Skip to content

Advisory · Keynotes · Board Counsel

Boards and executives call me when cybersecurity becomes a business decision.

I created the Security Culture Framework — adopted by ENISA and used by thousands of organizations worldwide. I've been building companies at the intersection of technology, security, and leadership since 1994.

I advise leaders on human risk, cybersecurity strategy, and digital transformation.

I'm not a consultant. I don't do implementation.
I'm the person you call when you need clarity on hard decisions.

Explore Advisory Book a Keynote

The Track Record

Three decades of seeing what's next. And helping leaders get there sooner.

2010s Security culture as a measurable discipline Adopted globally. Framework used by ENISA.
2015 Measuring culture, not just training completion Mainstream now.
2018–2020 Human risk focus over awareness training Industry is shifting.
2022–present Measuring actual behaviors, not proxies Industry hasn't caught up yet.

Created the Security Culture Framework

The framework I developed was adopted by ENISA — the European Union Agency for Cybersecurity — and is used by organizations globally to measure and build security culture.

Keynotes and Lectures on Six Continents

Over 30 years of keynotes, lectures, and executive sessions at conferences and institutions worldwide — including RSA Conference, Black Hat, UC Berkeley, Singapore Management University, and the University of Ljubljana. Serves on the Advisory Board for the Black Hat Europe Executive Summit.

Built and Sold CLTRe to KnowBe4

I built CLTRe — a SaaS platform measuring security culture — and sold it to KnowBe4 in 2019. It was the seventh startup I've been part of, and one of several I founded.

30+ Years Building Companies

I started my first company in 1994 and have been building at the intersection of technology, communication, and leadership ever since — through the dotcom era, through multiple exits, and through the shifts that shaped how organizations think about security today.

Published Author

Multiple books on security culture, human risk, and building security programs.

Still Building

Currently building Praxis Navigator — a human security behavior monitoring platform. still in the arena, not advising from the sidelines.

CSA Ron Knode Service Award 2015 ENISA celebration Kai Roer — credentials and published books Kai signing books after a speaking event
Kai leading an interactive workshop — audience engaged with hands raised

How I Work

Challenge. Reframe. Commit.

Every engagement follows the same arc — whether it's a 45-minute keynote or a 3-month advisory relationship.

01

Challenge

I surface the assumptions you don't know you're making. I question the "best practices" that are actually holding you back. I bring the outside-in perspective that internal teams and conventional advisors can't provide.

02

Reframe

I offer a fundamentally different way to think about the problem. Two decades of research, pattern recognition from building and selling companies, and a track record of calling the direction before the industry moves.

03

Commit

You move from new understanding to decisive action. I'm a sounding board as you act. I open my network where it helps. But the value is the shifted thinking — not a document gathering dust.

Advisory

Executive Advisory

For leaders who need someone who'll tell them what they're not hearing — and who's been right about this before.

Time-boxed strategic advisory. Typically 3–5 sessions over 1–3 months. Scoped to your situation — whether that's a specific decision, a strategic initiative, or a fundamental rethink of your approach to human risk, security culture, or cybersecurity governance.

You get

  • Assumptions surfaced, blind spots exposed, "best practices" questioned
  • A strategic frame that changes the decisions you make
  • A sounding board between sessions
  • Network access where it matters

Typical triggers

  • Your board is asking cybersecurity questions and you don't have good answers
  • Security culture or human risk efforts aren't producing measurable results
  • A digital transformation is underway and security is an afterthought
  • You need a strategic sounding board you can't find internally

Board Advisory

For boards that need a cybersecurity voice in the room who thinks like a business leader — because he is one.

Ongoing board-level advisory on cybersecurity governance, human risk, and the security implications of digital transformation. I translate complex cybersecurity risk into language the board can govern — and I challenge management's assumptions with informed skepticism.

You get

  • Independent cybersecurity expertise at the board table
  • Early warning on strategic blind spots not yet on the risk register
  • A board that governs cyber risk instead of rubber-stamping narratives
  • Entrepreneurial perspective from 30+ years of founding and building companies

Typical triggers

  • Regulatory pressure is making cybersecurity a board-level liability
  • The board lacks independent cybersecurity expertise
  • A major transformation is underway and security governance hasn't kept pace
  • A breach or near-miss exposed governance gaps
Kai presenting on stage at Black Hat Executive Summit

Keynotes

I don't give comfortable keynotes.

Audiences have heard every cybersecurity talk. I give them something they haven't heard — a genuine challenge to how they think about human risk, security culture, and cybersecurity strategy.

I draw from two decades of research, multiple company exits, and a track record of seeing where the industry needs to go before it gets there. Talks are custom or drawn from a curated backlog of signature presentations.

Security Culture: What You're Still Getting Wrong

You're measuring activity, not behavior. That's why nothing's changing.

CISOs · Security leaders · Industry conferences

The Board's Cybersecurity Blind Spot

Your board thinks it governs cyber risk. It governs a narrative. Here's the difference.

Board members · C-suite · Governance events

Human Risk Is Not a Training Problem

Security awareness training was a stepping stone. The industry stayed too long. Here's what's next.

Industry conferences · CISO summits

Digital Transformation Without Security Is Just Digital Risk

You're digitizing everything and securing nothing. Let's fix that.

CEO/CDO events · Transformation summits

Kai presenting on Security Culture Kai at Security Culture Framework workshop Kai presenting CLTRe data at RSA Conference

Writing

Latest from roer.com

I've been writing about security, technology, and culture at roer.com since 1995.

Read the blog

Around the World

30 years. Six continents. Stages that matter.

Black Hat Executive Summit 2023 CISO 360 Barcelona Normkonferansen 2022 IKT Norge On stage at KB4-CON ISMG interview SMU Cybersecurity Strategic Leadership Program AI Summit Africa Leaders manage culture — keynote RSA Conference Singapore RSA Conference Europe CyberWest Summit Australia On stage at JCI conference Presenting as CEO of Praxis Security Labs Presenting Security Culture Report at RSA Security Culture Conference 2021 Kai speaking Co-presenting at event KB4-CON — Measuring Security Culture Guest lecture at university Cultivating a Culture of Security On stage keynote Royal Norwegian Embassy Business Days — Digital Transformation At UC Berkeley Large conference stage BCI conference Business Days 2016 speaker

Let's Talk

I work with a small number of boards, executives, and event organizers at any given time.

If you're facing a hard decision about cybersecurity strategy, human risk, or digital transformation — or you need a keynote that will actually change how your audience thinks — let's have a conversation.