals while training. And also post-training, how to track the behavior of the employees to see whether they are reporting or not. And surveys, yeah, you're right. Like often the number of folks who provide their feedback to surveys is historically always low, right?
Because you have so many things going on in your work life. Now there is one more survey that you need to fill in. So you often don't get that kind of a participation. So it makes sense.
Now, one thing that I wanted to do is I want to pivot to incident management. I know that you touch on both the areas, right? So earlier you highlighted that you sometimes determine what is the severity of a particular security incident. And based on that, you have a different playbook and things like that.
So often when a security incident happens, the incident manager, so the team who is working on it, they might feel overwhelmed if it is a.. if they are dealing it for the first time or if it is a new type of attack that is going on. How do you determine what is the level of that event? If it is like a mild or a very severe or you have to get into an emergency mode, how do you determine that?
Mauricio: You determine it usually by looking at the impact the incident is having. To elaborate a little bit more on that, one of the questions that I will ask myself during an incident is, okay, is this stopping? Is this a complete stop, or is this maybe just a degradation?
And the other thing I will ask myself, or maybe ask other stakeholders, because as a security incident manager it's not your duty to have all the answers. Sometimes it might be that you know the right people that need to be involved so that they can provide the right information. But I will also ask, like, okay, if I have been able to determine the asset that's being impacted, I will also ask how important this asset is. Is this something that the business needs and it's affecting the revenue, or is this something more along the lines of, okay, it's bad that it's being affected, but we are still operational? Because depending on this, then you might need to act differently.
Let's put an example, you are under a DDoS attack. All right, there is degradation in the performance of your platform. That would be bad, but it would be worse if, for example, you could have a case of, let's say, a ransomware who is preventing people, your customers, from accessing their data. That would be more bad.
And the last question that I also think is important to keep in mind in this kind of situation is, as well, are there any legal requirements about the impact? For example, under GDPR, certain information, if it gets disclosed, might put pressure on you to report this and make a certain announcement to certain people, for example regulatory authorities, whereas other information, let's say, as far as I know, just to use an example, passwords, as far as I know, if they get leaked, there is not such a legal requirement that will say, okay, in this given timeframe, you need to tell people that their passwords were leaked.
But on the other hand, something about their personal information like, I don't know, gender, blood type, this kind of medical information maybe, that will be more severe. So that's another way of looking at it. Like I said, you don't necessarily need to know these things, but you might need to engage, for example, the legal department and tell them, listen, this is the information that has been affected. Is there any legal requirement about it?
Host: Now, let's say after you determine the level of the attack, how do you ensure that the damage is minimum? Like, what can you do to make sure that, let's say, if it is a data theft kind of an attack, how do you ensure that your data is secured as quickly as you can and the damage is limited?
Mauricio: I would say that the main thing that will help to drive down the impact is to act in a prompt manner. This is not an invitation to rush into actions or something like that, but it is the case that you need to deal with an incident and not leave it there waiting for a long period of time. In some cases, unfortunately, the truth is that, let's put this again, this case of, you made a mistake, you emailed the wrong person and you sent them the wrong information that was not destined for them.
Then in that case, there is very little you can do about, you know, retrieving that information, because if it already left your inbox, then there's little you can do. But another aspect that can help is also communication. You know, I think the more transparent you are, even internally in the organization, it can help in making sure that the impact does not get worse.
Host: Yeah, makes sense. Communication often plays a major role. And also, it's not only about internal, right? You might have external stakeholders, as you highlighted. Like if you have a legal obligation to notify some regulatory authorities or your customers, then that communication has to be as transparent as you can. Otherwise, that will lead to even more confusion, right? And you might lose trust with other stakeholders. So yeah, absolutely.
Now, one follow-up question to that is, let's say you went through the incident, you sort of limited the damage, you mitigated it. Often after that is done, do you recommend performing any kind of review of what exactly happened with the incident? And how do you use that information also if you do?
Mauricio: Absolutely, I think you need to review that what happened during an incident because your priority when you are dealing with a security incident is to mitigate uncontained impact. So whatever actions you take there might at the moment address the situation, but it might not prevent it from happening again in the future.
So that's why post-incident reviews are very important, because they allow you to take a look at what happened and what needs to be improved so that this will not be something that is recurring. And you need to do that after you have dealt with the incident, not during, because that's not the right time.
Another thing that happens that is very important during post-incident reviews is that you might be able to engage other stakeholders, that they will provide you different perspectives. And the quality, I will say, of not only establishing the root cause, but also the measures that you're going to put in place, it's very linked to the quality of the questions you ask.
Sometimes you have to be very curious, but also very insistent on getting some answers so that you can be able to better establish what really happened and how you can do better next time.
Host: Yeah, yeah. So now connecting both the phases, right, in a way, during the incident, post the incident analysis. I'm assuming all of this feeds into the incident response process. Now, let's say you had a defined incident response process. Everybody is following that during an incident. How do you measure the effectiveness of your incident response process? Are there any particular metrics that you look for?
