I recently had the pleasure of speaking at the STRONGER conference on one of my favourite subjects – security culture.
Most of us have been taught that certain behaviours are considered “bad” and should be avoided. But what if we’ve been wrong all along? What if embracing our “bad” behaviour is the key to improving our security and resilience?
In this talk, I make the case for why it’s important to start separating actions from intentions and to stop conflating being “bad” with being playful. We need to start thinking like villains to better understand their motivations and learn how to defend against them.
Here are five specific steps that Geer says organizations can take to improve their cyber security:
- Don’t freak out when something breaks.
- Look at the circumstances and symptoms that caused the issue.
- Don’t blame the individual.
- Have a process in place to learn from mistakes.
- Embrace failure.
By taking these steps, we can create a culture of security in which everyone is incentivized to find and fix cyber security issues. And by making cyber security a continuous process, we can build stronger defences against the ever-evolving threats we face.
You can watch the complete talk now, over on YouTube.