Cyber Insights - Part 2 - with Marilise de Villiers, Security Training and Awareness Expert
We’re delighted to have Marilise de Villiers, a Security Training and Awareness Expert, join us for our second Cyber Insights feature where she discusses building a culture of training and awareness.
People with your expertise and experience in Security Training & Awareness are now in high demand. What do you think has been the catalyst in recent years to the realisation that cyber security isn’t just a technical issue?
The increase in high-profile security incidents and data breaches, which have more often had a human element to them, has been the catalyst for CISOs and their Boards prioritising security awareness and training. Organisations can no longer afford to have a false sense of security that technology will protect you! Organisations and society can only become truly secure if we strengthen the ‘human firewall’ and turn people into our strongest defence against cyber attacks.
What was it that drew you to this career initially and inspires you to continue now?
I spent almost my entire career working as a People and Change Consultant in a ‘Big 4’ accounting firm. As a chartered accountant I’ve worked mostly with finance and internal audit functions. Eight years ago, a surprise conversation with a colleague triggered my interest in the human aspects of cyber security. Through extensive research and collaboration with my cyber security colleagues we developed the people-related aspects of the firm’s holistic cyber security client offering. I am fascinated by our industry and the work we do. It has been encouraging to see the focus shift over the past few years – there is a general consensus that people play a fundamental role in protecting organisations, and investment in cyber security awareness and training has increased. The issue now is that most organisations don’t know how to design and implement effective people solutions. That is why security awareness and training experts are now in such high demand.
What is the biggest challenge you have faced to date within security awareness and how did you overcome this?
Particularly in larger organisations, encouraging people to recognise the importance of protecting systems and data when they have so many competing priorities is certainly a challenge.
To overcome this, I take the ‘hearts and minds’ approach, ensuring that they understand why it’s important and engaging individuals on that basis. I approach this on a personal level rather than an organisational level, gaining an understanding of how these affect people as individuals rather than as employees. Once people realise how a security incident or data breach could affect them personally, they are likely to care more about protecting their organisation’s valuable systems and information assets. Behavioural change has to be led from the front, by the senior leaders and managers. These individuals cast a long shadow, and people are more likely to take cyber security seriously if their managers are taking it seriously.
Another challenge is that upskilling is certainly needed in this area. Thankfully, an increasing level of emphasis is being put on campaigns and guidance. We certainly need more tangible solutions that not only develop skills and raise confidence, but are also easily accessible to all. We need to ensure that these solutions are scalable, whether you’re targeting 200 or 200,000 people.
If we think of effective security awareness training as essentially, a cultural change program, what kind of personality suits someone working in your role?
I wouldn’t say it’s necessarily a personality type but more having the right mix of skills: technical, interpersonal, commercial and strategic. Some of the best leaders and trainers I’ve ever met are introverted; however, they generally have strong listening skills and therefore make excellent communicators / facilitators. It’s essential to have a real passion for people. An interest in the human psyche and ‘what makes people tick’ is essential because you’re trying to influence behaviour. Conversation is the catalyst for behavioural change, but only if the conversation is two-way and based on real-life stories and events. If we want to engage people and influence their behaviour we have to invite feedback, measure effectiveness and continuously enhance our awareness and training solutions.
Who have you found are the early adopters and who are typically the laggards in engaging with corporate security awareness training? How do you effectively engage the laggards?
It’s hard to generalise as it very much depends on not only organisational culture but also organisational demographics.
Regardless of position, title or experience, there will always be early adopters and laggards. My way of overcoming this is to embrace the early adopters as security ambassadors or to create a ‘security champion programme’. Then, the early adopters and those who have taken a genuine interest in cyber security updates become your evangelists, spreading the word to the masses. Security champions are your ambassadors; they must “lead by example” and are essential in ensuring ongoing commitment and training.
Plus, you must make it as simple as possible for people to do the right thing. The way you design systems and processes should make it as easy as possible for people to demonstrate secure behaviours, hence the importance of ‘human-centric’ and ‘secure by default’ design principles.
Cyber remains a challenging subject for most Boards and there is often a knowledge and translation deficit that can weigh on Directors. Are the Board becoming more receptive to security awareness?
Yes, I would say board members are definitely becoming more receptive and are more understanding of both the technical and human element. Going forwards, boards need to recognise that they won’t always have the answers and that the best thing to do is to bring the experts into the room; the devil is often in the detail. I’d certainly like to see more of that.
Knowing it’s important is one thing and the general awareness is there, but Boards and senior management now need to focus on ‘how’ they are going to develop skills and embed secure mindsets and habits. I would really like to see more CISOs present at the boardroom table when big decisions are being made. Although there has been a step-change in the role of the CISO and an increase in their numbers, I still don’t see many CISOs having the desired board-level presence, impact and influence.
My mantra is to Engage – Enable – Empower:
Engage (Knowledge, Awareness): This is your ‘level one’ solution, applicable to all employees, so general awareness and communication campaigns, including eLearning.
Enable (Skills): This is your ‘level two’ solution, targeted training aimed at high-risk individuals; it equips people with the right skills and the confidence to mitigate cyber and information risk effectively.
Empower (Habits): This is your ‘level three’ solution. This is all about embedding secure mindsets and habits in the moments that matter and empowering people to mitigate cyber and information risk effectively.
I define “moments that matter” as high-risk touch points where individuals interact with systems and/or data. These are the moments where a human error could have devastating consequences, whether it’s clicking on a malicious link in a phishing email or allowing a stranger to tailgate you into a building. My security awareness, skills and culture programmes are always designed around a handful of habits, based on an organisation’s ‘moments that matter’. Then solutions (levels 1, 2 and 3) are all designed to influence and embed these habits over time, typically 3-5 years.
A huge thank you to Marilise for sharing her knowledge and insights in our second Cyber Insights feature. For more information about Marilise and her expertise, you can visit her website here: https://www.marilise-de-villiers.com/ and Twitter @marilise77, or add Marilise on LinkedIn http://linkedin.com/in/marilise-de-villiers-9184521a
If you’d like to feature in our Cyber Insights series you can contact the team at firstname.lastname@example.org.
Next week we will be speaking to another cyber and information security professional who will be sharing their insights!