Matt Stamper, CISA, CISM, CIPP/US, ITIL, brings a broad, multi-disciplinary understanding of cybersecurity best practices. His diverse domain knowledge spans IT service management (ITSM), cybersecurity, cloud services, control design and assessment (Sarbanes-Oxley, HIPAA-HITECH), privacy (GDPR, CCPA), enterprise risk management (ERM), and IT risk management (ITRM).

Matt excels at conveying complex cybersecurity and IT concepts to boards of directors, executive management, as well as professional service providers. His executive and board-level experience with managed services, cybersecurity, data centers, networks services, and ITSM provide a unique perspective on the fast-changing world of enterprise IT, IoT, and cloud services.

Stamper was a Research Director within the Security and Risk Management Practice at Gartner (NYSE:IT). During his time at Gartner, Stamper met with CISOs and CIOs across the globe to address cybersecurity program development, security incident response, and other security topics. Matt was the co-author on the Magic Quadrant for IT Risk Management Solutions and wrote research on incident response and covered breach and attack simulation technologies. Matt is also the co-author of the CISO Desk Reference Guide (Volumes 1 & 2).

You can connect with Matt on LinkedIn at: https://www.linkedin.com/in/stamper/

• Associate Publisher

  Jim Minatel

• Editorial Manager

  Pete Gaughan

• Production Manager

  Kathleen Wisor

• Project Editor

  Tom Dinse

• Production Editor

  Athiyappan Lalith Kumar

• Technical Editor

  Matt Stamper

• Copy Editor

  Kim Wimpsett

• Proofreader

  Evelyn Wellborn

• Indexer

  Johnna VanHoose Dinse

• Cover Designer

  Wiley

• Cover Image

  © wildpixel/iStockphoto

Wow! Writing a book is such a big process; draining at times, and life-giving at others. During the writing of this book I had times of intense focus and productivity when it felt like words and information were gleefully flying from my fingertips to my keyboard and onto my screen, sitting there virtually smiling back at me. And there were other times when, frankly, I felt like finding a box of toothpicks and stabbing the entire contents of the box, toothpick by toothpick, into my eyes just to make it end.

Ok … that's a bit of an exaggeration. But you wanna' know what's not an exaggeration? Sure you do. So, I say this in all seriousness: Though my name adorns the wonderfully designed cover of this book, it is only able to do so because of a list of countless other names. The names of people who have provided me with so much help and encouragement throughout my life and career.

I'll start with the most important group in my life: my family. To my amazing wife, Siobhan: Thank you for always believing in me; for dealing with my craziness; and for helping me become a better version of myself, every day. You have the biggest heart of anyone I know. I'm so lucky to call you my bride and my friend. To my kids, Sage and Lily: I love you more than words can express. You make me prouder than you'll ever know.

Thanks to my mom and dad for always encouraging me to be multidisciplinary in my thinking and skills development. That multidisciplinary thinking is at the core of this book.

There are so many great people who've helped me throughout my career; many of whom I've never thanked. First and foremost are George Brooks and David Newton, two managers who took chances hiring a young, relatively inexperienced guy who dropped out of law school because he wanted to plunge into the wonderful world of software development. If not for your faith in me, the chances you took, and the responsibilities that you gave me nearly 20 years ago, this book would certainly not exist.

By far the two people who shaped the way that I've approached my security career more than anyone else are Greg Schaffer and Whitney Bell. I have no idea how you both put up with me, but you did. I think of your patience, guidance, trust, and mentorship often. And I hope that, in some little way each day, I'm able to reflect your values back into the world.

During my time at Gartner, I had the privilege to make great friends, have wonderful managers, and work with some of the brightest folks on the planet. To Ray Wagner, Andrew Walls, Ash Ahuja, Michele Caminos, Joanna Huisman, Tom Scholtz, Jeffrey Wheatman, Paul Proctor, Neil Wynne, Neil MacDonald, Ant Allan, Gregg Kreizman, Earl Perkins, Terry Hicks, and countless more, thank you for your friendship, guidance, and mentorship.

