Effective cybersecurity strategy requires creating a culture of security awareness. As remote work and new technologies transform our digital landscape, security risks have multiplied. A comprehensive security awareness program is required to ensure everyone understands how to avoid risks.
Welcome to the Author Hour Podcast. I’m your host, Hussein Al-Baiaty, and I’m joined by Lise Lapointe, who is here to talk about her newest book called, The Human Fix to Human Risk. Let’s flip through it.
Hello, friends, and welcome back to the show. I’m super excited today to have my friend, Lise Lapointe here to talk about her new book. I’m super excited to have you. Thank you for your time today.
Lise Lapointe: Thank you for having me, really happy to be here.
Hussein Al-Baiaty: Yeah, absolutely. The book is called, The Human Fix to Human Risk, and honestly, it’s one of those books that at first I’m like, “Oh, here we go, cybersecurity. I know it’s important, I don’t know what the hell I’m talking about or doing, and it’s going to be really techy,” but it’s not. It’s actually really easy. Now, I don’t want to say easy to read, but it kind of pulls you in and simplifies the context.
But before we get into the book, I want to get to know you a little bit more and our audience to get to know you a little bit more. So Lise, can you tell us a little bit about your personal background, where you grew up, perhaps, and maybe a person or an event that led you to the path that you’re on now?
Lise Lapointe: I was born in Montreal, Quebec, Canada, and I lived all my life here. I’ve been raised by my grandmother because my mother died when I was really young, and my grandmother was an entrepreneur in the 20s and the 30s. So that was pretty exceptional, she didn’t make any difference for me or my brother to be women in business, and my father has been raised by a mother like that.
So they really encouraged me, of course, to go to school. My father was an entrepreneur also. He preferred us being professionals because he thought it was very difficult to be an entrepreneur, but we all finished, the three of us, being entrepreneurs even though we went to university and I studied to be a teacher.
The way it happened, it’s funny, but my brother used to work in IBM, and he was selling computers, and they had those new computers, display writers that were 80, 86 computers. So you could program them, and that was pretty new at the time because that was like in the 1980s, beginning of 1980s, and he saw an opportunity of developing accounting software on that platform that was dedicated to word processing, and he was selling computers to a school, and the college said, “Okay, but we don’t know really that new computer, we need a teacher. Nobody knows that computers could teach.”
“So I know a teacher.” So he came to my house with this computer. He said, “I think you can be the perfect person.” You know, being a salesperson. I said, “Oh yeah, okay, I’ll do that on one condition. If I get trained for it.” You know? So they trained me, I developed the course, and that’s the way I started in IT. I taught that course for a little while, and after we started our first business, which was developing accounting software, and I started a training company after that, included in the company, that was Micro Code that I sold like in the 2000s, beginning of the 2000s.
After that, I really wanted to go on to product, be international. So since I was in IT and I knew e-learning, I was like [this is] a natural path for me. So I started Terranova and security awareness, and after that, all the markets started to change, and the Internet and everything, so it began to be quite a journey.
How the Cyber Security Landscape has Changed
Hussein Al-Baiaty: Wow, what a journey, and I think starting off young — and I always ask these questions specifically to kind of connect the dots between where you are now and sort of what influenced you, and it sounds like your grandmother having an entrepreneurial spirit, there were computers probably while she was growing up, but they were not nearly what they are today.
Lise Lapointe: No, no.
Hussein Al-Baiaty: Of course, but this idea of leaping into something very new, very cutting-edge, and then going ahead and teaching it and training courses and then, of course, it folds into the Internet, and it just gets bigger from there, I found fascinating but you kind of started leaning into the landscape of cybersecurity and I think, today in our world, I can’t imagine the Internet without cybersecurity.
Like, I just, I can’t imagine putting anything into the world without [it]. The more I feel like I learn about cybersecurity, the more I’m like, “How does the Internet exist without this thing?” You know? And it’s so important, but I am sure you have seen the security landscape change over the past decade or so. How has that impacted the way organizations approach security and awareness and training?
Lise Lapointe: It’s been, yes, very different, of course. It started like 20 years ago, and the organizations that were doing security awareness at that time were very large organizations, banks, and insurance companies that really saw the importance of doing that. Year after year, there were more laws and regulations coming in that, of course, including that there was a need for security awareness, but it took years and years to convince people about the importance of security awareness.
They were doing more technical stuff to protect themselves and thinking it was enough, and security awareness was always last on the budget, so it was hard. Small businesses were not really into it for a long time, and I think what changed that in 2014 or ‘15, Gartner came out with a magic wand in security awareness and started to talk about it a lot, and we were lucky enough to be considered like a world leader in security awareness at that time.
That really changed everything. Everybody started to talk about it and see the importance and putting budget [towards it]. Today, more and more, there’s integration between technology and security awareness to identify who is at risk and who will put the business at risk, and how we should have a specific path for the different type of users depending on the type of information they have, and depending also on where they are in the company, and it changed quite a bit.
