Take a seat and then, Sarb, you can join in here on stage and hopefully we've got Jasmine still on. Oh, there she is, big online.
So now, I had planned to ask you to do an opening statement and to kind of reintroduce yourselves. But I mean, I guess we've gone past that. So you've made your opening statements, three excellent presentations, by the way.
Thank you, everybody. So this is your opportunity, those of you who are remaining, to jump in and ask your questions because we were hoping to get a perspective from a CISO, Hammond Huber, who was going to be joining us afterwards, but I've just been told that he hasn't been able to make it. So we've got more time to discuss this and hopefully there are people online who will be able to send some questions. So I'll check for questions there, but I'd like to keep it as interactive with the folks who are here as possible. But from your experience, all three of you, I'll go around the room.
Going into organisations, how well understood is this kind of mental impulse, are you going in and saying, well, yes, you have to take care of the people and they're going, yes, we agree, or they're going, like, what are you talking about? I think we'll start with you, Inge, because you kind of implied that getting the business back on the road tends to be the priority, but is that always the case? Are there some organisations that get it? It really depends on the organisation you're in.
So when you have already an organisation that has a pretty well understanding that wellbeing is important, we have seen organisations that already have a link towards different psychologists. For instance, when you have such an organisation where wellbeing is important, when there is a safe culture and leadership is involved, then in that case, everybody understands that wellbeing is a really important thing.
When you have a more task-oriented, hierarchical organisation where that is more rule-based, like when you don't do this, you get a punishment, then in that case, it's always harder work to convince them that they also need to have attention for the mental wellbeing. OK, and I was going to ask you next, Jasmine, with your, you know, OK, so you've worked with organisations like Google and having experienced a visit to Google HQ, the culture is more sort of oriented towards that, but is it much harder sell outside organisations like that?
Yeah, I would say 100%. There was actually two factors I'd say that I've noticed have had a big impact. It's so funny, Darlene, this is like the future of panels and so on, Darlene, from online.
So yes, I'd say that the things that have had an impact are, and this is why diversity in the leadership team is so important, when there's a balance of younger leaders with kind of, you know, there's a big emphasis from younger generations to take this really seriously. And I've noticed that when we're going to companies that have, you know, a much more balanced generational kind of difference, that does make an impact.
And also, I think also we have seen that, again, a lot of, I don't know, it's when people have experienced it personally, like we meet a lot of people in cyber that said, I've burnt out and I've hit rock bottom and now I'm going to take this seriously, or in organisations when they've experienced it, which unfortunately so many people have now, that is what I'd say contributes to people then taking it seriously. So I think those are the factors, I would say, but it's still difficult to kind of really translate how important this is.
And that's why you do need that hard data, like we've been showing, you know, how is it affecting productivity, how is it affecting attrition rates, how is it affecting turnover, and actually fishing click rates, you know, how is it affecting the business overall? And that's how you kind of get companies to take it more seriously, I've seen.
Okay, great. And Yusab, you know, you were talking earlier about Admiral, are there, are there kind of typically types of organisations that are more, that get it better or get it to a greater extent? I think generally the first thing is that if you look at the point I made earlier on about the fact that we tend to, or the industry tends to think that this is a technical issue, so breaches, ransomware, all of these things, it's a technical issue, not a people issue, and that is so wrong. That's the first thing.
I think the second thing resulting from that almost is that quite often teams tend to think that they have the answer, they've created the problem, they must have the answer. Although I talked about Admiral, they worked with so many external organisations that helped come in, did some workshops on a whole range of things, I didn't include any of that.
The fact is, you have to go outside for help, especially when you're in the situation you're in, I almost said crap, but yeah, I did say crap, but when you're in a bad situation, you have to go outside for someone to look in, to be able to tell you all the things that you may not notice, because you're not thinking straight. And we haven't got all the answers. We do need to go to organisations like yours. We do need apps like yours.
There's lots of services out there, but quite often they're not called upon, they're not used because we tend to think we've got the answers, we should be able to figure it out. And that's the biggest mistake you can make, because when things are bad, you're not in a position to think about what's wrong critically. So one of the reasons for having this on the agenda is to kind of raise awareness, because I think that's also something that the three of you have mentioned, is this kind of a need to raise awareness.
