In this episode we are joined by a guest who has committed their career to the world of advertising agency work. Influencing target audiences awareness of products and stacking the odds in their clients favour, that the target audience will choose their product over their competitors. The challanges our guest has faced, over the years, are in many ways similar to those that education and awareness managers, for information security and data protection, now face.

The role of the human resources function, in the the overall process of employee awareness, behavioru and culture can't be under stated.

In the early days of my research, at Re-thinking the Human Factor, it was very apparent that HR was a major stakeholder. From what I like to call KPI's clash, where stakeholders KPI's sometimes clash against each other, through to employee performance and development, and from HR processes such as starters, movers and leavers, through to organisational change. The HR department can add a lot of value to the process of delivering change in employee security awareness, behaviour and culture if you work on fostering a beneficial releationship. 

With that in mind I wanted to invite a guest who excels in the area of organisational development, epople management and HR. Our guest, Anne Benedict, stepped right up and agreed to share some insights into the challange of employee awareness and education, from a HR perspective.

When I first got involved in “information security” 20+ years ago, I found myself almost entirely surrounded by industry peers whose training and experience was in technology or technology disciplines. My training in law, marketing and finance, and my experience in business development, marketing, recruitment and even a stint in purchasing and supplies all seemed out of line with the world of IT security as it was called back then.

As I came to understand, during my own research in human behaviour and culture, my lack of an education in technology meant I was culturally and even physically wired differently. This meant I looked at things through a different set of lenses. The result, was an approach that we would now call governance, risk and compliance. However, it was these very human disciplines, which led me to fundamentally think differently when it came to kicking off the Re-thinking the Human Factor research programme.

Our guest Lana McGill, to me, enshrines the change in direction of an increasing number of forward thinking security professionals looking for a more mature approach to employee awareness, behaviour and culture. Lana believes that by diversifying their search for skills and experience, outside of the traditional industry expectations, you can bring new insights and energy to the challenge of influencing  employee behaviour and culture. Her role as a senior information security leader, in the finance sector, and her willingness to embrace other skills and experiences in the search for more effective interventions, gives hope that the industry inertia, when it comes to the human factor, may finally be shifting.

©Copyright Marmalade Box Limited

The content of this podcast is the property of Marmalade Box Limited. Any use of the content of the podcast, either in full or partially, will be considered an infringement of Marmalade Box Limited rights as sole owners of this content. Any enquiries about the use of this content should be directed to Marmalade Box Limited. Contact information can be found at www.marmaladebox.com .

Finding relevent metrics, for security awareness, behaviour and culture has been a long standing  challenge which the information security industry has struggled hard to address.

Now, when I reflect on how I personally tackled metrics, around the human factor, before I kicked off my research programme here at Re-thinking the Human Factor, I recognise I had an in-mature approach. That approach focused on what data I knew I could get rather than what was useful. Some industry folks called this "vanity metrics." That's all changed now, and that change started off, with getting back to basics by looking at what the science of measurement had to say.

In this episode our guest and I talk about the sceince of measurement, how it is has evolved to enable human kind to progress at every stage of human evolution and how this knowledge might shine a light on the challenge of finding effective metrics when it comes to employee awareness, behaviour and culture.

If you want to know more about how we have used this and other insights into metrics to support information security professionals measure the effectiveness of their programmes to influence security awareness, behaviour and culture then visit www.re-thinkingthehumanfactor.com and register for the monthly webinar. 

Educating employees on their roles and responsilities when it comes to information security and data protection, is common sense, and, even if you don't think that's the case, it is, without a doubt, a regulatory obligation for many. So, what is "education" and what is going on in the world of learning and development which might help us to re-think the human factor?

In this episode our guest, Teisa Marshik, a respected educational psychologist and passionate educator, shares how her's and her colleagues approach to educating learners is changing. We cover everything from how the effectiveness and success of education is measured, through to how advances in our understanding of human behaviour and culture, mean we now recognise that students are consuming and responding to education content based on their own life experiences and situations and what this means for traditional best practices in L&D.

Our guest, is Dr. Ben Evans. Ben is an aeronautical engineer, and he’s applying his understanding of the forces at play, to the seemingly insurmountable challenge of conquering the breaking a world record at the Bloodhound Land Speed Project.

Ben talks about the laws of science and engineering which help him to find the marginal opportunities for improvement which are helping the team towards breaking the world record. But, in this interview, it’s also clear to me, that success is a matter of teamwork often with colleagues with different and sometimes conflicting priorities.

Understanding the forces at play includes understanding science and nature, even when it comes to human awareness, behaviour and culture, but it’s also about understanding the forces at play across stakeholders, where often conflicting priorities and interests can arise. Getting the “Team” aspect right, you could argue is as important as the science which drives decision its self.

