It’s not techies, it’s communicators, says Melanie Oldham, founder and CEO of Bob’s Business Information Security Awareness. She spoke to us about how to tackle cyber crime by getting numbers on your side and about cyber security champions.
Melanie found herself surrounded by techies. When her manager asked her if she had heard of information security, she replied with a resounding “no.” Even so, cyber security was what she was asked to do. Working with 13 techies, all males, she said “they spoke a different language” and “I felt stupid.”
But that was in 2004. Melanie has since learnt the lingo, so much so that today she worries she knows too much.
In the early days of her career, when technical knowledge was not her thing, she learnt how to communicate the important information. These days, the jargon comes naturally to her, and it’s her team, many of whom are still new to the technology, who help her tell the story in a way that sticks.
For Melanie Oldham, the battle against cyber crime is largely about communication. She explains: “Most breaches are down to human error,” but for too long the industry has focused on the technology.
It is changing, though.
A good example of this is the InfoSec conference (Info Security Europe). Melanie says she has been attending the conference for around ten years, but the human stream was barely in existence at first; now “more and more things are focused on human side” because you “can’t physically fix or patch people, like you can with technology.”
The Oldham insight is one that is being shared by many cyber security experts and CTOs.
To defeat cyber crime you need numbers — “strength in numbers is important,” she says. In part that means champions, but it also means getting the workforce onside.
So fighting cyber crime may be just as much about psychology as it is about technology. Melanie says: “if you are wanting to change people’s behaviour, you have to connect with them on an emotional level. They have to understand how it relates to them.” So it’s about showing an employee the benefits; “they support the cyber security strategy because they see the benefits. Maybe they believe in the company they work for or they may see information security as something that will protect them; that way they buy into it. It is about being really human. It is not about saying you have to do it because it is mandatory, but explaining why it is useful, how it can protect you and your home life.
“Trust and transparency is the key. The best thing anybody can do in the event of a security breach is take the appropriate employee for a coffee. And say ‘okay, talk to me.’”
Melanie’s insight, maybe arising from her lack of technical knowledge in the early days, was finding engaging ways to communicate: animations, “delivering cyber security education in bite sizes and using a more emotive way of presenting information, communicating without creating information overload.
“One of the biggest things we discovered was the amount of people using their work email addresses to purchase things online. Because 75% of people re-use user names and passwords, if they are using the same user names and passwords for work based systems and for their online shopping, then when breaches happened, such as when Yahoo got hacked, that data is easily transferable. People don’t see that as being a risk. So it is vital to explain the importance of keeping things separate.”
Communication is vital; that’s where Melanie’s business comes in.
But she also talks about the importance of security champions, information security advocates who preach the importance of security. “You need good communicators,” she says. The CTO needs to find good communicators, because people who are good at communicating can take the key bits of information from IT and disseminate it across an organisation.
There is another way — and that involves having a cyber security expert on your shoulder, with you all the time — warning you of a potential problem. Up to now, that was not possible, but maybe, thanks to AI, we can have the next best thing. This takes us to Paul Chapman, co-founder of Cybershield, a company which may have just found a way to have an AI security expert sitting on your shoulder.