Nadia El Fertasi, Human Readiness and Resilience Expert and former NATO senior executive, highlights the importance of leveraging emotional intelligence to create and sustain a healthy information security culture. During a very thought-provoking discussion, Nadja made some poignant statements and recommendations such as a) build a culture of empowerment and not fear, b) use empathy to counter social engineering attacks, c) make cyber hygiene practices non-technical and reduce human firewalls, and d) practice reason over fear.

To access and download the entire podcast summary with discussion highlights --

https://www.dchatte.com/episode-16-role-of-emotional-intelligence-in-creating-a-healthy-information-security-culture/

Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast

Please subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks.

Connect with Dr. Chatterjee on these platforms:

LinkedIn: https://www.linkedin.com/in/dchatte/

Website: https://dchatte.com/

Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338

Welcome to the Cybersecurity Readiness Podcast

Series with Dr. Dave Chatterjee. Dr. Chatterjee is the author of

A Holistic and High-Performance

Approach, a recently published book by Sage publishing. He has

been studying cybersecurity for over a decade, authored and

edited scholarly papers, delivered talks, conducted

webinars and shops, consulted with companies and served on a

cybersecurity SWAT team with Chief Information Security

officers. Dr. Chatterjee is an Associate Professor of

Management Information Systems at the Terry College of

Business, the University of Georgia and Visiting Professor

at Duke University's Pratt School of Engineering.

Hello, everyone, I'm delighted to

welcome you to this episode of the Cybersecurity Readiness

Podcast Series. Today, I'll be talking with Nadia El Fertasi,

Human Readiness and Resilience Expert and former NATO senior

executive. NATO stands for North Atlantic Treaty Organization. It

is an international security hub, and is one of the world's

major international institutions. It is a political

and military alliance of 28 member countries from Europe and

North America. Nadia, welcome. It's great to have you as a

guest on the cybersecurity readiness podcast series. Thanks

for making time to share your expertise with the listeners.

The theme for our discussion today is the role of emotional

intelligence in building and sustaining a healthy and

high-performing information security culture. I'd like to

begin by asking you to reflect on your experience at NATO.

Thank you, Dave, thank you for having me on

today. It's my absolute pleasure. So I've worked at

NATO, the world's largest security and crisis management

organization for nearly two decades. That's that's a long

time. And I worked in various countries and posts but always

within the digital transformation and cybersecurity

arena, I always held strategic customer relations and

governance position. Now, how does this relate to what I

currently do? As you know, NATO was founded just after its

beginning, the end of the Second World War, it's the beginning of

the Cold War, and where state sponsored attacks or where state

enemy was very prevalent. So our culture or security culture was

ingrained, to help us not fall for social engineering attacks

in the sense of espionage. So I was also deployed in the field.

But we always received a lot of training and awareness of

programs on how not to fall for emotional manipulation

techniques. So what is social engineering? It's basically

criminals, not necessarily hackers, because there are a lot

of ethical hackers, but criminals trying to manipulate

people to get information out of them so they can hack into

systems. Now, in our case, it was to get information out of us

so they can use it for espionage, or get a

competitive advantage because of the state to state relations. So

in agriculture, being very aware of security was a given, right,

it was really part of our DNA, which I think is very important.

And this was with me for 20 years. And how does that so

after 18 years, I decided to, to change and to resign and build

my own EQ consultancy business and really help people and

organizations deal with these digital disruption. What do I

mean with digital disruptions? Because people think when we

talk about the digital decade, it's a bit overreacted. But how

many people are working online or processing payments, or

processing data exchanging data online, especially after COVID?

