GTT Featuring Derek Harp

Culture of Safety – How to Improve IT Security with Derek Harp at Cambios

Safety has always been essential. Security has moved up in importance, given the concern we have in the world today. Are you 100% certain that an employee can’t be duped to sharing their password to an outsider? Creating a culture of safety means that you are intentional about preparing your organization for anything that is a threat. Today’s guest on the podcast is Derek Harp, Founder of Cambios. We discuss the core elements of a culture of safety. We look beyond the traditional aspects of IT security. Derek brings us decades of experience and practical insight on creating a culture of safety.

Don't miss an episode. Subscribe to Growth Think Tank.

Derek Harp: The Transcript

Target Audience: Derek Harp is a Serial Entrepreneur, Cybersecurity Educator, and Adventurer. Today he serves as the CEO and founder of The Cyber List, aka the “Angie’s List” of Cybersecurity which is dedicated to connecting business leaders with the right cybersecurity services. Derek is also the Chairman and founder of a not-for-profit peer-to-peer networking cybersecurity organization called (CS)2AI with 17,000+ members worldwide.

Share the LOVE and TWEET about this episode.


Disclaimer: This transcript was created using YouTube’s translator tool and that may mean that some of the words, grammar, and typos come from a misinterpretation of the video.

Derek Harp
Yeah, I love to use the word culture, it’s something I’m giving a lot of thought to and the book that I’m writing, you know, we’re looking at that what is the secure culture? You know, what, how do we get it into the mindset of everyone? A new base level, here today, it’s unfortunate, very, very low. There’s a fair amount of awareness or knowledge of some of these things. But as I talk to more and more and more people and people, sophisticated people, I realized how low the setting is. And so if we can get the security culture just every year, we can start making progress on this, I believe, second-generation users, my children, I’m hoping they actually will, the big change will be they will not trust all these implicit connections and attachments in everything. They’ll distrust those, and they’ll make exceptions. What we do today is we accept everything and occasionally we just trust something if it flags, enough of us enough of our attention that something’s off in this. But you know, a lot of times those go right past we don’t have enough of that radar going. So I think we got to move from trusting culture to distrust in the connectivity, you know accepting things except for connections and an attachment from other people. So we have to work on that and reinforce it.

Intro [1:13]
Welcome to Growth Think Tank. This is the one and only place where you will get insight from the founders and the CEOs of the fastest-growing privately held companies. I am the host, my name is Jean hammock, I hope leaders and their teams navigate the defining moments of their growth. Are you ready to grow?

Gene Hammett [1:30]
Here’s a big question for you. Are you with absolute certainty that all of your employees are handling the emails and all of the other functions in the business to the highest level of security for the safety of your company? Well, if you’re not 100%, sure, then you want to make sure you tune in today because we’re talking about safety, specifically creating a culture of safety. And we’re looking at it through IT security. We have an expert with us today. He is Derek Harp with Cambios. He’s done a lot of presentations. and work with companies with technology, but also the human factors of security. So we talked about a culture of safety. One of the things I like about this, he has very specific mistakes that are being made that you can stop right away, but also what you should be doing, what are the next steps to create that culture of safety? Here’s the interview with Derek.

Commercial [2:19]
Before we dive into the interview, I wanted to remind you that you can actually get a tool that I’ve been working with clients with for the last couple of years, I’ve refined this tool has gone through several iterations. Now we have it completely automated, you can actually go online and fill out the leadership quiz. To get the leadership quiz. Just go to that’s pretty easy, right? what you will get when you do that is you will answer a few questions. You will see where you rate based on the core principles of fast-growth companies. If you’re ready to grow your company or you want to see where you are, then make sure you go to inside it. You will get insight to where you are, understand where you want to improve, and you will get them mapped into the 10 areas that are most specific to fast-growth companies. Again, go to, and you can get that right now.

Gene Hammett [3:12]
Hi, Derek, how are you?

Derek Harp [3:14]
I’m good. How are you?

Gene Hammett [3:16]
I’m very good. I’m excited to have you on the show here. Is that a topic? We’ve talked about? much and I know that you’re an expert in the world of all things security, online, and really protecting networks and protecting companies and protecting individuals. Tell us a little bit about Cambios that’s the company that you go by right.

Derek Harp [3:36]
Yeah, that’s a new one and not even a trade name. That’s in wide use yet. But we have been in the industry for a long time. I was a Navy officer in the mid-90s. And that kind of introduced me to security started my first company in 1997. And I’ve been going towards that. So this new one is really on offspring public speaking than I do and people are my own realization after years of building technology solutions to cybersecurity, which is clearly still important. I realized that the human problem is, you know, potentially our biggest problem. And so I’m focusing a lot of my efforts Cambios with the technology we’re building there, and with my speaking with a book, I’m writing all around the human behavior problem, things that we’ve got to stop doing.

