UniSuper Cyber Resilience Manager, Christie Wilson, shares thoughts on cutting through to non-security staff on information security
Senior information security leaders helm the important job of protecting organisations from cyber threats and risk. Increasingly, however, organisations are recognising they need to take a company-wide approach to security responsibility.
This has given rise to programs that educate and train non-cybersecurity staff to be more aware of the risk and threat landscape that exists. With it, come new roles and approaches.
Christie Wilson is Cyber Resilience Manager for UniSuper, a large Australian superannuation provider that boasts more than 450,000 members and more than $100 billion in funds management.
Wilson leads the initiative within the organisation to bring cybersecurity awareness to the staff, but says it’s more than just running training programs on security policy.
“The kinds of things that I do includes ongoing awareness and training for our people to keep themselves safe at home as well as at work,” she says.
“We make it more personal because despite there being baseline compliance work that needs to be met, compliance doesn't mean safety. With a lot of awareness training, we try to focus on people, and keeping themselves safe in their personal life, because that’s really the hook to get people interested.”
Engagement Challenges
Wilson says beyond meeting compliance, cybersecurity leaders really should develop programs that cut through to staff in terms that resonate with them in order to truly embed more resilience in an organisation.
“One of the challenges with security is that it’s the most important and interesting thing in the world to security people, but to everyone else, it can be noise,” Wilson says.
“There’s a joke that security people put the ‘no’ in innovation. We have to cut through that perspective and deliver messaging and content that’s going to win hearts and minds rather than just say, ‘Follow this policy, don’t click this, don’t open that email’, because that’s just boring.
“There’s an analogy I use with our security team when I'm trying to explain to them why we need to look at different ways to get buy-in from our people. It’s that people intrinsically know that you should have a yearly health check with your doctor or go to the dentist every six months. You should exercise, you should eat well. Whilst we know all that it doesn't mean that we always do it. Security can be the same.
“These days, people know you should have long, complicated passwords, and that you should use unique passwords for all of the different systems and platforms you use, but just because people intrinsically know that doesn’t mean that they do it.” Because getting through to staff requires more than recital of the rules (rules which they probably already know), Wilson says she also trains her security staff to understand the need to better engage employees on security.
“Sometimes security professionals suffer from the curse of knowledge in trying to get buy-in from non-security people. When security people think that something is easy for them to do, they don’t always understand that it can be complicated for people that aren’t technical or interested in security,” she says.
“We have to think about how to give our staff cyber safety messaging that resonates with them but also training the security team, the technical team to be able to communicate in a way that resonates with our people as well.”
Spreading Influence
Another way Wilson approaches the challenge of getting staff to adopt and take seriously company security is to recruit security champions within each department.
“It’s a group that I call my cyber evangelists. They're people that are subject matter experts in their part of the business. They've got good communication skills and they're also interested in security,” she says.
“I get them to help cascade messages across the business in a way that resonates to the people that they work with. During one of our recent monthly catchups, one of our cyber evangelists shared the story of how she had become the victim of identity theft about 10 years ago.
“She went into a mobile phone repair shop here in Melbourne and was asked for proof of identity. They took a colour photocopy of her driver’s licence. That photocopy has been used for identity theft for the past 10 years, it’s an ongoing problem for her and the 15-20 other people who were caught up in it.“It has impacted her credit scores, details with banks, even impacting her purchase of a house earlier this year. When she shared that it really resonated with people.
“If people can hear a story from somebody they know, a real-life example. It drives it home that it could happen to them, or their parents, partners, and loved ones. I think that really gets the cut-through.”
Ongoing Resilience
Wilson implemented UniSuper’s cybersecurity awareness program about three years ago, and it’s now a business-as-usual element of the organisation, one which she refines on an annual basis.
Wilson implemented UniSuper’s cybersecurity awareness program about three years ago, and it’s now a business-as-usual element of the organisation, one which she refines on an annual basis.
“I have a rolling 12-month strategy and over the course of the year, I'm looking at all sorts of threat intelligence from Australia and around the world, plus the kinds of things that could pose a risk to UniSuper. Using that I then look at what I can do to our messaging,” Wilson says.
“The program includes compliance training, which, as I mentioned, is the bare minimum; making sure that people understand the policies and standards that they need to align to.
Then there’s the ongoing cyber evangelists’ network.
“We also have a security news Yammer group for ongoing conversations around different topics that are of interest. Again, we are trying to keep the focus on what is happening out in the world, and how staff can protect themselves.
“We do specific training that's role-based as well. We'll look at roles that are at an elevated risk. It might be people like executive assistants or executives. Because of the role they have in the organisation, they're often at greater risk of being targeted. We'll do specific training for them to understand the kind of risks that they might be exposed to and what they can do to protect themselves.
“We also have a really strong, ongoing phishing awareness program. We do phishing simulations for the whole organisation every three months. When people click on those we gain more visibility of who might need additional training too.”
It’s a busy schedule of information delivery on what is quite a serious topic, and Wilson is careful to ensure the training and communication respects differing existing levels of cyber awareness.
“The guiding principle for all of it is that we want people to be alert but not alarmed,” she says.
“It's really important that people don't get a sense of shame or feeling that they've done the wrong thing. That's why we call it the cyber resilience program. It’s all about building up people's resilience.
“It's really important when I'm delivering information that it's not just some scary story. If you're giving people a scary story and you're not leaving them with a tip for how they can help themselves, you're just scaring them and that's just going to turn people off.
“So every piece of information that I'm giving, I try to make sure that it's, ‘Hey, here's something that's happening and here's something that you can do to protect yourselves’.”
Get the latest information security insights delivered directly to your inbox by subscribing to Business of InfoSec