Right? So and with all the challenges that are going on,

you know, people's resilience and organizational resilience to

stay not only survive, but thrive is is challenging. So

this is what I do. And I use I leverage the practical crisis

management, resilience, experience and readiness in

NATO. We were either in conflict or preparing to being in one. So

exercising our readiness is in our DNA, our bread and butter,

but I also worked with people from 40 different countries at

all levels. So emotional intelligence was key. Because at

one part you have the technology, how do you get

people to use it technology that is safe and secure and advances

the organization at the same time, right. And there are a lot

of different departments and business units when we look at

the private sector that have a stake in it. So in our case in

our agency, security was responsibility for all. And I

wanted to bring that in my work with the private sector

currently and small businesses. Now there is a lot of

misconception about emotional intelligence because when we

hear emotional intelligence, we think, Oh, this you know,

emotions, they don't belong in the workplace, or we're very

rational etc. Now, I recommend your listeners to look up Lisa

Feldman Barrett, who is an author about how emotions are

made. Secret Life of the Brains is one of the top percent, one

top percent cited neuroscientist and psychologist who really has

a lot of material and research to dispel this myth, right. So

how she explains and the what I also use in my work, I use a

scientifically validated model that the feelings is very

different than emotions, feelings is when our brain makes

sense of our energy levels. So imagine you are working in an

enterprise model, and you have different business units, that

all need amount of resources to be able to sustain the

organization. Now, if acquisition has less resources

than legal, for example, the marketing department of the

research development is going to be in at the resource deficit or

resource overload. Same thing with our body. So when our brain

perceives that it is under high levels of stress, or something

is not right, it creates a body energy deficit. And this is when

we experience feelings of

fear or frustration of you know, general, negative emotions. And

emotions are actually constructed by our bias, by our

stereotype beliefs, by our formative years, by our

experiences, what we learned is emotional behaviors, which is

different than different culture and is not universal. Now, why

is this so important when it comes to cyber? First, if you

want to change mindsets, and implement cyber hygiene, the

language is important, right? Because if we talk to someone

who's an information security specialist or technology, they

may get very excited about cyber, they don't necessarily

see it as something dark or negative or complicated. Someone

who has no exposure to cyber only correlates with the ongoing

ransomware attack and all the cyber breaches may feel a lot of

fear, right? People who I loved in your book, you refer to

people who, you know, developers for examples of applications,

they want to get it out on the market as soon as possible.

While the security people want to keep the US market is as long

as possible, right? So that we have different concepts about

cybersecurity and cyber safety in general, it is only normal to

feel discomfort when you're dealing with a new concept. And

how do you get people to do things differently in a way that

secures not only the surface, not only the product, but also

the user environment. And the way they work and live, you

know, with the online world is to help them become comfortable

with the discomfort. And this is where emotional intelligence

comes in. It is relating to the immediate challenges to the

behavioral aspects of people. cognitive intelligence is long

term strategic, and you need both actually. And some people

are more equipped with it because they've learned it.

Other people who have trained to be very cerebral, and this is

especially true for the STEAM (Science, Technology,

Engineering, and Math) workforce. If you've been

trained to be very technical, logical, and you know, data

crunching for example, then it's a little bit more difficult to

put words or to understand how your emotions affect your

behavior.

Great. Fantastic. Thanks for that

introduction, that primer on emotional intelligence, the

significance of emotional intelligence, in bringing about

the desired information security culture. As you as you know that

when we look at cybersecurity, the challenges with

cybersecurity, we have to understand it from a people

process and technology standpoint. The good news is

there are lots of soft, sophisticated technologies out

there. The good news is there are great process

recommendations, great frameworks out there. The

challenge lies in the human factor. And you spoke to that

when you said that some of us are better trained than others,

or are better have better abilities than others, to deal

with uncertainty, to deal with, deal with challenges that are

not within our domain of expertise, or interest. So

therefore, managing the human factor effectively, to build and

sustain a strong cybersecurity culture is easier said than

done. It is often something organizations try to stay away

from, because it's very hard to show immediate results, the ROI

is not very tangible. But as more and more executives are

recognizing, at the end of the day, it's really about

execution, you can have the best plan, but if you are not able to

execute to precision, to the plan, you're unlikely to be very

successful; especially in the context of cybersecurity, where

an organization needs to be able to sustain an element of

stability in their management and performance of the cyber

secure defense measures. To be able to act and perform in a

precise and consistent manner, over a period of time, you need

the right kind of culture that needs to become part of the

organizational DNA. And that's where someone with your kind of

expertise comes in, and can be of immense benefit to

organizations who are trying to understand people, human

mindset, how to bring about changes in human behavior. So

let's get a little specific because I'm sure our listeners

are thinking, Yeah, this is all good. But what are your

recommendations? So from a recommendation standpoint, let's

have this discussion organized along some of the success

factors that I talked about in my book, and I appreciate you

having read the book. And we if we look at it from the

standpoint of the three highperformance cultural traits

of commitment, preparedness and discipline, if you could take

one of them, let's say commitment, and speak to that,

in terms of how do you get the organizational leadership? How

do you get organizational members at all levels, more

committed to achieving a high level of cybersecurity

performance?

Yes, thank you, Dave. And I really enjoyed

the book. Everyone talks about leadership, right? It needs to

start at the top. But what does that look like? Right, and we

forget the top leadership are also human beings as well.