Gene Hammett [4:18]
So that’s why I want to have you on the show. Derek, can you give us like the top two or three mistakes that you see companies making may be on the human side of security?

Derek Harp [4:29]
It’s easy, unfortunately. It’s easy and it’s ubiquitous. I you know, I now my exposure to case studies and experiences, direct experiences, and on a global basis leads me to believe that this what I call the problem of first-generation connected humans, we trust everything, even if we’ve had exposure to some training or read an article. We know most of us in business know that there are potential risks, you know, standing for cyber-secure But nonetheless, we turn right around and we click on links we shouldn’t we open attachments that we shouldn’t from people we don’t even know, let alone maybe suspicious ones for people we do know we begin sub-sector, we still open things for people we’ve never even met before. Just send it to us like, Hey, we got mail. And we jump on wireless networks wherever we go thinking that’s perfectly safe. And we even pick up USB thumb drives in the parking lot or at a bar because it has an interesting logo or label on it to see what’s on it can’t do any of these things. These are first-generation technology, users habits, like oh, yeah, this technology, this interface interweb under what was it called? You know, we’ve been doing this now for a couple of decades, and we just still trust all this stuff and hard habits to break.

Gene Hammett [5:45]
Well, I know you went through a few of those. One of the things you do before a speech is you do a little bit of a test. Tell me, tell us a little bit about that and the results behind it.

Derek Harp [5:54]
Yeah, it’s commonly when people engage me to talk and I’ve even now done this at some conferences. I run A phishing simulation as against, you know, basically the participants and however large the venue, they’re getting larger and, and it’s, it’s kind of the same. You know, when I, my, the group that I like to speak to the most although I speak to other groups, but I like business owners and getting 40 to 60% in any scenario so far over years of doing it and these are not clever fishing. These are not you know, really trying to trick people with doing intelligent work ahead of you know, forensics and figuring out who they are and went through with the college and tailoring the message which of course, there are bad actors do that minor in the middle there plenty of towels in them, and I’m still getting 40 to 60% of business leaders to you know, take the wrong step.

Gene Hammett [6:51]
I know that’s not part of security, but I’ve noticed an uptick from people sending me messages from things like clarity around me being an expert, me being an influence or something and they want me to help them get to rescue their money in some way. Have you seen that uptick come?

Derek Harp [7:10]
Uh, yeah, I mean, I think, you know, I’ve been in this a long time. And when I started, it was really I think the people spend the money and you’ve been working on this, and we were in the newspaper, all the same thing, big banks, you know, big government institutions. But now this problem is filtered down to, to everyone. And there’s no you know, I hate to say it, I’m not a fear monger. And there are people in my industry that are, I think we have to take appropriate, you know, cautionary steps. But the truth is, there’s no safety anymore in being small or security through obscurity, as we used to call it, you know, I’m so little or unknown, nobody will come after me or my company. That’s not true anymore. They’ll find you via automated ways. And I have to be looking for you specifically find you and then, you know, design and appropriate extraction of value from you.

Gene Hammett [8:01]
Derek, let’s take a turn in the direction of this as leaders of companies, you know, those guys and girls listening in to the podcast, what should we be looking at? or thinking about increasing the level of security in our own companies?

Derek Harp [8:16]
Yeah. So if you saw if you put aside technological solutions that you may need to consider and of course, there’s, there’s, there’s a, there’s due process or kind of due diligence, you have to do that there are things that people need to be using, I’ve started to focus solely on human behavior. And so that’s going to be you know, some sort of training, we’re taking Cambios a very different approach than what’s on the market today. But there are cybersecurity awareness training solutions. And so doing, doing one of those, you know, leading offerings, if not pursuing something like what we’re developing is is really critical. And that’s just from CEOs to interns, getting everybody on board. You know, this is how this stuff works. These are the behaviors that we take for granted, and maybe even if you kind of know you shouldn’t do it, you do it anyway, here’s why we should not be doing those.

Derek Harp [9:04]
Here’s the effect. And I, you know, I read something from phishing simulations for companies as well, not just for, you know, for my public talks, but for sometimes for end-users and for all their employees. And it’s, it’s revealing, it’s not it’s eye-opening. And I think companies should have a regimen of that there are quality providers around the globe that do those things. And people need to be embracing awareness training, you know, growing the awareness of every single person in the organization. And it’s not like, owners shouldn’t be thinking, yeah, I got to get this for Sally or Joe at the low end of my company. They guess some of the biggest, you know, offenders are owners, CEOs, senior managers, they have more access. So compromising one of those targets is far more valuable at times then, you know, then than an intern, so I think nobody’s immune to getting you to know, tuning up and getting better practices going

Commercial [10:00]
Hold on for a second, Derek just talked about training. Now, training is important for your employees to train them on the computer systems they use to train them on the processes to train them on how to serve customers how to sell, but you also want training in security. But you also don’t forget training them how to be leaders, how they can really evolve to be the leaders that will allow the company to grow more leaders, leaders develop leaders. If you really want to create a powerful company, then make sure you know that you’re investing in your employees the right way. Back to Derek.

