Marco Ciappelli and Sean Martin bring you highlights from the Australian Cyber Conference Melbourne 2024, where industry thought leaders, including Jinan Budge from Forrester Research, explore emerging trends, challenges, and the human side of cybersecurity.
Guest: Jinan Budge, Vice President, Principal Analyst serving Security & Risk professionals, Forrester
On LinkedIn | https://www.linkedin.com/in/jinan-budge-2898132/
Hosts:
Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]
On ITSPmagazine | https://www.itspmagazine.com/sean-martin
Marco Ciappelli, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining Society Podcast & Audio Signals Podcast
On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/marco-ciappelli
____________________________
Episode Notes
The Australian Cyber Conference Melbourne 2024 is a dynamic hub of innovation, bringing together top cybersecurity professionals and thought leaders to tackle the industry’s most pressing challenges. In this On Location recording, Sean Martin and Marco Ciappelli have a conversation with Jinan Budge, Vice President at Forrester Research, focusing on the vital role of human-centered security in today’s evolving landscape.
Building a Human-Centered Cybersecurity Culture
One of the central themes of the discussion was the shift from traditional security awareness programs to human risk management. Jinan Budge emphasized the need to move beyond treating people as liabilities and instead design security practices that align with individual behaviors and motivations. This evolution toward human-centered cybersecurity is essential to addressing the unique risks posed by human behavior while fostering a culture of adaptability and trust.
Collaboration Between Enterprises and Vendors
The podcast highlighted the shared responsibility between enterprises and vendors to advance security practices. Enterprises must embrace adaptive security solutions tailored to their workforce, while vendors have a pivotal role in driving innovation and educating the market. This partnership is key to creating flexible, effective solutions that meet the needs of diverse organizations, from startups to global enterprises.
Understanding the Human Element in Data Breaches
Budge introduced a framework she calls the “wheel of human element breaches,” which categorizes risks such as social engineering, human error, and insider threats. This comprehensive approach pushes the conversation beyond the common narrative of phishing attacks, encouraging organizations to adopt holistic strategies that address the root causes of human-driven vulnerabilities.
Education and Continuous Learning
Marco Ciappelli and Jinan Budge underscored the importance of integrating cybersecurity education into early learning environments. Instilling digital safety habits at a young age helps build an instinctive understanding of cybersecurity, preparing future generations for the increasingly digital workplace. This foundation ensures smoother transitions into organizational cultures where cybersecurity is second nature.
Conclusion
The discussions at the Australian Cyber Conference Melbourne 2024 illuminated the industry’s growing focus on human-centered strategies and collaboration between enterprises and vendors. These efforts underscore the importance of proactively addressing human risks and integrating cybersecurity education into every level of society. Events like this continue to shape the future, offering invaluable insights and inspiration for those dedicated to advancing the field.
____________________________
This Episode’s Sponsors
Threatlocker: https://itspm.ag/threatlocker-r974
____________________________
Resources
Learn more and catch more stories from Australian Cyber Conference 2024 coverage: https://www.itspmagazine.com/australian-cyber-conference-melbourne-2024-cybersecurity-event-coverage-in-australia
____________________________
Catch all of our event coverage: https://www.itspmagazine.com/technology-cybersecurity-society-humanity-conference-and-event-coverage
To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit: https://www.itspmagazine.com/redefining-cybersecurity-podcast
To see and hear more Redefining Society stories on ITSPmagazine, visit:
https://www.itspmagazine.com/redefining-society-podcast
The present and future of Human-Centered Cybersecurity: Managing Risks and Fostering Digital Safety | An Australian Cyber Conference 2024 in Melbourne Conversation with Jinan Budge | On Location Coverage with Sean Martin and Marco Ciappelli
Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.
_________________________________________
[00:00:00] Marco Ciappelli: Did you press play? I did.
I'll record.
[00:00:16] Marco Ciappelli: Play. Play the record.
Alright, sound check again.
[00:00:22] Marco Ciappelli: Sound check.
[00:00:22] Jinan Budge: Perfect. I don't get better at this.
That's cool. We
[00:00:31] Marco Ciappelli: don't prepare.
[00:00:32] Jinan Budge: No.
Yeah, this is why I always accept talking to these guys. Yeah, it's not script. It's organized chaos, isn't it? Exactly.
