And the first one will be Tom Langford, who's somewhat renowned for his online videos educating on information security. Please welcome Tom. Good morning, Tom. So here is your device. Thank you. Okay. And slides are here.
Okay. Good morning folks. It's really exciting to be here, such a big room, and there's about one person per table on average by the looks of it. So I'll have to be looking a lot from left to right here, but you know, we're all here together. This is a safe and happy place for us all.
So I'm gonna be talking to you today about trying to make security your competitive edge, and whether it is your competitive edge, and looking at three different aspects of how we can do that. The very first thing, my standard disclaimer, which says that all of these ideas are my own and nothing to do with my employer, which is great, cuz you're gonna love my ideas and break into rapturous applause at the end, obviously.
So the first step we go to when it comes to actually making your security function a competitive edge is we start with marketing. And why marketing?
Well, I'll tell you, it's very simple. It's because I work for a marketing, digital marketing and advertising agency. So marketing is something that's quite close to me, quite close to my DNA, something that I do. That's why I wear trainers instead of shoes, so I can mix in with the creatives and they don't realize that actually I'm a CISO. They think I'm one of them.
But marketing is very important because actually it's the way that we communicate effectively. If you think about advertisements that you see on the TV and in print and on posters, they evoke a response from you, as opposed to purely selling, which is just telling you that you need to do something.
Marketing evokes a visceral response. If we look at an advert, for instance, this is an advert for Volvo Trucks. Now 90% of the advert, you may remember this advert, but 90% of the advert concentrates on Jean-Claude Van Damme's face, not the product, not the truck.
It's only when the camera pans out that you actually see that the product happens to be under either of his feet as they're traveling along the road. You know, the point of the advert is about the smooth ride, the suspension, et cetera. But most of the advert is about Jean-Claude Van Damme. It's about evoking your response about him, whether you like him or dislike him or whatever; what he's doing here is very impressive. And how is he able to do that? Because of an impressive product.
And similarly, again Volvo, if you think about how much advertising space costs generally, per square inch or per square meter of poster, you want to put your product onto as much of that space as possible.
You would think.
Well, here are some great examples where you don't. The product itself is this tiny little car in the bottom left hand corner. What you're looking at is a lifestyle. If you buy our product, you have a lifestyle. So you can drive to these various places and leave your children's valuable things lying around, litter in the environment, you know, is one way of looking at it.
But it's about actually evoking that response. The product itself is secondary. You plus the product equals the lifestyle that you wish to lead. And that's something that I think we need to do as security professionals: start marketing ourselves internally to our business in order to be more effective.
Now, if I was to stand here and tell you about my first kiss, I think I was 14. It was in the back of a cinema.
You know, et cetera.
It was really good. I don't remember her name. You're starting to get bored already. Okay. Now I want you to think about your first kiss. Just cast your minds back. Think about your first kiss. What happened, the situation, how you felt, what you were doing, what were the smells?
What were the colors? What was it? You can start to feel this in your stomach now because you are thinking about your experience, and this is what we need to do. We need to stop telling people how I want you to perceive security. I need to ask you to get your perception of how you perceive security and what it means to you. It's a very subtle but important difference here. You'll get much more of a visceral response when you relate the topics that you talk about to the individuals and to the people that you want to talk to.
So we come up with this algorithm, if you will, that's been shared as a technique, as it were, that's used by a few of the agencies within our brands, which is value plus story equals experience. Now everybody here as security professionals brings value to the product, value to their company. What they don't bring is a story. They don't bring anything that generates that visceral response in people. And therefore there is no experience to be had. And therefore what they bring becomes valueless. It becomes ignored.
If we sit people in a room and shout PowerPoint at them for an hour and tell 'em what's good for them and what's not, they will completely ignore it. Or at the very best, they'll remember it for the 10 questions at the end and then leave. And by the time they've eaten their lunch, they've forgotten just about everything about it.
If you bring a story into it, you will create an experience. You need to create that experience in order for them to engage, because storytelling is something that we have done since we were children.