What is it that people can do to, you know, because Saab, you mentioned that people don't really want, or there could be disincentives for people to raise their hand and say, look, I'm struggling. So how do you introduce this as part of the conversation, and how are you planning to support this through the foundation? So what we're hoping to do is try and tackle it in the graphic that I used at lots of different levels, because you may as an individual be working in a team where you really can't talk to your team members.
So that way you're in a position where you have to deal with it individually, or look outside for support. Or you could be a team that really gets it, but the rest of cyber teams don't. Or you could be the CISO and you get it, but nobody else does. So wherever you are, what we're trying to look at is how can we support you, what sort of support you need, and there's no one answer for all.
We totally understand that, and that's why I started off saying that we're trying to look at evidence-based results, and we don't want to recommend things unless we've got some evidence behind it, but also we do want to be in a position where, you know, we are, yes, I do know you, Jasmine, we've known each other for years. I've known Jasmine since, well, I won't say, but I know her parents very well. You don't know yourself, but there are other services, and we're beginning to know some other services, and we want to be able to be in a position where we can refer people. We are independent.
We don't want to say this is the best, that's the best, or the other. We want to say, look, there's some services out there. Figure out which is the best for you. These are the sorts of things they do, and that's quite important, and I do think that issue about raising awareness is that we don't think we should do it on our own. We want to work with everyone working in the industry to raise that awareness because, you know, there's that saying, a rising tide raises all ships, and that's what we want to do.
We want to raise all of the people working on the service provision side and the cyber industry to actually raise all ships and for us all to do much better than we have been doing by raising that awareness, and all we really can do at the moment from our perspective and the foundation is to raise that awareness and start picking away on what we need to do at the individual level, the team level, the enterprise level, governments, industry bodies, and we are working with CISEC in the UK. We've got conversations with ISARCA, UK Cyber Security Council.
We are talking with industry bodies, and we're hoping that we can impact quite a few of them around the world, but it's a slow thing. We've only started last October, and yes, we wrote a paper last year. We wrote an update this year, and that hopefully we believe will help raise that awareness. I'm very interested in the resources you mentioned there. We'd like to share some of those as well if we could once we've had a look at them. That's great, and Jasmine, was there any particularly good campaign that you saw with your engagements around this raising awareness?
Did you see anything that the organisations you work with that they tried around this awareness raising that worked particularly well? Yes, so I'd say when you look at behavioural science and how to shift behaviour, it's a three-pronged approach. It's like start with education, education and training, then provide the tools, and then finally make it a habit. So it's kind of like that initial piece.
I think, again, what Saab's saying is awareness, and starting with that awareness. I kind of think it's like education, it's tools, and then you're looking at kind of like that habit forming, and then the peer-to-peer support and the community is so important. Saab and I have been in so many events in London where you just see people, you know, you're physically together, and that community, I cannot express how important that is.
We recently ran a workshop for NCC Group, and what was amazing is we had people from all over the world in the workshop, and we had people messaging in the chat, and I'm using this example because it shows just how important creating safe spaces are about these topics.
And, you know, someone wrote in the chat, oh, actually, I've been struggling with this, and then loads of people globally from the organisation were saying, well, actually, I'll support you, you know, this is how you can do it, but it's because it was, it provided a safe space, the conversation was out there, and then the community and the organisation was able to kind of like be like, actually, we're going to support you.
So I feel like that open conversation, you know, leadership, modelling, and say, you know, it's okay, like, we're human, and this is how we feel, and then that peer-to-peer support really, I love what Saab said, you know, you elevate one, you elevate all, and it's like, we need to move away from this egocentric, individualist approach to actually like, how can we help each other, which is why I love what Saab and the Foundation are doing, because it's like a collective approach. We really do, we have to be kind of more of that collective way of thinking.
So that's how we're going to be stronger, right? It's kind of that collective piece. So those are some of the things we found have worked.
Oh, that's great. Thanks. And you know, your engagements with organisations, is it typically only at time of crisis? No. Or do you do like pre-engagements and do some work around this that, you know, like the things that you suggested, do you actually work with your client organisation and say, well, you know, if a storm comes, you need to do this pre-work that you were talking about?
