Moving security from blocker to business enabler all comes down to culture, says James Packer.
People complain about cybersecurity. They just do. It gets in the way, stops people from doing their job and, let's be honest, is really just completely unnecessary. Who would ever be fooled by a phishing email?
If you've ever thought that, you're probably among those most in need of cybersecurity, and you're not alone. Only about 10% of us remember all our security training.
That's because, for most people, infrequent formal training is far from the best way to make people care. It's better to instil a culture that values it - and to show people the personal ramifications of poor security.
At least, that's James Packer's experience. He boasts years of experience in the sector, most recently as head of information security - CISO, by any other name - at EF Education First, a role he left this month.
"This is a very large global organisation. Its security posture and its maturity were not where EF leadership wanted it to be. Five years has been transformative for the organisation."
EF's security culture has changed "very dramatically" over the last half decade.
"This is because you take an organisation with a mixed level of understanding and maturity around the topic of cyber, and you give real, measurable human-relatable examples of security being important to the person and to the profession.
"The culture shifts, and taking an enabling and facilitating mindset, rather than a disrupting and a ‘no' mindset, really helps to bring people on the journey."
It's their purse, their wallet, their car keys
"You've got to make [security] clear and relatable for people to get it," says James.
It's a good point. Traditional security training focuses on threats to the business, and it doesn't tend to stick. People might behave themselves for a few weeks, and then it's back to business as usual.
Instead, take a more disruptive approach to drive the point home.
One of James' most talked-about projects, which prompted lasting change, involved physically penetrating one of the facilities. Attempting to imitate an attacker, he walked in with a GoPro strapped to his chest, highlighting the need for better physical security.
"I went and broke in and filmed it. I edited it, tongue in cheek, bit of humour, bit of music, bit of playfulness, and played it back to the staff over lunch.
"People's minds were just [overwhelmed,] because they can recognise the premises, they recognise their office, they recognise their desk, they might even see themselves in that video. But they're looking at it being played back to them from the eyes of an attacker... People get it, they can relate to it because they're picturing, not that it's a company laptop that's being stolen, it's their purse; it's their wallet; it's their car keys."
Making the video relatable, but also with "a bit of humour and playfulness," made it immediately memorable, and prompted staff to ask questions about security.
"There's a fun angle to it, but actually there's quite a serious angle to it too." James points out that, had he been a real attacker, it could have been "a big problem" for the company.
This example, and others, have had more impact than traditional training, and employees' mindset and culture around security has changed as a result.
"We've encouraged people to really be curious about security, and now they are. They're asking questions left, right and centre."
His time at EF has been rewarding, and James hopes to have left a lasting impression on the company's security mindset; but he recently decided to move on to a new role. Although he hasn't yet announced where he's heading next, he has told us that he will continue to use his hands-on, practical experience and creative mindset to "challenge the way businesses think about security; done well, it can assist, rather than hinder, in achieving lasting business impact."
Considering the cyber skills gap looming over the UK, we wish him the best of luck.
