I’ve been interviewed by Javvad Malik about my career in Information Security. He published the interview on his website.
The difference between Leron and anyone else that has ever asked for advice is his willingness to learn and take on board as much knowledge as possible and then apply it. In a few short years, not only was Leron able to complete his MSc, but he landed a job (while turning down other offers), spoke at events, and wrote a book. Achieving more in 3 years than most people do in 10.
So, the roles are now reversed. I needed to catch up with Leron and pick his brains about his journey and see what I could learn from him.
Read the full story
I wrote about the games you can play to enhance your privacy and cyber security knowledge. We also talked about gamification in the security context. But how do we apply this knowledge to “gamify” security awareness efforts in your organisation?
A recent company I’ve been working with has been experimenting with their security awareness programme; in particular, they’ve designed posters to remind employees of potentially risky behaviours. They placed these posters in the areas where violations could occur: near the confidential bins or printers. They’ve invested in a memorable design and created funny-looking creatures people can relate to. For example, they’ve had something resembling an angry Twitter bird to emphasise the fact that employees should be mindful of what they share on social media. Other examples included monsters on the lookout for confidential data.
I liked the idea and I saw employees discussing the posters shortly after they were released. But what if we wanted to take this a step further? What if people could not only look at the posters but also engage with them?
The recently released and hugely popular Pokemon Go app gives us an example of how this could be done. In the game, players are encouraged to explore the real world around them and catch creatures that appear on the map. The game uses augmented reality to make the experience of catching Pokemon a lot more fun.
The app developers used classic game design elements in this game:
- There’s a ton of items to be collected, like stardust, pokeballs, various potions and eggs.
- You get frequent rewards and feedback on your progress.
- The game is very social in nature and players are encouraged to engage with each other.
- There are leaderboards, and there is a chance to get your name displayed in a gym – a place where Pokemon battles take place.
How can some of the ideas from this game be applied to a security awareness programme?
What if we take the monsters from the company’s posters above and make them more engaging? It only takes a small financial investment to attach a QR code to a monster, so an employee could get immediate access to the relevant section in the security policy. Or how about giving employees a quick quiz and, if answered correctly, reward them with bonus points?
These points could also be collected for accomplishing other tasks. Your employee volunteered to participate in a security awareness presentation with her story? 100 points! Attended a lunch and learn session? How about 20 points? Reported a phishing email? Stopped a tailgater? There are many ways people can demonstrate their involvement in a security awareness programme.
As long as participation is voluntary, there are clear objectives and rules, feedback is readily available and rewards are desirable, we’ve got a chance to change security culture for the better!
As David Maister famously puts it in his timeless book The Trusted Advisor, “it’s not enough to be right, you must also be helpful”. You first need to earn your client’s trust, and with it, the right to offer advice and to be critical of the way things are right now.
What do clients want? You need to demonstrate that you understand them and that you are transparent with them. It’s unhelpful to try to bamboozle your clients with jargon and numbers; instead, tell them what these numbers mean for them.
Consulting has traditionally thrived on information asymmetry: consultants used to know more than clients but this is going away. Not only do we need to shift to provide insight rather than just information, we need to disrupt our own industry to remain relevant. I’m talking, of course, about automation.
Yes, there will always be cases where clients hire consultants when they have already made up their mind and just want to rubber-stamp their agenda. But these situations are becoming rare.
From my experience, clients are increasingly reluctant to pay for glossy PowerPoint decks. Managed services and post-implementation support might be some viable options to remain relevant and, therefore, profitable.