Yeah, we do different things. So we also do awareness and behaviour programmes. So it's broader perspective from a cyber security perspective. But if you specifically look at the mental impact we have when we do incident response or crisis management projects with clients to prepare themselves for an incident, we always put that mental aspect as well in that training or in that plan. And during incidents, we really open up that conversation with leadership. So I completely agree. You want to create that community.
And I think that leadership should put the examples out there and show some vulnerability because without that, it's really hard to speak up. Yeah, sure. Just about some of the things that we're creating, they're not created yet. We've got in our plan for next year, hopefully we'll get them done by Q1 or this particular thing, is that those people that do sign up to the charter or want to sign up to the charter, we're creating some resources that will enable them to be able to talk about this issue within their own organisation, within their own teams.
Because I think that's quite important because, you know, it's very difficult to talk about a subject that you know nothing about, you know you're not, you know, don't work within the mental health field or the stress field. So how are you going to go and speak to your team about this? And it's a worrying thing.
So what we're hoping to be able to do is create some resources that can be used by people to be able to discuss it within their own organisations, whether you sign up to the charter as a whole enterprise or a team, or you want to do something within, you know, within those that you work with. And that's quite important. So resources to be able to talk about this when you're not from a psychology background is very, very difficult. So hopefully those sorts of things will help raise awareness within those organisations as well.
Okay, so now we've spoken a bit about cyber incidents and the kind of stress that that causes there, but what are the kind of day-to-day things that, you know, what are the primary factors here contributing to the stress and burnout in your experience? We'll start with you this time, Jasmine, do you have, you know, what are the things? I wanted to build upon a point that Saab just made actually, because I think, that's okay, I just, if I may, he also mentioned again, like that, that piece around awareness.
I think the bare minimum that we can do that can make a big impact is recognising the early stages of stress. Like what do they, what are they, what are the early stages of stress? As leaders, like Saab said, how do you educate leaders that don't have a background in stress, they don't have a background in psychology, simple things like your chest is tight, brain fog, sweaty hands, you know, these, these physical symptoms, which is one of the body's early signs of, okay, actually, you need to stop, you know, you're about, you're getting those early signs of stress.
That is a really simple, clear intervention, that could be something like printing it off around the office, and it's kind of, that is the awareness, and it's just so simple, like what are the 10 early signs of stress?
Having that in your space, and then actually show, here's some quick shifts, you know, like I mentioned, those three deep breaths, or, you know, making that part of the culture, and visibly, so people around the office, or they have the tools to be aware, okay, I'm actually at the early signs, not always, if we're looking, oh, this end of the, end of the road thing happened, it's like the early signs, and then there's early, very simple interventions.
I think we've overcomplicated so much in the world, that we need to make this so simple, that you can explain it to your child, we need to be like, these are three simple things you can do, that, and again, as Saab mentioned, evidence-based is everything we're really big on, so making sure it's backed by data, it's backed by research, it's backed by academia, and that's super simple.
So, I just wanted to add that, you know, as a case, which is like, with leaders, just understanding the early signs of stress, and some very simple interventions, could be the first step that everyone could take away from today, to be like, okay, that's a simple intervention that you could look at. Jasmine, you've just volunteered yourself to help him produce that.
Okay, I'm happy to do that. So, yeah, so you've been talking about the symptoms, my question was to say, well, you know, like, what are the things in the day-to-day job that actually leads to this stress and burnout?
Yeah, it's a good point. I think part of it in Saab, when we've done a few, like, CISO roundtables and things like that, and actually kind of speaking to people in the industry, and I think it is always on culture, it's the fact that, you know, you can go through a month, and you might have three days where, like, you know, you're working around the clock, and you are literally working incredibly hard, your body is under that, like, high, you know, high intensity state.
I think it's the inconsistency of that, you know, it's not like every day is the same thing, it's like these really high spikes and troughs for the body and the nervous system. And then again, it's this, it's the always on kind of, it's the toxic culture of, like, are you always on, being always on, and what that does to the mind and to the body, it's a very, you know, when we look at, like, it's overstimulating, it's very overstimulating as an industry. So I think that's a key, a key issue. The other thing I speak about a lot as well, in cyber, it's predominantly a lot of on-screen solo work.
And what we're actually seeing is that is causing a big issue, because we can't see when someone's struggling. So when we say what is causing that, we can't see now if someone in our organisation is actually, you know, visibly hunched over, they're not, you know, they're not presenting themselves well, because there's so much ability now for people to be behind a screen and have that invisibility of, okay, you know, if people are struggling.