[00:00:45] Marco Ciappelli: There is a system to the madness, right? All right,
[00:00:52] Sean Martin: so is that part of this? I think we're rolling already. I
[00:00:56] Marco Ciappelli: feel like my life is on, uh, on record anyway.
[00:01:01] Sean Martin: Yeah, we're here at, uh, the ASA. CyberCon event in Melbourne.
[00:01:09] Jinan Budge: I think we just call it ASA
though. ASA?
Yeah, no one calls it A. I. S. A. I call it A I S A. No.
[00:01:14] Marco Ciappelli: Don't be that guy, Sean.
[00:01:16] Jinan Budge: No, just get into it. Get into it. It's been ASA since the beginning of time.
[00:01:20] Sean Martin: Alright, see. Yeah. That's why I'm here. To learn.
[00:01:22] Jinan Budge: Yeah.
That's important.
[00:01:24] Sean Martin: That's my learning of the day. We had a great chat with JJ. I learned a lot. A bunch of stuff from her too, which is really cool. But ASA, here we go. ASA, AU CyberCon in Melbourne. You're one of the first members.
[00:01:35] Jinan Budge: I am. I am.
[00:01:37] Sean Martin: What does that mean?
[00:01:39] Jinan Budge: Wow.
[00:01:40] Sean Martin: Who are you first off?
[00:01:43] Marco Ciappelli: What are we doing?
[00:01:44] Jinan Budge: I don't know.
Our good friend from Forrester, so Jinan Budge, Vice President at Forrester Research, I lead our security and risk research in Asia Pacific and globally. I'm spearheading a lot of our research on what we are now calling human centered security, which includes, uh, all manner of things such as human risk management, awareness, behavior, culture.
But also, very importantly, the culture of security teams themselves, leadership issues impacting CISOs, the future of the CISO, so on and so forth. It's, uh, the world is my oyster, I think, with that, uh, with that particular topic.
[00:02:26] Sean Martin: I love it. Yeah. I love it. I do a sub series, uh, Human Centered Cybersecurity with Julie Haney.
I don't know if you've seen that.
[00:02:33] Jinan Budge: No.
[00:02:33] Sean Martin: Sub series. She's from NIST. And we, we look specifically at the research of the human element connected to cyber. Yeah, maybe you'd be a guest on our,
[00:02:42] Marco Ciappelli: you know, years ago when I started working in cyber security with Sean, I was talking about the human element a lot and nobody listened to me and now everybody's just talking about the human element.
But I'm like, well, thank you.
[00:02:55] Jinan Budge: Thank you. The first time I interviewed was when I first joined Forrester; it was at RSA in San Francisco, and I think we talked about security culture at the time. And I remember I published my first report on security culture and, you know, one of the things we measure at Forrester is readership.
And it completely bombed, completely. And I remember doing this recon and asking our clients, what's wrong with that? I thought it was a great report. They were like, no, it's great, but the word culture. We updated it to talk about the human firewall and readership just shot through the roof. So culture, people, even seven years ago was so taboo.
But you know, didn't let that stop me. I kept on going. No, we gotta get going. We've now killed the human firewall terminology for, for lots of different reasons, uh, because I think the, no, I think I know that the space has progressed and it needed to have progressed and we are, uh, we say the future is now and, uh, you know, but the future really wasn't a long time ago, we're finally, finally starting to move there in the human centered.
[00:04:10] Sean Martin: So back to my first question. Thank you for all of that.
[00:04:12] Jinan Budge: Yes.
[00:04:13] Sean Martin: One of the first members of ASA.
[00:04:15] Jinan Budge: Yeah. Yeah. I think I've got my badge. So, um, ASA started out, I'm sure someone would have given you the history, as the information security group. And it was just a bunch of well-meaning cyber security citizens.
There was about 20 of them that got together and said, Hey, this security thing is becoming quite a thing. This was 25 years ago and we're all going to get together and create a community of practice. I wasn't part of that. I was the next generation that came in. Um, I think five years after. I think I remember number 71 or 77.
I've got the ASA badge with my membership number on it. It was adorable, and I was in Sydney at the time and we used to have, we started doing events. Uh, I want to say such as this one, but they looked nothing like this one. We just got the community together and topics that were hot at the time and finding amazing speakers.
