Thursday 10th June 2021, 10:00 (BST)

Hybrid-focused security awareness – overcoming colleagues’ remote habits

  • The importance of establishing benchmarks before engaging in any change exercise, both qualitative and quantitative 
  • Recognising and reflecting behavioural psychology, cognitive abilities, social attitudes and modern work-environments
  • Definitions and objectives – what do we want the end ‘culture’ to look like, so that we can establish progress against this

Good morning, everybody. It is Thursday, 10:00 in the morning. Therefore, it is time for another Teiss Talk. I'm your host, Jeff White, every Thursday morning at 10:00 o'clock. We are also live every Tuesday afternoon at 4:00 with my colleague Jenny Radcliffe, who hosts the Tuesday afternoon Teiss Talk, the award-winning Teiss Talk no less. Last night we had the European Cyber Security Blogger Awards, run by Eskenzi, and we won. We won best...

Well, I won't tell you actually which category we won, because if you want to win a Teiss Talk mug, if you're one of our few viewers who hasn't won a Teiss Talk mug, or if you want to complete your collection, tell us what category we won in. The first person who tells us the category we won in will get a nice Teiss Talk mug this morning. So listen, thanks for joining us.

Great to have you back with us, those of you returning, and great to have new people as well. Spread the word if you've got people you think would be interested in this. We are discussing all of the key topics in cybersecurity, and today we're going to be talking about the hybrid work environment and security awareness. How do you do security awareness when some people are in work and some people are away? And we've got a fantastic panel to be talking to us about that.

There's a panel there. Do get involved. Send us a chat, let us know what you think, give us a wave, say hello. And as I say, if you know what category we were in last night at the Cyber Security Blogger Awards, then drop a note in the chat and you will win a Teiss Talk mug, so to speak. We have got a great panel to talk about security awareness training in a hybrid environment. We've got the chief information security officer at Energy Services in the Netherlands.

We've got Nick Harris, who is associate director of Information Security and Cyber Resilience at Oxford Nanopore Technologies. And we've got Sarah-Jane, who is behaviour and culture specialist at Layer 8. But first, we'll talk on this topic to our first guest, who is Stu Hurst, chief information security officer at Trustpilot, who has also worked with lots of other companies besides. Stu, how are you doing? I've got a photograph of you that I'm hoping you'll come back to.

Good to speak to you. Thanks for having me.

Indeed. Indeed. And how are you? How are you getting on? How are you feeling today? How have you been with the lockdown itself?

Yeah, not too bad. I guess we've all tried to manoeuvre our way through the craziness, haven't we, for the last 15 months, and tried to adapt. I was quite used to remote working even before covid times. But I'd be lying if I said it wasn't a bit of a slog now. And we want to get back to some kind of hybrid working, as we're going to talk about shortly.

When I went into an office for the first time on Monday or Tuesday, I went into the BBC, actually into the offices, and I finally met the producer I've been working with for the last nine months in person. We speak pretty much every day, and I had never met this woman. It was a bizarre experience. And you go in with the excitement of it, and it's just empty desks. It feels like being in an office on a Sunday; every day is Sunday.

Indeed. And there's a kind of nervousness as well about behaviour and what the expected kind of norms are as we get back to normality.

And I've seen you talk at a lot of conferences; you actually do a lot of talks. Do you miss doing in-person conferences, and do you miss the talks? Because those are two different questions, I think.

Yeah, there's just something about speaking in person. I actually get far more nervous speaking in person than I do online, maybe because I've got whiteboards and things here that I can reference or whatnot. But, um, yeah, there's just the connection, isn't there, when you're in person. There's obviously the sort of social side to it as well that we all enjoy, mixing with people and talking to people in the industry, which is a shame we don't have just now.

I think there's a fatigue kicking in as well, where you've been online all day with your colleagues, and sometimes the last thing you want to do is spend another couple of hours at night on your calls. Yeah, I'm definitely looking forward to getting back to in-person events.

Indeed. It's interesting. I get more nervous on the online talks. I find them more nerve-racking than the in-person ones, because for the in-person ones there's somebody there to take care of the sound and the lights and all that kind of thing. You just have to go up and talk. With the online stuff, you've got your Internet connection, you've got a microphone; there's lots of sort of technical, logistical stuff that has to work, and you're in charge of it.

Yeah. So myself and Harry McLaren run Cyber Scotland Connect, and we pivoted the way that obviously lots of event organisers have over the last year. And the first one we did was kind of rife with tech problems, unfortunately. You're trying to actually run the event, but also behind the scenes there's panic and everything kind of running. And, yeah, it's a different dynamic when you're not used to doing that.