I would say that there’s still a lot to be done because it’s still a lot of times under budget, and there’s not a lot of resources for security awareness, and it’s the largest, most important threat. So there’s still a lot to be done.
Hussein Al-Baiaty: Sure, definitely. It’s like, sort of like a continual journey, right? The more, I guess, the more advanced the cybersecurity teams become, of course, that is only opposed by the criminals on the other side, right? And how advanced they become, and I feel like this continual unfortunate battle. However, we love our good guys.
So can you describe a time when you saw a dramatic improvement? I know you talk about in your book, this security awareness program. Can you describe a time when you saw a dramatic improvement in organization security about the strategy result of implementing what you teach in your security awareness program, and factors that you think contributed to that success?
Lise Lapointe: Yeah, so I think there’s a different type of – sorry, experts in security at that time. There are technical people, and there are people that are more oriented toward the policies and regulations. So they deal with it in a different way, and there’s been a lot for a long time that we say, just ticking the box and saying, “Okay, we’re meeting the regulations and what is asked by us, but we don’t do more than that.”
And there are the companies that have invested a lot in security awareness and making sure that they know, you know, what’s going on, what type of breaches they have. They look at the audit reports, they do quizzes and surveys to understand. So we talk about that in the book in the analysis phase where it’s very important to analyze the situation, and the situation of one organization is not going to be the same as the next organization, right?
So you really have to do that to understand, “What do I have to change? What are my goals?” If you want to change that, it’s not like a project that you do once a year and it’s done. It’s an ongoing thing. Security is ongoing, and you have to evaluate your results, compare it to your objective, and you have to make it better every time. So the companies that have been successful are the ones that have been that.
So they analyze, really, what’s going on, they do a specific program for different type of employees, different departments, different parts of the world. They also have training in the languages that are easier for their employees in the different parts of the world. So it depends a lot on all of those criteria, the success at the end, but I would say objectives and measurement are always very, very important.
Hussein Al-Baiaty: It’s really powerful, because that experience that you sort of compounded over the years, I’m sure, played a big role, especially as the COVID pandemic affected organizations. Talk about like, this approach to security and awareness, particularly with the rise of remote work, how has that impacted organizations? What do you think in the long-term implications that are beneficial to sort of remote work and the things that we, you know, as organizations can at least kind of map out and figure out how to approach that?
Lise Lapointe: Yeah, so it changed a lot because some of our clients from day one to day two went, for the pandemic they had 20,000; 50,000; to 100,000 people going home, and that they weren’t organized for that. People didn’t know what to do, they were used to a work environment completely secure, then they go home. So it took a while before the organizations could turn around.
So what we did at that time is we really developed like packages, I would say short trainings, very specific to what are you supposed to do at home to help the employees and the users really understand the risks at home and know what to do. In the timeframe at most companies, they organize them with security measures at home but at the beginning, you really had to train them on that.
There were a lot of scams on the internet and by email during the pandemic and all kinds of stuff, it was very important to train people right away to avoid those risks.
Tips for Building Cyber Security Awareness
Hussein Al-Baiaty: In your experience, what are some of the most common misconceptions or challenges that organizations face when trying to implement a security awareness program?
Lise Lapointe: I would say lack of resources like a budget, a lot. It seems easy, you know. You could put a course online or a video online, and you think you’re doing security awareness, but if you really want to do it right and do all the steps you need to take time and overtime, and really look at the information and reports that you get from your security department or your audit department, or your policy department.
So the challenges at that time, the resources, where when you built the security awareness, you don’t build that in a vacuum, alone in your IT department or your security department. You have to work with your HR, you have to work with the change, if you want to change behavior or change management, you have to work with finance, you have to work with marketing because it is a marketing campaign, right?
It’s a communication campaign, you could put a course online or have a technical defense mechanism in place, but you need to tell your people. You need to communicate all the time so security is top of mind. If you want to change behaviors, you need to do that on a regular basis. So I would say to be successful, you have to do that, and it’s a lot of work at the beginning if you want to do it right.
So a lot of companies when they do it for the first time, they will ask for some help from professionals to think that to help them. So they will put their first campaigns, and what we say is that when you build your campaign the first time, you have to be careful not to overdo it, right? You don’t want to give too much information, you don’t want to customize too much. You know how it is, 10 people could be writing the same sentence in 10 different ways.
So just don’t change the sentence just to change it, just change it if the meaning to the user is not the right one, right? So it’s a lot of work, and you have to work in a group, and you have to build this common group, and ideally, you even have people in different departments, different countries that will be working on the project to make sure that the culture change in Japan, in Canada, in the US, in France is not the same.
So you need to make sure that the messaging is good also for the employees and where they’re working from. So once the analysis phase is done and the planning phase is done, you need to plan it because in each organization, there are a lot of things going on, and if you launch your campaign when something else very important is going on it’s going to be a problem. So you really need to plan it correctly.
