In this podcast, I enjoyed talking with Chirag Shah, Model N's Global Information Security Officer and Data Privacy Officer, about creating a security-minded culture. Infusing a security culture within organizations starts with leadership buy-in and support. Chirag highlighted the need for interactive and engaging training programs tailored to specific departments, involving real-world examples and practical scenarios. He stressed the significance of fostering a security mindset among employees through daily reminders and reinforcement and leveraging free or low-cost resources to implement effective security awareness programs. Chirag also emphasized the need for a strategic approach to security and a security-minded culture where employees are empowered and responsible for maintaining a strong security posture.

Action Items

Develop an interactive that delivers bite-sized security awareness content, quizzes, and scores performance.

Organize escape room and security hackathon events as hands-on learning initiatives.

Contextualize training for specific employee roles and responsibilities.

Incorporate security into employees' goals and recognize adherence to policies.

Lead by example and make security part of a company's vision and operations



Time Stamps



00:02 -- Introduction

02:38 -- Guest's Professional Highlights

04:14 -- Why do you emphasize the importance of infusing a culture of security?

06:35 -- How do you create a security-minded culture?

09:42 -- How do organizations create engaging and effective cybersecurity awareness training to develop security-minded cultures and cyber hygiene habits among employees?

15:49 -- Personalizing security

19:49 -- Dealing with common challenges and hurdles associated with creating security-minded cultures.

27:53 -- How do you get top management buy-in?

29:05 -- Creating a culture of accountability

36:35 -- Treating cybersecurity as a strategic enabler

37:57 -- Final Thoughts

Memorable Chirag Shah Quotes/Statements

"Security belongs to everyone, not just the security team. It's about embedding security awareness and responsibilities into the vision, mission, and day-to-day operations of all departments and employees."

"Security should become part of the daily goals for the execution of the business."

"Focus on security awareness training that is engaging, fun, and rewarding for employees, and move beyond annual compliance training to create a continuous security learning culture."

"When anyone asks, how big is your security team, I say about 1300 some people, right, because that's what my company is. All of them are our security team, and they are the security champions, and they helped me manage and drive the security program to the next level."

"What you want to do is implement a phased approach to security awareness training, starting with basic concepts and gradually increasing the complexity of those concepts."

"90% of the employees in US companies use laptops to conduct personal transactions, whether they're paying the credit card bill or they're booking travel tickets, they're all doing it online, and using a company laptop."

"Appoint security champions within different departments to assist in training and awareness."

"The message has to be very simple and to the point, so employees can understand and have an open dialogue."

"Implement pre-and post-training assessments and measure changes in employee knowledge."

"Leaders and managers should lead by...