Plenaries - Day 3


  • The attackers focus on people, process and technology (probably better than the rest of us do)

  • “What does it look like to put people first”
    • Business asks people to take personal responsibility for their work, Security instead acts as C&C - clash of cultures
    • Shift: listen to and engage with staff to understand the reason that they’re not complying with policies
    • Reaction to noncompliance is to run awareness campaigns: these don’t work, because awareness often isn’t the problem
    • Give a company the ability to lock things down and they will lock EVERYTHING down - unusable
      • IT don’t trust users to not make mistakes
    • “shadow security” - people finding their own ways of protecting their stuff
    • Analogy to Health and Safety - a super innovative thing at the time - we need something equivalent for security
  • Role of boards
    • Need to pass these ideas down into the supply chain. Otherwise we’re just ‘hiding the mess’
    • It’s not “deep technical expertise or nothing”
    • Need to get rid of compliance culture
    • “It’s not black and white. We are taking risks: what are those risks”
    • Need to find why it matters to the board:
      • Don’t start with compliance: start with risks, and the way it helps you move faster with more confidence
      • Risk is conflated with lack of compliance
  • ?
    • Security is seen as a pain because the sec community treats risk as a checkbox exercise: why should anyone else care
      • conversation is one-way
    • need scalable tools to allow SMEs and small business to benefit
    • Don’t burden SMEs with a load of governance - they can’t handle it
  • Cyber skills shortage
    • Mid-career pivots
    • Need cybersec ability in Law, medicine etc
    • Massive lack of diversity of skills in cyber professionals
      • Need to stop “having a go” and bring in specialists
    • If people keep viewing this as something superhuman, they’ll never think it’s something that they can do
  • Do we underestimate the value of face-time?
    • People remember personal stories
      • War stories, personal experiences
    • Humans speaking in person in a trusted closed circle are more likely to share near-misses
    • Fear campaigns: if people are afraid but don’t have the skills to mitigate risks then you don’t get good results
    • Send the right people: a middle-aged man in a suit is unlikely to get a team of devs to open up to them
    • Need to make sure that people are engaging in open conversations because if not then
  • Advice for CSOs
    • Spend a lot of time understanding all parts of the business - not just the bits falling in security domain
    • Move beyond red/amber/green
    • Stop perpetuating the security silo: it’s everybody’s problem