Cybersecurity as Culture Change: Why Tech Alone Won't Protect You
The Meridian Point Podcast
Host: Kumar Dattatreyan
Guest: Oksana Denesiuk
Episode Date: November 18, 2024
---
Kumar Dattatreyan: Hi, everyone. Kumar Dattatreyan here with the Meridian Point. And today I'm pleased to introduce you all to Oksana Denesiuk, who is a product and technology transformation leader with over fifteen years of experience driving enterprise-scale changes across healthcare, high tech, and Fortune 500 companies. As a cybersecurity advocate and an industry speaker, she's presented at over fifteen conferences on the intersection of innovation, security, law, and compliance.
Originally from Ukraine, Oksana brings a unique perspective on cyber warfare and geopolitical threats, having witnessed the first major conflict where cybersecurity became a critical infrastructure battleground. She's the founder of Innovation Frontier Newsletter and serves as a board advisor for Information Systems Security Association. She has a master's in comparative literature, and Oksana really is uniquely qualified in how she combines humanities insight with technical expertise to drive organizational change.
So without further ado, let me welcome Oksana to the stage here. Hi Oksana, it's really great to have you.
Oksana Denesiuk: Hi Kumar, pleasure to be here today. Thank you for inviting me to participate.
Kumar: Of course. So you mentioned in our last conversation that cybersecurity has become an organizational issue, not just a technical one. Can you walk us through what you mean by that?
Oksana: Yes, I think now with the current geopolitical challenges and in terms of technology cultures and how modern threats are evolving, especially with AI, companies are becoming more and more aware—not just tech companies, but any companies pretty much—about threats and also about issues with trust, about customer loyalty. So cybersecurity plays a huge role in all of those.
I think understanding that and also being aware of the threat landscape, of the current challenges in cybersecurity and evolution related to AI, is extremely important. Because if we are not evolving, or organizations are not evolving in terms of the use of AI tools, they are staying behind and exposing themselves to the threats that are currently evolving.
Kumar: Interesting. So you're saying that companies that are slow to adopt AI are more vulnerable to cybersecurity threats?
Oksana: Definitely, yes. It depends on the maturity, organizational maturity. So if certain organizations don't feel like they need to use AI right now, they are weakening their cybersecurity posture.
Kumar: Can you explain to me—I wasn't aware, I thought these are two separate things. I know AI is a part and parcel of pretty much everything now, but I thought cybersecurity was something sort of uniquely separate that you just sort of implement the tools and then you're done. Can you explain to me, I'm not really very educated in this, what's the relationship between AI and cybersecurity?
Oksana: Certainly. I think AI, if you look at it right now, it can be used for pretty much anything. So if an organization has certain goals that it's trying to achieve in terms of reaching certain ROI or sales, whatever, organizations can use those tools, AI tools, to be able to be more efficient in achieving those goals.
The same is with bad actors. So if you look at the bad actors now, their ability to use AI tools in terms of the attack surface and amplifications of those cybersecurity attacks—it made it very easy and also very available for even single bad actors to use those tools. Hence, organizations became more vulnerable, especially those that are not using them to protect themselves or to modernize their architecture and infrastructure.
Kumar: So you're using AI to protect yourself against bad actors that are using AI?
Oksana: Exactly. Yep.
Kumar: Okay, interesting. Very interesting. And so the companies that don't have AI and rely on just the systems and the people, they're more vulnerable?
Oksana: Yes, that's correct. Just because they don't understand how those tools work. And it's really about, I guess, maturity in terms of the AI tools. And that impacts cybersecurity posture because those organizations that are using AI tools, even to achieve their day-to-day business goals, they're more likely to also adopt them with the cybersecurity.
Kumar: Interesting. Okay. So in terms of cybersecurity being an organizational issue, I assume that security in general and cybersecurity in particular is an every-person thing, right? It just doesn't belong to the cybersecurity team.
Oksana: Definitely.
Kumar: And how do you implement that kind of change, a culture change across an organization where everyone should be aware of the threats that are out there and how to protect themselves and the company information, the data, things like that?
