Nadia El Fertasi, Human Readiness and Resilience Expert and former NATO senior executive, highlights the importance of leveraging emotional intelligence to create and sustain a healthy information security culture. During a very thought-provoking discussion, Nadja made some poignant statements and recommendations such as a) build a culture of empowerment and not fear, b) use empathy to counter social engineering attacks, c) make cyber hygiene practices non-technical and reduce human firewalls, and d) practice reason over fear.
Time Stamps
00:49 -- I'd like to begin by asking you to reflect on your experience at NATO.
09:25 -- How do you get organizational members at all levels, more committed to achieving a high level of cybersecurity performance?
19:38 -- There is growing recognition that security is an important organizational capability, a very important organizational competency? How do you get that realization shaping the organization's culture?
41:01 -- During our podcast planning discussion, you shared some very powerful quotes, such as a) practice reason over fear, and b) use empathy to counter social engineering attacks. Can you speak to them?
49:59 -- This discussion we've had speaks to human-related controls. The ability to effectively implement such controls requires a very different skill set. Can you speak to that, as we wrap up this conversation?
Memorable Nadja El Fertasi Quotes
"If you want to change mindsets and implement cyber hygiene, language is important."
Build a culture of empowerment, not fear."
"So how can you speak in a way that security is seen as an enabler and not as a barrier."
"Practice reason over fear."
"Use empathy to counter social engineering attacks."
Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast
Please subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks.
Connect with Dr. Chatterjee on these platforms:
LinkedIn: https://www.linkedin.com/in/dchatte/
Website: https://dchatte.com/
Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338
Welcome to the Cybersecurity Readiness Podcast
Introducer:Series with Dr. Dave Chatterjee. Dr. Chatterjee is the author of
Cybersecurity Readiness:A Holistic and High-Performance
Cybersecurity Readiness:Approach, a recently published book by Sage publishing. He has
Cybersecurity Readiness:been studying cybersecurity for over a decade, authored and
Cybersecurity Readiness:edited scholarly papers, delivered talks, conducted
Cybersecurity Readiness:webinars and shops, consulted with companies and served on a
Cybersecurity Readiness:cybersecurity SWAT team with Chief Information Security
Cybersecurity Readiness:officers. Dr. Chatterjee is an Associate Professor of
Cybersecurity Readiness:Management Information Systems at the Terry College of
Cybersecurity Readiness:Business, the University of Georgia and Visiting Professor
Cybersecurity Readiness:at Duke University's Pratt School of Engineering.
Dr. Dave Chatterjee:Hello, everyone, I'm delighted to
Dr. Dave Chatterjee:welcome you to this episode of the Cybersecurity Readiness
Dr. Dave Chatterjee:Podcast Series. Today, I'll be talking with Nadia El Fertasi,
Dr. Dave Chatterjee:Human Readiness and Resilience Expert and former NATO senior
Dr. Dave Chatterjee:executive. NATO stands for North Atlantic Treaty Organization. It
Dr. Dave Chatterjee:is an international security hub, and is one of the world's
Dr. Dave Chatterjee:major international institutions. It is a political
Dr. Dave Chatterjee:and military alliance of 28 member countries from Europe and
Dr. Dave Chatterjee:North America. Nadia, welcome. It's great to have you as a
Dr. Dave Chatterjee:guest on the cybersecurity readiness podcast series. Thanks
Dr. Dave Chatterjee:for making time to share your expertise with the listeners.
Dr. Dave Chatterjee:The theme for our discussion today is the role of emotional
Dr. Dave Chatterjee:intelligence in building and sustaining a healthy and
Dr. Dave Chatterjee:high-performing information security culture. I'd like to
Dr. Dave Chatterjee:begin by asking you to reflect on your experience at NATO.
Nadia El Fertasi:Thank you, Dave, thank you for having me on
Nadia El Fertasi:today. It's my absolute pleasure. So I've worked at
Nadia El Fertasi:NATO, the world's largest security and crisis management
Nadia El Fertasi:organization for nearly two decades. That's that's a long
Nadia El Fertasi:time. And I worked in various countries and posts but always
Nadia El Fertasi:within the digital transformation and cybersecurity
Nadia El Fertasi:arena, I always held strategic customer relations and
Nadia El Fertasi:governance position. Now, how does this relate to what I
Nadia El Fertasi:currently do? As you know, NATO was founded just after its
Nadia El Fertasi:beginning, the end of the Second World War, it's the beginning of
Nadia El Fertasi:the Cold War, and where state sponsored attacks or where state
Nadia El Fertasi:enemy was very prevalent. So our culture or security culture was
Nadia El Fertasi:ingrained, to help us not fall for social engineering attacks
Nadia El Fertasi:in the sense of espionage. So I was also deployed in the field.
Nadia El Fertasi:But we always received a lot of training and awareness of
Nadia El Fertasi:programs on how not to fall for emotional manipulation
Nadia El Fertasi:techniques. So what is social engineering? It's basically
Nadia El Fertasi:criminals, not necessarily hackers, because there are a lot
Nadia El Fertasi:of ethical hackers, but criminals trying to manipulate
Nadia El Fertasi:people to get information out of them so they can hack into
Nadia El Fertasi:systems. Now, in our case, it was to get information out of us
Nadia El Fertasi:so they can use it for espionage, or get a
Nadia El Fertasi:competitive advantage because of the state to state relations. So
Nadia El Fertasi:in agriculture, being very aware of security was a given, right,
Nadia El Fertasi:it was really part of our DNA, which I think is very important.
Nadia El Fertasi:And this was with me for 20 years. And how does that so
Nadia El Fertasi:after 18 years, I decided to, to change and to resign and build
Nadia El Fertasi:my own EQ consultancy business and really help people and
Nadia El Fertasi:organizations deal with these digital disruption. What do I
Nadia El Fertasi:mean with digital disruptions? Because people think when we
Nadia El Fertasi:talk about the digital decade, it's a bit overreacted. But how
Nadia El Fertasi:many people are working online or processing payments, or
Nadia El Fertasi:processing data exchanging data online, especially after COVID?