So I think that's also another contributing factor to the fact that, you know, there's a invisible wave of people that are being lost and not caught in the net of support. Okay, we've covered a lot of ground. Is there anyone in the room who's got a question, because as I said at the beginning, we'd like to be this kind of as interactive as possible.
I mean, you've got these people who are working in this area, I think it's laudable that they are. And I think it's really important that we focus on this industry issue. But is there anything that we've covered today that you would like to kind of drill down a little bit more on? Because Saab hinted that, you know, there were parts of his study that he hasn't kind of mentioned. I can keep on asking the questions. But if you any of you would like to ask a question, just raise your hand, I'll come give you a mic.
Please, please don't feel excluded. And don't be passively consuming what we're saying here. Please get involved if you want to. What are the potential long term effects of neglecting mental health in cyber security professionals?
I mean, is it just simply a question of high churn? Or, you know, are there more serious consequences? I'm going to give my own example. A couple of years ago, I went through a period where I was very stressed, very burnt out, and so much so that I still don't talk about it today.
Normally, when we go through good things, when we when we've had a good holiday, we've had a good experience, birthday party, went out with some friends, go to, if you like opera, ballet, whatever, it doesn't matter. Whatever you like, you've been out. Don't you enjoy talking about it? But you go through something, and if you still can't talk about it after a few years, it's impacted you that badly. That's not good. That's not good for anyone. And that's the sort of thing it can have. It takes you back and it brings back emotions.
I mean, I can feel my face changing now just just thinking about it. Yeah, that is the sort of impact it can have. And it's not just me. Different people react very, very differently. All of us deal with stress when we're stressed in completely different ways and how it impacts us in very different ways as well, which is why the question you were asking earlier, Jasmine, about what can we do? I think it comes from ourselves. We are in some respects, you know, able to look at things ourselves.
But with someone maybe who's a coach being able to speak to us and saying, right, how does how does that make you feel? How does that make you think? What does it do? And so on. And you can find things that are moving forward, whether it's in terms of everyday patterns and finding ways that you can reduce the stress.
I mean, as a result of covid, I get up early and I have great days because I get all my work done before twelve o'clock after twelve o'clock. Anyone can talk to me about everything. And I don't mind because I've had six hours of work, really good, productive stuff that I never used to do because during covid, I was stuck. I'm saying to you, I used to be stuck in calls all day and decided I didn't want to be stuck in calls all day, reorganize my days. And I have much better days as a result of it. I don't worry about my email. I check my email a couple of times a day.
If I don't respond to it, they'll just email me back and say, can I have this? And if it's that urgent, they'll call me. And that's the way I tend to think. So I readjusted so many things to make my working day more productive, maybe more relaxed, not worrying about those things that aren't a big deal. And I think each of us, there's some things we can figure ourselves.
But at the end of the day, it's always good to have someone who understands these things and can be honest with you saying you're kidding yourself or whatever it is, because sometimes it's always good to have someone challenge you on these things. So if I may add to that, it's not only about the individual. We did our research on CISOs and talked with CISOs and with the board members. And there are a few aspects that you can do as an organization as well.
So if you're looking at autonomy, if you have a lack of autonomy, certainly in such a role, that can give a lot of burden, can give a lot of stress. So making sure that you have enough room to make your own movements as a CISO is really important. Looking at workload, making sure that it's doable, especially in these days where the threat landscape is enormously changing, where regulations are getting stronger and stronger, and the role of the board is getting more important than ever. That is a thing that really gives a huge workload to CISOs.
So making sure that it's still a realistic job is also important, and a job for the organization to make sure. And also, if you look at support, in many cases, the CISO has a direct line towards the board. And that is a good thing. Only they face resistance on the director's level. And in these cases, you can do something as an organization as well. So I completely agree. You can do a lot on an individual level, but as an organization, you have also a kind of responsibility to make sure that your work is doable.
And I then know specifically for the CISO, but I can make sure that that is, in a generic sense, as well the case. I've got some good stories that we've had from CISOs talking about their staff. And CISOs talking about their staff saying, do you know what? We've had some people, and all of our jobs, we know we've missed our children's theater, parties, or whatever it might be. But they're told other stories, even worse stories, where they were saying that members of their team late for their own wedding by 15 minutes, because they were dealing with an incident.
