12 Mar 2018

Engaging with your people to make InfoSec an enabler

Mark Nicholls

Ahead of his panel appearance at Cloud Security Expo, Nicholls discussed the best way to help your people stay secure, without creating a ‘blame’ culture.

“Users are the weakest link.” This phrase is often rolled out, and has gained serious traction when discussing cybersecurity. Nicholls, however, is not a fan. He argues that colleagues, customers and partners can actually be the strongest line of defence in the fight for information security.

At Peabody, Nicholls tries to ensure his team is always on hand to give help and support, and encourages people to speak to the team if something doesn’t feel right. Even if nothing comes of it, he argues, it is better that the team knows.

By combining this approach with awareness and education, and avoiding a blame culture, Nicholls believes his colleagues are empowered to become security champions, rather than being afraid of security.

Changing security culture

It is an unfortunate fact that organisations with this structure are probably the exception. Changing behaviour so that people feel more able to approach their information security team can be difficult.

Nicholls recommends starting at the top. By leading through example and changing the culture at C-level, it’s far easier to instil an enthusiasm for security throughout the organisation.

At Peabody, Nicholls notes that the CEO had previously seen information security as something purely for the IT team to worry about. Only after the director of finance received an email from somebody masquerading as the CEO, asking for a money transfer, did he realise the importance of security, and the role that everybody has to play.

Following that, the CEO took part in a short video for staff, where he spoke about the importance of information security. Personalising the risk in this way, Nicholls argues, is far more impactful and helps people become aware of what they need to do and need to know.

That human element is key. In Nicholls’ experience, people seem to be relatively adept at spotting security risks when doing online shopping at home, for instance. But once they enter the workplace they tend to see far less personal impact in the same risks.

Opening up a conversation with an example helps people understand how better practices can directly affect them. Nicholls once explained to a member of HR staff that by leaving their workstation unlocked with the HR system open he could change the bank details of their payroll record so that their salary could be paid to him.

This action would have affected them very directly in the sense that they wouldn’t be able to pay their bills. That person, Nicholls says, now locks their workstation whenever they leave their desk, and encourages others to do the same.

How InfoSec has changed

Nicholls started his information security career in academia 12 years ago, and it developed through traditional IT roles into more specific security responsibilities. A chance meeting at another university led to him joining a group of security professionals based in London, who collaborated and brought new ideas together.

Discussions at this group made it clear that they were all facing the same challenges. At that time, there were very few full InfoSec teams in academia, and looking back now, Nicholls sees a similar trajectory to maturity in different industries.

What this path to maturity does cause, he argues, is a stifling of collaboration. In the commercial sector, where competition drives a lot of behaviour, this is particularly true. According to Nicholls, this approach doesn’t help the end user. Cross-sector collaboration, he says, still has a long way to go.

Saying ‘yes’ – securely

By consistently saying no, and blocking requests, security teams can be seen purely as a barrier, which encourages a move towards ‘shadow IT.’

At Peabody, there is a need to share sensitive information with partners. However, because IT had not previously come up with a way to share this data securely, they had been telling staff not to share it at all. That led to some people using Dropbox, which the IT department cannot see or control.

Nicholls’ approach was to embrace the challenge and look for a solution that would not block business-critical operations. The result was a successful, award-winning solution.

The relationship between InfoSec and the rest of the business

The security team, Nicholls notes, is trusted by the rest of the business to deliver secure solutions and keep them safe. Evaluating risk is a big part of that job, and a mixture of solutions can be put in place so that the InfoSec team is seen as an enabler rather than a blocker, while still keeping the business adequately secure.

At Peabody, there is backing from the most senior staff on this point. Nicholls says his first exposure to the board was with the signoff of the overarching information security policy. At the time this happened, the chair of the board was also involved with an NHS trust that had been affected by the WannaCry attacks.

This meant the chair understood the risks and was familiar with the consequences of an attack. As such, Nicholls and his team gained the full support and backing of the board. This, he says, is a vital ingredient in producing an effective and secure InfoSec policy, but also one which allows them to say yes.