Nadia El Fertasi:Right? So and with all the challenges that are going on,
Nadia El Fertasi:you know, people's resilience and organizational resilience to
Nadia El Fertasi:stay not only survive, but thrive is is challenging. So
Nadia El Fertasi:this is what I do. And I use I leverage the practical crisis
Nadia El Fertasi:management, resilience, experience and readiness in
Nadia El Fertasi:NATO. We were either in conflict or preparing to being in one. So
Nadia El Fertasi:exercising our readiness is in our DNA, our bread and butter,
Nadia El Fertasi:but I also worked with people from 40 different countries at
Nadia El Fertasi:all levels. So emotional intelligence was key. Because at
Nadia El Fertasi:one part you have the technology, how do you get
Nadia El Fertasi:people to use it technology that is safe and secure and advances
Nadia El Fertasi:the organization at the same time, right. And there are a lot
Nadia El Fertasi:of different departments and business units when we look at
Nadia El Fertasi:the private sector that have a stake in it. So in our case in
Nadia El Fertasi:our agency, security was responsibility for all. And I
Nadia El Fertasi:wanted to bring that in my work with the private sector
Nadia El Fertasi:currently and small businesses. Now there is a lot of
Nadia El Fertasi:misconception about emotional intelligence because when we
Nadia El Fertasi:hear emotional intelligence, we think, Oh, this you know,
Nadia El Fertasi:emotions, they don't belong in the workplace, or we're very
Nadia El Fertasi:rational etc. Now, I recommend your listeners to look up Lisa
Nadia El Fertasi:Feldman Barrett, who is an author about how emotions are
Nadia El Fertasi:made. Secret Life of the Brains is one of the top percent, one
Nadia El Fertasi:top percent cited neuroscientist and psychologist who really has
Nadia El Fertasi:a lot of material and research to dispel this myth, right. So
Nadia El Fertasi:how she explains and the what I also use in my work, I use a
Nadia El Fertasi:scientifically validated model that the feelings is very
Nadia El Fertasi:different than emotions, feelings is when our brain makes
Nadia El Fertasi:sense of our energy levels. So imagine you are working in an
Nadia El Fertasi:enterprise model, and you have different business units, that
Nadia El Fertasi:all need amount of resources to be able to sustain the
Nadia El Fertasi:organization. Now, if acquisition has less resources
Nadia El Fertasi:than legal, for example, the marketing department of the
Nadia El Fertasi:research development is going to be in at the resource deficit or
Nadia El Fertasi:resource overload. Same thing with our body. So when our brain
Nadia El Fertasi:perceives that it is under high levels of stress, or something
Nadia El Fertasi:is not right, it creates a body energy deficit. And this is when
Nadia El Fertasi:we experience feelings of
Nadia El Fertasi:fear or frustration of you know, general, negative emotions. And
Nadia El Fertasi:emotions are actually constructed by our bias, by our
Nadia El Fertasi:stereotype beliefs, by our formative years, by our
Nadia El Fertasi:experiences, what we learned is emotional behaviors, which is
Nadia El Fertasi:different than different culture and is not universal. Now, why
Nadia El Fertasi:is this so important when it comes to cyber? First, if you
Nadia El Fertasi:want to change mindsets, and implement cyber hygiene, the
Nadia El Fertasi:language is important, right? Because if we talk to someone
Nadia El Fertasi:who's an information security specialist or technology, they
Nadia El Fertasi:may get very excited about cyber, they don't necessarily
Nadia El Fertasi:see it as something dark or negative or complicated. Someone
Nadia El Fertasi:who has no exposure to cyber only correlates with the ongoing
Nadia El Fertasi:ransomware attack and all the cyber breaches may feel a lot of
Nadia El Fertasi:fear, right? People who I loved in your book, you refer to
Nadia El Fertasi:people who, you know, developers for examples of applications,
Nadia El Fertasi:they want to get it out on the market as soon as possible.
Nadia El Fertasi:While the security people want to keep the US market is as long
Nadia El Fertasi:as possible, right? So that we have different concepts about
Nadia El Fertasi:cybersecurity and cyber safety in general, it is only normal to
Nadia El Fertasi:feel discomfort when you're dealing with a new concept. And
Nadia El Fertasi:how do you get people to do things differently in a way that
Nadia El Fertasi:secures not only the surface, not only the product, but also
Nadia El Fertasi:the user environment. And the way they work and live, you
Nadia El Fertasi:know, with the online world is to help them become comfortable
Nadia El Fertasi:with the discomfort. And this is where emotional intelligence
Nadia El Fertasi:comes in. It is relating to the immediate challenges to the
Nadia El Fertasi:behavioral aspects of people. cognitive intelligence is long
Nadia El Fertasi:term strategic, and you need both actually. And some people
Nadia El Fertasi:are more equipped with it because they've learned it.
Nadia El Fertasi:Other people who have trained to be very cerebral, and this is
Nadia El Fertasi:especially true for the STEAM (Science, Technology,
Nadia El Fertasi:Engineering, and Math) workforce. If you've been
Nadia El Fertasi:trained to be very technical, logical, and you know, data
Nadia El Fertasi:crunching for example, then it's a little bit more difficult to
Nadia El Fertasi:put words or to understand how your emotions affect your
Nadia El Fertasi:behavior.
Dr. Dave Chatterjee:Great. Fantastic. Thanks for that
Dr. Dave Chatterjee:introduction, that primer on emotional intelligence, the
Dr. Dave Chatterjee:significance of emotional intelligence, in bringing about
Dr. Dave Chatterjee:the desired information security culture. As you as you know that
Dr. Dave Chatterjee:when we look at cybersecurity, the challenges with
Dr. Dave Chatterjee:cybersecurity, we have to understand it from a people
Dr. Dave Chatterjee:process and technology standpoint. The good news is
Dr. Dave Chatterjee:there are lots of soft, sophisticated technologies out
Dr. Dave Chatterjee:there. The good news is there are great process
Dr. Dave Chatterjee:recommendations, great frameworks out there. The
Dr. Dave Chatterjee:challenge lies in the human factor. And you spoke to that
Dr. Dave Chatterjee:when you said that some of us are better trained than others,
Dr. Dave Chatterjee:or are better have better abilities than others, to deal
Dr. Dave Chatterjee:with uncertainty, to deal with, deal with challenges that are
Dr. Dave Chatterjee:not within our domain of expertise, or interest. So
Dr. Dave Chatterjee:therefore, managing the human factor effectively, to build and
Dr. Dave Chatterjee:sustain a strong cybersecurity culture is easier said than
Dr. Dave Chatterjee:done. It is often something organizations try to stay away
Dr. Dave Chatterjee:from, because it's very hard to show immediate results, the ROI
Dr. Dave Chatterjee:is not very tangible. But as more and more executives are
Dr. Dave Chatterjee:recognizing, at the end of the day, it's really about
Dr. Dave Chatterjee:execution, you can have the best plan, but if you are not able to
Dr. Dave Chatterjee:execute to precision, to the plan, you're unlikely to be very
Dr. Dave Chatterjee:successful; especially in the context of cybersecurity, where
Dr. Dave Chatterjee:an organization needs to be able to sustain an element of
Dr. Dave Chatterjee:stability in their management and performance of the cyber
Dr. Dave Chatterjee:secure defense measures. To be able to act and perform in a
Dr. Dave Chatterjee:precise and consistent manner, over a period of time, you need
Dr. Dave Chatterjee:the right kind of culture that needs to become part of the
Dr. Dave Chatterjee:organizational DNA. And that's where someone with your kind of
Dr. Dave Chatterjee:expertise comes in, and can be of immense benefit to
Dr. Dave Chatterjee:organizations who are trying to understand people, human
Dr. Dave Chatterjee:mindset, how to bring about changes in human behavior. So
Dr. Dave Chatterjee:let's get a little specific because I'm sure our listeners
Dr. Dave Chatterjee:are thinking, Yeah, this is all good. But what are your
Dr. Dave Chatterjee:recommendations? So from a recommendation standpoint, let's
Dr. Dave Chatterjee:have this discussion organized along some of the success
Dr. Dave Chatterjee:factors that I talked about in my book, and I appreciate you
Dr. Dave Chatterjee:having read the book. And we if we look at it from the
Dr. Dave Chatterjee:standpoint of the three highperformance cultural traits
Dr. Dave Chatterjee:of commitment, preparedness and discipline, if you could take
Dr. Dave Chatterjee:one of them, let's say commitment, and speak to that,
Dr. Dave Chatterjee:in terms of how do you get the organizational leadership? How
Dr. Dave Chatterjee:do you get organizational members at all levels, more
Dr. Dave Chatterjee:committed to achieving a high level of cybersecurity
Dr. Dave Chatterjee:performance?
Nadia El Fertasi:Yes, thank you, Dave. And I really enjoyed
Nadia El Fertasi:the book. Everyone talks about leadership, right? It needs to
Nadia El Fertasi:start at the top. But what does that look like? Right, and we
Nadia El Fertasi:forget the top leadership are also human beings as well.