Oksana: I think it requires widespread organizational change, and it would require certain things that organizations need to implement in terms of training, education of the employees. Things that are—I often see when the cybersecurity team is siloed or more isolated, right? They don't do enough work in terms of advocacy and change management. And that's a problem because when you have a product team that works on the product delivery or creating products and they don't understand basic cybersecurity concepts, it means that the features, the products that they are delivering are not protecting customers per se.
So it should be an organizational goal, and that would require change. So I think training, just making sure that this is communicated through leadership, making sure that the governance—it's a part of the governance process. The board is aware about those goals and just including, you know, cybersecurity goals in the organizational goals and making sure they're tracked somehow. I think bringing visibility to that area is extremely important.
Kumar: Yeah, it seems like everything is a big change initiative these days, right? Because companies have become bigger and bigger and more complex. And the company I'm serving right now, it is siloed. The cybersecurity team is separate. And I see what you're saying as being a problem. It's problematic because the things that people want to build—cybersecurity is sort of like, it's not top of mind. You're not designing systems to be secure until sometime later. It's like, oh, we gotta think about whatever X, Y, or Z. And then it requires some rework or some rethought, which is wasteful. It takes more time.
So it's almost like one of those—what do they call it?—non-functional requirements. Cybersecurity should be considered something that's an NFR from the very beginning, like, okay, how will we secure this from cyber threats? Whatever it is that we build. So yeah, I mean, it makes sense to me.
So speaking of change management, you know, I recall a story that you talked about in our last conversation about you spending six months trying to convince a team to adopt a new tool. This team was stuck in manual spreadsheets. They were frustrated, resistant to change. What did that experience teach you about the relationship between technology and human behavior?
Oksana: That's a great question. So yes, I had this experience working at one of the previous companies. And we were going through a very complex agile transformation involving multiple departments and business units. And I guess my experience was education and bringing issues to the surface, meaning first of all, understanding which team is a driver for this cultural change. Because sometimes when we focus on the change dynamics, we don't really understand who would be able to move this forward in the organization. And sometimes these dynamics are not very explicit. So understanding who has that ability.
In that particular case, it was a release team that was managing releases across multiple business units. Very small team, but extremely powerful. So it was maybe like six people in the entire team. And the dynamic was that they would do all this manual work and they would work basically day and night during the release, and it would be like maybe six or five days in a row. Every week there would be a release. And the leadership would come and do all these, you know, executive summaries and all the reports, and this team was working day and night.
So this new transformation, it would mean they could stop doing that. They didn't have to stay and work on the weekends. And I was like, come to the training. It's really easy. I can help you. And it took them, I think, like three months to even admit that they don't know how to use this tool. And they never came to the first training. They came a little bit to the second training, but they didn't actually go through the process, right?
So it took them maybe six months to learn and start using this tool. And the transformation was it took them like probably minutes to do all the work that was taking days before. But it took so much patience, so much like, you know, being there, just like staying with the team, just like reminding them. And honestly, it was not my role. My role was different. I was an agile coach. But I knew it's important.
And they didn't have—the transformation office, they didn't have time to do it. So I knew it's going to be important for the transformation to succeed. I just spent time with this team. And the moment they learned and this transformation happened, a manager of this team, he invited me to the offsite with the team because he was so appreciative of the work. And they became the advocates for this transformation because they were able to change. And then they would go and tell all the product teams, development teams, testing teams, "Hey, that's a really cool tool. Just look, we can create all those cool reports." And they became the movers and shakers. So that was one very important experience for me in terms of how change management plays a huge role when we go through transformation.
Kumar: Yeah, that's a great story. Yeah. I mean, I've, you know, been doing this for a long time and, you know, I've always had that same experience where, you know, finding those people who you could turn into advocates is a huge part of transformation. And sort of finding those key people and taking the time to get them past their resistance and their fear, and then once they're converted, you know, they become your biggest advocates. So that's a great story. Wonderful.