And then I ended up moving from the Sydney Organizing Committee to be on the board of what then became ASA. And my job was to grow the organization. I think we ended up at the time, by the time I left my tenure there, we grew the organization to 600 members and we thought that was amazing. So to look at it now, um, I don't know, 15 years later, what is today is pretty incredible.
[00:05:41] Marco Ciappelli: Yeah, yeah, for sure.
[00:05:43] Jinan Budge: It was just such an unheard of thing, security, back at the time, if you all remember, 25 years ago. And in Australia it was such a nascent thing. I remember going into meetings, into what we called the member meetings, and I would be literally one of the only women that would walk into a room of 200 people and be like, My other, my other friend and I would just link each other's arms and just, it was terrifying as a young person coming into this industry.
[00:06:16] Sean Martin: Interesting. It's sad that we have to think about that, but, but, uh, I want to thank you for doing that work then.
[00:06:23] Jinan Budge: Yeah. Because
[00:06:24] Sean Martin: it led us to this moment. I mean, nearly, I think around 5,500 people or so at the conference this year. I can't remember how many. I don't know how many speakers there are, but tons of great topics, tons of great work taking place.
We're meeting a lot of people, we get to see, I don't want to say old friends, but long time friends. Long standing. Long standing friends. But um, so you've seen a lot of change, I don't know if you want to look at Australia specifically, or the greater APJ, APAC region.
[00:07:01] Jinan Budge: Or the greater world. Or the greater world.
Hey!
[00:07:03] Sean Martin: What, what are some of the things you've seen, uh, progress over the last few years or so?
[00:07:08] Jinan Budge: And, and some things that haven't as well. Yeah, perhaps, yeah. Yeah, I know. I mean, what has really progressed is how elevated cyber security has become in organizations. I know that's stating the blatantly obvious, but it really, that has been a progression that I never expected in my career.
You know, I remember when I first joined cyber security, I joined a team called Electronic Data Processing Audit. That was the beginning, which then evolved to Information Security. So it's had, it's had lots of different names. It wasn't always cyber security, obviously. Um, so board level attention, citizen attention, we're starting to really understand the impact of cyber security on citizens, with that comes the, uh, the much deeper understanding, and in Australia we're just beginning that understanding of the impact of geopolitics and geopolitical risks on all of us.
You know, this is no longer some kind of a back office function where you hire a security manager as a tick in the box, and that is definitely an evolution that I've seen. It's, uh, it's not a security function, dude or dudette anymore, although it was never add to that. It was always a security dude. This is a business level function that is entrusted with building trust for the organization. That's quite significant.
[00:08:34] Marco Ciappelli: It is. I'm gonna look at, looking back when we started our ITSPmagazine, you know, there was the idea of looking at society, cybersecurity, then we added tools, technology, because you can't have technology without cyber security, or at least you shouldn't.
Let's put it that way. And you shouldn't not have technology without thinking about the consequences for society, and that now it's all together. It could be a culture. So maybe it was a scary word years ago, but now that's what it's about. It's become part of who we are. And, and I think it's part of the investment on the business side.
It's about making it operational, but also worrying about the future of our kids and our society and how we live our life.
[00:09:20] Jinan Budge: Yep. Yep. And I still don't know, you know, it's so interesting. I love, I love the, the intersection of people, society, technology. I don't think just as yet we know well enough about how our actions as security leaders, and I think for me that is a commitment for myself for my next year's research agenda.
What is the CISO's role, if at all any, in ensuring cyber security, cyber safety of society? I know we each do it for our own organizations and, um, or at least we say we do, but I think that values led, human centered, knowing that humans are at the center of every single thing that we do in cyber security, including the impact on society and so
[00:10:20] Sean Martin: on.
So I'm going to rip the human element out of this for a second. Yes. Thanks. Please. That's what I
[00:10:26] Marco Ciappelli: like. I always want to count on you on
[00:10:27] Sean Martin: that. I know. Do it. So, a couple things that I, that I've heard over the last number of months, um, a lot of focus on small medium business. Yes. So, we mentioned the CISO, we mentioned board.
Yeah. Those two things don't always, well maybe the board, but they don't always apply to the smaller businesses. Yeah. They don't have cyber security teams, they may or may not have IT. Yeah. Which may or may not provide cyber services as part of the IT services. Um, your view on that, that part of the ecosystem of delivering capabilities to society and in there.