Nadia El Fertasi:Right. And one of the biggest challenges we faced at NATO, and
Nadia El Fertasi:many organizations face is, we don't want to change people, we
Nadia El Fertasi:want to do get them to do things differently on the things on the
Nadia El Fertasi:job for sustainable period of time. So emotional, intelligent
Nadia El Fertasi:leadership is critical. I think there is a lot of focus on
Nadia El Fertasi:building agile systems on building agile technology. But
Nadia El Fertasi:how do we build agile people, right? People are not programs
Nadia El Fertasi:that can be flexible, there are different levels of flexibility.
Nadia El Fertasi:One excellent model called the Kubler Ross model really
Nadia El Fertasi:explains actually the different emotional states people go
Nadia El Fertasi:through before they, when they go through a loss, right. It was
Nadia El Fertasi:developed for grief, but the same emotions apply when change
Nadia El Fertasi:happens. Now, it's and I'll give an example of my own time when
Nadia El Fertasi:we were facing a lot of geopolitical uncertainty after
Nadia El Fertasi:911 after you know what happened also in in the border with
Nadia El Fertasi:Russia and Ukraine that put a lot of pressure on us in NATO
Nadia El Fertasi:and also created a lot of uncertainty in challenging time.
Nadia El Fertasi:Especially because cyber was really used as part of a hybrid
Nadia El Fertasi:warfare tactic. So we had a new general manager coming in at the
Nadia El Fertasi:time, he was from the Pentagon, brilliant, brilliant man. And he
Nadia El Fertasi:really had this, he had it right, he surrounded himself
Nadia El Fertasi:with the right people. But he also had people-centric
Nadia El Fertasi:leadership and people-centric mindset. So what he did in terms
Nadia El Fertasi:of, you know, demonstrating it from the top and emotional
Nadia El Fertasi:intelligence leadership, he understood that the chief
Nadia El Fertasi:surface line, so the people who were accountable and responsible
Nadia El Fertasi:for delivering the service and delivering the product, there
Nadia El Fertasi:was too much bureaucracy and too much power distance between them
Nadia El Fertasi:and himself. Right. And so he created a matrix organization as
Nadia El Fertasi:much as possible. So the people who were responsible and
Nadia El Fertasi:accountable for the full lifecycle of the services, they
Nadia El Fertasi:were responsible of the product, including security that was just
Nadia El Fertasi:ingrained, and cyber safety was ingrained in every aspect. We're
Nadia El Fertasi:directly responsible to them, what did that create? It created
Nadia El Fertasi:a sense of empowerment in these people, right? They were seen,
Nadia El Fertasi:they were validated, they were held accountable, they were
Nadia El Fertasi:given more empowerment, right? And they increased their buy-in,
Nadia El Fertasi:why should they go all the way? Right, it increased their kind
Nadia El Fertasi:of purpose, the getting up in the in the morning, and really,
Nadia El Fertasi:you know, moving in towards the same direction. The other
Nadia El Fertasi:element was he appointed chief operating officer, who was also
Nadia El Fertasi:another brilliant man, who had not only a high level of
Nadia El Fertasi:expertise in the technical arena in the business, brilliant
Nadia El Fertasi:diplomat, he came from diplomacy as well and had very good
Nadia El Fertasi:relationships with national delegations, with the
Nadia El Fertasi:ambassadors, with the decision makers, because when you look at
Nadia El Fertasi:policy, and strategy and governance, right, and you can
Nadia El Fertasi:compare it to the C suite in the business arena, there's often a
Nadia El Fertasi:disconnect when it comes to the information security culture,
Nadia El Fertasi:not that they don't understand, it's just they have many other
Nadia El Fertasi:fires, and business risks going on. So these relationships with
Nadia El Fertasi:him, made him very credible, and they had his trust, which made
Nadia El Fertasi:it easier to actually navigate building this culture within
Nadia El Fertasi:within the very uncertain and challenging environment we were
Nadia El Fertasi:working in. So both of these very senior people, right. They
Nadia El Fertasi:had high levels of cognitive intelligence, they had high
Nadia El Fertasi:levels of political intelligence, they had high
Nadia El Fertasi:level of technical intelligence, business intelligence, but what
Nadia El Fertasi:made the organization shift our agency shift our people, you
Nadia El Fertasi:know, the way we work shift,is the emotional intelligence part.
Nadia El Fertasi:Is the people, right, you need to inspire people to guide to
Nadia El Fertasi:hold them accountable, right? Emotional Intelligence doesn't
Nadia El Fertasi:mean
Nadia El Fertasi:how do I say soft, right? Being various not at all right? true
Nadia El Fertasi:leader, can listen to everyone can take into consideration but
Nadia El Fertasi:ultimately takes the decision based on what he believes is
Nadia El Fertasi:best for the organization on the information is available, right?
Nadia El Fertasi:It's really, ultimately people want to feel heard and
Nadia El Fertasi:validated, right? So they can show up. And with a lot of the
Nadia El Fertasi:work that I do often I hear, you know, people that this, they
Nadia El Fertasi:just they are tired of so many changes, I would add one more
Nadia El Fertasi:element, which is very crucial, is communication. We over
Nadia El Fertasi:perhaps me focus a lot on communication with our external
Nadia El Fertasi:stakeholders, our customers, our shareholders. But you have to
Nadia El Fertasi:start inside out when there's a lot of uncertainty outside it
Nadia El Fertasi:acts exaggerates the uncertainty within your organization. So
Nadia El Fertasi:internal communication policies and prosperity, even when you
Nadia El Fertasi:don't know. One of the best leaders I've worked with, and I
Nadia El Fertasi:see also in my clients are the ones that are vulnerable doesn't
Nadia El Fertasi:mean that they share all their personal stuff, but they've seen
Nadia El Fertasi:when things are not working, and that they don't have the answer
Nadia El Fertasi:immediately. And they are looking right in there involving
Nadia El Fertasi:the people are the ones that they get most support from the
Nadia El Fertasi:workforce. And that is very important.