Right. And one of the biggest challenges we faced at NATO, and

many organizations face is, we don't want to change people, we

want to do get them to do things differently on the things on the

job for sustainable period of time. So emotional, intelligent

leadership is critical. I think there is a lot of focus on

building agile systems on building agile technology. But

how do we build agile people, right? People are not programs

that can be flexible, there are different levels of flexibility.

One excellent model called the Kubler Ross model really

explains actually the different emotional states people go

through before they, when they go through a loss, right. It was

developed for grief, but the same emotions apply when change

happens. Now, it's and I'll give an example of my own time when

we were facing a lot of geopolitical uncertainty after

911 after you know what happened also in in the border with

Russia and Ukraine that put a lot of pressure on us in NATO

and also created a lot of uncertainty in challenging time.

Especially because cyber was really used as part of a hybrid

warfare tactic. So we had a new general manager coming in at the

time, he was from the Pentagon, brilliant, brilliant man. And he

really had this, he had it right, he surrounded himself

with the right people. But he also had people-centric

leadership and people-centric mindset. So what he did in terms

of, you know, demonstrating it from the top and emotional

intelligence leadership, he understood that the chief

surface line, so the people who were accountable and responsible

for delivering the service and delivering the product, there

was too much bureaucracy and too much power distance between them

and himself. Right. And so he created a matrix organization as

much as possible. So the people who were responsible and

accountable for the full lifecycle of the services, they

were responsible of the product, including security that was just

ingrained, and cyber safety was ingrained in every aspect. We're

directly responsible to them, what did that create? It created

a sense of empowerment in these people, right? They were seen,

they were validated, they were held accountable, they were

given more empowerment, right? And they increased their buy-in,

why should they go all the way? Right, it increased their kind

of purpose, the getting up in the in the morning, and really,

you know, moving in towards the same direction. The other

element was he appointed chief operating officer, who was also

another brilliant man, who had not only a high level of

expertise in the technical arena in the business, brilliant

diplomat, he came from diplomacy as well and had very good

relationships with national delegations, with the

ambassadors, with the decision makers, because when you look at

policy, and strategy and governance, right, and you can

compare it to the C suite in the business arena, there's often a

disconnect when it comes to the information security culture,

not that they don't understand, it's just they have many other

fires, and business risks going on. So these relationships with

him, made him very credible, and they had his trust, which made

it easier to actually navigate building this culture within

within the very uncertain and challenging environment we were

working in. So both of these very senior people, right. They

had high levels of cognitive intelligence, they had high

levels of political intelligence, they had high

level of technical intelligence, business intelligence, but what

made the organization shift our agency shift our people, you

know, the way we work shift,is the emotional intelligence part.

Is the people, right, you need to inspire people to guide to

hold them accountable, right? Emotional Intelligence doesn't

mean

how do I say soft, right? Being various not at all right? true

leader, can listen to everyone can take into consideration but

ultimately takes the decision based on what he believes is

best for the organization on the information is available, right?

It's really, ultimately people want to feel heard and

validated, right? So they can show up. And with a lot of the

work that I do often I hear, you know, people that this, they

just they are tired of so many changes, I would add one more

element, which is very crucial, is communication. We over

perhaps me focus a lot on communication with our external

stakeholders, our customers, our shareholders. But you have to

start inside out when there's a lot of uncertainty outside it

acts exaggerates the uncertainty within your organization. So

internal communication policies and prosperity, even when you

don't know. One of the best leaders I've worked with, and I

see also in my clients are the ones that are vulnerable doesn't

mean that they share all their personal stuff, but they've seen

when things are not working, and that they don't have the answer

immediately. And they are looking right in there involving

the people are the ones that they get most support from the

workforce. And that is very important.