Mauricio: I will say that you pretty much laid out the answer. If you have a plan and you have established the process, then how I would measure the improvement or how my incident response and management process is going is by looking at how people are behaving according to the plan.
Let's say that you have established that one hour or whatever timeframe after a security incident has been declared, there should be an update from the incident manager about, like, what is the incident about? What do we know? What is the work that is being done? Then you could check afterwards to see if incident managers are actually sticking to that process, if indeed after the timeframe that you established that information is coming.
A bit related to that as well is that maybe you have agreed with different stakeholders about the response time, in the sense that you have established that, for example, when you tag your legal coworker that might assist, they will at least reply within, again, this timeframe. And again, this is another thing you can check to see like, okay, are people behaving according to what you established? You know, are they doing it? So yes, that's how you could measure it. I will caution against perhaps measuring your incident management...
Host: Okay.
Mauricio: ...process with metrics like, for example, the resolution time of our security incidents. And the reason why I will caution against that is, first, every security incident will have different aspects that might mean that, okay, the resolution time was different. For example, I can think of DDoS. Sometimes you are under DDoS and it stops. It could be that perhaps the attackers ran out of money or there was a change of interest.
So what does a DDoS that you were able to, say, resolve in two days versus one that took one week tell you? I think resolution time will not give you valuable information on how your process is going. It's just going to tell you how it was resolved, and not necessarily, I'd say, how well you were able to resolve it.
So that's one thing that I will caution against. Kind of, maybe it's a good idea, I think, to track how long it takes you to resolve an incident, because this information is something that you can also use later when engaging the board or when engaging the CISO to say like, hey, the reason why you might want to take a look at this human risk is because it's causing these kinds of incidents, and it takes us on average this amount of time, and this amount of time cost us this much. So, yeah.
Host: Yeah. It's sort of the balance of speed versus accuracy, right? If you want to move fast, but you do not do enough analysis of your incident in an accurate way, that might impact your plan and also the future incident response as well. Similarly, if you do not do accurate work. So yeah, it's the balance between speed and accuracy, which makes a lot of sense.
Now, one of the things that I see with your work is you have that unique advantage of looking at both sides, right? The awareness programs and also the incident response.
So we reached out to a few of our friends and Cassie Clark has a question for you. One is what kind of data do incident response teams have that would be useful for security awareness and culture teams?
Mauricio: Well, I would say that incident response teams will have a lot of data about incidents, not only just about the causes, the root cause, but also what was the behavior during the incident. And that is very valuable for security awareness and culture change people, because the goal of security awareness and culture change is to address human risks, right? And so you need that kind of input to be able to understand, okay, what was the actual cause of this incident? What was the behavior, if applicable? Because not all security incidents will have a human component.
DDoS, for example, that comes to mind. It's an attack, really, there is no human component there, because the human component is on the criminals, but you don't have access to them, so there is nothing there to do.
For example, phishing or something like ransomware, there is indeed a human element there, about like, hey, did this person report it? Why were they perhaps, I don't know, downloading something that they shouldn't or visiting a website that they shouldn't? And that information, you know, comes from, yes, the incident response teams. That's one way that they can help to give that information to security awareness and culture change people.
Host: So root cause analysis, behavior data, and whether there was any human involvement or not, so that it can be used for security awareness programs or culture for the teams. Now, if I flip that question, what do security awareness and culture teams offer to IR teams? So this is also, again, from Cassie Clark.
Mauricio: Absolutely. I think that the main thing that they can offer is basically, in a way, to tell them like, hey, I can help you drive down certain human risks, and that will result in fewer incidents for you to manage. Another aspect that they can contribute that I think is very important is, I mentioned earlier that the quality of the questions during post-incident review is very important. And I think something that happens is that if you look at an incident just from a technical perspective, then you're only going to address the technical aspects.
But when you add people that might contribute or might see it from a behavioral or human-centric perspective, then they will also be able to point out when, or what, could be addressed from the human behavior side of things. But also whether the measures that you are putting in place are appropriate, whether maybe they will cause too much friction.
Again, a bit to this case of the bank and Inblad comes to mind again, that it was very logical for the people who dealt with that to say like, hey, let's disable this feature, but not to look at other aspects. At least to me, it sounds like there wasn't a person, or if there was, they were not able to make a good case of saying, hey, let's keep people in mind about this solution. Maybe completely disabling it is not going to have the impact that we seek. Maybe there are other ways of addressing that.
Host: Makes sense. So in a way, it's not just about swift action, but also analyzing what is the impact to others in the organization and based on that, taking a decision. And that's what like incident response teams will get from like security awareness and cultural, like part of the organization from security.
Another question, and this is a very interesting one. So one of the key statistics presented at the Gartner Security Conference this year is that around 73% of security leaders and CISOs feel burnout at some level in their work life.
I see that you are playing multiple roles, so it's applicable to you a lot. What's your take on this?
Mauricio: My take on it is that indeed, burnout is quite prevalent in cybersecurity. I will say that one of the main factors that is affecting this is resource constraints. And I think the resource constraints come up because of two things. One of them is... Is there enough demand by customers for security?