It's a very vital, important and fundamental part of human nature, storytelling. And if we tell stories, and I don't mean in the traditional sense, but if we tell stories and weave environments that people can relate to, then actually they start to get that experience. They will engage far more with you as a result. And the very key thing I would say about this is: be generous with your information.
If you want to do this, this is the one thing I will give you to take away, because this one slide in and of itself is an entire talk by itself, but be generous with the information you impart, from my perspective and my experience.
We advise people on how to secure their own wifi networks at home, how to enable two factor authentication on iCloud and Google and Gmail, et cetera, how to do things at home, how to close down YouTube so that young children can't access inappropriate content.
That for me is an important part of an education for my people that allows them to then bring that fundamental knowledge into the workplace and apply it there, where I will also give them other information. There was a recent study by the British Computer Society that said that 23% of people do not have the basic requisite skills to manage a digital lifestyle. They do not know how to use computers. They do not know how to secure things. They do not know, you know, how to act appropriately when various emails come in.
So if we're looking at that in your workforce, that's at least a quarter of people who will absolutely lap up what you offer them and will engage in a very different way.
And it's probably a much higher percentage that will also be able to share that with their families and their friends as well. So I want to move on. Before going down too deep into the whole value and experience chain, I want to talk about strategy versus culture. This is the second part of trying to ensure that security is a competitive edge.
Now, hands up here, everybody who has a security strategy. I was hoping for a few more than that, but that's good. That's good. Well done. You should be very, very proud. Hands up here, anybody who has a security culture? Right. Significantly fewer, but again, this is good. This is important. There's a difference between a strategy and a culture. A strategy is like the bullet leaving the sniper's rifle. You need to make a tiny adjustment here, otherwise you are way off target out there, and it flies, and it flies in a straight line.
If you can imagine, culture does not change like that.
What culture does is actually adapt and change in accordance with the environment that it's in. Strategy will change every three to five years at least. Now Marks and Spencer's, a great British brand that many of you may have heard of, their core culture and values have not changed since the late 19th century when they first opened. They have remained exactly the same. Their strategy is very, very different. And here's another view of this: Batman and the Joker. We all know these guys. My favorite's the Joker because he has a culture. He adapts and he always comes back.
Batman just keeps smacking him down, smacking him down. And then up gets the Joker, because Batman has a strategy: fists. The Joker has a culture in the fact that he adapts and he improvises and he overcomes, and he changes the way that he attempts, which is why the books keep on going.
And Peter Drucker, everybody knows Peter Drucker, and everybody knows this: culture eats strategy for breakfast.
Culture is fundamentally important for a business, and so therefore is a security culture, because a security culture will do a huge amount of work for you without you even knowing it. Now, if you were to Google, as I did, how to create a security culture or how to create a culture, you'll get a whole bunch of things. There's lists of, you know, 10 things to build a culture, et cetera. I'm gonna focus on four, which I think are the most important here and the ones that you can take away very, very easily.
So the first thing is, you know, the advantage of a culture over a strategy is its resilience. It changes, it bends, it doesn't break.
It evolves over time. The culture actually will ensure that your message gets through whatever the strategy, whatever the economic climate, you know, because in a bad economic climate there might be less opportunity and less money for training. Now in a traditional environment that's a problem; in a security culture environment, that is not a problem. It's also efficient.
You don't have to feed it much; once you get it up and running, it keeps going. It's self-generating, because the culture is embedded within each and every one of you. It's about ensuring that your security topics and your security environments and your security attitudes are maintained despite what is going on in your business. It's incredibly efficient and very cheap, if you will, or good value, I should say, to operate. It also really differentiates you.
If you look at your competitors and you could line them up, what actually differentiates them? It's not necessarily product offerings; certainly in our industry, you could look at one product.
And it's very, very rare, at least, you know, after a few months, that a company stands out purely because of its product. It stands out because of its people and its attitudes and its culture. It stands out because actually these people get what we do. These people are just selling. This other company is just trying to sell you boxes and blinky lights or whatever.
