Speaking to Perry Carpenter, Chief Evangelist and Strategy Officer for KnowBe4, Aviva Zacks of Safety Detectives found out that his company focuses on the human layer and is determined to never give up its core values.
Safety Detectives: Tell me how you got started in the cybersecurity industry and what you love about it.
Perry Carpenter: I had a non-traditional path into cyber. I have two bachelor’s degrees—one in philosophy and another in biblical studies with an emphasis on language. After I finished my degrees, I went to law school for a couple of years and then started a master’s degree in computer science and ended up getting hired out of that program to do computer programming.
I was doing a lot of email work and things that had directory structures and group permissions and all of that. I got drafted into the cybersecurity world and fell in love with it and became an advocate for everything related to security.
The thing that I love about it is that there is a cause, and when you have a cause that you can rally around, keeping the world safe or making something a better place, then that really helps to fuel your reason to get up every morning.
The other thing is that it’s constantly evolving. In one way it’s always the same, but in another way, all of the tactics and the technology that have been universally done for thousands of years on scamming people or tricking people or finding ways to get in and steal money—all of that has been evolving as the digital ecosystems evolve. Finding ways to combat that and to watch that evolution and to see the arms race take place and to be on the side of good within that arms race is a rewarding thing.
SD: What is the main service your company offers?
PC: We focus on the human side of security. One of the things that we’ve seen about the arms race I mentioned is that for the past couple of decades, people have been spending more and more money on security technologies. Over the past couple of decades, we’ve also seen a constant steady drip turn into a steady stream of data breaches.
People are spending money on security by trying to do their best to keep the bad actors out and to keep the data safe, but there’s been a missing piece. From our company’s perspective, that missing piece is an intentional focus on the human layer because, of all the money being spent on security solutions, there is only about 3% being spent on anything that has to do with addressing the human layer, which is what we focus on. We do that through training and awareness, through technologies that help push the human into making better decisions that help shape behaviors and ultimately build a cybersecurity culture within an organizational culture.
The way that I would phrase that is that ultimately, we want to help people have the right security knowledge, beliefs, and value systems so that security is woven throughout the fabric of their organizational culture.
SD: How does your company stay ahead in a world filled with cybersecurity companies?
PC: We stay ahead because of our unique focus—the human layer. There are a lot of startups now because I think we created a market category that other people are trying to emulate, but with that recognition, with that focus on the human layer, we also have a determination to never rest, to never believe that we’re good enough, that we’ve arrived in some area. So, we’re constantly scanning to see what the new threats are and how the human layer may be exploited. We have a determination not to become something that is not one of our core values or our core areas.
We want to equip the humans and the organizations to see where their gaps are so that they can move in and address those with that perfect combination of people, process, and technology.
SD: What do you think is the worst cyberthreat today?
PC: Over half of the cyberattacks today have some form of ransomware associated with them, and over 70% of ransomware attacks are exfiltrating data at this point. So, it is no longer just that ransomware is locking up data and then demanding payment. We’ve seen that ransomware has become very, very aggressive and nuclear in the way that they do it. Before they even demand payment, they’ve usually exfiltrated the data and then they say, “If you don’t pay us, we will leak this all over the dark web or we’ll embarrass you in some way.” Even if you do pay the ransom, there is no guarantee that that’s not going to get leaked because it’s already left your perimeter.
Ransomware is and has become the de facto attack du jour, and it’s just getting more and more destructive and more and more pervasive.
SD: How do you see cybersecurity developing now that we’re living through this pandemic?
PC: I think it’s pushed most organizations that were being dragged, kicking and screaming, into the new world of the fact that there is no real perimeter. It’s dragged them into that realization in a real and concrete way as they’ve had to send people to work from home. They’re dealing with distributed environments that they’ve never really embraced before. They’re dealing with people that are working different hours, using different devices on different networks that they haven’t before. All of that pushed a digital society into organizations that didn’t want to go there before.
It’s also created a lot of chaos for the workforce as well because they’re working from home, and they’re stressed. They’re dealing with a global pandemic, they’re dealing with economic fears, and they’re dealing with social pressures, fears, and strife around the world. Cybercriminals are taking advantage of all that stress, chaos, confusion, and distraction and crafting entirely new breeds of attacks that are phishing- or ransomware-based or based on the fact that we’re using consumer-grade hardware to do corporate-grade work at this point.