Do you have advice for information security leaders on building cyber resilience?

"From all that effort, it made the delivery much easier. We had... data which said which audiences needed what sort of awareness campaign. The delivery becomes very easy at that point."

 

Nick Harris, Global Head of Information Security at Oxford University Press, talks to Sooraj Shah about behaviour and security awareness across the organisation, and how they were able to pinpoint and target their messaging to build awareness and cyber resilience.

Nick Harris will be speaking at the teissR3 | Resilience, Response and Recovery summit taking place online, 15 - 24 September.

This year, the very popular teissR3 event focuses on how to improve your organisation’s cyber resiliency and adopt best practice in incident response and crisis management in a post-COVID-19 world.

Video transcript

Do you have any other advice for Infosec leaders when it comes to cyber resilience?

So going off our experience, and I'm pretty sure every organisation is different, however much of a cliche that even comes across like, we took our time. And we had the luxury of it because we started our awareness programme so early.

So resilience of our staff. And we set out a strategy looking at all aspects of security that we wanted. We had a strategy that aligned with the business, we had a strategy that aligned with IT, and a strategy that aligned with the business continuity and resilience strategy.

And that's allowed us to look at where our shortfalls were, where staff behaviours were absolutely not where we wanted them to be. We took the time to run an internal behaviour awareness cultural survey to identify even more data on particular points.

And therefore, from all that effort, it made the delivery much easier because we had at our fingertips data that said which audiences needed what sort of awareness campaigns, some of which was distributed completely across the organisation, some of which we can now target specifically so people aren't being inundated.

And that allows us to pinpoint the message and get it across far better. And that really has paid dividends. It was a lot of effort up front, but if you've got the time I would spend it wisely really understanding what you're trying to do. What is the purpose that you're setting out? What resiliency message and efforts and change do you want to make? And then the delivery becomes very easy at that point.