Ideally, somebody does the tech and somebody does the talk, but it's not necessarily always like that. I've been watching a series called StartUp, which is actually a good series, on Netflix; other platforms are available. And they were at a conference; they sort of mocked up a big technology conference for this drama, a fictionalised conference. I just looked and I was like, oh, booths.

There were booths. I never thought I would miss booths. Anyway, to the subject in hand, which is security awareness and hybrid working. Let's first talk about Trustpilot: how are things working in the near future for you guys? How many people are back in the office? How many are away? What's the plan?

Yeah, so the ops teams and various other teams within the business have been working really hard over the last eight to ten weeks, or probably longer actually, to come up with plans about how the offices return. We're spread over numerous geographies, as a lot of companies are, so there are subtleties within those geographies, not just because of covid but in how those offices run. And they've worked really hard. We're getting to a point where we are starting to look to open offices up.

Our Copenhagen office is open for limited numbers, you know, with certain kinds of restrictions in place. But, yeah, we're very keen to offer that as an opportunity again for people to get back to the offices. There are some interesting nuances around the different parts of the world. In Copenhagen, for example, they have a system where lunches are paid for as part of their employment.

So people are quite keen to get back to the office because they have some perks that come with that. But we might see in some other geographies that maybe there's more of a split, perhaps.

Yeah. Yeah. Interesting. Oh, by the way, Kendall Jackson just won a mug. Well done. Best Up-and-Coming Podcast was, of course, the category at the European Security Blogger Awards last night. Bizarre, because we're not technically a podcast, but don't tell anybody about that. It's like winning an Oscar for a stage play. But that was the category. Well done. Actually, we should talk about just how many countries you're in, because I'm familiar with it, you know, it's where you find reviews of tradespeople and that kind of thing.

How many territories is it? So what's the scale?

Yeah, we have offices in New York, Denver, Vilnius, Copenhagen, Berlin, London, Edinburgh and Melbourne as well, actually. So we're quite distributed and growing in a number of those markets. So, yeah, a really interesting time to join as well. We IPO'd in March. So a really interesting growth period for the company.

Yeah, definitely. And in terms of those different offices, is there one office that seems to be taking the lead in terms of moving into that type of working environment, that you're learning lessons from?

Um, good question. I would say the Copenhagen office, with it being the biggest office. Although there has been a kind of working-from-home culture, as a lot of tech businesses have, I think that's the one that's permitted the most given the numbers, but also might be the one that returns in the highest numbers, compared to perhaps some of the other geographical areas where the office is growing quite rapidly. We've just moved into a new, large office space.

Yeah, an interesting few months just to see how we work on kind of three different set-ups really: either fully remote, a mixture of both, or fully back to the office, if that's what you want to do. So there's a nice mix for people to choose from.

And so each office will offer those three options to each employee?

Not to everybody, essentially. Depending on role, there'll be some roles where perhaps for operational reasons there's a need to be on site, or for various other reasons. But yeah, we're trying to be as flexible as we can, and I'm sure most businesses are trying to do that. I've seen a shift actually as the last 15, 16 months have gone on. I think, and this is just anecdotally my personal experience, around Christmas time there seemed to be an acceptance that working from home was what we were all going to continue to do, perhaps for some people forever now.

And that's what they were happy doing. And actually, as the months have gone on into this year, I'm seeing more people want to get back to an office in some capacity, perhaps not five days a week with commutes. But I think people miss the social interaction more than being in an office, particularly.

I think this is the thing. I think the pendulum is swinging back, swinging back fully. But I do think, if you were to go back to the beginning of last year, January last year, and say, oh, by the way, by April you won't be leaving the house; you'll be allowed to leave the house for a half-hour mandated walk each day; you'd say, well, we'd never do that. And yet, within a few months, we adapted.

So, you know, the idea that we can't switch back to exactly how things were, I think it's going to be interesting to see how far that goes back. But Stu, I want to ask you. That's interesting. So you've got these three possibilities for employees. Has that helped you, in terms of being a CISO, to put in place: OK, one, two and three, here's the security and the systems we put in place for

options one, two and three? Has that helped you systematise it?

I would say on a personal level, I haven't really figured that out yet, actually. We're sort of just all working our way through a fairly fluid situation where, even as we speak, there are things changing in different countries around, you know, roadmaps and things. So from a planning point of view it's actually quite difficult. What I would say is that it appears that most of the businesses on the planet have pivoted brilliantly to remote working, and they've run their businesses from home over the last 14, 15 months, which has probably got rid of, or shattered,

some of the old illusions that certain things have to be done on site: leadership, or certain types of collaboration. We were forced into that way of working. So, yeah, from a security point of view, I guess like anybody would, we're just trying to feel our way through it. It's been a very unique set of circumstances. And then to have to look further on about how we cater for more scenarios, perhaps, than we would have done previously.