Dr. Dave Chatterjee:Yeah, you know, I think you said
Dr. Dave Chatterjee:something, which is so so important. You mentioned about
Dr. Dave Chatterjee:being vulnerable. We often make the mistake of thinking that a
Dr. Dave Chatterjee:leader who's always exuding great confidence, great belief
Dr. Dave Chatterjee:and a leader, a strong leader. should not show any kind of
Dr. Dave Chatterjee:vulnerability. But to your point, vulnerability, the way I
Dr. Dave Chatterjee:look at it is essentially a feeling of, you know, a little
Dr. Dave Chatterjee:bit maybe the maybe the word paranoia makes sense that
Dr. Dave Chatterjee:there's always an element of paranoia that what could happen,
Dr. Dave Chatterjee:that could break the current defense, are we really well
Dr. Dave Chatterjee:secured? Or is there anything missing. And that kind of
Dr. Dave Chatterjee:mindset is helpful, because it always keeps you on your toes,
Dr. Dave Chatterjee:and doesn't allow you to be complacent. So maybe what I was
Dr. Dave Chatterjee:getting at is vulnerability can often come across as like a
Dr. Dave Chatterjee:reflection of weakness. But vulnerability can also be
Dr. Dave Chatterjee:interpreted as somebody who is not complacent, who always
Dr. Dave Chatterjee:believes in a high level of preparedness. And that's
Dr. Dave Chatterjee:something that I've also found in my research, that leadership
Dr. Dave Chatterjee:can play a hugely important role in not only mobilizing
Dr. Dave Chatterjee:organization wide support towards the goals and the
Dr. Dave Chatterjee:actions, but also help the organization reach a high level
Dr. Dave Chatterjee:of preparedness. Another point you made, and you made it very
Dr. Dave Chatterjee:well, it's a very powerful statement, you said, build a
Dr. Dave Chatterjee:culture of empowerment, not fear. And that speaks to taking
Dr. Dave Chatterjee:a very positive approach to many things, cyber, including cyber
Dr. Dave Chatterjee:communication. And time and time again, when I talk to senior
Dr. Dave Chatterjee:executives, when I review the literature, one of the
Dr. Dave Chatterjee:consistent good practices is about letting the users know
Dr. Dave Chatterjee:what they could do to further secure the organization. So
Dr. Dave Chatterjee:you're taking the approach of saying what you can do and not
Dr. Dave Chatterjee:taking the approach of what you can't do, yes, that's the fine
Dr. Dave Chatterjee:line. But there's a way of saying things in a very positive
Dr. Dave Chatterjee:vein. And still being able to communicate the things that
Dr. Dave Chatterjee:users should be wary about. So it's a fine line. And it can be
Dr. Dave Chatterjee:done by very skilled people. And you talked about the leadership
Dr. Dave Chatterjee:that you've come across with a very high degree of a variety of
Dr. Dave Chatterjee:different types of allegiance. Moving on to another question I
Dr. Dave Chatterjee:have for you. And that is, you worked for an organization like
Dr. Dave Chatterjee:NATO, very security driven organization. So you would
Dr. Dave Chatterjee:expect security to be high on their priority when it comes to
Dr. Dave Chatterjee:culture. But in a traditional private sector organization,
Dr. Dave Chatterjee:where you yourself mentioned, often, the focus or priority of
Dr. Dave Chatterjee:the executives are on realizing the business goals, their
Dr. Dave Chatterjee:mission. And security is not that security is something
Dr. Dave Chatterjee:unfortunately, they have to deal with. They wish they didn't. So
Dr. Dave Chatterjee:in that kind of an environment, how do you get whether it's the
Dr. Dave Chatterjee:leadership or whether it's the organization as a whole? How do
Dr. Dave Chatterjee:you get the focus turned towards security, where there is growing
Dr. Dave Chatterjee:recognition, that security is also a very important
Dr. Dave Chatterjee:organizational capability, is also a very important
Dr. Dave Chatterjee:organizational competency? How do you get that realization
Dr. Dave Chatterjee:etched into the organization?
Nadia El Fertasi:It's a very good point. And I'll, I'll say
Nadia El Fertasi:one word, and then I'll give an anecdote to explain that word
Nadia El Fertasi:and then give, give my own thoughts. Vision. Right. You
Nadia El Fertasi:need to have a vision, right, for your organization. Why is
Nadia El Fertasi:that important? Let me go back to something we dealt at NATO.
Nadia El Fertasi:Right. Because NATO, our mandate was Article Five is collective
Nadia El Fertasi:defense. Right. And I don't know if you remember when 911 came
Nadia El Fertasi:about. It was a lot of discussion. Why was NATO not
Nadia El Fertasi:more on the forefront in countering terrorism, and the
Nadia El Fertasi:risk for terrorist attacks was very evident, very prevalent in
Nadia El Fertasi:across European cities and in North America. Now, the obvious
Nadia El Fertasi:reason is it was not within our mandate, or primary mandate. You
Nadia El Fertasi:had organizations like the UN and other organization was was
Nadia El Fertasi:in their mandate. And we were always in support. So we were
Nadia El Fertasi:active, but it wasn't our primary focus. Everyone who
Nadia El Fertasi:worked at NATO and the culture was very much still aware of the
Nadia El Fertasi:Cold War. And remember the Second World War, the impact of
Nadia El Fertasi:a nuclear attack, it would be far more detrimental than a
Nadia El Fertasi:terrorist attack. And I know it sounds perhaps a little bit
Nadia El Fertasi:harsh when you hear it, because it's not statistics. When we I
Nadia El Fertasi:think a lot of people in leadership within NATO
Nadia El Fertasi:understood the vision of building a safe and secure
Nadia El Fertasi:transatlantic democracy, we take our freedom for granted. Right?
Nadia El Fertasi:We forget that there are capabilities out there, right,
Nadia El Fertasi:that can eradicate entire cities. So the risk for what we
Nadia El Fertasi:were protecting 1 billion citizens was much higher. So
Nadia El Fertasi:every organization should ask themselves, right, right, what
Nadia El Fertasi:is the risk, because the capabilities are there, and you
Nadia El Fertasi:don't need to be a sophisticated cyber criminal, to participate
Nadia El Fertasi:in the ransomware service model. And just, you know, get as fast
Nadia El Fertasi:money as possible, was even more challenging. And again, I don't
Nadia El Fertasi:want to play into fear, but it's just being aware is non
Nadia El Fertasi:sponsored states, cyber attacks, and even inspired state
Nadia El Fertasi:sponsored attacks. There are many different reasons why
Nadia El Fertasi:someone does cyber crime. So every organization needs to
Nadia El Fertasi:understand what is the vision for the organization in the 21st
Nadia El Fertasi:century, this highly digitized? What would happen if our most
Nadia El Fertasi:critical infrastructure would go down? What would happen if 5
Nadia El Fertasi:million and you have many case studies in your book, customers
Nadia El Fertasi:data, shareholders data that gets lost? You don't want to
Nadia El Fertasi:think about it, because again, it is not very tangible. We live
Nadia El Fertasi:very short term focused, right? Okay, what is in the immediate
Nadia El Fertasi:and when you're driven by the immediate and don't include and
Nadia El Fertasi:balance it with a long term vision, your preparedness
Nadia El Fertasi:strategies and your ability to recover, because now we have to
Nadia El Fertasi:assume we will be compromised, every organization, they don't
Nadia El Fertasi:assume that they can, they are compromised, their survival rate
Nadia El Fertasi:is likely to be very low, because even a brilliant article
Nadia El Fertasi:in the Financial Times about this in this. And this is also
Nadia El Fertasi:how you get confidence from your shareholders from your customers
Nadia El Fertasi:that you know it you know, what to do, when you there is a cyber
Nadia El Fertasi:breach, right? And you can recover and protect their data
Nadia El Fertasi:in the most
Nadia El Fertasi:less riskful way as possible. So I this is what I would give away
Nadia El Fertasi:is really understand how much are you balancing long term
Nadia El Fertasi:vision with short term vision? And how can you explain cyber
Nadia El Fertasi:risk in people's map of the world; example: a developer
Nadia El Fertasi:wants to bring out their app as fast as possible, they've put
Nadia El Fertasi:their intellectual property right, they've put their blood
Nadia El Fertasi:and sweat. So if you're just going to tell them, we can put
Nadia El Fertasi:it off because there are still some security updates missing,
Nadia El Fertasi:they're not going to resonate with it. But if you are
Nadia El Fertasi:explaining that if the app is on the market, and someone can
Nadia El Fertasi:actually replicate the app, or steal the data, and actually
Nadia El Fertasi:bring it out earlier in the better version, without you
Nadia El Fertasi:know, this is going on all the time, that will get their
Nadia El Fertasi:attention, right. So how can you speak in a way that security is
Nadia El Fertasi:seen as an enabler, another barrier, it also requires
Nadia El Fertasi:information, cybersecurity and information technologies to
Nadia El Fertasi:compromise in a way that to have an understanding what is the
Nadia El Fertasi:minimum required security requirements, right, minimal
Nadia El Fertasi:security requirements we had in NATO, and understand that some
Nadia El Fertasi:security requirements are nice to have, but perhaps not
Nadia El Fertasi:necessary, but they will prevent the developer or the marketing
Nadia El Fertasi:or the research and development team to bring out their
Nadia El Fertasi:application. This requires open dialogue. This requires
Nadia El Fertasi:listening to each other without feeling personally, you know,
Nadia El Fertasi:attacked or it's full, everyone has a valid point. How do we get
Nadia El Fertasi:there from here? And this requires, again, the vision, the
Nadia El Fertasi:strategy.