For those who helped lead awareness efforts with me at my previous employers. Thank you! Roy Eggensperger for being my partner in crime way back in the 2006-ish timeframe and wanting to help move our awareness program forward in new, interesting, and crazy ways. And to Amber Styles-Emberson, Vladimir Skoric, and Kym Patterson, thank you for your tireless efforts in creating and running an innovative large-scale program under enormous internal pressure and external scrutiny.

I have so many great coworkers at KnowBe4 that I work with every day and who encouraged me to tackle this project. First and foremost, I need to thank Roger Grimes. Thank you for believing that I can not only have a book proposal accepted, but also believing that I can deliver on my mission for the book.

To Stu Sjouwerman for giving me the go-ahead to effectively split my attention for six months and for reading and providing encouraging feedback on my earliest drafts. You are an amazing CEO, leader, mentor, and friend.

Thanks to Kevin Mitnick for your friendship and encouragement. I learn something interesting and fun (and often, scary) every time we get together.

And, thank you to Kathy Wattman, Kendra Irimie, Mary Owen, Laurie Haynes, Roger Grimes, Erich Kron, Amanda Tarantino, Rob Henley, Greg Kras, and Alin Irimie. I could not ask for a better or more supportive group of folks to work with daily. Each of you are amazing and inspiring in so many ways.

Thanks to Jim Shields, Rob McCollum, Richard Leverton and all the amazing people at Twist & Shout for being the creative force and production expertise behind The Inside Man. This video series was a dream realized for me and was probably the most fun project I've worked on in my career.

Believe it or not, even though I work for a vendor serving the security awareness market, I've received a ton of encouragement and support from other vendors in this space as I let them know about this book. Special thanks to Lance Spitzner (SANS Security Awareness), Lisa Plaggemier (InfoSec Institute), Tom Pendergast (MediaPro), and Masha Sedova (Elevate Security). Your faith in my handling of the material and encouragement throughout this project mean more to me than you can possibly know.

Thanks to Beth Beerman and Kathy Michael of the International Association of Security Awareness Professionals (IASAP) for your support and for sending some of your members my way to be interviewed. Having the voices of practitioners as part of this book helps ensure that the concepts are connected to how they can be implemented in the real world.

A HUGE thank you to BJ Fogg and Stephanie Weldy for reviewing the sections on the Fogg Behavior Model and for working through several iterations of text and graphics to ensure that I've captured the essence of the model faithfully and that it is applied accurately. Your support and input shine through and will make the behavior-related aspects of this book have the gravitas they deserve.

This book wouldn't have been possible without the constant help and encouragement provided by the folks at Wiley Publishing. Jim Minatel, Tom Dinse: you both made this process as painless as possible. In everything from first-timer, newbie questions to schedule issues, to strange requests about wording, graphics, and more, you were constantly encouraging and supporting. Thank you! Thank you also, to Athiyappan Lalith Kumar for being a thorough and thoughtful editor. Additionally, there is an amazing team of professionals who believe that the printed word is still incredibly powerful. These people do all the heavy lifting to ensure that a project like this is successful. Thank you! It was fantastic working with you all!

And, finally, thanks to my technical editor and reviewer, Matt Stamper. I'm so glad you were able to lend your CISO and executive strategy lens to this work. I appreciate all the thoughtful comments, suggested edits, points to ponder, and encouragement that you lent along the way. This project was a great excuse to work together and to get to know you better.

-Perry Carpenter

Perry Carpenter is a highly respected cybersecurity guru who I’ve gotten to know over the last two years. He has 15+ years of experience in the field both as a practitioner and as an analyst. He’s sharp, is incredibly analytical, has a knack for psychology, and is a prolific writer. I first met Perry when he started working at KnowBe4, but I’d heard of him when he was an analyst at Gartner through KnowBe4’s CEO Stu Sjouwerman. Perry and I always play off of one another on webinars that we put on together for KnowBe4. We have a natural chemistry that is sometimes hard to find. A big reason for that natural chemistry is one of the first things that drew me to him—our mutual love of magic. We both have such a fascination with it that we took turns showing each other magic tricks one day.