And that's going to be interesting in terms of how we deal with just politics.

That's just three months.

So basically, you've now come in. Presumably there was some kind of security awareness project that was part of it, some kind of security awareness thing, looking at the next six months, 12 months or so. How are you handling that? Because normally you'd have a rolling security awareness programme and you'd be able to work out whether it's successful; you get some results back and you can monitor things. You're not only new to the company, but it's a new company.

That's a really dynamic time. So how are you going to work out the security awareness training you do and how you monitor the effectiveness of it?

Yeah, on the one hand, it's been easy to speak to everybody across the business in a way that perhaps wouldn't have happened previously, and tech helps with that. But also, I think in the kind of role that I'm in just now, there's a hell of a lot of leverage in physically meeting people and building relationships across the business as you start to build awareness or try and drive cultures forward. So that's obviously been missing, and it's something I'm personally looking forward to getting back to.

Yeah, it's trying to be cognisant now that people can be anywhere at any point in time. And there isn't as much of a strict regime that people are following, in the way they might have done, 9:00 to 5:00 in the office. We've now got this very open, flexible working pattern where, on a day-to-day basis, you could choose where you are and how you go about doing your work. And it doesn't necessarily just have to be at home.

People could be travelling, in coffee shops, you know, wherever they want to go and do the work. I think we're moving into that world where you can be anywhere to do your work, if you've got a decent Internet connection.

Have you seen... Jonte has just commented: so many people, colleagues, are starting new roles in the last year or so, and the same goes for culture; it is hard to build and maintain, especially for security, which is a really interesting point as well.

I mean, you're new in the business, and I imagine Trustpilot, being an online business, has been either growing or expanding healthily over the last year or so. You've got a whole bunch of new people.

You know, I've not physically met a lot of these people, including my peers and our leadership team, where you would normally be building those relationships in person, as I said before, and that's not been there.

But it's not to say that we haven't been able to do that to a certain extent. And I think tech's been really valuable, beyond the way that we might have used it previously.

How easy is it then for you to get the hang of it? Because you've got a lot of different places on your CV; refresh my memory.

Yeah, so my kind of security journey has been Trainline, and then I did Skyscanner for three years, and then I did Capital One, and then Just Eat, finally, for a couple of years before moving on to Trustpilot.

So when you go into a place, presumably at a certain stage you start to get the hang of what their security culture is like and so on. How easy are you finding that, having been there for a few months and it being all virtual? How do you go about getting a sense of what the security culture is like here, as you would when you go into the office?

Yeah, you know, I've had some very interesting conversations about this over the last few days, around how, when you're on Zoom calls, you can do small talk to a certain extent, but there's generally kind of an agenda. And, you know, you talk through the items of work; there's less of the water cooler chat, or the small talk, or the beer after work, or the coffee at lunchtime, or whatever it might be. There's not really that much of that.

And frankly, that's where a lot of the measuring of culture can come from, perhaps. You know, it's just having those conversations with various people that you might not normally bump into in the business. I can go and create meetings with, you know, X, Y and Z across various teams. But it's like bumping into somebody in the office and then just having that conversation, or somebody brings a problem to you that they wouldn't normally have raised on Slack or on a call.

And I think that can help you measure. I mean, that takes time to do. So what I've been doing for the few months I've been here is just speaking to as many people as I can, but obviously it's been online and I've not been able to have those side-of-desk chats that I would normally perhaps have.

Yeah, yeah. Interesting comment from Jonte: "The water cooler is my primary source of threat intelligence." I'm going to guess it's "I got this weird email," somebody says. So it's really, really interesting how you sort of replicate that online. Have you seen good examples of things people have been able to do to try and replicate that kind of culture?

In a couple of companies I've been in since covid kicked off,

I think everyone's tried really, really hard to replicate that as best they can. I've seen, at Just Eat, we had a Google Hangout that was open all day that you could just go and join and see if anybody was on it, and so grab a coffee and get some small talk, not necessarily even work related. You know, just go in and shoot the breeze. That seemed to do quite well in those initial few months as people tried to adjust.

I think there was a fatigue as the months went on around those kinds of things; they became less valuable. And I've seen that in other areas as well during covid, where lots of social events, the kind of post-five-p.m. Friday online get-together, just tailed off a little bit towards the end of the year as people got a little bit bored with them. I think it's just trying to invigorate those things, and some security awareness will be part of that.

But how do you sort of continually invigorate these programmes to keep people interested, keep people on board?

