Well good afternoon everybody, welcome back from lunch. I hope you had a good chat and some nice food and a good morning. I'm really excited about this track because mental wellness in the cyber security conference like this is not a very typical subject, and it absolutely should be as we'll be hearing over the next couple of presentations. And so that's why I'm really excited about this track and I'm glad that you're here. I hope people start filling in because I think this is a topic that really needs a lot more discussion and focus than it's originally getting.
Kicking us off this afternoon is a presentation on a resilience framework for stress, burnout and mental health. And presenting that is someone I've known for many years in the cyber security realm, so it gives me great honour and pleasure to welcome the one and only CTO of Virtually Informed and co-founder of the Mental Health and Cyber Security Foundation, Saab Sembi.

Thank you very much for that warm welcome Warwick and everyone else here. It is a pleasure to be here and I've been talking about this topic for the last two years. We can cover those aspects a bit later on in the panel session.
I'm going to try and zoom through, and I do mean zoom through, the presentation I've got here for this session on a framework. It's a slight cheat and I say slight cheat because we are developing the framework. It's not fully developed. We are hoping to get input from everyone. What I am doing is I'm using a case study to explain the things that we're putting into the framework and what we're looking to do and the participation you can have into that framework as well.
So I'm going to leave out all the other things that I can talk about around mental health and why we're looking at it, stress, burnout, all of those things, and that's going to be for the panel session. So let's move on. And right. First thing is it's about cyber resilience. It's not about wellness. That's very, very, very important because most enterprises, large enterprises, have got a wellness program and they will try and say, you know, we look after people, we look after mental health and things like that. That's great. That's fantastic. We love it. It's brilliant. Don't stop doing it.
But what I would say is that why this issue for us in cyber is a resilience issue is because if anything happens to any of you, basically it could impact the cyber resilience of your organization. And that is worrying because those people that don't work in cyber, if anything happens to them and they take a day off work or whatever it might be, it's not going to affect the cyber resilience of the organization. So that's the first thing. It is about cyber resilience. That's why we're doing it. We think it's important because that particular aspect.
Second thing is anything that we look at, any sorts of risks should always be evidence based. So we are trying to do things, making sure that we are looking at the evidence and responding to the evidence. So this is a risk, stress, burnout, mental health in cybersecurity. It is a risk and it should be evidence based. It shouldn't be based on gut feelings because of what somebody said or what somebody has done. And that's quite important. And that's what I'll be trying to illustrate. So with that said, I'm going to go through these slides fairly quickly, as I said.
And the first thing is in all these points here, this case study that I'm using, it's a company. Has anyone heard of Admiral Insurance? It's an insurance company in the UK. It's a fairly large one. And they grew. And what I'm pointing out there in item four is they grew from 13 to 130 members over a short period of time. And that was quite significant. That was sort of the background to why they instigated a program to reduce stress for their teams. It is about the data in terms of what they were looking at. What they tried to do is that they felt that things weren't right.
Things were disjointed. Things were siloed. Things weren't working right within cyber. They weren't quite sure what it was. So they looked at all the data they had and they tried to collect more data. And they used as much data as they could, again, looking at evidence. And that's quite important. They wanted to find out from people what was wrong, what was right, what people like, what they didn't like. And they had loads and loads of questions. So they used in the UK. We have this survey in lots of enterprises as a good place to work. And they ask a whole bunch of questions.
So this is the sort of thing that they were looking at. And this was just one example of the range of questions. Other things that they looked at, they tried to identify, look at using all these different surveys, internal, external surveys and so on. What was the root cause of some of the problems that we're seeing? They didn't feel that they'd identified everything. But what they did identify, they tried to look at the root cause and they looked right across the organisation, across the different teams and the silos of teams, across different, I guess, you know, what people were feeling.
They didn't want to ignore anything. And because they didn't want to ignore anything, they tried to look at as much of whatever the complaints were across the whole organisation over that period. And that led them to look at their security operations. What were they doing? How were they doing it? And some of these things here are quite significant in how they responded. And I'm going to come back to that one there in terms of their sprints, because everything they were doing, they were doing as an organisation that grew very, very fast.
Lots of teams, people not knowing each other and trying to make sure that that worked and that worked well and trying to deliver to the business. And they made a bunch of changes and they changed some of the structure. They prioritised, managed the workloads based on capacity, provided open communication, increased structured regular one-on-ones and made them regular. And they even tried to make sure that the collaboration and the engagement was right across all of tech and all of business. So it wasn't just within the cyber team.
It was speaking to the business, the customers within the business, to make sure that they were identifying and working and making sure that the changes were right as well. And they had several data-driven feedback loops to refine the process. And that was quite important. It wasn't a let's do it once and we'll fix everything and everything will be fine. So there's some of the changes that they made.