Because the supply chain, there's been a lot, at least in the U.S., a lot of talk about supply chain, which these third party, or these smaller organizations, or third parties, is part of the bigger picture. So some of your views on that space, that completely underrepresented, completely
[00:11:25] Jinan Budge: underrepresented, including So I talk, I serve enterprise clients, uh, and I don't, my coverage isn't so focused on supply chain issues, but I think just generally in cyber security, we are completely, um, not paying enough attention to that particular situation.
Um, National Cyber Security Strategy that was published last year has got significant focus in Australia on small to medium businesses, and I appreciate that. We welcome that. In terms of what is happening in practice though, I don't, I don't know, but I don't think that there is enough happening.
Because I know I've been looking at third party risk management for a long time, personally.
And to me, it's, it's a culture. So I'm going to bring the, yeah, you're bringing it back. Because it is a culture, it is people understanding their role within the ecosystem. Do you think that it's an enterprise driven thing? Do you think the enterprise has the opportunity to extend their understanding of systems?
Cybersecurity and risk management to their third party partners and government's role perhaps in that. I
[00:12:43] Jinan Budge: don't know that it's just an opportunity, I think it's an obligation, right? It's a, it's an obligation. It's and again, extending this focus that cyber security, it's not just about the immediate team, the immediate technology, it extends well, well beyond ourselves.
And the more we can understand about those whom we serve. And the more of those that whom we are connected with and how everything is interconnected, the better we all will be.
[00:13:13] Marco Ciappelli: So from a global perspective, you know, you have different culture again, I like that word. And a different involvement for political reason on how much it's driven by regulation, how much the government get involved.
Um, I know Australia has a pretty deep involvement of the government in kind of leading the way for small medium business, I believe,
[00:13:39] Jinan Budge: which is very recent. It hasn't always right. So yeah,
[00:13:43] Marco Ciappelli: some other country. They're not even there yet. The European community may be a little bit more hands on up to the GDPR.
So, um, well, you can't already answer my question. We're not there yet.
[00:13:56] Jinan Budge: No, we're not there yet. And it's so important, you know, you asked before about what perspectives do I have on Asia Pacific as a region and I, it's just sometimes when my vendors ask me questions, when my multinational corporations ask me questions, it's really difficult to even call APJ or Asia Pacific, whatever you call it, a region.
There are so many different regulations, cultures, languages. Business practices. When I run roundtables or keynotes in each of the countries in, um, in Asia Pacific, it is incredible how different and how diverse they are. So I was in Indonesia, um, a few months ago and it was just remarkable to see some of the issues that are impacting them.
They had their first ever Data Protection Act. So the CISOs there were probably more like what we called CISOs in Australia 15 years ago and maybe in the US 25 years ago. So, you know, still developing, um, their management, their leadership, their business skills. So they were spending all of their time actually responding to the new Data Protection Act and doing a series of, um, compliance related activities, which to me was quite remarkable considering what I think some of the, the threats in that particular region are.
So, uh, Indonesia is one of the most popular, populous countries on earth. They've had democratic elections. The, uh, impact and the potential for misinformation, disinformation campaigns is huge in that particular country. And we've still got a long way to go. Regulations that are coming up to speed, business cultures that are coming up to speed, security practices that are coming up to speed.
It's really interesting, um, and then how we all operate and how we can all support the different, uh, geographies and practices. I think it's going to be really important.
[00:16:02] Sean Martin: Having, uh, built products and, and even more importantly bringing them to market, I'm always, an argument in my head of, is the market ready for certain things?
[00:16:15] Jinan Budge: Yes.
[00:16:15] Sean Martin: Yep. And I see this changing all over, uh, different regions as well. Um, data protection might be important. Yep. Um, AI security's a topic that seems to get a lot of attention, maybe some investments. Yep. Um, network's still a thing. Do we focus enough there? Yep. Um, SIEM, I don't know, there's lots of technologies and categories, and I guess my question is, how do you see the future?
Vendors responding to these changes of what do we build, is the market ready for what we've built? Is there money available to buy the stuff that we built?
[00:16:51] Jinan Budge: And it's so, so I am very deeply covering what we're now calling the human risk management market at Forrester globally. It was security awareness and training in February this year, we made the call to transition back to human risk management.