Dr. Dave Chatterjee:Absolutely. Wonderful. You again,
Dr. Dave Chatterjee:highlighted so many important things. Let me see if I can
Dr. Dave Chatterjee:remember a few to add to it and also asked you to expand on a
Dr. Dave Chatterjee:couple of other things as well. You spoke to the importance of
Dr. Dave Chatterjee:recognizing the consequences of cyber attacks. Organizations can
Dr. Dave Chatterjee:go under, organizations can go bankrupt, in fact, there is
Dr. Dave Chatterjee:survey data that showcases that 60% of small to medium sized
Dr. Dave Chatterjee:businesses are known to go under after they experience a
Dr. Dave Chatterjee:cyberattack. Even for large companies, reputation is at
Dr. Dave Chatterjee:stake. And there are many other consequences. It is interesting,
Dr. Dave Chatterjee:I was having this discussion with the CEO of a billion dollar
Dr. Dave Chatterjee:insurance company, and I asked him a similar question I said,
Dr. Dave Chatterjee:how you get your peers in other organizations to be equally
Dr. Dave Chatterjee:committed to cybersecurity as an enabler, as you said, very
Dr. Dave Chatterjee:nicely, you said a security is an enabler, not a barrier. His
Dr. Dave Chatterjee:spontaneous response was Dave, I'm assuming people read what's
Dr. Dave Chatterjee:coming out every day in the media, there is one story or the
Dr. Dave Chatterjee:other about an attack and the consequence of the attack. If
Dr. Dave Chatterjee:after that, a senior executive doesn't recognize how important
Dr. Dave Chatterjee:cyber is, how important cybersecurity competency is, I
Dr. Dave Chatterjee:don't know what to tell you. And I couldn't agree more. But
Dr. Dave Chatterjee:having said that, the unfortunate reality is every
Dr. Dave Chatterjee:leadership has certain goals, they have to report to
Dr. Dave Chatterjee:stakeholders. So there are challenges in their work life.
Dr. Dave Chatterjee:So I understand if often the focus deviates away from having
Dr. Dave Chatterjee:the best possible cyber defense in place. But then, there is a
Dr. Dave Chatterjee:change in the minds mindset, there is a change, there's a
Dr. Dave Chatterjee:shift in top executive attention and commitment. And fortunately,
Dr. Dave Chatterjee:what I've been noticing, I've been studying the shift for the
Dr. Dave Chatterjee:last 10 years, it's going in the right direction. And that's
Dr. Dave Chatterjee:very, very encouraging.
Nadia El Fertasi:Yeah, just intervene or say something to
Nadia El Fertasi:what you just said. Please, I, I just want to add another
Nadia El Fertasi:perspective. I think, you know, I saw this at NATO all the time
Nadia El Fertasi:I see this, we assume we've seen people know, right. But we
Nadia El Fertasi:forget, we see the world through our mental model, right? We have
Nadia El Fertasi:our own experiences. On top of that, the average human brain
Nadia El Fertasi:can make decisions maximum 7-8 at the time. So if you assume
Nadia El Fertasi:this type of rule in NATO Never assume someone knows, right, is
Nadia El Fertasi:not to sue. Because these people, it doesn't mean you
Nadia El Fertasi:know, sometimes we even speak to them in a very patronizing way,
Nadia El Fertasi:C suite, CFO or, you know, CEO, they know that cyber is
Nadia El Fertasi:important, right? If they don't read the news, they're reminded
Nadia El Fertasi:by others on a constant basis. But the way sometimes we speak
Nadia El Fertasi:when I read some articles, it's very patronizing. Right, it's
Nadia El Fertasi:like they don't know, what they tend to forget is that, you
Nadia El Fertasi:know, these leaders are these people functions have a lot of
Nadia El Fertasi:different fires going on at the same time. Our human brain can
Nadia El Fertasi:only focus on so much we believe multitasking is a gift, it is
Nadia El Fertasi:not a gift at all. And Daniel Kahneman Nobel Prize winner
Nadia El Fertasi:wrote an excellent book about slow thinking slow and fast. I
Nadia El Fertasi:don't know if you've read it. So I think from that perspective,
Nadia El Fertasi:is to communicate from people's map of the world, just because
Nadia El Fertasi:it's obvious to us because it feels so obvious. And we assume
Nadia El Fertasi:that doesn't mean it's obvious someone else. Trigger the
Nadia El Fertasi:emotional intensity you need that matches people's belief so
Nadia El Fertasi:you can change their behavior. This is what I focus on. Just
Nadia El Fertasi:because we speak to someone how many times we keep ramping up
Nadia El Fertasi:the statistics, which is important. But statistics alone
Nadia El Fertasi:are not going to change people's hearts, okay, you need to find
Nadia El Fertasi:and this and this and this is actually a whole function, a
Nadia El Fertasi:whole art, takes investment, takes effort, to learn how to
Nadia El Fertasi:communicate from someone else's map of the world. And to really,
Nadia El Fertasi:you know, think about the outcome you want and the words
Nadia El Fertasi:you're going to use that really get people to actually retain
Nadia El Fertasi:attention especially now, when the average attention span of
Nadia El Fertasi:clarity is no longer than seven seconds. So I think it is it is
Nadia El Fertasi:I agree to a certain extent, but I also think that the way we
Nadia El Fertasi:communicate in general and especially when it comes to
Nadia El Fertasi:cyber risk, we cannot assume that people will read 50 page
Nadia El Fertasi:Incident Response plan or crisis management procedures and
Nadia El Fertasi:remember them in their map of the world. And when a cyber
Nadia El Fertasi:breach is taking place, you cannot tell them, well, in the
Nadia El Fertasi:service level agreement we had, or in the in the document you
Nadia El Fertasi:signed off, it was clearly stated under paragraph 3.5. We
Nadia El Fertasi:go into survival mode, fear mode, our brain capacity is
Nadia El Fertasi:focused on keeping us safe. So our you know, we go there in
Nadia El Fertasi:very short cut mental models. And I think it's important to
Nadia El Fertasi:explain to practice this, right. So people don't take necessarily
Nadia El Fertasi:very defensive, but really understand the human element in
Nadia El Fertasi:the behavior, and then come up with strategies in the way of
Nadia El Fertasi:communicating in a way that gets people not necessarily to change
Nadia El Fertasi:their mind changing mindsets is very difficult. But to change
Nadia El Fertasi:response options, do something differently, because you know,
Nadia El Fertasi:it will advance your organization and keep the
Nadia El Fertasi:organization safe and prepared and resilient.
Dr. Dave Chatterjee:Yeah, you know, I wish to re emphasize
Dr. Dave Chatterjee:what you just said about do not assume when you're
Dr. Dave Chatterjee:communicating, because everyone has different experiences,
Dr. Dave Chatterjee:different mental maps. And they would interpret a message they
Dr. Dave Chatterjee:could interpret a message differently. It brings back
Dr. Dave Chatterjee:another interesting story. So there was this Admiral Hyman
Dr. Dave Chatterjee:Rickover, who was credited with running the US Naval Nuclear
Dr. Dave Chatterjee:Propulsion Program, very successfully for 30 some years.