A culture that differentiates itself from everybody else is one that's going to stand out, and having a security culture will make you stand out whatever industry you happen to be in. And finally, the other good thing about the security culture is it's disciplined.
Actually, you probably won't have to pull out your disciplinary handbook very often because people will self-discipline. This whole concept of, I know I've done it, many of you may have done it:
If somebody leaves their computer unlocked, well, they get an email sent, you know, from their account to their CEO or something, telling them about their weekend plans and how they're going to, you know, meet up with them and pay for their dinner and things like that. It's a self-discipline environment. People actually check in with each other as well.
So if a bad, you know, if a phishing email attempt comes in, the culture allows them to openly ask the person next to them for advice on, is this a phishing email or is it not? In a non-security culture company, they don't; they just focus in on their day to day tasks, what it is they've got to do. So how do we actually create this security culture? Because it's all very well me telling you get a culture, get a culture.
Culture's brilliant. It's fantastic.
Well, there's three things I want to look at very briefly here. So the first thing is: we must stop treating our users like idiots. This is the most fundamental part.
You know, we've all used the phrase, if it wasn't for the users, we might be able to get our jobs done. We need to start treating them much more as heroes. These are the people that are making money for our business. These are the people that pay your wages. In many cases, we need to stop calling them just users, such a passive term, and start talking to them in terms of, you know, clients or people. Perhaps let's even talk about them as people, you know. Start engaging with them in a very, very different way, from a position of trust rather than distrust.
Because in this way, you start to build that relationship with them, which will allow you to impart the culture information that you want them to have. Secondly, be open with them. So I'll give you an example of this. We've recently, in the last sort of six months, introduced Yammer into our organization, the internal social media platform. Now I've been CISO for just over a year, and we've got a huge laundry list of things to do, and we think we're doing a very good job.
And somebody posted on Yammer, why don't we have an email address where we can send phishing attempts so that we can, you know, see if it's actually real or not? It's such an obvious thing to do, phishing@publicistgroup.com, such an obvious thing to do. Rather than just ignore it and slowly build it and, you know, make it happen,
we did it. And then we went back to him and said thank you, in front of everybody else on Yammer. Thank you very much. This was a really good idea.
We missed this opportunity completely. This ensures you start to create this two way street, because your security team is an insignificant proportion of the company as a whole; everybody else is out there. If you start to make them security advocates on your behalf, you are going to create a far greater amount of interest and ideas and concepts. Some will be terrible. Some will be very, very good. And some of them, to be honest with you, will be bleeding obvious, just as it was with us. So start being open. And then finally, really reward and celebrate.
So, as I said, I went back to him and said thank you. There's a little function within Yammer that allows you to effectively put someone up for an award, you know, a thank you or whatever.
So I put up this individual for this award, but again, every time something good happens, reward it and celebrate it. That doesn't mean financially, although it could do, but celebrate it. If somebody captures a phishing email and says, I'm pretty sure this is a phishing email, I'm going to delete it, but I want to check with you, thank them for it. Actually take an opportunity to thank them for doing that, because they're acting on your behalf. Celebrate what they're doing.
If something, you know, a bit more fundamental happens, perhaps somebody stops a massive spear phishing attack, for instance, you know, either over the phone or over email or letters, et cetera, make a point of it. Celebrate it with the entire company. Tell them about what this individual did and how they did it, and why it's such a good thing. Make them feel good about themselves, and they'll keep doing these things. All too often we focus on the negative.
We punish people when things go wrong, and what ultimately happens is people don't want to confess to things when things have gone wrong. We should be celebrating the other side. We should be fixing the other stuff, and it will take time. But we'll start to see that actually there are fewer opportunities for things actually going wrong and more opportunities for things going right.
And finally, the final section here: how do you stop saying no? So first of all, I should say, why do we say no? The departments are always saying no, right?