It's like the company Zoom quizzes. I think the phrase "Zoom quiz" is now associated with "please kill me". It's just trying to keep that going. Maybe that's just my family. Interesting stuff. Thanks. That's a really good overview, and it gets us into the various issues we're going to be discussing with the rest of our panel, who I want to bring in now. We have the chief information security officer at Energy Services; Nick Harris, who's associate director of security and cyber resilience at Oxford Nanopore Technologies;

and Sarah-Jane, behaviour and culture specialist at Layer 8. We're going to come to you first of all. It's a very coordinated look: your top and the background. The wall is going with that; the colours are very on trend, aesthetically pleasing, certainly, most certainly pleasing. Stu's frozen, but Stu's frozen in a really sort of charming, charming little pose. Tell us about Layer 8, because people may not have come across it. What's that all about?

Yeah, no worries. Layer 8 is a company that I set up about six years ago now, really trying to answer this question: is it possible to change behaviour? You know, is it possible to move from the kind of compliance-based approach to security awareness to actually changing behaviour? Something that we came across quite early on in that is this concept around conversation. And Stu said it, you know, in his piece earlier: it's about the relationship.

So we focus on conversation being the catalyst for change and how we can sort of work towards that, mainly through developing champions networks. And that's what we're doing every day.

Interesting stuff. Thanks. And we will come back to you on some interesting insights from a survey that you carried out fairly recently. Nick, Oxford Nanopore. What does Oxford Nanopore do, and how have you guys been recently?

Good morning. Thanks for having me on. We're a spin-out of the University of Oxford from about 15 years ago. We've grown to about 750 people, and we have some very, very clever people who, from what I've seen, very rapidly sequence genomes. So I think the quote they have out is: Dolly the sheep cost about a billion dollars; it can be done for a thousand. So that's the order of magnitude that this technology enables. If you can sequence a genome, the virus has a genome; you can sequence it and you can test for it.

So we've been very busy providing quite a lot of the testing devices and equipment, and even some mobile testing vans, over the last 18 months or so, into Oxford and the post office, actually, as part of the government's testing regime.

And that's why we're so willing to provide the service, I say. But we provide the equipment and the materials by which the labs can do some of the testing. And it's the more detailed testing, so it allows for... it's not just the positive/negative; it's about what variants there are and how the DNA is evolving. And it allows that degree of analysis.

Yeah, yeah, yeah. It's interesting. I had a conversation with the hairdresser the other day when I had my hair cut, and he was saying, oh, it's just flu, it's the same as flu. And I sort of explained to him the idea of genetic tests, that you can just simply test viruses, through a mask. Obviously we were both in masks; it just didn't go very well. Hello. For those who don't know Energy Services, what does it do?

What's the next step as well?

Energy Services is, in the past, an energy company, but they also do several utilities. And in the Netherlands, the utilities department is by far the biggest, with just a little energy department. Utilities, as in building technical installations for a wide scope of industries.

Erm, good stuff. Thanks. Nick, can I come back to you, because presumably you've grown quite a lot over the last year and you've got people who, again, like us, you've never met; colleagues that you've never met. Talk to us about that, about trying to instil security awareness in those folks.

Yeah, I think we'd like to, really. We are both joining the steering committee. So Nanopore itself has grown by, without a doubt, a hundred people in the last year. We've been one of those. So, from a personal level, engaging with the people on the top floors, in the labs, as well as to get that more sort of feel of the normal business rather than just sort of data and metrics and budget sheets, there's been quite a challenge.

But then we've got that challenge of engaging the staff. And to some degree, some of the new joiners have gone straight into the lab. So labs have always been open, manufacturing has always been open, and that role has never really changed. And we just have to have very stringent processes around those individuals. Some people have started and they've never been to the office at all. So, to answer some of the points: how we reached out to them, how we engage with them, how they engage with us, has been a real challenge.

And actually, the people at home have been easier, because the people we've got in the labs, in the manufacturing arms, on our infrastructure, we can't reach out to them that easily. They've got their white suits, white coats on, in that way. But if they're at the desk at home, it's actually a lot easier to engage. And, well, the fact that we haven't had to focus so much on... I'll come on to the hybrid in a second, but the in-office activity has sort of waned: fewer posters, fewer visible reminders, with the online shift as well.

It's finally got people quite used to having Zoom calls for work, as well as engaging with us online for security.

That's interesting. And so, yeah, I want to come to you on this, because one of the things in your survey that was interesting was people wanting to be contacted by security, and people who had been contacted by security at work.