Yeah, you know, I think you said

something, which is so so important. You mentioned about

being vulnerable. We often make the mistake of thinking that a

leader who's always exuding great confidence, great belief

and a leader, a strong leader. should not show any kind of

vulnerability. But to your point, vulnerability, the way I

look at it is essentially a feeling of, you know, a little

bit maybe the maybe the word paranoia makes sense that

there's always an element of paranoia that what could happen,

that could break the current defense, are we really well

secured? Or is there anything missing. And that kind of

mindset is helpful, because it always keeps you on your toes,

and doesn't allow you to be complacent. So maybe what I was

getting at is vulnerability can often come across as like a

reflection of weakness. But vulnerability can also be

interpreted as somebody who is not complacent, who always

believes in a high level of preparedness. And that's

something that I've also found in my research, that leadership

can play a hugely important role in not only mobilizing

organization wide support towards the goals and the

actions, but also help the organization reach a high level

of preparedness. Another point you made, and you made it very

well, it's a very powerful statement, you said, build a

culture of empowerment, not fear. And that speaks to taking

a very positive approach to many things, cyber, including cyber

communication. And time and time again, when I talk to senior

executives, when I review the literature, one of the

consistent good practices is about letting the users know

what they could do to further secure the organization. So

you're taking the approach of saying what you can do and not

taking the approach of what you can't do, yes, that's the fine

line. But there's a way of saying things in a very positive

vein. And still being able to communicate the things that

users should be wary about. So it's a fine line. And it can be

done by very skilled people. And you talked about the leadership

that you've come across with a very high degree of a variety of

different types of allegiance. Moving on to another question I

have for you. And that is, you worked for an organization like

NATO, very security driven organization. So you would

expect security to be high on their priority when it comes to

culture. But in a traditional private sector organization,

where you yourself mentioned, often, the focus or priority of

the executives are on realizing the business goals, their

mission. And security is not that security is something

unfortunately, they have to deal with. They wish they didn't. So

in that kind of an environment, how do you get whether it's the

leadership or whether it's the organization as a whole? How do

you get the focus turned towards security, where there is growing

recognition, that security is also a very important

organizational capability, is also a very important

organizational competency? How do you get that realization

etched into the organization?

It's a very good point. And I'll, I'll say

one word, and then I'll give an anecdote to explain that word

and then give, give my own thoughts. Vision. Right. You

need to have a vision, right, for your organization. Why is

that important? Let me go back to something we dealt at NATO.

Right. Because NATO, our mandate was Article Five is collective

defense. Right. And I don't know if you remember when 911 came

about. It was a lot of discussion. Why was NATO not

more on the forefront in countering terrorism, and the

risk for terrorist attacks was very evident, very prevalent in

across European cities and in North America. Now, the obvious

reason is it was not within our mandate, or primary mandate. You

had organizations like the UN and other organization was was

in their mandate. And we were always in support. So we were

active, but it wasn't our primary focus. Everyone who

worked at NATO and the culture was very much still aware of the

Cold War. And remember the Second World War, the impact of

a nuclear attack, it would be far more detrimental than a

terrorist attack. And I know it sounds perhaps a little bit

harsh when you hear it, because it's not statistics. When we I

think a lot of people in leadership within NATO

understood the vision of building a safe and secure

transatlantic democracy, we take our freedom for granted. Right?

We forget that there are capabilities out there, right,

that can eradicate entire cities. So the risk for what we

were protecting 1 billion citizens was much higher. So

every organization should ask themselves, right, right, what

is the risk, because the capabilities are there, and you

don't need to be a sophisticated cyber criminal, to participate

in the ransomware service model. And just, you know, get as fast

money as possible, was even more challenging. And again, I don't

want to play into fear, but it's just being aware is non

sponsored states, cyber attacks, and even inspired state

sponsored attacks. There are many different reasons why

someone does cyber crime. So every organization needs to

understand what is the vision for the organization in the 21st

century, this highly digitized? What would happen if our most

critical infrastructure would go down? What would happen if 5

million and you have many case studies in your book, customers

data, shareholders data that gets lost? You don't want to

think about it, because again, it is not very tangible. We live

very short term focused, right? Okay, what is in the immediate

and when you're driven by the immediate and don't include and

balance it with a long term vision, your preparedness

strategies and your ability to recover, because now we have to

assume we will be compromised, every organization, they don't

assume that they can, they are compromised, their survival rate

is likely to be very low, because even a brilliant article

in the Financial Times about this in this. And this is also

how you get confidence from your shareholders from your customers

that you know it you know, what to do, when you there is a cyber

breach, right? And you can recover and protect their data

in the most

less riskful way as possible. So I this is what I would give away

is really understand how much are you balancing long term

vision with short term vision? And how can you explain cyber

risk in people's map of the world; example: a developer

wants to bring out their app as fast as possible, they've put

their intellectual property right, they've put their blood

and sweat. So if you're just going to tell them, we can put

it off because there are still some security updates missing,

they're not going to resonate with it. But if you are

explaining that if the app is on the market, and someone can

actually replicate the app, or steal the data, and actually

bring it out earlier in the better version, without you

know, this is going on all the time, that will get their

attention, right. So how can you speak in a way that security is

seen as an enabler, another barrier, it also requires

information, cybersecurity and information technologies to

compromise in a way that to have an understanding what is the

minimum required security requirements, right, minimal

security requirements we had in NATO, and understand that some

security requirements are nice to have, but perhaps not

necessary, but they will prevent the developer or the marketing

or the research and development team to bring out their

application. This requires open dialogue. This requires

listening to each other without feeling personally, you know,

attacked or it's full, everyone has a valid point. How do we get

there from here? And this requires, again, the vision, the

strategy.

