CTO Exchange: The human side of cybersecurity
Protecting people and companies is critical, but making that need relevant to staff is key to making it work. Cyber expert Jaspal Jandu spoke to the Inflexion portfolio about the importance of security.
A culture of cyber complacency is dangerous. Cyber veteran Jaspal Jandu says it is important to change this culture. He should know: he boasts a 20-year career in cyber within the media industry and has extensive experience in dealing with some of the largest security breaches of our time.
He joined ITV plc in 2015 and currently serves as its Deputy Group Chief Information Security Officer. His aim was to boost the FTSE 100 company’s cyber capabilities, mindful that “culture eats strategy for breakfast”. In short, he knew that if he was to succeed in educating the business on the importance of cyber, and so significantly raise its resilience, he first had to understand the business and how it operates.
Jaspal began trying to make an impact by getting in front of teams to rally people round the importance of cybersecurity, explaining what individuals could do to protect themselves and the business. Once the message was out, he tried to keep the drum beating, and pursued a compliance approach in parallel, but it wasn’t scalable, not least because creatives were neither enthusiastic about nor engaged by the approach.
Returning to the drawing board, Jaspal looked at research and talked to academics and – more importantly – talked to colleagues across the business about what would work. His conclusion:
The love of game-play meant an experience would be the best way to reach the team. “We developed an escape-room which used physical puzzles along with a digital app to take colleagues through common techniques used by attackers to land messages around secure passphrases, phishing, encryption and more.”
It was clearly popular, but then the pandemic put a halt to such events. As a result, Jaspal and his team decided to move the experience to live streaming events and created competitions where colleagues had to solve a bunch of clues from communications sent out via different channels. “We even built a digital ‘world’ to make our mandatory training more of an ‘experience’,” Jaspal enthuses.
It went down a storm, mixing fun with encryption and illustrating the importance of multi-factor authentication. It effectively moved away from pure ‘compliance’ to show how cybersecurity related to colleagues specifically, and made it about personal protection.
Ultimately, it has helped drive behavioural change. “While we need to continue and are never done, we have learned loads and now are looking at how we can effectively measure these changes in behaviour over time,” Jaspal explains.
Indeed, the job of educating on cyber is an ongoing one, both because of new joiners and because hackers themselves keep evolving. While threats and the measures to mitigate them continue to evolve, one thing remains constant: relevance ensures a willingness to take part.
It takes 66 days to form a new habit. As a result, a one-off security session won’t catalyse change on its own.
Trying to instil the right kind of thinking for people to help themselves is preferable to the compliance angle when it comes to cybersecurity, according to Cydea, a specialist consultancy in the field. “This needs to be modelled from the top so that leaders are setting a strong example. Additionally, focusing on positive behaviour is a better driver of change than berating breaches,” says Cydea founder Robin Oldham.
A key element of conveying the seriousness of cybersecurity is to do so in a way that is clearly understood by non-experts. “The cyber industry at large loves the image of hackers in hoodies and acronyms, and it’s not very helpful when it comes to communicating the issues,” says Robin.
For this reason, it’s important to communicate up to the board and ensure that people understand the impact and the relevance to the business: financial damage and reputation. Rather than lots of tech jargon, it’s about transforming technical language into digestible wording that makes a straightforward impact.
Cydea recommends three Ts for delivering effective security awareness training: make it Targeted at specific roles, Tailored to their needs, and Timed for when they need it.
Finally, make training about impact rather than box-ticking. “Measure meaningful things – completion rates for example are only half the story. Rather than simply asking staff to attend, it’s about illustrating the impact you’ve seen on your business. For example, ‘We've noted five fraudulent emails in the last month that could have cost the business £250,000!’ Making it relevant will make it matter.”