And the thing is, one thing that we haven't had a chance to mention today, but it's true. I like working in cybersecurity, because in cybersecurity, I've found we are very caring people. But that goes against us sometimes, because we're so caring in that we want to be heroes. We have that hero mentality that we can get things right. We can get things done. I can do it, and we want to do it. But sometimes that's wrong. We need to actually understand that we can't do everything. There are things that we can't do.
We need to, for the organization, and again, the case study, what they looked at was, how can they organize their capacity far more effective? And in a way that whatever they asked to do, they're going to get done. But if we get these things done in this period, that means those other things can't get done. So that capacity part, you mentioned, absolutely vital. It's critical, because otherwise, we are going to be unsatisfied. We're going to end up working long hours, not achieving things. And if anything bad goes wrong at that period, then it's going to be even worse. Yeah.
So looking at something from the Council of the EU, they said that this was last year's figures. They said 84 million EU citizens are affected by mental health problems. So that's kind of roughly 17% of the population, apparently. And in their report last year, they estimated that that cost the EU about 4% of GDP, which doesn't sound very much in 2023. But that's worth 600 billion euros, apparently. So it's got a financial impact. So it seems that it's not peculiar to cybersecurity.
But would you agree that if some people don't perform at optimum, they may not get a performance bonus or whatever? But in cybersecurity, people have this even greater sense of failure or guilt that they're either exposing the company to economical or financial, you know. So does it make a difference?
Again, do you agree? And does it make a difference whether it's a breach or a ransomware attack or whether there's personal data lost? If it's personal data, do people take it more to heart? What we see during incidents, in many cases, they already knew that there were pitfalls in the system. And they already mentioned it tons of times to the board. But the board was not always aware of the fact that the impact can be so huge. So what we see is that when you have responsible ones, it's the CISO or IT director or CFO, it doesn't matter.
When they understand the risk, are able to express themselves on the right level, and to get ownership or acceptance of a certain risk and really get that message through the board level, then it's okay when an incident happens. But when you're not able to, but already knew that there were pitfalls, then the burden is really high. Especially in a family-owned company, or where they feel that they are the responsible ones for the security of the company.
Okay, so I got some Osaka figures, which were also from 2023. And they, according to their membership there, 66% of cybersecurity professionals said they experienced stress at work. But 64% said that the mental health issues affected their productivity. I think that speaks to your idea of the kind of resilience. So maybe just kind of tell us a little bit more around that concept of, you know, is resilience of the organization is linked to individual, personal sort of resilience? And how much of it is responsibility of the individual to make sure that they are resilient?
And how much of it is kind of an organizational thing? My personal view is, it's all down to the organization.
Yes, you have a responsibility, but you have a responsibility if the enterprise has set up the right sort of structures. If it hasn't, it's neglected you. It's let you down. For you to point out things and try to do things, I think that's an afterthought on your part, not theirs. They should have been thinking about it well before then. And I think that's difficult. And I think that server that you mentioned, I know you know this, but I'm very involved with Osaka.
The research, the server that you mentioned, one of the other things that I found was that in the last five years, I don't know if you've got it there in front of you, but in the last five years, a higher percentage of people have found that the last few years have been more stressful than the previous years. And that's true for all of us. We are in a time where, you know, when I talk about this in organizations and resilience, you know, 20 whatever years ago, when I joined the cybersecurity industry, what you had to know was very simple. It was very straightforward.
The principles are still applicable today. My first event I went to, there was 40 vendors and most of them were anti-malware vendors or firewall vendors. And I came from a development background and I looked around the room and I thought, this is odd. The problems are created in the code, but nobody's looking and talking about the problems being in the code. They are dealing with the issue with anti-malware and with firewalls, that's wrong. But from there, things changed because then we started to see greater use of email.
We saw greater use of mobiles in the enterprise, IoT, cloud, SAS, digital transformation. And over all that time, we've had more compliance. We've had more standards. We've had more of everything, including certifications that we have to comply with and actually have to demonstrate that we're smart as we are. So all of these things haven't just sort of gone up from here to here. It sort of jumped quite a lot from where we used to be. And all of these things impact us and we've taken it on the chin over all these many years.