Absolutely. Wonderful. You again,

highlighted so many important things. Let me see if I can

remember a few to add to it and also asked you to expand on a

couple of other things as well. You spoke to the importance of

recognizing the consequences of cyber attacks. Organizations can

go under, organizations can go bankrupt, in fact, there is

survey data that showcases that 60% of small to medium sized

businesses are known to go under after they experience a

cyberattack. Even for large companies, reputation is at

stake. And there are many other consequences. It is interesting,

I was having this discussion with the CEO of a billion dollar

insurance company, and I asked him a similar question I said,

how you get your peers in other organizations to be equally

committed to cybersecurity as an enabler, as you said, very

nicely, you said a security is an enabler, not a barrier. His

spontaneous response was Dave, I'm assuming people read what's

coming out every day in the media, there is one story or the

other about an attack and the consequence of the attack. If

after that, a senior executive doesn't recognize how important

cyber is, how important cybersecurity competency is, I

don't know what to tell you. And I couldn't agree more. But

having said that, the unfortunate reality is every

leadership has certain goals, they have to report to

stakeholders. So there are challenges in their work life.

So I understand if often the focus deviates away from having

the best possible cyber defense in place. But then, there is a

change in the minds mindset, there is a change, there's a

shift in top executive attention and commitment. And fortunately,

what I've been noticing, I've been studying the shift for the

last 10 years, it's going in the right direction. And that's

very, very encouraging.

Yeah, just intervene or say something to

what you just said. Please, I, I just want to add another

perspective. I think, you know, I saw this at NATO all the time

I see this, we assume we've seen people know, right. But we

forget, we see the world through our mental model, right? We have

our own experiences. On top of that, the average human brain

can make decisions maximum 7-8 at the time. So if you assume

this type of rule in NATO Never assume someone knows, right, is

not to sue. Because these people, it doesn't mean you

know, sometimes we even speak to them in a very patronizing way,

C suite, CFO or, you know, CEO, they know that cyber is

important, right? If they don't read the news, they're reminded

by others on a constant basis. But the way sometimes we speak

when I read some articles, it's very patronizing. Right, it's

like they don't know, what they tend to forget is that, you

know, these leaders are these people functions have a lot of

different fires going on at the same time. Our human brain can

only focus on so much we believe multitasking is a gift, it is

not a gift at all. And Daniel Kahneman Nobel Prize winner

wrote an excellent book about slow thinking slow and fast. I

don't know if you've read it. So I think from that perspective,

is to communicate from people's map of the world, just because

it's obvious to us because it feels so obvious. And we assume

that doesn't mean it's obvious someone else. Trigger the

emotional intensity you need that matches people's belief so

you can change their behavior. This is what I focus on. Just

because we speak to someone how many times we keep ramping up

the statistics, which is important. But statistics alone

are not going to change people's hearts, okay, you need to find

and this and this and this is actually a whole function, a

whole art, takes investment, takes effort, to learn how to

communicate from someone else's map of the world. And to really,

you know, think about the outcome you want and the words

you're going to use that really get people to actually retain

attention especially now, when the average attention span of

clarity is no longer than seven seconds. So I think it is it is

I agree to a certain extent, but I also think that the way we

communicate in general and especially when it comes to

cyber risk, we cannot assume that people will read 50 page

Incident Response plan or crisis management procedures and

remember them in their map of the world. And when a cyber

breach is taking place, you cannot tell them, well, in the

service level agreement we had, or in the in the document you

signed off, it was clearly stated under paragraph 3.5. We

go into survival mode, fear mode, our brain capacity is

focused on keeping us safe. So our you know, we go there in

very short cut mental models. And I think it's important to

explain to practice this, right. So people don't take necessarily

very defensive, but really understand the human element in

the behavior, and then come up with strategies in the way of

communicating in a way that gets people not necessarily to change

their mind changing mindsets is very difficult. But to change

response options, do something differently, because you know,

it will advance your organization and keep the

organization safe and prepared and resilient.

Yeah, you know, I wish to re emphasize

what you just said about do not assume when you're

communicating, because everyone has different experiences,

different mental maps. And they would interpret a message they

could interpret a message differently. It brings back

another interesting story. So there was this Admiral Hyman

Rickover, who was credited with running the US Naval Nuclear

Propulsion Program, very successfully for 30 some years.

