Perry Carpenter, author of “Transformational Security Awareness: What Neuroscientists, Storytellers, and Marketers Can Teach Us About Driving Secure Behaviors” from Wiley Publishing, currently serves as Chief Evangelist and Strategy Officer for KnowBe4, the world’s most popular security awareness and simulated phishing platform.
Previously, Perry led security awareness, security culture management, and anti-phishing behavior management research at Gartner Research, in addition to covering areas of IAM strategy, CISO Program Management mentoring, and Technology Service Provider success strategies. With a long career as a security professional and researcher, Mr. Carpenter has broad experience in North America and Europe, providing security consulting and advisory services for many of the best-known global brands.
Perry holds a Master of Science in Information Assurance (MSIA) from Norwich University in Vermont and is a Certified Chief Information Security Officer (C|CISO).
Get to know Perry Carpenter
What’s the most meaningful part about serving on the NCA Board of Directors?
There are two big things that I feel are really meaningful about serving. The first is that the NCA’s mission is all about raising the bar for cybersecurity, awareness, career opportunities, and more. That’s a great mission to be part of. The second meaningful part of serving on an NCA committee is the cross-industry/organization relationships that are formed and cultivated. There are so many great people and organizations involved in the NCA, and it is an honor to work alongside them towards a shared goal.
How do KnowBe4’s cybersecurity interests align with our mission?
KnowBe4’s stated mission is to help employees make smarter security decisions, every day. So, there’s obvious alignment here. The NCA is the originator of Cybersecurity Awareness Month, multiple programs to help small business and enterprises be more secure, and programs to help educate the next generation of security professionals and digital citizens. As I see it, KnowBe4 and the National Cybersecurity Alliance are amazing partners helping each other achieve a more secure planet Earth.
You’ve been in the cybersecurity industry since you finished school. How did you know so early on that this was the right career for you?
I actually came into cybersecurity through a bit of a sideways route. My undergraduate degrees were in Philosophy and Biblical Studies… and I completed part of a Law degree before dropping out and going into computer science. I spent my early career years as a computer programmer in an R&D role and then moved on to programming and systems implementation for email, directories, and Identity and Access Management systems. That work with email, directories, and IAM was a gateway into security, and security quickly became an all-consuming passion.
I love that there are so many angles that you can study to help improve an organization’s security. You have the development angle, implementation, policies, processes, people, and the intersections between all of those. And, most importantly, when it comes to security, you can easily feel like you are part of a mission. You are serving something greater than yourself or even the financial interest of your organization.
What inspired you to become an author?
More than anything, there were lots of thoughts and opinions in my head that I wanted to get out. With Transformational Security Awareness, I spent a lot of time looking for the ‘perfect’ security awareness book for professionals who wanted to make security awareness their life. That book didn’t yet exist, but I knew of so many great resources, lines of research, and people that I thought everyone should be exposed to. So, the idea behind that book was to serve as an aggregation of all that great information, with a bit of my own thoughts, experience, and philosophy sprinkled throughout. I wanted that book to be a great resource for others and also a great jumping-off point for anyone wanting to take the research further.
My co-author (Kai Roer) and I had similar goals with The Security Culture Playbook. There was a ton of research that we wanted to give people access to; but we also wanted to up-level the conversation. So, as you can see in the subtitle of the book, we really wanted to take the conversation to the Executive level and frame ‘security awareness’ in terms of risk, show that culture can be measured/quantified, and that organizations have the power to influence the security-related aspects of their culture (including beliefs, social norms, etc.).
What is your writing process like?
Both dreading and looking forward to every morning. The process of writing a book can be grueling yet rewarding. I start with a very basic outline of what I believe the critical components of the topic are. Then I try to go down to subtopics, and subtopics of subtopics. At the same time, with each topic/subtopic I also try to make note of anything that might be interesting or inspiring… or maybe a fun rabbit hole or two to point out. These little side trails are often fun to peruse and (I think) can help to give life to the topics.
I also love the process of playing with language… trying to find interesting (and hopefully memorable) ways of conveying ideas. And I think that’s really important when it comes to writing a book about security awareness because the audience for the book is people who need to do the same. So, I get to serve as an example of sorts.
One critical aspect of my process that I encourage everyone to do in their writing is this: I *always* use text-to-speech to listen back to what I’ve written. You’d be surprised how many grammar errors or awkward phrases you pick up on when you hear a computer or another person read back what you just wrote.
Talk to us about your podcast 8th Layer Insights!
I started 8th Layer Insights just over a year ago because it was a podcast that I wanted to find but couldn’t. I’d been on the lookout for a cybersecurity podcast done in a Freakonomics Radio or Planet Money style for a few years. And, while there are some absolutely fantastic cybersecurity podcasts out there, I couldn’t find any that had the flavor that I wanted and covered the topics I wanted.
I had the idea in my head for a while but kept putting it off because I don’t love my voice and also felt a lot of pressure to only release things that are of a certain quality. Let’s face it, I’m an industry voice who has spoken quite a bit about how best to convey ideas, capture attention, and what good content is. So, I felt like anything I create has to reflect those values. I finally gave myself permission to give it a try and to always let my audience know that I’m using the podcast as a way to experiment with many of the principles that I evangelize.
As part of that ‘experimentation,’ I try to not shy away from taking risks. For example, I often include comedy skits or even entire episodes that are in an experimental format. The goal with these is to help encourage listeners to take similar risks and to always show that I don’t take myself too seriously.
How do you make sure your family is staying safe online?
I doubt that I have advice that is different from any other security professional with a family. But I’ll say that the most important thing for our family is to have open conversations. I talk about the threat landscape and trends that I see. My family members always bring up instances of strange or interesting things they’ve seen or heard. And, between us all, we try to figure out how best to navigate our digital lives without being too closed-off or too open.
What is something most people might not know about you?
Many people may not know that I’m autistic. It is something I’ve not spoken much about publicly. In many ways, I think my autism is what drove me to be so interested in the human side of everything. I’ve been spending decades trying to better understand other people, myself, and the human condition in general. I’ve been trying to learn how best to convey ideas, express empathy in meaningful ways, sustain relationships, and give back to the world in ways that are meaningful to other people while also being true to myself.