But it is beginning to impact us in lots of different ways that we may not have realised. And a phrase that I've often used is, you know, when people say, well, what's different?
And I say, look, nothing's different. It's all the same. So nothing's different and yet everything's different. And why everything's different is because the principles are the same. The principles that we've have on security have not changed.
However, how they apply to all these different technologies that open up the connectedness that we've got with every device connected to every other device, all that creates more vulnerabilities. So the context around this and understand the context is very, very hard. It's much harder than it used to be. I was speaking to outside earlier on the two hackers that were presenting this morning. Yes. And I was telling them about the fact that with wireless now, it's possible to jump three or four wireless networks because of the way that they work and how open things are.
And this opens up more ways to attack people and devices and everything else. And that's what I mean.
You know, the principles are the same, but the context of how it impacts us on day-to-day basis, that's what's grown a hell of a lot. And is that kind of also your experience that it's the change in the business IT environment that's kind of, it's incrementally changing to much faster and tech services are getting bigger.
I mean, are you seeing that in practice as well? Yeah, it's getting more and more. And the type of attacks and the incidents are getting more sophisticated time after time. So five years ago, ransomware attack, everybody was like, it was not a subject of the board table. And I don't have to explain it nowadays that ransomware is a serious threat and they need to take mitigating measures to make sure that they protect themselves. And now we see nation state sponsored attacks as the new benchmark of cybersecurity.
But when I talk about that on a board level, they're looking at me like nation state, now that's nothing for me. So that is continuously changing. So also that indeed combined with the connectiveness with all the different regulations, with getting more and more applications in the company, it's a tech service is growing and therefore the pressure on the security teams is growing as well. So of course, another thing that's changing almost daily and we've touched it on the conference here is now the greater use of AI. And I was quite interested to see that.
It's like a study said that 55% of cybersecurity professionals say that gen AI is increasing their stress levels. Is this something that you've encountered Jasmine in your work with organizations where people are just getting stressed out about the fact that they're having to work with gen AI?
It varies, again, it varies. I think it's about people's tech literacy. It's whether people are using AI to assist and almost remove the burden of the work that they're doing. And I think that's, again, comes down to how we can educate ourselves from organizations, here's how you can best use AI, gen AI, machine learning to actually help kind of automate and offload some of the yucky stuff you don't wanna have to do in your day. And you can then actually optimize your performance and productivity. But I think it really varies.
We've also had people that are suddenly, again, what we're seeing is, as Ina mentioned, AI is proving deepfakes, is proving much more sophisticated threats that we're starting to see from AI. So again, on that one side, I think it's providing more sophisticated threats. But on the other hand, I think if we can use it smartly and keep our finger on the pulse with the innovations that are coming out of that area, I think we can start to use it to our advantage. But it's the same thing with any technology that comes out. It's about how we use it and how we best learn, how we can help it help us.
So it's really varied with the way that we've heard people talk about it, from those that are kind of using it to assist them versus those that are kind of scared about the impact it could have on an organization. And what I wanted to actually also mention from the point we just spoke about before about the individual and the organization, whose responsibility is it? I wanted to add to that point previously and say that actually, I think in the long term, we're gonna see organizations take these topics more seriously.
But I think in the short term, it really is down to us as individuals to make sure, like Asaab said, practicing. And he said kind of like actually scheduling these things into your day, like not having meetings for half the day. It really has got to come from us taking these behaviors seriously and changing our behavior. And it's gonna be an accumulation of many individuals, I think, making changes in their lifestyle and in the workplace. And that's how we're gonna start to see shifts happening.
Because I think it's gonna be such a longer game to really, really shift the industry and really shift the culture. As you've been seeing, when you're trying to put together, I don't know any recommendations, advisory papers, white papers.
Really, I'd say it's for the individual now to actually take some of these things upon themselves to actually start implementing changes. So I hope that makes sense.
Yeah, that's great. Thanks. And if I could just stay with that Gen-AI thing, Asaab.
I mean, we've been hearing today and yesterday that the Gen-AI is going to be helping analysts so much more. It's supposed to be a positive thing.
