Understanding peoples’ motivations and exhibiting trust are two approaches that the security industry dramatically under-utilises
We often think of IT as a very technical space. With the proliferation of industry-specific terms, niche soft- and hardware and the need to understand how it all plays together, that is probably no surprise - but Lianne Potter, an IT leader at Covéa Insurance, wants to prove that people without a technical background deserve consideration.
Today, Potter is Covéa's information security transformation manager, responsible for changing the way security is seen and thought about. It's a big role, especially for someone who wasn't in IT until a couple of years ago.
"I passed my degree in English Literature just as the financial crash was happening, panicked a little bit and thought, ‘I've got an English Literature degree. How am I going to find a job? What am I going to do with that?'"
After several years working in a charity, Potter became interested in the digital divide: the idea that not having access to online services in the modern world leaves you at a social disadvantage. That interest led her to study a Masters degree in Applied Anthropology, which in turn "opened my eyes to the potential that tech for good could really do."
Six months later, having taught herself to code, Potter was working as a software developer for NHS Digital, which inspired a love of cybersecurity that she describes as "a baptism by fire." That, in turn, led her to Covéa, which loved her approach to blending security and storytelling.
"I really wanted to change [the tech-focused approach to security], and I did it through storytelling and through understanding what peoples' motivations are, all drawing upon my past work as an anthropology researcher. Word got around that that's what I was doing and Covéa said, ‘We're doing a big digital transformation at the moment and we would like to have that kind of mindset, because we want to try something new and security is definitely top of our priority'."
Tech through a human lens
Anthropology - the study of humanity - is an unusual background for an IT professional, but Potter defends the choice, pointing out that while the technology might change, people stay the same:
"How we use tools and how we use that to communicate with each other does change, but actually the fundamentals of human experience never change, and that's why [anthropology] works so well there."
People are often said to be the weakest link in cyber. Potter believes having a background that encourages thinking about people - their motivations, hopes, likes and dislikes, all of which affect their behaviour - is fundamental to addressing that.
The issue of trust was one of the first things she tackled. Realising that security is seen as a blocker ("We've got a horrific PR issue as an industry"), she points out that employees hate to feel untrusted - and it can actually exacerbate the issue when things go wrong.
"Trust is about giving people the safety net to think, ‘I want to make my own decisions, but I know who to go to if I don't make the right decisions'. To me as a security person that's just as important; so, knowing what the right thing to do is, but if something goes wrong, knowing that you can just come to us and we can get it sorted, rather than fearing retribution."
Most CIOs, of course, have exactly the technical background Potter doesn't - and they probably aren't well-versed in anthropology, psychology or other behavioural sciences. But that's the reason different teams exist.
"A lot of companies these days have user researchers and user experience teams: leverage those. If you're going to put a new control in place, do the prep work beforehand, engage them, and say, ‘Can you just find out what people's [pain points are]?' Like you would if you're adding new functionality to your application; you would go and do your due diligence, your market research. Do something similar."
There's no pressure to completely change the way the entire IT industry functions, but it does need to rethink how it handles people: whether they are employees or potential recruits.
"I think we're too concerned about certifications and years of expertise rather than what someone can actually bring," says Potter.
"Do I think [IT leaders] need to do an anthropology degree? No. But I do think they need to start hiring people or considering people from backgrounds that have human-centric qualifications, because the tech can be taught. I come from a totally non-technical background and within six months I got my first tech job, and that was through just learning it.
"I think there's a lot of ivory tower-ness about the type of work we do. If you just find the hook that you're into, you can just learn the tech, but the human side is much more of a different story."
Lianne Potter will be speaking about the fusion of anthropology and information security at the Cybersecurity Festival in June.