Gene Hammett [10:37]
You’re the expert here. Derek, I am kind of curious, what are the steps we should be taking to give an internal audit or how do we actually you know, start to protect ourselves.

Derek Harp [10:49]
Yet Well, you know, you use the word audit and i would say, you know, putting technical nuances aside and assessment of where you are and where you’re enterprise stands is generally a good step. And that’s something I refer other people to. I’ve chosen not to do that with my new company. But I have a number of relationships. And there are many quality providers in the market, just do your homework and make sure they are credentialed and have good, you know, good backgrounds and reference accounts and things like that. And that they can come in and do that. And so when I connect somebody with, you know, somebody is going to come and do an assessment, that’s where they come and look at the entire situation. And they’re able to generate a report with you know, usually with green, yellow and red things you can imagine, everybody’s got lots of low-level risks, and most people have some moderate risks and what you find from company to company, depending on what they have historically been doing around cybersecurity, there may be a lot of none or a lot or a few of the high-level risks and it’s occasionally it’s alarming. were like, Oh my gosh, the keys to the kingdom are laying all over the place. But hopefully, you know, hopefully there’ll be less of that over time. And people just start moving down the prioritization stack and hardening their environment, so to speak. So, assessments, the first step where do we stand?

Gene Hammett [12:12]
Well, what’s the next step?

Derek Harp [12:16]
Obviously, once you get one of those reports, is in a good company that’s doing the assessing will not say you should do all this. And here’s the price tag, they’ll say, Here’s prioritization, here’s a path to choosing which ones you can do first, for the biggest return on your investment, the biggest risk mitigation in your enterprise. That is the only methodology out there and if you’re interviewing anybody, for any kind of work in the cybersecurity realm, if they don’t talk that way, you know, run for the hills, they’re, they’re going to try to get you for as much money as they can get out of you. But if they’re an integrity-based, high-quality provider, they’ll be saying, we know you can’t do everything. So we’re going to help you through a process of figuring out which ones you should do first, whether you do them with us or somebody else they should, they should talk like that. If they gain your trust you maybe you’ll have them mitigate some of those high-level risks first, and you kind of work yourself down the stack.

Derek Harp [13:06]
Separate from that. Always, it’s just an annual commitment to keeping everybody’s knowledge awareness, whatever term you want to use your, your whole user base moving forward. Another quick walkway that I give people, you know, in meetings before they’ve ever, whether they hire me or not, as I said, you make it very clear to everyone in your organization and everyone you work with, that you are never going to email them a financial transaction structure, you never key wire this money today. It’s just never going to happen to come from us. There’s never been an email. So you’d have to wonder. This is really clever. Maybe it is the CEO, maybe I should wire the money. No, we’re never going to do that. We’re going to communicate with you through another communication channel if it’s an official financial transaction related communication. just nip that in the bud. So no one’s ever tricked or confused into moving money around on the sale of an email.

Gene Hammett [14:00]
I appreciate that. When do you run to a lot of companies that are probably doing some things, okay? What are the things that that are so nonobvious that we’re missing as, you know, leaders of companies to create that culture of safety?

Derek Harp [14:19]
Yeah, I love to use the word culture it’s something I’m giving a lot of thought to and the book that I’m writing you know, we’re looking at that what is the secure culture? You know, what, what, how do we get it into the mindset of everyone? A new base level, you know, here today, it’s unfortunately very, very low. There’s a fair amount of awareness and knowledge of some of these things. But as I talked to more and more and more people and people, sophisticated people, I realized how low the setting is. And so if we can get the security culture just every year for concerned making progress on this, I believe, second-generation users, my children, I’m hoping they actually will the big change will be they will not trust all these years. implicit connections and attachments and everything, they’ll distrust those, and they’ll make exceptions. What we do today is we accept everything. And occasionally we distrust something, if it flags, enough of us enough of our attention that something’s off in this, but you know, a lot of times those go right past we don’t have enough of that radar going. So I think we got to move from a trusting you know, culture to distrust in the connectivity, you know, accepting things, accepting connections and attachments from other people. So we work we have to work on that and reinforce it, you know, and that I think is the biggest bang for the buck. You may be considering technologies and doing things like segmenting your network, all things you should consider doing. Especially depending on what your business is your vulnerability might be very high, depending on your height, your type of business, you got to do those things. But I suspect that the biggest return on investment is working on working on the human problem. Now I would say ideally, you’re going to do both.