So one thing I wanted to cover next is, you know, you're from Ukraine and you have witnessed, you know, in that conflict, you know, cyber warfare. How has that informed your thinking in terms of cybersecurity and organizational change?
Oksana: Yeah, that's a very interesting question. I guess for me, this war, it opened my eyes to different things. Like when it started, like first of all, I never thought in my life I'm going to see something like this. I was born in independent Ukraine. My whole life I spent there. I didn't see a war, and all of a sudden like there is a war. And I didn't even know anyone in my family who is like in the military. Like we never had a military connection.
And cybersecurity, cyber warfare plays a huge role. And I think it's extremely important in terms of modern wars, in terms of modern conflicts. And what I witnessed there—what I witnessed in terms of how governments and even NATO, right, and all these different organizations are supporting Ukraine right now—one of the big issues is cyber warfare and how the Russian government, but also the North Korean government, the Chinese government, they're attacking Ukrainian infrastructure. They're attacking critical systems on a daily basis.
And Ukraine, basically all these teams, they need to fight against very powerful adversaries in terms of the cyber war. So the whole infrastructure, electric grids, communication systems, transportation, it's all under attack. And that's where, you know, when I came to the U.S., one of the things that I was interested in understanding is like, are we prepared? Are organizations prepared for something like this to happen? Because in terms of the wars that are happening, I feel like all those other countries, they're very interested in what is happening in Ukraine. And the lessons learned, the knowledge that is created there, the teams, they are basically fighting, but also learning. And hopefully someday we can share this experience with other organizations.
But the way I see it is that many executives in the U.S., they're not even aware of these things that are happening. And they are not taking it seriously. And I think right now it's a great opportunity for those organizations to use the expertise and use the knowledge that was created during this conflict in Ukraine to prepare their organizations for the potential conflicts. Because I feel like globally the situation is very tense right now. And there are a lot of new conflicts that are emerging. And I think just being aware and being prepared is extremely important.
Kumar: Yeah, I mean, I think that's a really, really important point. And, you know, when you think about the United States and our infrastructure and how, you know, critical our power grids and our water systems and things of that nature, I mean, I hope that there are people within the government that are aware of this and are taking this seriously. But I think from a business standpoint, you know, there's a lot of lessons to be learned from what you're saying, from what you've witnessed. And, you know, organizations need to be aware that, you know, this is not just some movie plot, you know, this is actually happening. And, you know, they need to prepare themselves for, you know, potential cyber attacks on their infrastructure.
Oksana: Definitely. And I think also one of the things that's very important is collaboration between different organizations, between government and private companies. Because I feel like sometimes those silos exist, right, between government organizations and private companies. But in reality, I think it's so important to collaborate and share the knowledge and share the expertise.
And what I've seen right now in the U.S., there are some companies that are very proactive about this. They understand, and they want to help. But I feel like there should be more collaboration in that area. And maybe even creating some kind of organizational forces that can work on the critical infrastructure and making it more secure and also sharing those lessons learned. Because I think it's very important not just to prepare, but also to have those exercises where they can test different scenarios and see what's going to happen if something goes wrong. Because I think when people are prepared, they're less likely to panic and they know what to do.
Kumar: Yeah, absolutely. I mean, I think that's a really, really important point. And I think, you know, organizations need to start thinking about this more seriously and, you know, start preparing themselves. So that's, that's really good insight. Thank you for sharing that.
So let's talk a little bit about, you know, how organizations can make cybersecurity everyone's responsibility. You know, you work across healthcare and high compliance environments. How do you get executives, product teams, and engineering to see security not as a security team problem, but as everyone's responsibility? What frameworks or approaches work best?
Oksana: I think it's a great question because when you work in healthcare or in different highly regulated industries, you need to have very specific frameworks and very specific approaches. And I think what works the best is creating those cross-functional teams or councils where different stakeholders can come together and have those conversations.
So for example, when we talk about AI governance, right, creating AI council where you would have representation from legal, from product, from engineering, from security, from compliance, and having those conversations about what are the risks, what are the opportunities, what are the things that we need to consider when we are implementing new AI tools or when we are building new products. I think that's extremely important.