In this episode we look through the eyes and experiences of an education and awareness manager from Brazil. We explore the consistent challenges, no matter where you are or what your culture is, when it comes to employee awareness, behaviour and culture.

In this episode we delve into the world of branding with the out standing Geraldine Michel and explore possibilities for security professionals responsible for the human factor.

We draw on lessons from the world of fashion, by skirting through branding and how Brand Directors and Managers utilise this mammoth of the modern day commercial world to shape and influence behaviour and culture. 

Internal communications is a major stakeholder in employee awareness, behaviour and culture. We often defer to their skills and experience as the specialists in communication strategy for reaching out to internal staff. However, there's something a foot in the industry. Traditional ideas of what makes "good internal communications" are being challenged and our good friend "behavioural science" has been a great influence on the thought leaders in the field of communications. In this episode  I talk with one such thought leader.

In previous episodes of the podcast we have explored why human judgement and decision making, which drives our behaviour, is heavily influenced by the environment within which we make our decisions.

In this episode we take this one step further and ask how employee awareness, behaviour and culture pans out, after all of the theorising and planning, when the tranquil environment of corporate learning is replaced by the rawness of a major security crisis.

In this episode I am joined by my co-authors, Adrian, Ciaran and Jess, of the CyberSecurity ABC’s book for a long overdue catch up. We hadn’t been able to spend anytime chatting for a while and so it was fabulous to get us all together again to enjoy having a talk about security awareness, behaviour and culture.

We touch on not just the challenge of employee awareness, behaviour and culture but also about industry stakeholder’s roles in recognising the long overdue need for change.

We explore the role of the environment in people’s decision making through the way Covid 19 has shaped not just the world but highlighted the need for continually re-assessing employee education and awareness.

We tread the well-trodden path and saying that education and awareness doesn’t always deliver changes in behaviour and culture, and we ponder whether there needs to be a change in the language that industry uses to really break through the glass ceiling that’s been imposed on everyone responsible for employee education and awareness.

It’s a great episode, touching on so much, with some laughter rolled in and a dodgy rendition of the Thompson Twin’s Doctor, Doctor track as well.

Episode Outline:

We love a different angle here at Re-thinking the human factor and we think this interview is a great new angle with which to tickle your re-thinkology senses. Pay attention closely and it’s littered with insights which can make a difference to your efforts.

In this episode I have the privilege to chat with the ex Information Commissioner to the United Kingdom, Richard Thomas. Richard was appointed by Her Majesty the Queen to spearhead the data protection office in its delivery of embedding privacy cultural values into day to day life in the United Kingdom.

Richard explains the challenges that he and his team faced around awareness, behaviour and culture and also his thoughts around what good awareness, behaviour and culture might look like from a  regulators perspective when assessing an organisation who has been reported to the regulator for a breach in security around personal data.

The vast majority of cyber attacks target people, not technology. That's why an approach to cybersecurity that centres around people can be a game changer. Research shows that ensuring employees know what to do when faced with a real threat can reduce successful phishing attacks and malware infections by up to 90%. But how do you go about it? Do you just go for it?

In this episode, we’ll dive deeper into what it means to have a people-centric approach to cybersecurity, and how putting the human at the heart of your strategy can be a change gamer.

In this episode we talk with a guest who is on the front line when it comes to employee education and awareness. We talk about video content, tailoring your content to your audience and what it takes to succeed when it comes to creating videos for education and awareness purposes.

We will also explore why we should not neglect, or make assumptions about, the cyber security teams brand and how our customers perceive us. And, if we get this right, how it contributes to our roles as influencers of employee awareness, behaviour and culture.

Knowing when to deliver the right education, to the right people, at the right time is critical in building security aware teams that succeed. However, when failing to maintain users engaged the organisation’s exposure to threats might be an even bigger challenge to solve.

In this episode, we’ll diver deeper into how ‘limited attention’ can result into a security awareness-poor organisation and explore the different ways in which people learn, the importance of ‘Learning Science Principles’ in maximising the learning curve.

Cybersecurity awareness can be one of the most challenging items in any CISO, IT/Security team’s agenda as building a program that effectively drives awareness and cultural change can be daunting. After all what makes us human, makes us a risk! So, what does it take to win when it comes to driving user behaviour?

In this episode, we’ll look at where do you start with a company-wide training program that aims to change behaviour and impact organisational culture. What barriers might you come across to get buy-in and how to overcome them.

Culture is an intrinsic part of what makes us human – it encompasses the social behaviour and norms found in human societies and their individuals. And, in a ‘always on’ digital society, that can only mean one thing – We Click! We click to open potentially malicious emails, infected files. We click to share information and then we click to share a bit more – all in a simple click of a button.