Gene Hammett [15:58]
when you think about the leadership mindset around this, what blind spots come to mind that that really needs to be questioned and their own, you know, setting up this culture of safety.

Derek Harp [16:10]
You know that that’s interesting, it’s going to vary from company to company a thing flashes to mind immediately. I’m very, very expensive wire transfer fraud, you know, it’s been perpetrated now billions of dollars are being wired out and not recovered. It’s a scheme and you know may go to a reputable bank, it’s very shortly that after it goes to some non-reputable bank, it’s gone. If you don’t catch it, you know, immediately. There are some cultures. And you know, and I think owners and senior managers have to look at this are some cultures where if the perpetrator is able to regret to construct a communication that appears to be coming from you, and you’ve built a culture of, I told you to do this and I’m going to board meeting you cannot reach me or I’m in Europe and you cannot reach me. But I need this money to be wired today. If you’ve built a culture of that no one can stand up to that.

Derek Harp [17:00]
No, it could be like, You know what? I don’t that doesn’t make sense. I think I’m going to ask about that. And you’re asking to be bitten, you’re going to want to have people to be able to be skeptical in your organization, even if it looks like an order from the boss. That is a very popular technique. You do not want to have a culture of like, well, I can’t say anything. It looks like the boss wants me to do it. Even though I don’t think the smell of this thing. I’d like to raise a red flag but I better not. That’s something to fix right away if you’ve got that sort of poisonous culture.

Gene Hammett [17:28]
I share in my own speeches sometimes Derek about what happened on that United Airlines Flight. It’s not necessarily safety. But when the guy has dragged off the plane in Chicago, it was you know, they were following the rules. They were following the guidelines of what was set forth and no one stopped it no one felt safe enough to go You know what, maybe we shouldn’t do that. Now that we have these cell phones and, and whatever else, maybe we should find another way for this to work out. It would have saved that company. You millions upon millions. If someone would have said, You know what, I just, I need we need to question this. And yeah, I finished this with, you know, fast-growth leaders typically have a culture where people have ownership of it and they think like owners in that they should be questioning these things. It’s okay to question and really, because you’re trying to look out for the whole safety of the organization, and that’s what you’re talking about, we should have a culture of safety like that.

Derek Harp [18:28]
Yeah, if we can, if we can bring a culture of security to our, to our, you know, to our businesses, and by the way, these things transcend business. These same practices apply to your family, and we’re gonna see more and more families and individuals being targeted so that you know, you can get a ransom that’s appropriate for you $2,000 get all your photos, your whole lifetime of digital photos back. So these are not things that are just business. These are practices that we all just need to say this is what it is to live in a connected a hyperplane connected now community and society. These are the new standards don’t we can’t do things we’ve done forever. And we just got to start being suspicious. And that’s weird for me to say I’m an optimist, and I’m generally open. And I like meeting new people. So it seems almost counter against the grain for me. But it’s what we have to be is to say, You know what? This seems weird, or there’s something that doesn’t smell right to this. I’m gonna ask I’m gonna stop interacting with what just got sent to me and maybe I’ll send a text message or a phone call. I’m trying to verify the validity of this the safety of this some other way besides replying to the email, which of course could be a self-fulfilling prophecy of negative response. You try, test Be wary, be cautious. It’s time for it.

Gene Hammett [19:44]
Well, wrapping this up, Derek, I appreciate you sharing your insight on creating a culture of safety and you guys can find him at

Derek Harp [19:55]
It’s a Cambio’s tech. And right now the company’s name is but it will be shortly becoming Cambio’s tech.

Gene Hammett [20:04]
Well, we appreciate you being here.

Derek Harp [20:06]
Thank you very much. I enjoyed it.

Gene Hammett [20:07]
Great interview, love having people on the show to give you some insight, give you some steps, you can take away actionable content for your business. Creating that culture of safety is something I believe is important. It gives you a chance to really connect with employees give them the training they deserve so that they can grow as individuals. My name is Gene Hammett. I love working with leaders, founders, and their teams on the defining moments of their growth. If you are looking and thinking about how you can grow faster, you’re wondering why it’s not happening or you’re running into specific challenges. I’d love to connect with you. Make sure you reach out to me [email protected] as always leave with courage. We’ll see you next time.


Disclaimer: This transcript was created using YouTube’s translator tool and that may mean that some of the words, grammar, and typos come from a misinterpretation of the video.


GTT Featuring Derek Harp



And lastly, please leave a rating and review for the Growth Think Tank on iTunes (or Stitcher) – it will help us in many ways, but it also inspires us to keep doing what we are doing here. Thank you in advance!

If you want more from us check out more interviews:

Transformational Leadership
Productivity Tips
Best Selling Author Interviews