And also making sure that this is not just one person's responsibility. Because what I've seen sometimes, like CISO would be responsible for everything, right? And they would make all the decisions. But in reality, I think it should be a collaborative effort. And different stakeholders should be involved in those conversations because they have different perspectives, they have different expertise. And when you bring them together, you can create better solutions and you can also create better risk management strategies.
So I think cross-functional collaboration, creating those councils, creating those working groups where people can come together and have those conversations, I think that's extremely important. And also making sure that this is visible at the board level. Because when the board is aware about those initiatives and when they are tracking those initiatives, I think that creates accountability and that creates also the culture of security within the organization.
Kumar: Yeah, I agree. I think that's a really good approach. And I think, you know, the idea of having these cross-functional teams and councils where, you know, different stakeholders can come together and have these conversations is really important. Because, you know, as you said, CISO can't do it all by themselves. And, you know, they need the support of, you know, the entire organization to be successful.
So, you know, one thing I wanted to ask you about is, you know, AI governance. You mentioned AI councils. Can you talk a little bit more about that? You know, what should an AI council look like? Who should be on it? What should they be doing?
Oksana: Yeah, I think that's a very important question right now because AI is becoming such a huge part of our lives and such a huge part of the organizations. And I think when we talk about AI council, it should include different stakeholders. So it should include CTO, it should include head of legal, it should include CFO, it should include CISO.
But also I think it's important to have people who are actually working on the products, right? So maybe executive directors or people who are actually implementing those AI tools. Because I think when you have both perspectives—when you have executive perspective and when you have execution perspective—you can create better strategies.
And what I think the AI council should be focused on is first of all, understanding what are the AI tools that we are using in our organization, what are the risks associated with those tools, what are the opportunities. And also creating a very specific roadmap. Like what is the roadmap for our specific company, and what do we want to track? Like, how are we going to track model drift if we are using any AI models within our organization? What are the specific OKRs or specific metrics that we are using to track those goals? How are we tracking risks? What is the risk appetite?
I think that's extremely important and how it's communicated to the board. Because that's going to reflect on the risks for the organization. And I think in that AI council, probably it would be great if there would be CTO, you know, legal, head of legal, CFO probably, people who are responsible from the executive suite, but maybe someone who is in the execution, like executive directors and people who are actually working on the products.
So having those internal conversations with CISO who should be a part of that council as well—not having one person who makes the decisions. Because what I've seen right now when I was attending multiple conferences, sometimes conversations between CISO who is basically putting themselves in the position to handle these risks by themselves and say, "Oh, we're going to do this or we're not going to do this," this is a very risky situation.
Kumar: Yeah. CISO, for those of you who don't know what that means, is the Chief Information Security Officer, right?
Oksana: Exactly. Yeah.
Kumar: Okay. One thing we haven't covered is the insider threats. We did talk about culture before, that security should be everyone's concern. How much of cybersecurity is really about organizational culture and employee engagement versus technical controls? Or is there a balance there?
Oksana: I think there is a balance. I feel like culture always plays a more important role. If you have disgruntled employees, if you have someone—if you don't have checks and balances, or if you have poor management—that will contribute to heightened insider threats. Because we're all humans, right?
Even if you look at the aviation industry, most of the—you know, if you look at the air crash investigations, like that was one of the things that I was interested in watching because it's a very complex, again, very complex system. And when something goes wrong, like you want to understand like why it went wrong. Most of those air crash investigations and issues are people errors, which is very interesting, right? You would think it would be technical, but it's really people errors. So, you know, someone didn't do proper technical checks or didn't follow a checklist and things like that.
So I think culture, that's where culture plays a huge role.
Kumar: Yeah, I agree. I mean, you can't have one without the other, right? If you have a poor culture and you have a bunch of technical controls, it's not necessarily going to catch everything because people are disengaged, they're not happy, right? You know, insider threats may end up damaging the company as a whole. So yeah, really good point.
So I thought we could end this with some short, you know, rapid-fire questions just to quiz you and, of course, you know, make it a little bit more fun. So first one, what's the best cybersecurity practice most organizations ignore?