Which is almost an entirely updated mindset and technological shift from the olden day security awareness and training solutions. Really really cool disruption is happening, particularly coming out of the UK, the Nordics and the US. How are the vendors responding in Australia? Um, I don't know, do we even exist?
I know some of the big ones operate here, but they will operate here under their traditional security, legacy security awareness and training, not the updated capabilities. Um, are they in Asia Pacific? Nope. There is not enough money to be made there. So the vendors are chasing not what society needs, not what industry needs.
I don't want to say this generally, but generally that is what's happening. And I can completely understand it in some ways, but in other ways, it's like, come on, you, you could actually make so much more money if you focus on what people need rather than your immediate, you know, what's going to make you money at the end of this year.
And that's been, at least in the market that I cover, that's been very, very disappointing because Asia Pacific is completely underserved in more, um, innovative ways, technologies and solutions.
[00:18:32] Sean Martin: so, I've seen some posts on social media, so I want to get your perspective on this. Around security awareness training. And some, I don't know where the data came from, but there's some chatter on LinkedIn that it's not working.
[00:18:48] Jinan Budge: Yeah.
[00:18:49] Sean Martin: Um, so I don't know if that's what you are seeing, that it's not achieving whatever success was defined as, or it's achieving what it was designed to do, but not what it really should do.
Maybe to your point, or it, the future is coming and we just need to kind of hold on and see where things are going to really achieve what we want it to. So I don't know. So your thoughts on where, where we stand with that.
[00:19:20] Jinan Budge: So they're not, they're not thoughts. This is, this is seven years of research now that, um, that has led us to this point.
Um, one of the things, so in 2022, we published the future of security awareness and training after research that we did on the, the regulations and frameworks that ask organizations around the world to do security awareness and training. And we, we discovered many things that I think are potentially the root cause of the lack of effectiveness of security awareness and training as we knew it.
One of them is when we looked, we actually examined 45, and by we I mean one of my poor researchers, his name is Kevin, unfortunately no longer with us, not my fault, but he went through 45 of these things and we know why then. Yeah, it was, it was a pretty tough research project for the poor guy. Right. Uh, and I'll always be grateful to him, but we looked across those 45 and we looked at the purpose of the control of security awareness and training.
And the purpose was to make people aware, to train them. The word behavior change was mentioned zero times in all 45. The word culture, zero times. And that to me was a, it was a red flag. It's like, we're training people, why? Have we all forgotten why we're training people? We also looked at the dates that these things were published, and 17 of them were published over a decade ago.
Um, Uh, a lot of them, most of them, uh, not most of them, a lot of them were also published over two decades ago before iPhones were invented. So this is not cool. We're trying to solve a problem, an old problem, but one that is really changing, particularly with the advancement of AI technology in a really old way.
So we can't do that. We just can't do it. Then when you ask people, how do you measure the effect of security awareness and training? What are you doing? And I have done this myself, by the way. So this is zero criticism of all of us. I have been there. We measure effectiveness, according to this study, uh, by completion rates.
How many people have completed their training program? And that's kind of the equivalent of saying, Ah, Jinan has read all of the books on diet and she is now thin and beautiful and fit. It's like, it's not how it works. Reading something and behavior change, they're very different things.
[00:21:53] Sean Martin: Or how many hours do you have flying a plane?
For example, all of those things. But no tests completed.
[00:21:59] Jinan Budge: And then when I received the book. Really, I received briefings from some vendors, and this was in the early days, and I am looking at their awareness and training things, and I am like, this isn't effective. Like, what do you mean? People gave it 4.85 stars, and it's like, we are not in the business of entertainment.
[00:22:16] Marco Ciappelli: I think the issue is are you memorizing, or are you actually understanding?
[00:22:20] Jinan Budge: Correct. Are they changing behavior?
[00:22:23] Marco Ciappelli: Exactly.
[00:22:23] Jinan Budge: So they, they were the original things that we put forward, and we, and at the same time I started talking to some smaller startups, and we were very fortunate at Forrester at the time that I was able to include startups in my evaluative research, and so I did because the startups were showing me this thing and I'm like, what is this amazing technology?
What is it doing? It didn't have a name and it was so different from just training people, so what I started seeing is this technology that would integrate with security solutions to see people's behaviors. So are you, um, Sean, does he, uh, uh, does he use multi factor authentication? Does he enable his VPN?
