How to Avoid ‘Doom Fatigue’: UniSuper Cyber Resilience Manager
Unisuper Cyber Resilience Manager Christie Wilson explains her strategy for supporting her team and driving cultural change across the company
UniSuper is one of Australia’s largest super funds with more than 620,000 members and $115 billion in funds under management. Protecting the life savings of Australians undoubtedly requires a diligent, dedicated and well-educated team.
The superfund’s Cyber Resilience Manager, Christie Wilson, has worked in information technology for more than 25 years in a variety of operational and governance roles across both vendor land and corporate IT. She moved into cyber security six years ago, looking for a new challenge.
“Boy did I find one!” she says. “I originally stepped in to help the team with audit work and was lucky enough to continue to work with the new CISO and an amazingly talented group of security professionals.
“Together, we completely transformed security in our organisation. I developed and implemented our Cyber Resilience program, which I’m still running today.”
Wilson revealed that joining the cyber security team was the best career move she has made.
“I’m eternally grateful to my CIO for suggesting that path, and to the CISO who took a risk with me and gave me such a life changing opportunity” she says.
The constant evolution of cyber threats and attack techniques poses constant hurdles for cybsersecurity professionals. Cyber criminals are continually developing new and sophisticated ways to exploit vulnerabilities and target individuals and organisations.
This dynamic threat landscape makes Wilson’s work around keeping up with the latest threats and educating UniSuper’s employees on how to protect themselves that much more involved and challenging.
“‘Doom fatigue’ and complacency are real risks, and it’s a fine balance to keep our people alert but not alarmed,” she says.
“I use a lot of nudge tactics in our cyber resilience program, so that cyber safety is embedded as an ongoing conversation across the organisation. Small, consistent messaging can significantly influence people’s choices, and the decisions they make.”
Knowing vs Doing
There is a big difference between creating cybersecurity awareness and driving cultural change. Just being aware of something doesn’t mean that you’ll take any action. This is the philosophy Wilson adopts and she uses personal healthcare to help illustrate this.
“We all know that to stay fit and healthy we should eat well, exercise regularly, and have regular check-ups with our doctor. That doesn’t mean that we necessarily do that,” she says.
“So, a big part of driving cultural change is consistently giving people small, simple steps they can take to protect themselves. This drives behavioural change, which, over a period, creates cultural change.
“Culture is ultimately ‘the way we do things around here’.”
Wilson also notes that it’s important to remember that cultural change takes time – months and years, not days and weeks. She believes that having people on the team who understand this, and who have the enthusiasm and energy to drive this change, is vital.
“We’re talking a marathon, not a sprint” she says.
Wilson also thinks that having employees thinking, ‘What’s in it for me?’ is important for engagement and buy-in.
“Cyber awareness and education should always include simple steps that people can take to help protect themselves. If it’s just a constant stream of scary cyber stories, people will switch off pretty quickly,” she says.
Helping Others Step Up
Wilson says one of her biggest successes in the past year has been watching her Cyber Resilience Analyst grow in her role and oving into a technical security role. She is also proud to see a new Cyber Resilience Analyst moving into security from another part of IT.
“Cyber Security is a growing field, and there’s an ongoing need for new skills, perspectives, and insights. I’ve loved watching both teammates blossom in their roles, and the enthusiasm they’ve brought to the team,” Wilson says.
Ahead of her speaking engagement at CISO Melbourne 2023, Wilson touched on the importance of cybersecurity resilience training, and and what others can learn from her session.
“It’s all about the human element of cyber security,” she says.
“There’s a great quote from Bruce Schneier (an American cryptographer, cybersecurity professional and privacy specialist) who says, ‘if you think technology can solve your security problems, then you don’t understand the problems, and you don’t understand the technology’.
“When effectively communicated, cybersecurity becomes a story of empowerment, transforming the human element from a vulnerability to a formidable asset.”
Christie Wilson will be speaking at CISO Melbourne 2023, being held from 17-19 July at Crown Promenade. Click here to review the agenda and register to attend.