Social engineering threats have been around since before I was born. Con artists continue to get better. That’s a big reason why I look at security awareness as an absolute necessity—because humans can be easily influenced to reveal confidential information or to perform actions through manipulation and deception. Regardless of what the software does, humans can be tricked to do whatever another human wants. There’s no software in the world that can protect a system against a pretext. People must realize that technology alone won’t protect them. That’s why it’s crucial to implement entertaining, relevant, and informative security training to make it matter to employees personally (appeal to self-interest), which helps change behavior.

Perry has put together a comprehensive book about security awareness programs that every security professional should read. It covers a variety of topics related to security awareness including the psychology of the behaviors behind getting someone to perform a certain act or care about a certain topic, the use of marketing and communications tactics to enhance security awareness training, leveraging social pressures to change culture, and more. He’s also added a compilation of voices from the cybersecurity industry who provide their advice about how to put on your best security awareness training.

Not only does Perry address the “how” behind putting together a comprehensive and effective security awareness training program, he addresses the ever important “why.” Why should people care about it? Why would it appeal to him/her personally? He even breaks it down to simplify why you should have a security awareness training program in the first place. Knowing the ultimate purpose and goal of your security awareness program is important because it correlates directly to the impact of your program.

One thing that I particularly enjoyed about his book was that he talked in detail about the importance of repetition when it comes to effectively getting a message across, and then he proceeds to summarize and repeat the most important points at the end of each chapter in the book. Perry also uses a line throughout the book that I’m a big fan of: “Just because I’m aware doesn’t mean I care.” Keep that in mind as you develop your security awareness program. Plan for it and work with human nature rather than against it to make your program more effective and to go beyond mere awareness. When we connect with people on an emotional level, the chance of them actually caring increases dramatically. Your ultimate goal should be to change end-user behavior and to shape the organization’s overall security culture.

We can’t argue that the world is in desperate need of better equipped security awareness leaders. And the human element is the most important one when it comes to your cybersecurity program. Beyond technology, beyond software, people are truly your last line of defense. At the end of the day, it all comes down to people. Perry has a way of masterfully exploring how people think and why they act the way they do. This is a fascinating read and, once again, something I’d recommend to everyone in the cybersecurity field.

—Kevin Mitnick

I have a confession to make. This may sound strange, but pondering human thought and behavior is one of my favorite things to do. I think it's always been that way for me. I've wanted to know what makes people tick. Because of that, I've gone down a few interesting roads of study, from music, to religious studies, to magic and misdirection, to social engineering, to training as a street hypnotist and theatrical mind-reader, to taking classes in pickpocketing, to learning the ins and outs of public speaking and influence tactics, to graphic design, and more.

In all of this, I think I've actually been trying to understand why I do the things that I do and think the things that I think. You see, I've always felt a bit different. And that difference was confirmed to me late in life when I was diagnosed with Asperger's syndrome (a neurological difference also known as autism spectrum disorder, or ASD). In many aspects of life, this neurodiversity has served me well. I see the world in a different way. And that off-centered view of things has helped me find solutions or phrase answers in ways that can sometimes elude others. And, often, I'm sure that my way of approaching things has resonated not because it is better or more insightful; rather, it can resonate because it is quirky enough to cut through someone's pre-established filters.

In other areas of life, the social areas, I often felt (and sometime still feel) like an alien or a social anthropologist seeking to better understand the strange and wonderful inhabitants of this world. That seeking to understand is something that I still do every day. So, pondering human thought (psychology), our behavior (behavior science), and group dynamics (culture) is ceaselessly interesting and fun. The best part of it (professionally) is that I've had the opportunity in my career to make this quest part of the mandate for my daily job.

In This Part

• Chapter 1: You Know Why…
• Chapter 2: Choosing a Transformational Approach