Does he do all of the good things that we train him on? Uh, if you don't at that point, then we can intervene via training or via a policy update. Like, oh my God, this is a game changer. So we can go from training. So we're educating all of the people on all of the security things that they may or may not care about, that may or may not be relevant to them, to being really contextualized and adaptive in our training.
Uh, with loads and loads, hundreds of conversations with my vendor community, with my clients, with end user community, we announced then the name of the market, which is human risk management. Far from perfect, but it represents the idea that there is a risk that is posed by and to humans, and that we need to support humans through that risk.
And we do so via training them at the right time, the right context, for the right person, or sometimes we can support them by intervening via policy change. And that is, for me, this is a key. Very early infancy, like this is, you know, this is the space for innovators and early adopters at the moment, both from vendor and enterprise side.
And we expect from the future, four to eight years' time, that evolves to then what we are terming adaptive people protection, which is the idea that the concept, this amazing idea that technology, people, processes all come together to protect humans with minimal or no effort on their part. That's
a lot.
And that's good.
[00:25:01] Marco Ciappelli: That connect with the first conversation we had today with JJ.
Yeah.
You know, 10 things that, 10 skills you need to have that have nothing to do with technology in order to be cyber secure. And, and she used the, the, the reference to training, teaching kids how to behave on the road. And then finally they get the, the driver's license.
Go around, but they've been on the road for a while. You can't expect somebody to just learn everything in one shot.
[00:25:30] Jinan Budge: Have you guys done a security awareness and training course? I still do them every year and I fail all the time. I've got two university degrees. I've got all my security qualifications. I work in this space and I've failed them.
I can't, I can't, I cannot.
[00:25:47] Marco Ciappelli: We expect too much from people maybe.
[00:25:50] Jinan Budge: We absolutely do and I used to, I used to walk around repeating in organizations that I'd worked at and security teams that are there, security is everyone's responsibility. I'm taking that back and that that has been very controversial in the community because of course it is that's how you build a culture.
I'm not saying kill that, but let's just be a little bit more reasonable on our expectations of people's role in this.
[00:26:16] Sean Martin: Let me ask you this,
[00:26:17] Jinan Budge: talk to me.
[00:26:20] Sean Martin: My general view of the relationship between vendors and enterprise is vendors are innovators and they bring new technologies and they try to fit it into an organization.
Yeah. Where I've seen, and back in the day, I built Symantec, Sim, and I connected with some organizations that were trying to build their own. Yeah. And that, that understanding of what they were trying to build, connected to what I was trying to build, helped me build something better. Yeah. But, and, I don't know if you know Laz, but Laz was at Sears, uh, I guess Demetrius was at Sears, he was a CISO there, built.
Basically an enterprise grade SIEM that fit his culture, fit his operations. Nothing I could build with Symantec would do that and also serve the rest of the market. So my question to you is, do you hear from enterprises, programs that work, with human risk management in mind, that perhaps vendors can't meet unless it's a bespoke thing?
Or are there innovations that you're hearing that, that support a culture for the enterprise that might apply to a broader CQS?
[00:27:33] Jinan Budge: For me, human risk management is a broad term. It is the, it's highly adaptive to the people it's serving and to the organizations it's serving. Where I think one of the downfalls of security awareness and training is it's not, and it had to be highly customized, if that makes sense.
Whereas when you're adapting everything to every single individual based on their risk profile, the risk they're exposed to, exposing themselves to, exposing the organization to, that's a game changer. And then it becomes a little bit less about the, it becomes actually 100 percent about the needs of the organization and the individuals.
[00:28:13] Sean Martin: Because the example I'm thinking as we're talking here is, there's security you can layer on top, there's security you can shim in, there's security you can put on the back end to catch stuff. And then there's within the HR system. Within the workflow, there's security, right? And that's, or within finance, or within product development, or within sale, or whatever, marketing.
And, so I guess my point is that, almost that the business applications need to have security, awareness, training in there.
[00:28:52] Jinan Budge: Awareness and training, or security
[00:28:54] Sean Martin: in there. Awareness, security and awareness. When behavior is not matching the policy, it's within the process.
[00:29:02] Jinan Budge: Absolutely. And wouldn't it be amazing if it happens at the right time, at the point of behavior.