Dr. Dave Chatterjee:And he was able to build an organizational culture, anchored
Dr. Dave Chatterjee:on six key principles. And they were integrity, depth of
Dr. Dave Chatterjee:knowledge, procedural compliance, forceful backup,
Dr. Dave Chatterjee:questioning attitude, and formality and communications.
Dr. Dave Chatterjee:Now, let me speak to formality and communications. I believe,
Dr. Dave Chatterjee:the way it worked in the nuclear Navy, when you receive an order
Dr. Dave Chatterjee:from your superior, you're supposed to repeat that order
Dr. Dave Chatterjee:verbatim, before you execute it. Essentially, the process was
Dr. Dave Chatterjee:meant to be foolproof. So nothing gets lost. There's no
Dr. Dave Chatterjee:communication leakage, no communication loss. And maybe
Dr. Dave Chatterjee:it's an extreme approach. Maybe it works in a in a military
Dr. Dave Chatterjee:organization, but there is something to be learned from
Dr. Dave Chatterjee:that, taken away from that, for even the private sector, for
Dr. Dave Chatterjee:even the government organizations that when you are
Dr. Dave Chatterjee:communicating, it is also your responsibility to make sure that
Dr. Dave Chatterjee:the person receiving your your message, understands it the way
Dr. Dave Chatterjee:you want it to be understood. But as we know, unfortunately,
Dr. Dave Chatterjee:that's not the way the world works. We all experience mass
Dr. Dave Chatterjee:communications, email blasts, one page email on security with
Dr. Dave Chatterjee:a lot of detail and immediately when I see those, it it tells
Dr. Dave Chatterjee:me, okay, here we go check the box, a communication was
Dr. Dave Chatterjee:required as per certain regulations certain requirement,
Dr. Dave Chatterjee:and the organization is complying with it. So yes, you
Dr. Dave Chatterjee:are complying with the regulation, but are you
Dr. Dave Chatterjee:effectively doing it? The answer is probably no, because when I
Dr. Dave Chatterjee:see a one page email, I generally tend to overlook it,
Dr. Dave Chatterjee:unless it is customized, it is tailored, and it is speaking to
Dr. Dave Chatterjee:my needs. And you spoke to that when you said when you are
Dr. Dave Chatterjee:communicating with people, when you're trying to get them to see
Dr. Dave Chatterjee:things in a different way, you have to be very skilled about
Dr. Dave Chatterjee:how you pitch it, so they can relate to it. And that's the
Dr. Dave Chatterjee:training in itself. And that should not be considered
Dr. Dave Chatterjee:obvious. Oh communication, that's fine. As long as we have
Dr. Dave Chatterjee:the tools in place, we have hired the you know, the the
Dr. Dave Chatterjee:right kind of professional expertise, we are all good to
Dr. Dave Chatterjee:go. We are not all good to go because when there's a breach,
Dr. Dave Chatterjee:and more often than not, it is the cause of a phishing
Dr. Dave Chatterjee:campaign, the people who get breached are not the ones who
Dr. Dave Chatterjee:are trained in a cybersecurity certificate program, they are
Dr. Dave Chatterjee:people who are there to do their job, which is not security. But
Dr. Dave Chatterjee:then they also have a certain responsibility to perform their
Dr. Dave Chatterjee:jobs, and also comply with the security guidelines. To get them
Dr. Dave Chatterjee:to recognize that to get them to do it well, it requires
Dr. Dave Chatterjee:practice. In a previous podcast, I had an eminent professor talk
Dr. Dave Chatterjee:about his simulation program, simulating organizational
Dr. Dave Chatterjee:decision making under stress, under time pressure. And as you
Dr. Dave Chatterjee:said, it is one thing to plan, it is one thing to prepare. But
Dr. Dave Chatterjee:then when you are in action, when you are on the court, you
Dr. Dave Chatterjee:are playing to use a tennis metaphor.
Dr. Dave Chatterjee:You are all by yourself, you're having to make quick decisions
Dr. Dave Chatterjee:on your feet. And those decisions have consequences. The
Dr. Dave Chatterjee:only way of getting better at it, is by doing it over and over
Dr. Dave Chatterjee:again. What does that mean, from a cybersecurity preparedness
Dr. Dave Chatterjee:standpoint, running different types of simulations to the best
Dr. Dave Chatterjee:in extent feasible and possible, every company has their
Dr. Dave Chatterjee:constraints. And I recognize that. But you know, these were
Dr. Dave Chatterjee:some thoughts that came to mind as you were speaking, let me ask
Dr. Dave Chatterjee:you a question. As we were having our sidebar by way of
Dr. Dave Chatterjee:prep for this talk, you shared some very powerful quotes, if I
Dr. Dave Chatterjee:may. And one of them was, and this speaks to what we are
Dr. Dave Chatterjee:talking right now. Practice reason over fear. And another
Dr. Dave Chatterjee:one I want to bring into the discussion where you said, Use
Dr. Dave Chatterjee:empathy to counter social engineering attacks. Can you
Dr. Dave Chatterjee:speak to that?
Nadia El Fertasi:Yes. Let me start, start first with practice
Nadia El Fertasi:reason over fear. And I will use a very unusual analogy, but
Nadia El Fertasi:stick with me, so you understand. imagine, and I'm
Nadia El Fertasi:going to take you as example Dave, if you don't mind, imagine
Nadia El Fertasi:you're not feeling very well, today, you're a bit low on
Nadia El Fertasi:energy, your immune system is not on top, so you're really
Nadia El Fertasi:not, at your best state. And then you turn around and there
Nadia El Fertasi:is a tiger predator in the corner of your office. And let's
Nadia El Fertasi:assume it's not a domesticated one. It's one that is really
Nadia El Fertasi:going to chase you. So your brain is going to signal to your
Nadia El Fertasi:body extreme danger, you're going to use all your energy and
Nadia El Fertasi:run as fast as you can, I hope. Imagine the predator is the
Nadia El Fertasi:colleague sending you that email, is the continuous attacks
Nadia El Fertasi:that you receive on your screen, is the fear based leadership
Nadia El Fertasi:because you're afraid to do something wrong because of the
Nadia El Fertasi:culture, its meeting your deadlines, whatever it is; the
Nadia El Fertasi:problem with fear right there it serves a function, we are human
Nadia El Fertasi:beings to keep ourselves safe, right? So if we go outside, can
Nadia El Fertasi:see a car and so we can you know, protect ourselves and not
Nadia El Fertasi:get hit by a car. The problem is, our brain constantly
Nadia El Fertasi:perceive things as fear puts us in a chronic state of stress,
Nadia El Fertasi:which has disastrous consequences on our ability to
Nadia El Fertasi:make decisions, on our ability to manage our energy, our focus,
Nadia El Fertasi:and we get, I wrote a blog for Global Cyber Alliance and had
Nadia El Fertasi:statistics in there for the UK in the US, how many people are
Nadia El Fertasi:distracted and lack of focus and how that correlates with falling
Nadia El Fertasi:for social engineering for phishing attacks, because which
Nadia El Fertasi:brings me to your second point use empathy for mitigating
Nadia El Fertasi:social engineering attacks. Now, empathy is another overused
Nadia El Fertasi:buzzword it is very difficult to exercise because if you read the
Nadia El Fertasi:book of Daniel Kahneman, slow thinking slow thinking fast, it
Nadia El Fertasi:is another part of the of the system, it really requires being
Nadia El Fertasi:sensitive to other people's needs and, and, and emotions.