Now, as a result of that, over two years, 2022 and 23, I've highlighted one thing there, which is "the demands of my job do not regularly cause me stress". In 22, the score was 39 and in 23, it moved up to 65. And that's a big change of 26 points. And that's quite significant as a result of the things they were doing. And that's not the end. That was the first year they started to see a significant change.
Now, one other thing I will say, some of those other things where they scored previously high on and they improved by one, even that within the new sort of changed culture and set up is quite significant. Because if you think about it, when you're at the lower numbers, increasing one or two, five, ten is much easier. As you get to the higher numbers, every time you increase by one, it's quite significant.
Now, I'm a big fan of things like Breaking Bad. If any of you have seen Breaking Bad and you will notice that there's one really, really interesting thing right towards the end where one of the competitors who ends up working there, he can understand the significance of purifying the drug that they were making and changing that purification from 93% pure to 95% pure. And I use that as an example because once you get to high numbers, it really, really is so much harder to increase by one or two points. And that's quite significant. So the lower numbers are usually much easier to contend with.
But if you haven't seen Breaking Bad, do watch it. It is good. Right. What they did. So what they did was they looked at the four areas that I talked about. They looked at communication, engagement, culture, value and ethics, and they started to engage. They had lots of why talks around the communication. They had lots of sort of team building exercises and many more than they had before, like the summer barbecue and so on. They sort of had an InfoSec award committee. So they started to have awards and recognize people doing well. They improved their capacity planning.
So they worked on lots and lots of little things. And there were smaller groups, each looking at a variety of different things. And they tried to make sure that they were using the data, as I was saying, to move things on and refine process step by step, not relying on anything as a chance, but looking at things in the right way.
Now, one of the other things that they started to do, actually, I think it's the next slide. It's a bit further. It might be the one after this. So what happened? They changed a hell of a lot. They created a whole range of clubs, well-being representatives. They created some of those. And those worked really well. The clubs were like the film club, the movie club. They had a couch to 5K. And although there's only six or seven things here, the range increased.
There's probably something like 25 different groups to help build the teams, actually reduce the stress and work in a way which makes it a far more welcoming place. They also improved their scores in terms of the well-being and workplace support. This is a charter that they signed up to, which is the Mental Health and Cybersecurity Foundation Charter. That's the organisation I'm a founding member of. We set it up last October. We did some work the whole year before that, and it took us a long time to set it up because we weren't sure if it's something that was needed.
When we did set it up last October, one of the first few things that we worked on was a charter that enterprises could sign up to to say, yes, we agree that something needs to be done and you can choose what you're signing up to. So all that text there, the first part in what you're recognising is simple because that's what we're saying is what we're finding in our industry. And then how you're going to respond is what you sign up to yourself. And Admiral signed up to this.
Now, before they signed up to this, they did internally have their own charter and that charter that they had, they got every single one of the cybersecurity team to sign up to it. And they took a photograph with all of them, all agreeing what their responsibility was to making sure that they didn't increase stress and that they helped reduce stress for the whole team. And that was done way before we came up with our charter and got people to sign on. Early on this year, we got 30 organisations ranging from Admiral Insurance, one of the big ones, through to industry bodies like Tech UK.
If you're familiar with the UK, you see them. And then you've got, I think it was one of the tech companies, it might be Rubrik and maybe I'm right, maybe I'm wrong. It's one of those tech companies that also signed up at that time. So we have got quite a few companies, tech companies, insurers. We've got pharmacies. We've got event companies. We've got publications. We've got a whole range of recruiters as well. And that's quite significant. It's quite important.
So we've got a whole range of companies signing up to a charter and each person, each organisation rather, signs up to what they would like to sign up to. We don't say that you have to sign up to this, that or the other. The reason is because this level of charter that we've got the moment is basically to raise awareness more than anything else. At some point, we are going to have a charter that people can sign up to voluntarily. But whichever level they sign up, they're signing up saying we will do these things. And that's what we hold them to account to. OK.
Oh, sorry. I have missed it then. I thought it was in another one slide and I might have excluded it from.
Yes, I did exclude it. It would have been after this one and around here somewhere. One other thing I was going to say in terms of some of the work that they did to reduce stress, they changed the way that they were working and the way that things were organised. So they started to, instead of having half hour meetings or an hour meetings, meetings were now 25 minutes and 50 minutes, which meant that every time anyone's organising a meeting, even with a business, they've got a five or 10 minute break between one meeting and another meeting. That was quite significant.
What they also started to do, they work in sprints of two weeks. Everything everyone is going to deliver is going to work in two week sprints and you've got 10 days.
Now, what they did was they gave two days of slack and that was intentional. They said, we're going to give you eight days of work, but you've got 10 days to do it in. And that those two days, if you get it done before, that's great. But if you don't, you've still got another two days in which to make sure you get it finished by. And they started to make loads of changes like that. And that's what I thought I'd included that slide in, which shows.