[00:29:08] Sean Martin: So we see that in email to some degree. Yes, we do. Do we see it anywhere else? Yeah,
[00:29:13] Jinan Budge: not yet.
[00:29:14] Sean Martin: Not yet.
[00:29:14] Jinan Budge: No, no, not yet. And we will start seeing that. We'll start seeing, we see that sometimes in DLP, in data. So, you know, you're sending yourself an email to your email account. But you know, you've got to think when it comes to humans.
So we, we're writing research with my colleague, Jess Byrne. I don't know if you've spoken to her ever. She's amazing. Um, but we're writing research on deconstructing human element breaches. What do you think of when you think of human element breaches?
[00:29:46] Marco Ciappelli: Click on something you're not supposed to click and fill out the form or whatever.
[00:29:51] Jinan Budge: Anything else?
[00:29:55] Sean Martin: I don't know. I just think generally data exposure.
[00:29:58] Jinan Budge: Yeah. It's really interesting. So most people think of social engineering, phishing, clicking links, the human error sometimes. So you expose data and you have data exposure. And certainly when you look at things like the DBIR or, in Australia, the Office of the Australian Information Commissioner, they release an annual notifiable breach report. Human element breaches are defined differently by ENISA, OAIC, DBIR. And you know that percentage, 64 percent of breaches are related to the human element, 98%. I have been incorrectly misquoted as saying something like 90 percent of human... it's like, oh my God, where are you getting these figures?
And I suspected that there's a lot more to the human element than just clicking on links. And lo and behold, we're about to publish that research early next year. We have created the wheel of human element breaches. There are eight categories. One of them is social engineering. One of them is human error.
But there's six others, including the way that currently humans can misuse generative AI, for example, by entering PII in ChatGPT, including humans being targeted with deepfakes, malinformation, misinformation, and several insider risks.
[00:31:25] Marco Ciappelli: Manipulation. Yeah.
[00:31:26] Jinan Budge: So this is the problem, and it's a sizable problem, and it's one that we don't really know how deep it is, how broad it is, and we really need to, before we start diving to a solution, we've got to anchor ourselves in the problem.
[00:31:42] Marco Ciappelli: So from all these, it almost, and you went there, I mean, the way you're talking now, it almost looks like the training is just, you know, the moment that you get into the business environment. Now we need to teach people how not to click on email, not to do things. But then I go back to, it's not just when you're studying for the car, it should come from much earlier, from an education that becomes a culture before you even go into the working environment.
Because, I mean, the human element risk is in your life as well, it's in your family, it's in your personal life. It will exist. It's teaching kids in school hygiene, cyber hygiene, and not to do certain things, and who is up to that too. So what I'm saying is maybe if people will come a little bit more prepared before entering the workforce.
I'm not going to say it's going to be easy, but easier, maybe.
[00:32:40] Jinan Budge: Or maybe if we coach people as they go through life. Yeah, exactly. When they're making decisions that are less than optimal. There's always going to be room for proactive education, communication, but as you're making, and I'll give you an example, and I'm going to be delivering this at our keynote in Baltimore in a couple of weeks' time. So I have an issue with sleeping. I haven't slept for a decade and, you know, I've tried reading all of the books about sleeping. Am I better slept? No. I invested in a continuous glucose monitor that showed the relationship between glucose spikes, sleeping, that whole data-driven approach to showing you exactly what behaviors you need to change in order to achieve a goal. Game changer for me. And in the keynote, I talk about the example of my husband, who I love to pieces, but he's so annoying sometimes. And one of his most annoying traits, he sleeps for nine and a half hours every bloody night. He was once in Japan and he slept through an earthquake in Tokyo. I can do that. But imagine, yes well bless you, but imagine if we gave you and my husband a book about sleeping when what you really need, or what he needs, is a book on how to be a less annoying husband. And that's, that sounds like my wife. And that, yes, and that then becomes the data-driven conversation, right?
Do you see the difference? But what we're doing in security, we're giving everybody books on sleeping.
[00:34:19] Marco Ciappelli: Not everybody needs... It's not...
[00:34:21] Jinan Budge: Not everybody needs to learn to sleep. Some people exhibit amazing cyber safe behavior. We do not need to train these people on all the things all the time. And how do you know who is exhibiting cyber safe behavior and who's not?