Yeah, really interesting. So we asked the question: how many people had been contacted by somebody from the security team over lockdown to help them set up their home? And 26 percent of people had been contacted, but actually around 50 percent, just under 50 percent of people, had said, actually, I'd really like to be contacted, either a one-to-one conversation with somebody that can help facilitate the change, or a presentation. So there's a desire for people to have some contact and some relationship building with security. Perhaps, and in the survey I didn't go into this in detail, but perhaps it's due to, you know, all of the kind of phishing activities and those sorts of things, which I think have become a lot more apparent over the pandemic.

And perhaps there was concerned about friends, families, et cetera, during that period as well.

Yeah, this is what I found really interesting: the idea of the work and home division sort of really finally breaking down. There's been a lot of stress on that for a long time. The idea of work is now part of your home environment. Is that one way you can potentially reach out to people, by saying, look, if you are working from home, your work security is now your home security? Now, if it becomes your home security, is that not something people hold very close to the heart?

Yeah, I think that's what we've been seeing in the industry for a little while, haven't we: if we can embed good security practice in people's personal lives, then they're more likely to bring that into the working environment. Obviously, the working environment is now the home environment. Those things are blurred more than they ever have been. It's also bugged me a little bit that people think there's a hard stop between, you know, how you personally deal with tech, and then you go into an office and somehow it should be something completely different.

Many of the things that we try and evangelise are fundamentally the same things, around what to protect and how to go about doing it. I think the working day has become different for people now at home. So you would have had that 9:00 to 5:00 perhaps in an office, if you're in that kind of role. Now, people are adjusting their day to work at all sorts of times, to care for children or whatever. So there are complexities about how you make that available, how you secure and operationalise working at other times of the day that we haven't been used to.

And I want to come to you, just following up on Nick's point. Obviously, Nick was saying that they have a lot of people out in labs, and actually they're a bit more difficult to reach because they're not sort of online all the time. I imagine it's the same for you. You have engineers out in the field; you have folks in the office. How do you manage that?

Well, that's a very difficult story. The funny thing is that I started, also like Nick, and also like Stu, in that way. So I started from my home office, and it was very hard to connect with people, because a lot of mechanics were working in the field and I'm working from my home office and trying to make policies and not be the bullet that stops everything. So it's hard to create policies at this time, when you see that people are getting back to the office and you get a hybrid situation of mechanics that were already in the office and were reached by security, but from security from home, and other people were working from home.

So now we have to create a new situation where we're levelling everything for everybody, and that's a struggle.

And this is the thing, isn't it: it's not just trying to work out how you do home working and how you do office working, but making sure the experience people get is seamless, that actually you get the same satisfying and secure experience wherever you are. That's not easy.

Yeah, absolutely. And, you know, one of the things about security culture is, I think in a lot of organisations it's just been allowed to happen, and there's a security culture that exists. One of the things that organisations might need to look at a bit more formally is how they create that security culture through the types of relationships that they have with people. Are new and different relationships required, like ones right down inside certain functions, perhaps even with people who already know that team, who've already built up a trust relationship with them, who is your kind of route through? How you and your team behave as leaders, in the words that you use,

so how other people are viewing security. And also, I think what's really important in curating that security culture is how you can identify those stories and those moments that matter, those good practices that can be shared.

Yeah. Staying with you: so a lot of what you've done in the past has been about conversations, and conversations in the workplace. Can you give us some insight? Actually, Nick, Yorty and Stu too: how can you replicate those conversations effectively online, or in a mixture of online and offline?

So what we look at doing is really trying to find out the values of the people within the organisation, because people come to work and they turn up for their paycheque, absolutely, but for lots of other different reasons as well. So we find that we can have conversations with people and really understand their values by asking questions like: tell me about a time where you felt proud and enthusiastic to defend your business. What were you doing?

Who were you talking to? And the idea is really to establish the core values that underlie why people come to work and protect the business and do the right things, which gives a really good sort of underlying set of values to say, OK, if we were doing those things every day as the norm rather than the exception, what kind of security culture could we create? And looking at doing that collaboratively with people. So, long answer, but you know what?

That's OK. So do you think that it would help to try and integrate the security awareness stuff that people are doing for home work and office work and remote work, or do they need to be two separate channels? Is there benefit to kind of combining them, to pull everybody into the same room, even if it's physical mixed with virtual, or are there inevitably going to be two separate channels?

I think pulling people into the same room would be really useful to have those discussions, because I think it's not just black and white. There are so many crossovers with the hybrid working model that it's very difficult to box: this is what you do at home and this is what you do at the office. I think bringing people into the same environment, where they can talk about things that they've learnt at home, how that translates back into the office and vice versa, would be useful.

Yes. So I would condone combining those messages together.