Nadia El Fertasi:Criminals, they use the same emotional manipulation
Nadia El Fertasi:techniques right to trigger either emotions of fear. So if
Nadia El Fertasi:someone is worried about their health, they will use specific
Nadia El Fertasi:language related to COVID to get them to click on a spoofed
Nadia El Fertasi:account or medical record whatever it is. Someone is
Nadia El Fertasi:worried about taxes, alright, it will use words or spoof counts
Nadia El Fertasi:to do that. So they really use words and pretext to speak to
Nadia El Fertasi:people's fear. The opposite is also true. There are a lot of
Nadia El Fertasi:one of the prevailing challenge currently is loneliness,
Nadia El Fertasi:isolation, right because of the pandemic, but even before but
Nadia El Fertasi:it's just exaggerated. So unfortunately, criminals with no
Nadia El Fertasi:ethical standards use to prey on these emotions to create
Nadia El Fertasi:emotions of trust, right, to build this relationship. There's
Nadia El Fertasi:another excellent book by
Nadia El Fertasi:Robert Cialdini, The Psychology of Persuasion, 1984, where he
Nadia El Fertasi:lists six principles of persuasion -- scarcity,
Nadia El Fertasi:authority, commitment, consistency, liking, and
Nadia El Fertasi:consensus. Liking, when we like someone, our defense mechanisms
Nadia El Fertasi:go down, right, the first time when we see someone, we ask for
Nadia El Fertasi:questions, subconsciously, who is this? What do they want? How
Nadia El Fertasi:long does it take? And are they a threat? So they know to to use
Nadia El Fertasi:tactics to lower people's defense mechanisms. So they can
Nadia El Fertasi:use these techniques. Well, it is important to be aware and to
Nadia El Fertasi:use empathy, not to be afraid or to be paranoid, but to
Nadia El Fertasi:recognize, because let me give an example why emotional
Nadia El Fertasi:intelligence and empowerment is important. If you have an
Nadia El Fertasi:organization where people don't feel empowered, if you have an
Nadia El Fertasi:assistant or receptionist or support staff or customer
Nadia El Fertasi:support agents, that will is asked whether to email whether
Nadia El Fertasi:to deep fake technology by replicating the voice of the CEO
Nadia El Fertasi:to make a million dollar transfer in bitcoins, which
Nadia El Fertasi:happens, right? If they fear the reaction of their CEO or the
Nadia El Fertasi:leadership being reprimanded or disciplined, they will act based
Nadia El Fertasi:on that impulse, right? So it is really important to understand
Nadia El Fertasi:not only empathy, but emotional intelligence or the human
Nadia El Fertasi:element to not be paranoia. Fear is just a consequence of what we
Nadia El Fertasi:don't know. When we when there is a gap in our mind, the mind
Nadia El Fertasi:doesn't like it. So it goes into survival mode. Remember the
Nadia El Fertasi:tiger, and everyone is so many people currently, no one, say
Nadia El Fertasi:everyone are under constant pursuit of a predator. But it's
Nadia El Fertasi:not a predator, but the effect is the same. Right? And you can
Nadia El Fertasi:follow Andrew Huberman Stanford professor and neuroscientist,
Nadia El Fertasi:who has loads of research and podcasts about the effect on
Nadia El Fertasi:this on the brain and how we need to create cultures where
Nadia El Fertasi:empowerment where you know, of course, stress is healthy in a
Nadia El Fertasi:certain way. It is all about how we perceive stress. And it's all
Nadia El Fertasi:about chronic fear, chronic stress, we need to find the
Nadia El Fertasi:right balance of intense emotion that people are alert. But also
Nadia El Fertasi:okay, practical, how do I react? No. Right? And this is something
Nadia El Fertasi:that that needs to be the exercise. And one last thing I
Nadia El Fertasi:will say based on our just previous discussion on how do
Nadia El Fertasi:you communicate because one of the challenges we faced at NATO
Nadia El Fertasi:is that project manager, scientist, IT, cybersecurity,
Nadia El Fertasi:rightfully didn't think it was their job to become PR
Nadia El Fertasi:communication experts. So an organization's would really
Nadia El Fertasi:invest in the person or an office as part of the office
Nadia El Fertasi:that actually gathered all the information translated in a very
Nadia El Fertasi:structured way for decision makers for the people that
Nadia El Fertasi:needed to know for the resources community committee. So we took
Nadia El Fertasi:the information and tailored it in different messaging in
Nadia El Fertasi:people's language for defense planning policy committee, the
Nadia El Fertasi:resources and governance, the Military Committee, the
Nadia El Fertasi:ambassadors made this highest decision making everyone had a
Nadia El Fertasi:different interest. And I think it is unfair or unrealistic to
Nadia El Fertasi:ask your people to become first cyber experts, because it's just
Nadia El Fertasi:another layer of information and burden that they won't implement
Nadia El Fertasi:or do. But it's to have this this this bridge between these
Nadia El Fertasi:different business units communication bridge, both
Nadia El Fertasi:preparing messages for external and internal stakeholders. And
Nadia El Fertasi:the last thing I will say very last thing is not your
Nadia El Fertasi:spokesperson or your communication person is not
Nadia El Fertasi:necessarily always the best place person for stakeholder
Nadia El Fertasi:engagement right? Here. It comes to the principle of liking. If
Nadia El Fertasi:you want to incentivize behaviors, you also need change
Nadia El Fertasi:agents within your organizations that people can resonate. Even
Nadia El Fertasi:your most critical person would be a great model, right? To
Nadia El Fertasi:start with them, and then they can help you influence and
Nadia El Fertasi:change behaviors with people that relate to them
Dr. Dave Chatterjee:Absolutely, in fact, there is a lot of
Dr. Dave Chatterjee:research on the role of change agents in helping organizations
Dr. Dave Chatterjee:deal with different levels and types of change. And that could
Dr. Dave Chatterjee:probably be a discussion for another day. Another point I'd
Dr. Dave Chatterjee:like to make, which aligns with what you said. And that goes
Dr. Dave Chatterjee:back to this assumption about people, about workers, we
Dr. Dave Chatterjee:definitely don't expect everyone to be a cybersecurity expert.
Dr. Dave Chatterjee:But we do want to raise the overall level of awareness,
Dr. Dave Chatterjee:overall level of knowledge, because each person is a
Dr. Dave Chatterjee:potential point of vulnerability. But the whole
Dr. Dave Chatterjee:approach to mobilizing support, to incentivizing the right kinds
Dr. Dave Chatterjee:of behavior has to be anchored by the belief that the when
Dr. Dave Chatterjee:people come to work, they come to work with good intentions,
Dr. Dave Chatterjee:they come to work to do good things. And this I, you know,
Dr. Dave Chatterjee:I'm stealing this quote, I'm paraphrasing this quote, from a
Dr. Dave Chatterjee:good friend of mine, who is a CEO of a major corporation, and
Dr. Dave Chatterjee:who said it very well. He said, Dave, I always will believe will
Dr. Dave Chatterjee:assume that people come to work to help to do good things to do
Dr. Dave Chatterjee:great things. So we are not talking about people who are
Dr. Dave Chatterjee:unwilling to change, unwilling to, you know, adjust their
Dr. Dave Chatterjee:behaviors, it's a matter of how you communicate how you how you
Dr. Dave Chatterjee:relate to them. But recognition of these factors, becoming aware
Dr. Dave Chatterjee:of all the or at least becoming knowledgeable in the field that
Dr. Dave Chatterjee:allows you to bring about this change in mindset, this change
Dr. Dave Chatterjee:in culture, or to enhance the level of human capability,
Dr. Dave Chatterjee:that's an area that organizations need to more
Dr. Dave Chatterjee:carefully think about, needs to look for the right kinds of
Dr. Dave Chatterjee:expertise to guide them. Because it is not something that I see
Dr. Dave Chatterjee:organizations normally gravitating to. It's more like,
Dr. Dave Chatterjee:here are these cybersecurity trained professionals, they know
Dr. Dave Chatterjee:how to apply the controls, and they're gonna guide us. But this
Dr. Dave Chatterjee:discussion we've had, it is still speaks to a human related
Dr. Dave Chatterjee:control. But the ability to effectively implement implement
Dr. Dave Chatterjee:it requires, I believe, a very different skill set. Can you
Dr. Dave Chatterjee:speak to that, as we wrap up this conversation?