In this episode, we explore how cultures are formed and influenced by digital, social media, and we touch on the role of technology in allowing organisations to drive security awareness and cultural change in today’s ‘NEW HQ’.

Humans have achieved great things, from survival through to prosperity, and all because of how our brains have evolved.

However, our physical and cognitive evolution lags behind Moores law and our brains just cannot cope with the amounts of information and huge number of decisions we need to make both consciously and unconsciously every day

How do our brains cope and why does this coping mechanism make us vulnerable and keep CISO’s awake at night? In this episode Bruce and ProofPoint's in resident CISO Andrew Rose tackle this thorny question amongst a range of other interesting points

A conversation with award-winning CISO, Andrew Rose

ANDREW ROSE joins us for Series 3, Episode 12 of the Re-Thinking the Human Factor Podcast. Join us for this straight forward discussion with an award winning CISO who transformed security management for three major organisations.

With his extensive background, Andrew is a strong relationship manager who is able to develop and lead teams, driving initiatives forward with a style that is facilitative, tenacious and positive. Able to communicate, co-ordinate and influence effectively at all levels and respond to challenges with dedication, enthusiasm and pragmatism. 

Andrew Rose is strongly focussed on sensible, cost effective security solutions being used to enable a business to innovate and develop.

AS YOU LISTEN TO THE EPISODE, IF YOU FIND YOURSELF WANTING TO IMPLEMENT SOME OF THE INSIGHTS YOU’RE GAINING BUT YOU FEEL YOU NEED A LITTLE HELP, PLEASE DO GET IN TOUCH WITH ME AT:

 

 

bruce.hallas@re-thinkingthehumanfactor.com

JOIN ANDREW ROSE AND BRUCE HALLAS AS THEY DISCUSS:

• The early days of cyber security and how people almost gave up on the human factor.
  
  
• How the idea of applying the knowledge of human awareness came into play.
  
  
• Challenges today’s cyber security managers face.
  
  
• How can you be safe if you are not secure?
  
  
• The key indicators to a healthy security culture.
  
  
• The influences that help to drive our decision-making and behaviour.
  
  
• Designing cyber security awareness and training with the human in mind.

• How to win over people to try something new.

• How hackers think.

RESOURCES AND TOPICS FOR FURTHER STUDY

• B.J. Fogg and his new book, "Tiny Habits"
• The Analogies Project

MORE ABOUT ANDREW ROSE:

• LinkedIn
• Twitter

Please subscribe to the podcast in iTunes, and if you enjoyed this interview, please share with your friends and colleagues and leave a 5 star rating and review.

Thanks for listening and sharing.

Bruce & The Re-thinking the Human Factor Podcast Team

Know your cyber security risks with Prudence Smith

PRUDENCE SMITH joins us for Series 3, Episode 11 of the Re-Thinking the Human Factor Podcast. Join us as we discuss risk assessment within a changing cyber landscape. We know our listeners are going to glean a great deal from this discussion this week and enjoy the fruits of Prudence’s years of experience.

PRUDENCE SMITH is a trusted cyber and security risk professional who has been working in security, technology and compliance in a career spanning over 20 years, working in large multinational financial institutions, senior management, client and government liaison, high-risk targets, intelligence and SMB infrastructures.

So put the kettle on, sit back and enjoy this riveting discussion as Prudence explains the importance of understanding the ever changing landscape of cyber security risk.

AS YOU LISTEN TO THE EPISODE, IF YOU FIND YOURSELF WANTING TO IMPLEMENT SOME OF THE INSIGHTS YOU’RE GAINING BUT YOU FEEL YOU NEED A LITTLE HELP, PLEASE DO GET IN TOUCH WITH ME AT:

 

iwanttoknowmore@re-thinkingthehumanfactor.com

TOPICS DISCUSSED:

• When/why human behaviour become a focus in the cyber security industry.
  
  
• How an audit lead to the investigation into the human factor.
  
  
• Cyber security awareness.
  
  
• Risk-based profiling.
   
• Cyber Security Education, Awareness and Culture.
  
  
• What impact events such as the Coronavirus have on culture and awareness.

RESOURCES AND TOPICS FOR FURTHER STUDY

• RSA Conference
• The Analogies Project
• Consumer Data Research Report

MORE ABOUT TERRY O’REILLY:

• LinkedIn 
• Twitter

Please subscribe to the podcast in iTunes, and if you enjoyed this interview, please share with your friends and colleagues and leave a 5 star rating and review.

Thanks for listening and sharing.

Bruce & The Re-thinking the Human Factor Podcast Team