Interesting stuff. We've had a couple of questions, really good questions, actually. Anastasios has asked all of you, but Stu, first of all, on this, because you talked about this: how can you address security fatigue while employees also experience pandemic fatigue and anxiety? It's that refreshing of the message, renewing the message. What do you think of that?

Yeah, that's a brilliant point. And it's knowing what pace to go at, frankly, and there isn't a right answer to that. I'll give you my experience just now: you know, new into a role, wanting to be seen, wanting to be driving some cool pieces of work, but alongside lots of other important business things, at a time where there is fatigue in general in the population and people have struggled quite a lot. There is no right answer to that.

It's just trying to understand what pace you can go at alongside all the other things you need to do. Sometimes it's the quick wins, just picking off the low-hanging fruit, rather than those big projects which will take a bit more time. It's a balancing act. I think trying to just be aware that this is a thing, fatigue at the moment, and people struggling towards the end of whatever this is, is a thing. And we need to be cognisant of it.

Nick, on that front.

You know, what you want to say to people is really important. The other aspect we've got, and so we're trying to address that, is it's got to be useful and to a degree valuable to the people you're speaking to. So yes, I really favour all in one room, even if you're working at home. But we have smaller groups in one room. So if it's a privacy-related conversation, that's about job and customer services, and if it's about secure development, we'll have different communities as relevant.

And that's the same with the online training we do. It's relevant to the audience. So someone who never deals with personal data is not going to go through another round of GDPR training. We try to avoid that, and that really helps. But also we've gone beyond the home working to try and offer a bit more value. So we've said, for example, you know, online games ahead of half term.

There are dozens of freebie things. We actually got stuff in the stay safe online material about cyberbullying, because if you're keeping the family safe and they think they're getting something from it, then they're more likely to engage. And actually that practice will then perpetuate back into the business.

Interesting stuff. And Jordy, in terms of tackling fatigue, what sense do you get of how fatigued people are, and how do you manage that?

That's a very important point. And I discovered that there was a lot of fatigue about cybersecurity and cybersecurity training. And I think it's also because of the way ENGIE is organised, because we're a very broad company with very broad people, with a lot of other things to do. So we have just one awareness training for everybody. So, like Nick said, that leads to a lot of fatigue. But I think one of the strangest things is that we have this for working at home.

We have this policy that you can order a desk and a screen and a chair, and you have to commit yourself to a lot of health and safety regulations for working at home. But there are no security regulations. So that's a strange thing. So that's also where you see that the security awareness at home is not yet at the same level as when you are at the office.

But you were saying, did you say that you changed that? If you're going to work from home, you now, at ENGIE, have to do some security training?

Yeah, the security training is not mandatory at this moment. So I looked it up yesterday: twenty-four percent of our population did the security training. So, one out of four. And we started to make the security training mandatory for people. And the first thing we started is that when you apply for working at home, you are obliged to do the security training.

So that's the first thing, to get more and more people aware of the training. And with that, you don't hit the mechanics that can't work from home. So you've got a specific group, and that works better.

Interesting. I think we should do, sounds like something we should do a poll on. We'll try and do a poll. We have our teiss colleague away in the background helping us out on this. I wonder if they could do a little poll for attendees: should employees working from home be forced to do security awareness training, or mandated to do security awareness training? That would be an interesting one. We'll get that pulled together. We've got another question from Tony here, which I thought was very interesting.

One: how do we best communicate the safe home, safe work message? Oh, hang on, it popped up on my screen. Now I'm going to submit that back to the question then. Yes: how do we best communicate the safe at home, safe at work message when people are carrying a portable office with them, because, you know, people are carrying devices in and out? You were talking about this when we spoke yesterday. How do you tackle that?

People are literally taking computer monitors and towers home and bringing them back into work?

Yeah, I mean, when we chatted yesterday, briefly, it was that people will be carrying equipment more than they probably ever have been. Hopefully not servers and those sorts of things, but, you know, laptops in bags and phones. We carry phones a lot anyway, but far more work equipment will be being transported around the place. So we probably need to be cognisant over the next few months that there will maybe be more thefts or loss of some of those things.

So I think it's just trying to understand some of the subtleties of how we're now working and whether that presents more risk or different types of risk in various different areas.

Interesting. Nick, what's the strategy at Oxford on that, because obviously you've got incredibly valuable stuff at the office. How do you handle people taking things home, and the physical side of it?

I guess one aspect, there's always that risk. I suppose we know who handles the IP. We have some really critical trade secrets, IP which the business is dependent on. We know why that is, we know who handles it. And then there's other information out there which our staff handle, which we have different sorts of controls around. So firstly, knowing where the crown jewels lie and who's got access to them means that you can have different degrees of stringent access.

