Too often, security awareness and training are focused on organisational needs rather than holistic end-user cybersecurity. At ADAPT’s CISO Edge in July, we asked cybersecurity thought leaders Robert Carey, Simon Waller, and Ellie Warner about their most effective ways of changing the conversation so that it is about the employee working safely anywhere.

Robert Carey – VP & GM, Global Public Sector Solutions at RSA

So there’s a nice hierarchical chain of command to throw information down and there are lots of ways to do that in a structured manner. But you really find the nexus of the unstructured communications, the word of mouth, the blogging, the all-hands emails, the all-hands meetings, so you communicate in a way that you enable the communicators to continue the journey of aligning thought and value propositions around cyber security investments. One of the biggest things that we encountered was, I need to make sure that every user has a certain amount of skill as they engage the network to do their job. We took it for granted that you log in with your user id and password and off you go. I was one of the people selected to roll out smart cards for the United States Navy and so, it was a giant change to how you’re going to log onto the network, giant change, and how you’re going to call yourself a member of the United States Navy. It was a different ID card. And the change management initiative was really persistence, thoroughness, and a deliberate demonstration of the value proposition on the other side, so that you diffused all the questions, concerns, and challenges. And there was a point in time when there were several commands who said: “I’m just not doing it.” And then you can pull out the letter from the deputy secretary of defence saying “yes, you are.”

So, but if you didn’t have to do that, that went all the better, and then suddenly they got over it. And sometimes you had to push them, but sometimes they were, and there were always a few that said, give me mine, I want to be the first.

To me, it’s persistence to ensure that you’re touching all the right people, and then enable those people to continue to communicate the message.

Simon Waller – Digital Champion, Author and Advisor

I mean a couple of examples that people came up with when we asked, where they were saying “we’re thinking of our friends, and training for parents about cybersecurity for kids.” And as much as it’s valid to say that, it’s probably the kids that don’t need so much of that training.

Suddenly we’ve taken this idea of cybersecurity and we’ve made it meaningful to people.

And I think the skills that people develop in that type of training are perfectly transferable back to their work posts. We’re not dealing with different problems, like here you are in business, worried about my password security, and I need to be worried about that in my personal life, and you’re worried about phishing emails and ransomware attacks, and it turns out that most of those are actually directed to people at home, so I need to be worried about that too. So all the things you’re worried about, I’m worried about. So in theory, if you were to teach me the things that I needed to know, it would also be the things that you needed me to know. It’s interesting that we haven’t seemed to have come over from that direction.

Ellie Warner – Head of Cyber Awareness at Standard Chartered Bank (Singapore)

We tend to treat employees as risks, and as the weakest link, and we use all this terminology that suggests that they don’t actually have the power to be a strong security agent. So the language we use needs to change. We need to really think about our employees as security agents. Arm them with tools, make it really personal for them. So rather than talking about what’s in it for us, the company, how can the tools, techniques, and the tips we give them help them at home as well. These are human beings. They want to be able to be secure in their home life as much as they do when they come into the office. We need to change our rhetoric, really make it personal, and think like a marketer would be the third aspect.

So, audience-based awareness, rather than one size fits all.

If I’m an application developer, I’m going to have a very different set of security questions than if I’m somebody that works in a branch sensor of a bank, for example. So we have to tailor our training based on the recipients, rather than everybody takes an e-learning course, or everybody reads this policy document.

Aparna Sundararajan:

That’s insightful because I’ve never heard that before: think like a marketer. And then how about the actual delivery of those modules, because we are used to reading really long documents and then either signing or answering a few questions, and then you’re done. But that does not help us retain a lot of things in our head.

Ellie Warner:

It really doesn’t, does it? And everyone knows the kind of the adage about you know, if you read something versus if you see it versus if you do. So we are trying to get more and more immersive in the way that we run our training sessions. So, worst-case-scenario you would give somebody, as you said, a policy document. Read this, check the box, well it keeps the regulators happy, but are you actually changing their understanding? Probably not. They want to go back to their day job, straight! I have never met anyone that wants to do more e-learning. However, if you can shift that balance to doing, the chances of retention, and also their ability to understand the inherent risk, can only increase.

So one of the tools that we’re using, for example, is discussions around cyber case studies. So, industry news that might have happened, whether it’s BA, or Marriott, or Uber. Discuss what happened, what would you have done?

Especially if it was the human angle that led to the breach. So, what could you have done differently?