Nadia El Fertasi:Yes, of course, I couldn't agree more
Nadia El Fertasi:with with actually everything you said. I mean, I will speak
Nadia El Fertasi:to this from from, you know, expertise, but mostly from
Nadia El Fertasi:experience. I think we think the change is linear, right? So we
Nadia El Fertasi:have we used this change program models like John Kotter, we do
Nadia El Fertasi:all the steps, and then we're done. Right? Change happens to
Nadia El Fertasi:us, transitions happen within people, right? There's a
Nadia El Fertasi:different process within people you need. There's no way around
Nadia El Fertasi:this Dave, you need leadership, to drive sustainable change, you
Nadia El Fertasi:need healthy organizational culture. People want to know
Nadia El Fertasi:people don't wake up in the morning, and they want to
Nadia El Fertasi:sabotage their work, they want to sabotage their computer.
Nadia El Fertasi:They're just overloaded, often, right? People want to do good.
Nadia El Fertasi:If you have people working for your organization, because they
Nadia El Fertasi:feel committed to your values, right? They will be a part of
Nadia El Fertasi:something bigger. And if you really play into that, in a
Nadia El Fertasi:sense, if you really build a genuinely build it and not only
Nadia El Fertasi:have training, right, not only bring outside expertise is to
Nadia El Fertasi:really make healthy organizational culture and
Nadia El Fertasi:security is ingrained in it because we are working online,
Nadia El Fertasi:right? It's not something ad hoc. It should be basic stuff.
Nadia El Fertasi:If people would do basic cyber hygiene, they don't need to
Nadia El Fertasi:become a cybersecurity expert, they can reduce up to 80% of
Nadia El Fertasi:cyber risk, right? So it is but how can you expect people to do
Nadia El Fertasi:something extra? They don't know how it looks like they don't
Nadia El Fertasi:know what it is they perceive it as a burden. They think it's
Nadia El Fertasi:command and control. They don't do it, they will get disciplined
Nadia El Fertasi:or bad mark on there, etc, etc, etc. Or is everyone going to do
Nadia El Fertasi:it? No, but it really needs to be at the top. The second thing
Nadia El Fertasi:I will say Is every organization needs to have an incident
Nadia El Fertasi:response team or crisis management team. And you need to
Nadia El Fertasi:survey those people who you put in there, their levels of
Nadia El Fertasi:emotional intelligence in the sense on what is the function?
Nadia El Fertasi:What is the requirement they would need to improve? Do if you
Nadia El Fertasi:have someone who has low levels of assertiveness, for example,
Nadia El Fertasi:so they don't necessarily speak up, especially when they feel
Nadia El Fertasi:discomfort, if that person is part of your crisis management
Nadia El Fertasi:or incident response team, it is unlikely they will ring the
Nadia El Fertasi:alarm bell when they see something. right, because they
Nadia El Fertasi:will perceive it as very uncomfortable, right. And then
Nadia El Fertasi:the alarm bell is rang too late. And I think one of the
Nadia El Fertasi:complaints of the senior leadership I worked with in NATO
Nadia El Fertasi:was that people didn't tell them early enough the problem because
Nadia El Fertasi:they were so high up, or they were you know, they thought that
Nadia El Fertasi:didn't want to burden them or they didn't want to look bad on
Nadia El Fertasi:them. Right. And here's where my Dutch mindset came good in
Nadia El Fertasi:because I always spoke my mind, which they appreciated because
Nadia El Fertasi:very few people right? Speak their mind for reasons or
Nadia El Fertasi:because they also feel frustrated when they don't see
Nadia El Fertasi:any action. So I think it requires leadership and culture,
Nadia El Fertasi:and when you invest in those, that's how you change.
Nadia El Fertasi:Transformation is a journey. It's not a one thing, don't
Nadia El Fertasi:don't think we're gonna do an organizational change as a as a
Nadia El Fertasi:one year program or two year program. Yes, you can have
Nadia El Fertasi:models and change management processes that get you there.
Nadia El Fertasi:But you always need to have you know, you need to have a core
Nadia El Fertasi:foundation and have enough flexibility to stay relevant in
Nadia El Fertasi:today's age and to support the people. So also when you hire
Nadia El Fertasi:and attract talent, make sure it's the right mindset, right,
Nadia El Fertasi:the right values as well, because those people will go
Nadia El Fertasi:above and beyond. And even when the last thing I will say there
Nadia El Fertasi:was a study that said one of the top reasons why people have low
Nadia El Fertasi:levels of engagement or are reluctant to change is they
Nadia El Fertasi:don't feel recognized. They don't feel appreciated. So it's
Nadia El Fertasi:not even the paycheck that is the most important parameter. It
Nadia El Fertasi:is recognizing your people. And I don't mean just patting them
Nadia El Fertasi:on the back. But truly recognizing and appreciating and
Nadia El Fertasi:having programs and doing it you know, in the way that we treat
Nadia El Fertasi:people as human beings, right, there's nothing soft about that.
Nadia El Fertasi:It is a sense of business survival. You cannot treat
Nadia El Fertasi:people as numbers anymore, no matter where they come from, or
Nadia El Fertasi:no matter how their mind is wired. And I think this is what
Nadia El Fertasi:separates us from AI machines.
Dr. Dave Chatterjee:Fabulous. Well, Nadia, I wish we could go
Dr. Dave Chatterjee:on. But in the interest of time, we have to pause here with the
Dr. Dave Chatterjee:intent of picking it back up sometime in the future again.
Dr. Dave Chatterjee:It's been truly a pleasure. Thank you for your time.
Nadia El Fertasi:Thank you Dave. It was my pleasure.
Dr. Dave Chatterjee:A special thanks to Nadia El Fertasi for
Dr. Dave Chatterjee:her time and insights. If you liked what you heard, please
Dr. Dave Chatterjee:leave the podcast a rating and share it with your network.
Dr. Dave Chatterjee:Also, subscribe to the show, so you don't miss any new episodes.
Dr. Dave Chatterjee:Thank you for listening, and I'll see you in the next
Dr. Dave Chatterjee:episode.
Introducer:The information contained in this podcast is for
Introducer:general guidance only. The discussants assume no
Introducer:responsibility or liability for any errors or omissions in the
Introducer:content of this podcast. The information contained in this
Introducer:podcast is provided on an as is basis with no guarantee of
Introducer:completeness, accuracy, usefulness, or timeliness. The
Introducer:opinions and recommendations expressed in this podcast are
Introducer:those of the discussants and not of any organization.