But what we did, quite early on actually, we just had a checklist, and the idea was you could essentially stick it to the top of your laptop screen. I don't know if anyone did, but the idea was there anyway. And it was just simple things to do when you got home. And it was a bit of a snapshot of what was in our typical work policy. But it went a bit further to say that if your kid is short of a laptop when they're trying to home school, have a separate account for them, don't let them just go on your email.

So we had all sorts of checklists that just meant they didn't have to trawl through documentation, but it was just at their fingertips, and it just let them know what things they could do, what sort of steps they could take: home wi-fi, routine practices, etc., that would help them when they got there.

Interesting stuff. We've had the results of the poll, which is probably no surprise to anybody: should employees working from home be forced through security awareness training? 89 percent of our audience says yes, because a large majority of our audience are security folks. Look, if you said no to that, do say in the chat why you don't think that's a good idea. What interests me is it seems to make, on the face of it, perfect sense, but perhaps there are counter-intuitive aspects to that, just in terms of what Nick was talking about, that is, moving between home and work and all that kind of thing.

I mean, obviously, there are different sizes of businesses and, you know, not all businesses are of the scale of ENGIE and Trustpilot and so on. For smaller businesses, how are they handling all of this?

Yeah, I mean, again, on the survey that we did, which was completed by actually quite a lot of people from small businesses, 75 percent of them said yes, we're going to be taking our equipment and probably printed documents to and from the office. And that ranged from literally just a laptop through to the keyboard, the mouse, the charger, etc. So lots of different data in equipment and in transit. And of course, a lot of small businesses might not be able to afford what Jordy was discussing about, you know, ordering different equipment.

So they're just going to have to cope. And, you know, some of the things that I would suggest to organisations is, yes, there are lots of rules that we can give people. There's lots of advice, which is all great. But it's about identifying some of those key habits, some of those moments that matter, when people interact with a system or piece of data, and how you can instil some key thoughts and conscious thoughts in people when they're, you know, moving from the home to the office.

Hmm, interesting. And you also talked about, it was quite interesting, the idea that security culture used to be, you know, a lot of culture developed on the fly, whereas security culture now needs to be engineered. You need to actively say what is our security culture going to be and how do we do that, as opposed to just relying on it kind of coming to fruition.

Yeah, and that's always a difficult one, because I think when you use the word culture, people go, oh my gosh, what does it mean? You know, it could be enormous. So, you know, I would define culture as what people say and what people do that demonstrates what's important to them. And if we can understand that through having the conversations, through those relationships that we've got in the business, we can start to boil that down to a number, perhaps four to seven key habits, that if everybody in the business was exhibiting those, it would mean that the business was much more secure.

Those key habits can then, from a process and a measurement perspective, be broken down into these moments that matter, these touch points, high-risk critical touch points when people are interacting with a system or piece of data. And then that's what we need to curate in terms of, well, how do we catch people doing the right thing? How do we make sure that we shout about those things and amplify what's happening? And how can our words and language, with the board, with everybody, move us in the right direction?

Yeah, interesting stuff. Um, Martin made a good point, which is about security awareness training for working from home: if you feel the need to force people to do the training, you need to look at the approach, the content and how you're selling it. You might make some marginal gains, awareness gains, but are you going to change behaviour? I just want to come on to... Oh, hey, we've got John's comment actually following up on this.

People, colleagues, often learn how security is done here from leaders in or around the office. With no office and no visible leaders, getting colleagues to exhibit these key habits, both at home and in the office, is the huge communication challenge. Thanks for that, John. I just want to come, in the closing minutes of this, to the idea of measuring this, of the metrics. I mean, Stu, you know, in normal times you would do a security awareness programme, phishing exercise, whatever, and then you get results, and then you do it again.

And how do you get around that challenge at the moment, where not only are you in a fluid environment, but getting the metrics, getting the measurements, must be a nightmare? How do you get around that challenge?

Yeah, there's been some really good chat around measuring, actually, just in the last few minutes. And it's notoriously quite difficult, because there's been a good point made around, you know, there isn't a one-size-fits-all, and that's why, at the industry, company or even individual level, everybody learns in a different way. And there are different types of information you want to give to different people in the business. We sort of historically go to measurements of bad things happening.

So you do your phishing campaign, you can see how many people clicked the link or went to the URL, or whatever it is. How do we measure that? I think Sarah's kind of touched on this. How do we measure the positive aspect? Is there even a way to measure the good things people are doing? Because you don't see them; you see the bad knock-on effects, not the good things happening. So how do you even measure that?