I think when most of us evaluate a product or a service, usually we don't really put that much value on the security and privacy side of things. We usually like it more for the convenience, price, I don't know, other aspects. And it's not like, this new webcam that I'm gonna install, it doesn't encrypt the data. I'm not gonna buy it. Usually I don't think that's how we evaluate products, right?
So there is, in a way, not so much the environmental aspect; it seems that it's changing for certain things. And the other is always the challenge of, I will say, areas like cybersecurity. Cybersecurity usually does not drive the profit in an organization. It helps prevent losses, but it doesn't help with profit.
So I think sometimes what happens is more, okay, maybe we don't need to make that much investment in security, and that results in, okay, a security team that is a little bit overstretched, and that of course drives a lot of work to do, you know, and that is what might drive people to burn out.
Host: Haha! And you hit a good point, like often cybersecurity, or security in general, is seen as insurance. Unless something bad happens, it's not valued that much. And unless you build a security culture, or the leadership has that security culture, it's a little difficult to get buy-in from stakeholders to drive security programs, to run security programs in an effective manner. So yeah, that definitely would add to the stress the security teams already have.
So what do you do? How do you handle stress and burnout? Do you have any tips for other security leaders?
Mauricio: Yes, I do. I would just like to go back a little bit on one thing that I forgot to mention about what we were discussing previously, which is also, I think, that one of the challenges that cybersecurity overall has is like... There are so many things that might seem that you need to address that you really need to prioritize.
And I think this is overall the challenge a little bit about like moving cybersecurity into a more of a risk management kind of approach. Because the truth is you will always face some kind of limitation you really need to manage to see like, okay, these are my priorities. There is a lot of things that we could do, but these are the key ones.
And this of course is something of a discussion that needs to be had. But coming back to what you said about what is my approach to all this, I think one of them is that I'm a very strong advocate for mental health, in the sense that I... go to therapy, and I think this helps, because you face a lot of pressure from work and you sometimes need to have this safe space to discuss this with a health professional. So I think that's something really important that can help.
The other one is to take time to rest. If you have scheduled vacations, then rest on those vacations. Don't make the mistake of, you know, I'm going to check Slack or I'm going to check my email. No, really, take some time to rest, even if that means doing absolutely nothing; that's important. And last but not least, I will say, have some hobbies. I think work has a place in life, but you should also have these other activities that feed you.
And in my case, for example, I really like doing exercise. I think it helps. You don't have to do anything extreme. Even walking around can help. I also like video games, so when I'm not working, then I also take my time to, of course, enjoy what I like doing with my life. And I think this is something important that you might think that when you're off from work, you might say, like, I'm going to study and I get certified. That is good. But also take some time to do something that is not related to your work.
Host: Yeah, I mean, all of us make that mistake, right? Even when we are taking a day off or on vacation, we often fall into, like, let me check my Slack. Maybe there is something urgent that I need to address, and things like that. So yeah, that's a good point that you highlighted. And I think we started with prioritization, and we sort of ended the podcast with prioritization as well. I like how you said that it should be a risk-based approach, because you cannot fix all the security challenges in your organization. You have to stack rank them based on how big of a risk each one poses, and then based on that you sort of check them off one by one.
Host: But before we end the podcast, before I let you go, one last question that we ask everyone is, do you have any recommendation, a reading recommendation? It can be, like, not a reading recommendation, any recommendation. It can be a blog or a book or a podcast or anything that you would want our audience to go and learn from.
Mauricio: Absolutely. I have a couple of recommendations.
One of them is a book and it's called Myths of Leadership by Jo Owen. I really like it because he takes this approach of taking these myths and looking at them and checking if indeed it is truly a myth or if it is something that is true about all these different aspects of leadership. And I think that when you work in the field of cybersecurity, most of the time you cannot have to these whole initiatives, because usually, unfortunately, you have to push people to do things differently, regardless of whether you are in security awareness or not. So in that aspect, I recommend that book.
The other one that I recommend, which is a little bit more on the cybersecurity side of things, and it's also, again, I like the approach of the authors, because, again, they look at these different myths related to cybersecurity. And the name of the book is Cybersecurity Myths and Misconceptions by Eugene Spafford, Leigh Metcalf, and Josiah Dykstra.
And like I said, I like this approach of theirs of looking at the different myths that are related to cybersecurity and looking at whether they are true or not. So that's my other recommendation. I do have to be transparent that I haven't finished the second book, so I'm going through it, but so far I really like what they have been discussing in it.
Host: Even though you have not finished it, you still liked it so much that you are recommending it, right? That means the book would be good. So what we will do is, when we publish the episode, we'll tag both of these books so that our audience can go in and buy the books or rent the books and read these books as well. With that, we come to the end of the podcast.
Thank you so much, Mauricio, for coming to the podcast and teaching us in a way cybersecurity awareness programs, how to run them in an effective manner and also incident management. So yeah, thank you so much.
Mauricio: Thank you. I'm grateful for this opportunity to have been here. And yes, I hope that the audience got something new out of it. So thank you so much.
Host: Yeah, absolutely. And to our audience, thank you so much for watching. See you in the next episode. Thank you.