And he was able to build an organizational culture, anchored

on six key principles. And they were integrity, depth of

knowledge, procedural compliance, forceful backup,

questioning attitude, and formality and communications.

Now, let me speak to formality and communications. I believe,

the way it worked in the nuclear Navy, when you receive an order

from your superior, you're supposed to repeat that order

verbatim, before you execute it. Essentially, the process was

meant to be foolproof. So nothing gets lost. There's no

communication leakage, no communication loss. And maybe

it's an extreme approach. Maybe it works in a in a military

organization, but there is something to be learned from

that, taken away from that, for even the private sector, for

even the government organizations that when you are

communicating, it is also your responsibility to make sure that

the person receiving your your message, understands it the way

you want it to be understood. But as we know, unfortunately,

that's not the way the world works. We all experience mass

communications, email blasts, one page email on security with

a lot of detail and immediately when I see those, it it tells

me, okay, here we go check the box, a communication was

required as per certain regulations certain requirement,

and the organization is complying with it. So yes, you

are complying with the regulation, but are you

effectively doing it? The answer is probably no, because when I

see a one page email, I generally tend to overlook it,

unless it is customized, it is tailored, and it is speaking to

my needs. And you spoke to that when you said when you are

communicating with people, when you're trying to get them to see

things in a different way, you have to be very skilled about

how you pitch it, so they can relate to it. And that's the

training in itself. And that should not be considered

obvious. Oh communication, that's fine. As long as we have

the tools in place, we have hired the you know, the the

right kind of professional expertise, we are all good to

go. We are not all good to go because when there's a breach,

and more often than not, it is the cause of a phishing

campaign, the people who get breached are not the ones who

are trained in a cybersecurity certificate program, they are

people who are there to do their job, which is not security. But

then they also have a certain responsibility to perform their

jobs, and also comply with the security guidelines. To get them

to recognize that to get them to do it well, it requires

practice. In a previous podcast, I had an eminent professor talk

about his simulation program, simulating organizational

decision making under stress, under time pressure. And as you

said, it is one thing to plan, it is one thing to prepare. But

then when you are in action, when you are on the court, you

are playing to use a tennis metaphor.

You are all by yourself, you're having to make quick decisions

on your feet. And those decisions have consequences. The

only way of getting better at it, is by doing it over and over

again. What does that mean, from a cybersecurity preparedness

standpoint, running different types of simulations to the best

in extent feasible and possible, every company has their

constraints. And I recognize that. But you know, these were

some thoughts that came to mind as you were speaking, let me ask

you a question. As we were having our sidebar by way of

prep for this talk, you shared some very powerful quotes, if I

may. And one of them was, and this speaks to what we are

talking right now. Practice reason over fear. And another

one I want to bring into the discussion where you said, Use

empathy to counter social engineering attacks. Can you

speak to that?

Yes. Let me start, start first with practice

reason over fear. And I will use a very unusual analogy, but

stick with me, so you understand. imagine, and I'm

going to take you as example Dave, if you don't mind, imagine

you're not feeling very well, today, you're a bit low on

energy, your immune system is not on top, so you're really

not, at your best state. And then you turn around and there

is a tiger predator in the corner of your office. And let's

assume it's not a domesticated one. It's one that is really

going to chase you. So your brain is going to signal to your

body extreme danger, you're going to use all your energy and

run as fast as you can, I hope. Imagine the predator is the

colleague sending you that email, is the continuous attacks

that you receive on your screen, is the fear based leadership

because you're afraid to do something wrong because of the

culture, its meeting your deadlines, whatever it is; the

problem with fear right there it serves a function, we are human

beings to keep ourselves safe, right? So if we go outside, can

see a car and so we can you know, protect ourselves and not

get hit by a car. The problem is, our brain constantly

perceive things as fear puts us in a chronic state of stress,

which has disastrous consequences on our ability to

make decisions, on our ability to manage our energy, our focus,

and we get, I wrote a blog for Global Cyber Alliance and had

statistics in there for the UK in the US, how many people are

distracted and lack of focus and how that correlates with falling

for social engineering for phishing attacks, because which

brings me to your second point use empathy for mitigating

social engineering attacks. Now, empathy is another overused

buzzword it is very difficult to exercise because if you read the

book of Daniel Kahneman, slow thinking slow thinking fast, it

is another part of the of the system, it really requires being

sensitive to other people's needs and, and, and emotions.