Sometimes it's just a palpable feeling, you know, that a culture is moving. It's not necessarily measurable. I mean, one of the things I've found in my own career is the more people speak to me, the more people actually come to me with an issue, or are open to the idea of having a chat with the security team, although that's not brilliantly measurable, is a really good example of spreading your wings a little bit and getting around the business, I think.

You know, I've seen some great training platforms and tools and things that are great, but again, it needs to be tailored to the right sets of people, or even individuals, to get the value. And that's very different. I could go from a technical OWASP Top 10 talk with engineers to something very high level with an exec, or something less technical. So, yeah, it's just trying to tailor those conversations to the right areas.

Really interesting stuff. We're approaching the limits of our time, so I want to thank all of our panellists. That was a really interesting discussion. And it's just one of these things that is going to keep coming back and back over the next six months to a year, how you manage this. So I wish you the best of luck with it. Stu Hirst, chief information security officer at Trustpilot; Jordy Mullers, CISO at ENGIE Services Nederland; and Nick Harris, associate director for information security and cyber resilience at Oxford Nanopore Technologies.

And of course, Sarah Janes, behaviour and culture specialist at Layer8. Thanks to all of you. Their LinkedIn profiles are in the chat, so do click on them and connect if you want to chat with them further. Thanks for all of your questions and comments. It's always great to hear from our audience here at teiss. I am going to quickly go on to the teiss site and see what we're talking about next Tuesday, what my colleague Jenny is talking about next Tuesday.

Oh, here we go: the CISO and cyber security vendor relationship. Oh, that'll be a spicy one. So Jenny, next Tuesday at four, will be speaking to Leader Muller from Stanford University about that. That's going to be a really interesting chat. So do tune in next Tuesday, and of course next Thursday here for teissTalk. Have a great, great weekend. Thanks again to our panellists. And we'll see you all again soon on the award-winning teissTalk.

Have a great day. Thank you.

Your host:

Geoff White

Investigative journalist Geoff White has covered technology for BBC News, Channel 4 News, Audible, Forbes online and many others.

An experienced public speaker, he has given keynote talks at some of the UK’s largest tech events, in addition to hosting conferences and chairing panels at venues ranging from London’s Chatham House think-tank to the Latitude music festival.

Guests:

Stu Hirst, Chief Information Security Officer, Trustpilot

Previously at Just Eat Takeaway.com as Interim Director of InfoSec, and also headed up Cloud Security for a leading global hybrid marketplace for online food delivery.
Former procrastinator turned excited imposter.

Former IT Security bloke for Skyscanner, Photobox/Moonpig, Capital One and The Trainline.

Some awards I nominated myself for in order to have a night out (and subsequently didn’t win):
Finalist for Outstanding Contribution 2019 – SC Magazine Awards
Finalist for Security Team Of The Year 2017 – SC Magazine Awards
Finalist for the Cyber Evangelist Of The Year 2017 – Scottish Cyber Awards.
Finalist for the Cyber Evangelist Of The Year 2016 – Scottish Cyber Awards.
Finalist for Cybersecurity Team of the Year EMEA 2017 – Cyber Excellence Awards

One half of Cyber Scotland Connect: https://cyberscotlandconnect.com/ – helping build Cyber communities across Scotland.

Jordy Mullers, Chief Information Security Officer, ENGIE Services Nederland
Nick Harris, Associate Director Information Security and Cyber Resilience, Oxford Nanopore Technologies

Nick has over 14 years of experience in security, and driving strategy and change from a career spanning the Ministry of Defence and Big 4 consultancy. Nick also holds a Masters in Business Administration from Cranfield University.

Sarah Janes, Behaviour and culture specialist, Layer8

Straight from school to BT’s Security Awareness Team I found out pretty early on that the people side of security was what I was interested in. By the time I was 21 I was running the team, and learning what it was like to try and get budget and buy-in for the people side of security. Which is where my incessant drive for improving how we measure behaviour change comes from.

Between then and now – Graduating with a 1st in Professional Communications whilst working full time and competing for the UK in Age-Group Triathlon, becoming a parent, being a Trustee for a local charity, working in small organisations, delivering change programmes to FTSE100 clients – helped me do the toughest thing yet! The decision to start Layer 8!

And I do it because I truly believe in people, and that a future exists where we’re on par, or even ahead of the hackers. I believe each and every one of us has the power and the freedom to make change happen and that’s a life lesson I especially want to pass on to my daughter.

Expertise in people security:

  • Creating people strategies woven into business strategy
  • Supporting managers to get security on the Board agenda
  • Measuring behavioural change and its impact on risk
  • Creating security awareness/behaviour and culture programmes
  • Speaking on cyber/people security

© 2021, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd • Registered number: 05832927 • VAT registration number: 830519543