Oksana: I think having organization-wide conversations about cybersecurity, having advocates, right? Having those movers and shakers in different teams who would be able to bring these conversations to surface and ask great questions.
Kumar: Okay, so really just sort of seeding the organization with these advocates for cybersecurity. I like that. A book every leader should read about security or transformation?
Oksana: Oh, that's a good one. I need to think about that. I'm probably going to get back to you on this one. I read a lot of books, to be honest. And the last one that I read, I'm actually reading it now. And it's not about cybersecurity, but it's more about systems thinking. It's a book that Charlie Munger wrote. He's a great ambassador and he worked with Warren Buffett for a long time. And it's called Poor Charlie's Almanack.
I love the book because it's about systems thinking and how he basically transitioned from being an attorney to being an investor. And what are the different forces that are influencing dynamics, and what are also our common mistakes in terms of critical thinking. So I really enjoyed that book. I recommend it not just to cybersecurity or technical experts, but for someone who is interested in developing their mind. Just having that systems-level view, I think that's an amazing thing.
Kumar: Very nice. I'm definitely going to take a look at that and maybe add it to my book list. Let's see. One overhyped security trend right now?
Oksana: Great point. I think Zero Trust concept is abused and overused as a buzzword because it means different things for different organizations. So when you say the term, be very specific what it means. And also try to understand for a specific organization, just like with any transformation—
Kumar: What is Zero Trust? I've heard it, but I don't really know what it means.
Oksana: So basically it's assuming that no one can be trusted, no person can be trusted, no system can be trusted, and everything should go through checks and balances. So just in the wide understanding, frame of understanding of the term.
Kumar: Yeah, all right, cool. Coffee or tea? What's your favorite beverage of choice? Or something else?
Oksana: I love coffee. I love cappuccinos. Yeah. So I just visited Italy and I love their coffee.
Kumar: Yeah. Yeah. Italian coffee is great. I think it's probably the best, but yeah. Your go-to strategy when facing executives resistant to change?
Oksana: Okay. Trying to understand why. So I think asking those questions. Why, right? This is very important because when you work with someone—executive or just a team—understanding their resistance points. And sometimes people would obviously when you're going through transformation, many teams and specific individuals, they have their own fears. And I feel like it's also part of a good culture being transparent about those fears and being proactive about addressing them. Yeah, creating a safe environment. So understanding why would be my go-to.
Kumar: All right. Wonderful. So last question. How can people reach you to, you know, for advice, for consultation, maybe to find out more about your newsletter?
Oksana: Oh, thank you. Yes. My LinkedIn. So just go to my LinkedIn profile. I am there and I would be happy to answer. I also have my newsletter, Innovation Frontier, and people can go and sign up for it on LinkedIn.
Kumar: Okay. Wonderful. So we'll include those links in the show notes for this episode. So if you're watching, please visit LinkedIn and visit Oksana's profile and you will find all that information that she just mentioned there. And do you have anything that I didn't ask that you'd like to share?
Oksana: I guess right now what I wanted to share is just continue educating yourself. I hear a lot from the product managers, from the cybersecurity experts that with AI, the market is not as good, the job market, there are a lot of layoffs. But if you continue educating yourself, especially at that systems level, having critical thinking, understanding the tools, you're always going to be irreplaceable. So understanding that and also continuing your education, it's a lifelong process. So I highly recommend that for everyone—reading, expanding your mind, and just, you know, be open to new ideas.
Kumar: Yeah. And that's great advice in today's world where technology is changing so rapidly. You have to stay on the cutting edge. You've got to keep educating yourself to stay relevant. All right, well, thank you so much for joining us today, Oksana, and for all of you that are watching, please like, subscribe, share this channel. We're on YouTube, we're on LinkedIn, and we're on all major podcast outlets. So love your support. And thank you so much for watching or listening. And we'll see you next week. Bye-bye, everyone.
Oksana: Thank you, Kumar.
Kumar: You're welcome. Thank you. Bye.
---
End of Transcript