Human risk management. You do so by integrating, by understanding the entirety of the person's identity, the person's behavior, the person's susceptibility to exposure, and the person's knowledge of cyber security. Yeah. Do you see what I mean?
[00:34:56] Marco Ciappelli: Absolutely. I mean, I had a conversation about, about the education also.
Yeah. With the use of technology to become more targeted according to the need of the kids in the class. It's exactly like that. Not everybody needs to learn the same thing, the same way. In the same way. It's the same thing. In the same way. We just assume that everybody is learning.
[00:35:19] Jinan Budge: Yep.
[00:35:19] Marco Ciappelli: And that's what we teach.
[00:35:21] Jinan Budge: Correct. And when you look, this is when I get excited. So human risk management right now, like we're still just in the education pieces. Like, you know, you need pictures, I need to explain to you, but where the vendors are at, where the disruption is at, they're now starting to be able to correlate people's behaviors, but also how they're responding to different interventions.
So you, Marco, are you going to be better if I give you a two-hour training course, or just a little nudge and a coach, or if I leave you alone? What's going to work better for you, which is exactly what you're saying about the classroom. It's like different people have different learning needs. That is so cool.
Imagine scaling that in the old security awareness.
[00:36:06] Marco Ciappelli: And imagine that coming up on a personal level by a behavioral study, maybe through AI. So my iPhone is going to tell me, Hey, don't, don't, don't click on that, or
[00:36:20] Jinan Budge: That's it. Or on the computer. Yeah. Hey, did you mean to send everybody that file titled "redundancy"? Or, you know, yeah, let's... I love it because it's really
[00:36:40] Marco Ciappelli: the convergence of understanding the human psyche
[00:36:44] Jinan Budge: and doing it technologically.
[00:36:46] Marco Ciappelli: Using technology for research. for what can be improving our humanity, right? And extension of our capabilities and not either fighting it or leveling. I love this. I love where you're going with this. Yes.
[00:37:02] Jinan Budge: Well, not where, it's where the, it's where the market needs to go. You know, you asked me about that.
I've had some really interesting questions before about, well, you know, vendors, should vendors push this on enterprise? And I'm of the view that vendors do need to push a little bit harder, actually. So we've just published the evaluation of human risk management, the nine vendors that matter the most, I think that was two months ago.
And one of the things that really came up is, so we've innovated, in the last two years the vendors have innovated, they've got these shiny new products that we're still educating the market on. It's really exciting. But where the rubber is going to hit the fan is how are they going to help enterprise adopt?
How are they going to help convince enterprise that actually, can you just stop doing this the old way? There is a better new way. And I do think that is the responsibility of vendors, which some vendors vehemently disagree with me on. They're like, oh, but our clients aren't asking us for this, and I don't, it's, yeah, I don't know, it's true.
They're not asking us for this. I don't know where the budget is going to come from. It's not the security awareness and training team who will figure it out, because we need
[00:38:21] Marco Ciappelli: this. I'm sorry, but the market sometimes doesn't ask for the better things.
[00:38:24] Jinan Budge: No, no, it wants faster horses. Exactly. It does, and it's really, you know.
Yeah, exactly. It's difficult for them, though. I'm sitting here in a privileged position of being an analyst. I don't have to make money out of a product. I don't have to make some of these go-to-market decisions that they're making. But I would love to see us do better.
Yep. And I think with that, I know we're going to have to wrap.
I have questions all around the CISO's responsibility. We'll have Jinan back
[00:38:55] Marco Ciappelli: again. Yeah. There's technology. We can connect with her even when we're not here. Although it is very nice to be here.
[00:39:05] Jinan Budge: In person. It's so good to be in person. It's so good.
[00:39:10] Sean Martin: You're invited back. I'll try to remember all the questions in my head.
We'll bring those up again. We
[00:39:15] Jinan Budge: didn't even touch on burnout. I mean, I want to say cool stuff, but no. We'll do a follow up.
[00:39:23] Sean Martin: You're welcome anytime, as you know. But we'll make it a point to get something on the calendar. Thank you. And we'll keep this conversation going. For now, that's, uh, that's it for us here.
With Jinan, anyway. From AU CyberCon.
Thanks for, uh, Thank you for joining us here and listening and watching. Please do share and subscribe. Stay tuned for more.