And what are the types of information you need from us to help you do that? So get them involved, get them doing, get them discussing, rather than being passive agents of data overload, because no one responds well to that.

How to Make Security Training About the User with Cybersecurity Thought Leaders
Contributors
Robert Carey VP & GM, Global Public Sector Solutions at RSA
As Principal Deputy CIO for the US Department of Defence and formerly CIO for the US Navy, Carey has championed transformation, strengthened cybersecurity, and led policy for millions of personnel and multi-Billion dollar budgets. Now serving as the VP & GM Global Public Sector Solutions for RSA, Carey integrates teams to connect technologies to solve customer information challenges in the Global Public Sector. As a recognised technical and business leader in enterprise cybersecurity, he engages senior leadership in the public sector globally to define their solutions.

Simon Waller Digital Champion, Author and Advisor
Simon fervently believes that as a society we have the opportunity to do things better – whether it’s through the commercial practices of organisations or personal actions of individuals. Motivated by the importance of personal responsibility, Simon left his position in scenario planning at Rio Tinto to explore how organisations could use emerging technologies and new ways of working to drive improvements in both the way we work and the way we live.

Simon’s natural ability in teaching and his authentic and affable nature encourage others to positively question the world and why we do the things we do. Simon has extensive experience in both managing projects and coaching and mentoring for performance improvement.

During his time at Rio Tinto Simon provided business improvement support to a tyre retread facility that serviced Rio Tinto’s iron ore and bauxite haul truck fleet before moving into Rio Tinto’s scenario planning and strategy team. Simon has also previously worked as a sustainability consultant where his work focused on developing holistic approaches to behavioural change. Simon holds a Master of Business Leadership and postgraduate qualifications in futures thinking.

Since leaving corporate life Simon has focused his efforts on helping organisations identify ways technology can drive operational improvements. Initially he did this working as an external consultant and more recently as the founder of the Digital Champions Club, a digital transformation program for SMEs that trains internal agents of change. Along the way Simon has also written two books Analogosaurus: Avoiding Extinction in a World of Digital Business and The Digital Champion: Connecting the Dots Between People, Work and Technology.

Simon is also an in-demand conference speaker, having spoken to audiences both across Australia and overseas.

Ellie Warner Global Head, Training and Awareness - Trust, Data and Resilience at Standard Chartered Bank (Singapore)
Ellie has led the Bank’s Information and Cyber Security Training, Awareness and Exercises agenda since January 2015, with Data and Privacy, Resilience and Third Party being added to her remit in November 2019. She also leads the Bank’s global Information and Cyber Security (ICS) Skills Accreditation programme to ensure the Bank’s cybersecurity workforce has clear learning pathways to upskill and cross skill, as well as to attract other Bank employees interested in a career in ICS.

Her team’s mission is to foster a robust Security Culture. Specifically, to ensure all Bank employees, from Board to branch, are aware of ICS risks and their role in protecting the Bank and customers’ wealth from existing and emerging security threats. Her team does this through the design and deployment of awareness frameworks and learning interventions, with an increased focus on role-based training and an adaptive learning culture. Born in the UK, Ellie has worked in technology for 25 years, living and working in the Middle East, Europe and Asia since 1995 with Sun Microsystems, HP and EMC, in sales, partner, analyst, marketing and communications roles. She joined SCB in 2015 as Global Head, Policy and Awareness – Information and Cyber Security.

An advocate of ensuring women have an equal voice at the table, both professionally and personally, Ellie is actively involved in Lean In Singapore, founding Lean In at the Bank in 2018. As of August 2020, 59 Circles have been established in multiple countries empowering hundreds of female Bank employees to achieve their full ambition. She speaks regularly at conferences and panels on cybersecurity and women in technology.

Aparna Sundararajan Senior Research Strategist
Aparna Sundararajan leads the emerging and disruptive technology research agenda within ADAPT’s strategic advisory team. As Senior Research Strategist, her role is to create independent advice for the Australian C-Suite around emerging technologies, trends and investment priorities, and to develop industry-leading content for the ADAPT portfolio of Edge events.

As a technology analyst and marketer, Aparna aligns the burning issues of senior executives with digital business dynamics and emerging technology capabilities to create strategic advice for ADAPT’s Members and Strategic Partners.

Aparna has had 12 years working in the IT services sector, much of it with Gartner, where she developed independent advice for senior IT managers on the emerging roles and responsibilities they face in digital technologies, digital customer behaviour, and business model transformation.
