For the past five years I’ve been researching how to take human security beyond just security awareness and into the world of security culture. I have been trying to answer questions such as: what is a security culture, what does a strong culture look like, how can organizations build and measure one, and, ultimately, what value does it have?

Far too often we feel that since the technologies we use in cybersecurity are new, so, too, must be our problems. But that is not always the case. Finding answers to these questions led me outside the world of cybersecurity to explore fields such as organizational change, behavioral economics, human psychology and behavior modeling. All of this research has culminated in the new two-day course: SANS MGT521: Driving Cybersecurity Change - Establishing a Culture of Protect, Detect and Respond.

Since the class was released, one of the most common questions I’ve been asked is what books I read and whether there is a suggested order in which to read them. While I feel strongly that you should start with the first book on the list, the order is less important for the rest. I suggested the following order because these books tend to jump from individual focus to organizational focus, back to individual, back to organizational, and reading in this sequence helps keep things mixed up while also reinforcing how everything relates together.

Please note: In no way is this list comprehensive. The field of organizational change and culture is rich with research, science and amazing authors and leaders. I’m merely sharing with you the research that influenced me the most. One thing that struck me as I read these books is how they often reinforce the same concepts but in different ways. That is the essence of the new SANS MGT521 course: it synthesizes and simplifies all of this research and applies it to the world of cybersecurity.  

With no further ado, my recommended reading list.

  1. Switch: Start with this book by the brothers Chip and Dan Heath. I love this book, as it’s one of the simplest to read and understand while laying the foundation for changing human behavior and organizational culture. You will find the concepts covered here time and time again in the following books.

  2. Start with Why: Written by Simon Sinek, this book explains the concept of the Golden Circle. Far too many organizations and leaders start communicating with the WHAT and the HOW of a product or initiative. However, the most effective companies and inspiring leaders start any communication or initiative with the WHY, because the why is what engages and motivates people. It’s also what I consider the number one thing missing in almost any security initiative.

  3. Leading Change: This is considered by many the founding bible of organizational change. Published over 20 years ago by John Kotter, this book details the eight steps many organizations go through for organization-wide change. Based on hundreds of case studies, it was one of the first attempts to codify the process. Kotter has published numerous books since then. While I feel his process is a bit too prescriptive and “heavy” for many security initiatives, it’s a fantastic introduction to the world of organizational change.

  4. Influence: Authored by the well-known researcher Dr. Robert Cialdini, this book covers the six core principles that influence human behavior. What is amazing is how you can influence change without people realizing that they are being manipulated. A favorite book among sales people.

  5. Nudge: Published by two University of Chicago scholars, Richard Thaler and Cass Sunstein, this book dives into the science and research of designing environments (what the authors call choice architecture) in which it is much easier for people to make the choices you want them to make, “nudging” them in the direction you want.

  6. Made to Stick: Once again we return to our friends Chip and Dan Heath. This book covers not so much how to communicate, but how to communicate ideas that stick. It is somewhat similar to Influence, but with less of a scientific approach and more of a marketing approach. Key takeaway for me from this book: emotion sticks.

  7. Blink: Written by the well-known author Malcolm Gladwell, this book explores how intuition and gut feeling (what Kahneman calls System 1) can beat out and be more accurate than the most detailed, rational analysis (System 2).

  8. Never Eat Alone: This book by Keith Ferrazzi is not about human behavior; it’s all about networking. A fantastic book if you are an entrepreneur wanting to build up your network. And how well you partner with others is key to organizational change. You can follow all the steps in all the books covered here, but if you don’t build relationships with people throughout your organization, your efforts will most likely fail.

  9. Thinking, Fast and Slow: Okay, this is the big kahuna of behavioral economics books. Daniel Kahneman won the 2002 Nobel Memorial Prize in Economic Sciences for the research this book summarizes. It is long and information dense. It is also one of the most fascinating and enlightening books I’ve ever read. Every page seems to explore a whole new topic, drawing on research and published articles from numerous scholars around the world. The reason I recommend reading it last is that it is such a heavy lift. I also found that the book references and reinforces everything else you have already read. If you like a challenge, by all means feel free to jump in and read this first. For slower minds like me, it worked best as one of the last books I read.

Please keep in mind that books are not the only sources of information. There are two models I highly recommend you research and learn about, as they contribute significantly to this field: the B.J. Fogg Behavior Model and the Prosci ADKAR organizational change model. Also, I found the Harvard Business Review a rich resource on organizational change and culture, starting with the 2018 study on The Culture Factor.

Finally, a couple of suggestions for reading. First: use your eyes, not your ears. I tried using audiobooks at first and failed. Many of these books are information dense, and I found I had trouble both comprehending and remembering the information from them. I had to resort to old-fashioned reading with my eyes. Second: pace yourself and avoid burnout. Many people challenge themselves to read a book a week or several books a month. Once again, I failed there. At best I could only read a book a month. Kahneman’s Thinking, Fast and Slow alone took me two months!

Happy reading! And if you have any suggested books, resources or research, I would love to hear from you.