Criminals, they use the same emotional manipulation

techniques right to trigger either emotions of fear. So if

someone is worried about their health, they will use specific

language related to COVID to get them to click on a spoofed

account or medical record whatever it is. Someone is

worried about taxes, alright, it will use words or spoof counts

to do that. So they really use words and pretext to speak to

people's fear. The opposite is also true. There are a lot of

one of the prevailing challenge currently is loneliness,

isolation, right because of the pandemic, but even before but

it's just exaggerated. So unfortunately, criminals with no

ethical standards use to prey on these emotions to create

emotions of trust, right, to build this relationship. There's

another excellent book by

Robert Cialdini, The Psychology of Persuasion, 1984, where he

lists six principles of persuasion -- scarcity,

authority, commitment, consistency, liking, and

consensus. Liking, when we like someone, our defense mechanisms

go down, right, the first time when we see someone, we ask for

questions, subconsciously, who is this? What do they want? How

long does it take? And are they a threat? So they know to to use

tactics to lower people's defense mechanisms. So they can

use these techniques. Well, it is important to be aware and to

use empathy, not to be afraid or to be paranoid, but to

recognize, because let me give an example why emotional

intelligence and empowerment is important. If you have an

organization where people don't feel empowered, if you have an

assistant or receptionist or support staff or customer

support agents, that will is asked whether to email whether

to deep fake technology by replicating the voice of the CEO

to make a million dollar transfer in bitcoins, which

happens, right? If they fear the reaction of their CEO or the

leadership being reprimanded or disciplined, they will act based

on that impulse, right? So it is really important to understand

not only empathy, but emotional intelligence or the human

element to not be paranoia. Fear is just a consequence of what we

don't know. When we when there is a gap in our mind, the mind

doesn't like it. So it goes into survival mode. Remember the

tiger, and everyone is so many people currently, no one, say

everyone are under constant pursuit of a predator. But it's

not a predator, but the effect is the same. Right? And you can

follow Andrew Huberman Stanford professor and neuroscientist,

who has loads of research and podcasts about the effect on

this on the brain and how we need to create cultures where

empowerment where you know, of course, stress is healthy in a

certain way. It is all about how we perceive stress. And it's all

about chronic fear, chronic stress, we need to find the

right balance of intense emotion that people are alert. But also

okay, practical, how do I react? No. Right? And this is something

that that needs to be the exercise. And one last thing I

will say based on our just previous discussion on how do

you communicate because one of the challenges we faced at NATO

is that project manager, scientist, IT, cybersecurity,

rightfully didn't think it was their job to become PR

communication experts. So an organization's would really

invest in the person or an office as part of the office

that actually gathered all the information translated in a very

structured way for decision makers for the people that

needed to know for the resources community committee. So we took

the information and tailored it in different messaging in

people's language for defense planning policy committee, the

resources and governance, the Military Committee, the

ambassadors made this highest decision making everyone had a

different interest. And I think it is unfair or unrealistic to

ask your people to become first cyber experts, because it's just

another layer of information and burden that they won't implement

or do. But it's to have this this this bridge between these

different business units communication bridge, both

preparing messages for external and internal stakeholders. And

the last thing I will say very last thing is not your

spokesperson or your communication person is not

necessarily always the best place person for stakeholder

engagement right? Here. It comes to the principle of liking. If

you want to incentivize behaviors, you also need change

agents within your organizations that people can resonate. Even

your most critical person would be a great model, right? To

start with them, and then they can help you influence and

change behaviors with people that relate to them

Absolutely, in fact, there is a lot of

research on the role of change agents in helping organizations

deal with different levels and types of change. And that could

probably be a discussion for another day. Another point I'd

like to make, which aligns with what you said. And that goes

back to this assumption about people, about workers, we

definitely don't expect everyone to be a cybersecurity expert.

But we do want to raise the overall level of awareness,

overall level of knowledge, because each person is a

potential point of vulnerability. But the whole

approach to mobilizing support, to incentivizing the right kinds

of behavior has to be anchored by the belief that the when

people come to work, they come to work with good intentions,

they come to work to do good things. And this I, you know,

I'm stealing this quote, I'm paraphrasing this quote, from a

good friend of mine, who is a CEO of a major corporation, and

who said it very well. He said, Dave, I always will believe will

assume that people come to work to help to do good things to do

great things. So we are not talking about people who are

unwilling to change, unwilling to, you know, adjust their

behaviors, it's a matter of how you communicate how you how you

relate to them. But recognition of these factors, becoming aware

of all the or at least becoming knowledgeable in the field that

allows you to bring about this change in mindset, this change

in culture, or to enhance the level of human capability,

that's an area that organizations need to more

carefully think about, needs to look for the right kinds of

expertise to guide them. Because it is not something that I see

organizations normally gravitating to. It's more like,

here are these cybersecurity trained professionals, they know

how to apply the controls, and they're gonna guide us. But this

discussion we've had, it is still speaks to a human related

control. But the ability to effectively implement implement

it requires, I believe, a very different skill set. Can you

speak to that, as we wrap up this conversation?