After when you launch, you have to make sure everything is working, your systems, your lists, people received the emails, it’s easy for them to get to the computer and do the course, but there are a lot of things to think about, and that’s what I list in the book. For me, it was like, “Okay, what do I share, and what do I keep to myself?” But I said, “Okay, no, I can’t do that. I have to share everything.” Because that’s giving some ways of doing things that are different than what we think.
So if you’re very technical and you’re used to doing projects, and you are used to implementing systems, security awareness is quite difficult for you to think about because it is not in your secure zone, you know? So you have to get people around you and your group that will help you do that.
Hussein Al-Baiaty: Yeah, that’s very powerful. Can you share an example of a particularly like either creative or effective awareness-raising activity that you’ve seen an organization use in their security awareness program, but what made that so successful?
Lise Lapointe: I think it is having a variety of different content and different types that makes it successful, because people my age, people in the 30s and the 50s and the 20s, they don’t see it the same way. So if you give the same thing to everybody, it doesn’t really work. So you need to have really different types of content, and present them in different ways. It could be videos, it could be serious games, it could be interactive games.
It could be different, it could be something to read. Some people like to read still today, but some others don’t. So we need very short videos with messaging that is powerful. So I think a variety of tools is more important than one specific, and games are pretty successful these days. It’s not just the game, you have to integrate it into your campaign. What are you going to do next? You’re going to have to test people, you’re going to do phishing simulations. You could do other types of simulations also in the office.
Hussein Al-Baiaty: Yeah, that’s very powerful. I like your approach in that every environment is going to have its sort of culture, and how you approach that is actually what’s most important and how it aligns with like the basic structure, the foundation in which you can build the security awareness on, it won’t be as successful if you are not paying attention to the environment in hopes that you are actually kind of implement this in.
So I like this like idea of awareness and really just understanding where that lives. What was your favorite part of pulling this book together? What did you learn from that journey? Because I know it’s no easy feat. Of course, writing a book is extremely hard, and like you said, that tumultuous time of like, “Oh, what do I put in this book? What do I leave out? I have to put everything in.” You know what I mean? And then that refining, but what was your favorite part of putting this book together?
Lise Lapointe: I think it was sharing all this information, you know? I’ve been doing this for so long that I thought it was important to share that, and I’ve never written a book before the first one, you know, [this is] the second one. The second time around it was easier. Of course, the first time around was rewriting a lot of things, but I liked the teamwork we have done with that. You know, putting all of our ideas together at Terranova with the different people that were involved, making sure that we didn’t forget anything. So it was really teamwork, and that was fun.
Hussein Al-Baiaty: I love that. I think with projects like writing a book, it’s very powerful to know that it’s a very collaborative effort. It is extremely collaborative, and I think for me, it highlighted where my strengths are when it comes to collaborating with others, and I think in your case, you know, being a teacher in a lot of ways, and one I think from this environmental perspective, it’s really powerful to leave your book in that direction.
When your readers pick up your book — I know I did — I felt a little hint of like, “Okay, like I get the direction of this.” Obviously, it is not designed for me specifically, but there are a lot of things in the book that I found very interesting as far as how I think about just my online security and what that looks like, but what would you say like your readers pick up your book and begin to read through it and then they walk away from it?
Having learned a few things, what would you hope they really feel after putting it down?
Lise Lapointe: I think it’s not a book that you really read through and put down. I don’t see it that way. I see it in a way that you will go back to the book to answer questions depending on where you’re at, and you do that for the first time, you would do it again and forget. So you go back and you get old tips and have ideas on how to do it. I see it more like that than like reading through it, you know?
Reading through it, it’s like I would say more difficult. It’s not like a story, but it is more a book that gives you information on how to do things or how to make you think about how to do things. It’s more thinking, and so I think you have to go back to it regularly.
Hussein Al-Baiaty: I like that. I would like that as a guidebook, right? Because at different stages of your progress, you will meet different obstacles, and with those obstacles comes a way to refer back to the book to say, “Okay, how is this approach?” I love that, I love when there are books that I can always refer to. There is always one or two on my desk that I am constantly referring to, so I appreciate that about your book.
I wanted to highlight that because I knew that was one of the points of writing this specific, in a way, guidebook but Lise, thank you so much for sharing your stories and experiences with me today and our audience as well. The book is called, The Human Fix to Human Risk: 5 Steps to Fostering a Culture of Cyber Security Awareness. Besides checking out the book on Amazon, where can people find you and connect with you?
Lise Lapointe: They could connect with me through LinkedIn, Facebook, Instagram. I have different places where they could connect, and if they want to know more about the book, they could also go on Terranova Security, by forward your website.
Hussein Al-Baiaty: Well, thank you so much, Lise, for coming on the show today. I really appreciate you, it’s been fantastic. Thank you.
Lise Lapointe: Thank you. Thank you for inviting me, it’s really fun.
Hussein Al-Baiaty: Yeah, absolutely.
Lise Lapointe: Thanks.