Yeah, it would have been here, but it did show the way that they worked and changed their work in terms of the slack that they organise. So they made lots and lots of little changes and all those little changes basically ended up creating a scenario, which apart from all that, we've got a case study, which is this one, and that one is nothing more than slides at the moment. We have got a Word document which we do share, but that is not for public release. You can have access to it if you sign up to our community of practice. Our community of practice meets once a month.
And those that are members do get access to that and you will be able to use that. The idea is that we're not sharing it widely. Part of the reason is because it belongs to Admiral. They wrote it in their time. They've written it for us. We are just agreeing the terms with which we can circulate it, but it will be released on, you know, sort of open source once we've agreed whatever we need to agree and taken out all the bits that they don't like. A couple of other key things to recognise in that particular case study and what we're going towards in terms of a framework.
We've tried to make sure that the benefits that are out there are wide ranging. So in terms of that particular case study, when you get the written one, the PDF or the Word copy, basically what that will include is some of the benefits that they had within their organisation. What they found was retention improved. Job quality, as I said, improved. People who felt stressed didn't feel stressed anymore. They found loads of unexpected benefits that they didn't feel that they would have in such a short space of time.
And they did find lots and lots of very, very significant changes within their organisation that they weren't expecting. So in terms of the framework, we looked at what Admiral were doing independently, but we were working on a framework independently anyway.
Now, in terms of that, the way that the Mental Health and Cybersecurity Foundation works is we've got a couple of groups and we've got some activities that are aimed at various levels. So the framework group impacts everything at all levels. The research group, again, like the framework group, will impact lots of different levels. The charter group, basically, I mentioned the charter earlier on. We have got one version of that at the moment, but we are creating other versions. And those other versions, we will have the charter group leading that.
The community of practice group impacts mainly the team and the individual. And it does impact the others in terms of the framework. But really what the community of practice group is looking at is trying to impact the team and the individual using case studies. We've got one case study. We are looking for more. We are working with a couple of organisations already, but we wanted to get one out there. And that one would help sort of hopefully enthuse others to come forward and put themselves forward as well.
In terms of the framework that we've got, the framework is broken down into these areas, because we do think that if you look around, when we did our original search two years ago, we found, if you look at the cyber resilience strategies of most governments around the world, that they state that the cyber resilience of the country or the nation relies on the cyber resilience of enterprises. Now, what they don't say is what is the next thing. The cyber resilience of enterprises relies on the resilience of each of you. That is what's missing.
And that's quite significant from our perspective, because we would like governments to recognise that and that they shouldn't just be relying on the cyber resilience on enterprises without really understanding that it actually relies on teams of cybersecurity people around the country. The next thing is around the profession and the industry. Lots of things around the industry that need to be changed. One of those is around the fact that most of the cybersecurity certifications, if you look at them, they're all technical.
They're all worried about whether you know the technology and understand the technology and the risk. What they don't understand and they don't allow for are the people skills and the fact that the people skills and coaching and whatever it might be, these skills need to be part of what we look at within our profession and within our industry. Enterprise, team, individual, I'm not going to go into that in great detail. But on the enterprise side, we're working with, and I mentioned we're working with recruiters, we're working with lots of different organisations at various levels.
But the recruiters we're working with, what they're helping us do is something very important, because at the moment, if any of you went back to your organisation and said, you know what, I'm feeling a bit stressed out. Is there anything you can do for me? The chances are you'd be asked to speak to someone in HR. It will go down on your record that you've got mental health problems if you hinted that you might have mental health issues. And that will go against you there and it could go on your record and further.
Now, what we're looking at and why we think it's important that there is transparency and we should have the ability to be transparent in the same way that some of the other areas of discrimination today, people can be transparent about a whole range of things. But one thing that we can't be transparent about, especially in our industry, is about stress, burnout and mental health.
So what we're looking at and what we're working towards in our framework is that whereby enterprises, CISOs, other people working in cybersecurity can be transparent that if they decide they're leaving a job because it's causing them mental health issues or stress or burnout and they leave because of that, they can actually state that and they should be able to state it to the recruiter. So the recruiter doesn't put them in another job, which is even worse than the one that they've just left. And that level of transparency is quite important.
So we are hoping that we will be able to create the right environment within our industry, whereby we are able to be transparent about this in a very, very open way. Am I coming to the end? Yep.
OK, good, because I've only got one slide left. OK, so some of the things that we're looking at around the framework is around collection, assessment, education, awareness. So we are doing lots of things. The framework work hasn't actually started in a big way. Only within our small team it started. But apart from that, we are looking for anyone that may be interested, whatever interest you've got, if you'd like to get involved with the framework or any other aspect in any of the groups that I mentioned.
Sorry, I'll wait. Yep. Anything I've mentioned here, some of the other groups, do let me know. And that's it. That's the end of my presentation. If you are interested, I am around. Please do let me know. Thank you.