InfoSec, can we open this firewall rule? No. Can we install this software? No. Can we put in this new piece of hardware?
No. That's very often seen as, you know, that's what the security functions do. Well, I suggest you focus on risks, not absolutes.
You know, don't say no to a firewall rule. Say what the risk is if the firewall rule is opened, why that happens. And I'll tell you why, because, you know, the reason why I chose the rose here is because the rose is us. We're all lovely flowers. When it comes down to it, we're all beautiful people. A rose by any other name would be called information security.
However, we also need to know our place within the business. We are not the special flower. There are plenty of other flowers within our business: sales, HR, legal, finance, you know, and also what about facilities and IT and marketing, et cetera. Each one of these groups has the same rights and has the same input into the business as you do.
Your opinion does not trump everybody else's opinion here, because it's about the business outcomes, not the security outcomes. If you understand what your business outcomes are, that might be making more widgets, making more money, making money for shareholders, which is very often the case, then you can start to make your decisions based upon that rather than just pure security. So let's talk about next steps.
I've only got three next steps here for you, because in half an hour you're only gonna remember one of them, but I'm hoping that it's gonna be a different one for most of you, rather than just one.
So the first one is: stop selling and start marketing your security function internally. Make it a lifestyle choice and not a corporate demand. Make people want to do it and engage with you in a fundamental manner.
Secondly, embrace a security culture. If nothing else, just for the sake of a cute kitten picture, just embrace the security culture, because it will help your strategy work. It helps make your strategy resilient and flexible. And finally, stop being a department of no. Support the business, don't inhibit it. Every time you say no, you stop your business from being able to do something. Risk is not an inherently bad thing. Without risk, business will stifle. We kind of know this, but we very often don't put it into practice.
Start focusing on business outcomes and recognize the fact that actually, while we're all special, we're not that special. That's the end of the presentation. You can contact me on any of these internet residencies. I believe we've got a few minutes for questions, and thank you very much for listening.
Thank you so much. Can we see the questions, please? There you go. What is the first practical thing to do to install a security culture?
I mean, you mentioned success factors, behavior component,
I would say engage.
But what, what is the first, what, how can a inhibit start a culture? Is
Yeah, absolutely. Starting a culture is one of the hardest things. But the first thing I would say is engage and listen. Start talking to people. Create, you could even start at the top, create a steering committee for your security function,
you know, of people from across the business, that starts at the top. But what about at the bottom? You know, start talking to people at the water cooler, as it were, as you walk through the environment.
We run events. Occasionally, we sponsored Chinese New Year last year in one of our agencies, and we put, you know, stickers of our awareness campaign all over the beer bottles and, you know, made sure that people were there. It wasn't a security event. We just wanted to make people know that we were here as much for them as individuals, as it were, as for the corporation. But start engaging with them, talking to people.
Good. Next question. How do you service a security culture in a global company with different cultures?
Well, a security culture is a singular global thing, you know? Yes, you have to be aware of different cultures, but the security culture should span all of them. One thing I would do is look for ambassadors, slightly difficult because sometimes you get people who just run off on their own, doing their own thing and not quite getting what it is you want to do, but try and understand the individual cultures.
I mean, I work in a global organization. I completely understand the challenge, but start working and understand those cultures. See if you can embed somebody in there, actually go and visit and talk and engage with people. And also using global tools like Yammer, which actually, you know, transcend geographic barriers, will help address that as well.
And a quick sentence about your Host Unknown project.
Host Unknown.
So Host Unknown is myself and two other colleagues who basically spend vast amounts of our own money to make enjoyable information security films, currently for no profit. So we are looking for sponsors. But the idea is that actually our thoughts are that just because security can be made to be fun doesn't mean that security is funny. So we try and bring a little bit of, you know, fun and enjoyment into it.
We call it three idiots and a camera, to be perfectly honest with you. So if you're interested, take a look. You can go to hostunknown.tv, or just look us up on YouTube.
Thank you very much.
Thank you.
Thank you, Tom.