Yes, of course, I couldn't agree more

with with actually everything you said. I mean, I will speak

to this from from, you know, expertise, but mostly from

experience. I think we think the change is linear, right? So we

have we used this change program models like John Kotter, we do

all the steps, and then we're done. Right? Change happens to

us, transitions happen within people, right? There's a

different process within people you need. There's no way around

this Dave, you need leadership, to drive sustainable change, you

need healthy organizational culture. People want to know

people don't wake up in the morning, and they want to

sabotage their work, they want to sabotage their computer.

They're just overloaded, often, right? People want to do good.

If you have people working for your organization, because they

feel committed to your values, right? They will be a part of

something bigger. And if you really play into that, in a

sense, if you really build a genuinely build it and not only

have training, right, not only bring outside expertise is to

really make healthy organizational culture and

security is ingrained in it because we are working online,

right? It's not something ad hoc. It should be basic stuff.

If people would do basic cyber hygiene, they don't need to

become a cybersecurity expert, they can reduce up to 80% of

cyber risk, right? So it is but how can you expect people to do

something extra? They don't know how it looks like they don't

know what it is they perceive it as a burden. They think it's

command and control. They don't do it, they will get disciplined

or bad mark on there, etc, etc, etc. Or is everyone going to do

it? No, but it really needs to be at the top. The second thing

I will say Is every organization needs to have an incident

response team or crisis management team. And you need to

survey those people who you put in there, their levels of

emotional intelligence in the sense on what is the function?

What is the requirement they would need to improve? Do if you

have someone who has low levels of assertiveness, for example,

so they don't necessarily speak up, especially when they feel

discomfort, if that person is part of your crisis management

or incident response team, it is unlikely they will ring the

alarm bell when they see something. right, because they

will perceive it as very uncomfortable, right. And then

the alarm bell is rang too late. And I think one of the

complaints of the senior leadership I worked with in NATO

was that people didn't tell them early enough the problem because

they were so high up, or they were you know, they thought that

didn't want to burden them or they didn't want to look bad on

them. Right. And here's where my Dutch mindset came good in

because I always spoke my mind, which they appreciated because

very few people right? Speak their mind for reasons or

because they also feel frustrated when they don't see

any action. So I think it requires leadership and culture,

and when you invest in those, that's how you change.

Transformation is a journey. It's not a one thing, don't

don't think we're gonna do an organizational change as a as a

one year program or two year program. Yes, you can have

models and change management processes that get you there.

But you always need to have you know, you need to have a core

foundation and have enough flexibility to stay relevant in

today's age and to support the people. So also when you hire

and attract talent, make sure it's the right mindset, right,

the right values as well, because those people will go

above and beyond. And even when the last thing I will say there

was a study that said one of the top reasons why people have low

levels of engagement or are reluctant to change is they

don't feel recognized. They don't feel appreciated. So it's

not even the paycheck that is the most important parameter. It

is recognizing your people. And I don't mean just patting them

on the back. But truly recognizing and appreciating and

having programs and doing it you know, in the way that we treat

people as human beings, right, there's nothing soft about that.

It is a sense of business survival. You cannot treat

people as numbers anymore, no matter where they come from, or

no matter how their mind is wired. And I think this is what

separates us from AI machines.

Fabulous. Well, Nadia, I wish we could go

on. But in the interest of time, we have to pause here with the

intent of picking it back up sometime in the future again.

It's been truly a pleasure. Thank you for your time.

Thank you Dave. It was my pleasure.

A special thanks to Nadia El Fertasi for

her time and insights. If you liked what you heard, please

leave the podcast a rating and share it with your network.

Also, subscribe to the show, so you don't miss any new episodes.

Thank you for listening, and I'll see you in the next

episode.

The information contained in this podcast is for

general guidance only. The discussants assume no

responsibility or liability for any errors or omissions in the

content of this podcast. The information contained in this

podcast is provided on an as is basis with no guarantee of

completeness, accuracy, usefulness, or timeliness. The

opinions and recommendations expressed in this podcast are

those of the discussants and not of any organization.