I mean, do you know the context of why people feel stressed about this? I mean, why is it, kind of, is it a threat or is it, as Jasmine suggests, it's just a new technology that people are struggling to come to grips with? The way I look at this is that it's to do with why anyone does something or doesn't do anything. And for me, it ties back to risk models and mental risk models. And if you look at the fact that, Inga, you mentioned about the board. Once upon a time, you had to talk about this, the board, now you don't have to.
See, what's changed for them is the mental risk model around ransomware has changed. You didn't change it. It got changed because of what was in the media and how we perceive different risk models on different things. So the risk model that we're talking about around generative AI, individual people's risk models that they have will determine what they will and won't do.
And that individual risk model, if we're attempting to change anything, is what we need to look at trying to change because most of these mental risk models are based on what's in the media, not by what us as professionals are saying. What us as professionals are saying would quite often go over people's heads. So what we need to look at is what is there in the media and how we can talk to them about what is and isn't in the media. In some cases, some organizations by not using this will see that they are instantly, it's a cost to them by not using it. They're going to lose out.
Others will see this and think to themselves, well, if I start doing this, then Google or whoever is going to have my data and their mental model is that they're going to lose, not gain. And I think, again, it's questioning that. So the way I look at this, it's always about tackling individuals' risk models that they've got on a particular aspect, whatever that issue is, whether it's ransomware, whether it's AI, whether it's about whether the whole business is going to be attacked, whether it's about phishing or it's about opening PDFs.
It's that risk model that they have that they think about that we need to be attacking. And I think trying to tackle that on an organization-wide is difficult. It's trying to look at who it is that you're trying to target and what that risk model is in that role or that person and trying to deal with those in particular. I don't know if that answers your question, but that's the way I look at it.
Oh, that's great. Thanks. Thank you again, all three of you, for your brilliant presentations and for your suggestions. Just to close off now, a closing statement from each one of you. I'll pick on you again, Jasmine, if you could just give us your closing statement for this session. Just generally?
Yeah, yeah, yeah. So we're going to be wrapping up now.
So just, you know, what would be, if there's anything that you haven't spoken about that you would like to have spoken about, or just your closing statement on kind of key takeaways or whatever. Yeah, I think a key thing, I think that's really exciting that is happening in cybersecurity is looking at the impact of stress on the safety of organisations and on an organisation's cybersecurity posture.
So I think really go away from today, my key closing thought is to go away and actually think how is your own stress, your team stress impacting your online behaviour and how critically you're thinking and really emphasise that. I think, think about how you can go away and ensure that stress management, mindfulness, mental health is at the forefront of everything that you're doing and thinking.
Because if it's not, you're going to fall behind and it's something we can't afford to be, you know, not accounting for in everything from our education, training, any thought leadership coming out of the industry. So I think it's incredibly important. And I think it's wonderful that today, that it's so emphasised in the agenda. So thank you.
Well, thank you, Inge. For me, it would be that I think awareness around the mental burden of not only the professionals, but specifically in crisis situations, that is something I really want to stress because that is important to know. And if you know that, you can open up that conversation.
So for me, that would be the key takeaway, open up that conversation. Last word to you, sir. Thank you very much. I didn't include on my slides links to getting downloads and things like that. If you want to get in touch with me, if you look on LinkedIn under MHINCS Foundation, which is Mental Health and Cybersecurity Foundation, join the group. We can get information to you. We have got some links. I know that you took them in the webinar and so on. So there are links there. You can download our report that we had.
We are hoping to do a lot more and get more people involved in the framework because we want it to work. I'm a volunteer. The other people are volunteers. We are all volunteers. We're hoping to make a difference, but we can't do this alone. We do need to be working with people like yourself and yourself. It is very important. And as I said earlier on, a rising tide raises all ships. We want everyone to do much better and not go through this. Plenty of people have gone through this.
There's no reason why in this day and age, we should be embarrassed to say, I am stressed, I'm burnt out, or I've got mental health issues because of the work that I'm involved in. We should be able to be transparent about that. And hopefully we can help change that so that we can be. Thank you. Thanks for ending on that positive note and call to action once again. Thanks to all three of you for brilliant presentations and for great contributions. And I wish you very well with your work into the future. And so there you have your call to action.
Go back to organisations, evangelise, and let's make cybersecurity a much more mental health friendly environment to work in. Round of applause for our presenters.
