Episode #64 The 14 Day Security Challenge with Paul De Arajo
"As security practitioners, we can't be afraid of using old messaging as there are a lot of first time listeners that are still out there".
- Paul De Arajo
Paul De Araja joined NBN during COVID-19 in 2020 delivering security influence programs to protect NBN’s people and assets from personnel, physical and cyber security threats. Prior to NBN, Paul served in local and international Corporate and Government roles in the IT industry for over 30 years with experience in sales, marcomms, corporate social responsibility, compliance, and cyber safety/security roles. For over 19 years, Paul carved his career with Microsoft Australia and abroad.
Paul’s passion for keeping citizens safe in the digital world began as a founding member of the ThinkUKnow online safety and security program. In 2017, Paul joined the eSafety Commissioner in marketing and stakeholder capacity driving awareness of the office and its services to citizens and delivering the annual Safer Internet Day campaign.
Paul joins me in this episode to share his career story, and how he and NBN ran with an idea I had, creating and implementing the 14-Day Security Challenge!
Links:
Transcript
CP: Hello, I'm Claire Pales, and welcome to The Security Collective podcast. Today's guest is Paul De Arajo. Paul joined NBN during COVID-19 in 2020, delivering security influence programs to protect NBN's people and assets from personnel, physical and cyber security threats. Prior to NBN, Paul served in local and international corporate government roles in the IT industry for over 30 years. For 19 years of that Paul carved his career with Microsoft, Australia and abroad. Paul's passion for keeping citizens safe in the digital world began as a founding member of the ThinkUKnow online safety and security program, and in 2017, Paul joined the eSafety Commissioner in marketing and stakeholder capacity. Paul, it's great to have you on the podcast today.
PDA: Thanks. It's great to be with you and a really great opportunity for us to share our joint story.
CP: Yes, well, I wanted to chat to you today about the joint project that we worked on together last year and share some of the outcomes with my audience. But before we do, I'm always interested to understand the paths that people have taken and the reason that they've ended up in cyber. Your role is more focused on communications around people and influencing behaviours. What took you down this path? And why did you join the cyber security industry in this way?
PDA: I started thinking about where it all began, and I do have to go back over 30 odd years to back when I was selling Commodore 64 with data sets and Omega 500s. PCs with no hard drive and a 5 & 1/4 inch bootable disk drive. And you had the choice of monitors, you know, you could buy a monochrome and EGA, a CGA or VGA monitor. And it's very exciting times and of course, they were the 80s. And the closest we came to the internet back in those days was of course bulletin boards. And the hack, well, a hack was some cheat code that you would buy from a computer magazine that you type into Pacland or Outrun, and they would take you to another level. And I'm sure your old school platform game lovers on your show will know what I'm talking about there. But look, I worked through the industry until I was headhunted by Microsoft. And at that stage I was 24 years old. And I really summarise my career at Microsoft is two things. One is I spent half of it making the money and the other half I spent giving it to charity by working through their community affairs area. But my path to cybersecurity, and one of my proudest legacies at Microsoft began when I was working alongside the now eSafety Commissioner Julie Inman Grant. And in partnership with the AFP, we started the ThinkUKnow program which you made reference to. And that is a free, evidence based online eSafety program that provides presentations to Australian parents, carers, teachers and students nationally. So we grew with that program to include all state and territory police and brought on new partners like Commbank and Datacom to deliver on average a presentation every weekday of the year. Talking to parents and hearing their stories really opened my eyes to the online world. And watching them take notes and the looks on their faces, as I spoke made me realise the difference we were making and keeping them and their children safe online every day. So following Microsoft, I joined the eSafety Commissioner, as you mentioned, as well and my responsibilities there were really around marketing, communications and stakeholder engagement. I delivered 3 safer internet days for the commissioner. And this gave me great exposure to the cyber awareness and influence roles in the corporate space, and especially those organisations that are part of the security influence and trust group. And they are of course, a community industry of professionals dedicated to building security awareness cultures. So transforming from online safety to cyber safety was really a natural next step for me. And what better place to lift the digital capability of Australia than to do it of course with the nation's largest broadband provider. So I turned my focus from cyber safety to cyber security and joined NBN. And I did this during COVID. So you think I'm mad, right? Taking over security influence role in the middle of a pandemic. But I had a great team and I still continue to have a great team who have taken me under their wing and really taught me so much and helped me with that transition in those eight months. But my working life was really built on our customer service foundation. I loved serving people in sales. I love the challenge of getting cut through with marketing and communications and engaging in products with stakeholders. And I'm passionate about helping people and making a difference. So in answer to your question, bringing all those skills together, along with my passion for cyber safety and security, it was that natural fit to want to influence people and do it with our staff and of course, through the community that NBN reaches out to.
CP: It's probably a podcast for another day, but I've often had conversations with people about how important marketing is in the cyber security team and how much a CISO would benefit from having a marcomms person reporting to them. And the saleability of the security message out to the internal customers is so, so important. And I think those skills of yours absolutely would make you an incredible cybersecurity communicator, because you're keeping the audience in mind, you're applying your marketing and sales principles to something that usually would be quite technology focused in some organisations. So I'll have you back and we can talk about that another day.
PDA: I completely agree, I often think that sometimes I'm a bit of a translator within the business and being having those skill sets and being able to talk the different languages does make my job a lot easier. So I'd love to come back and have a chat.
CP: Definitely. So we recently collaborated last year on a 14-day cybersecurity behaviour change challenge, which I first thought of last June, and I shared it with my newsletter community. And I was fortunate that Darren Kane, your boss, read my newsletter and helped me to bring this to life as a pilot within your organisation. You and I got to work on this project together. It'd be great if you can share your experience running the challenge. And what were some of the success stats, you know, what lessons did you learn? How did it go?
PDA: Yeah, look, it was when it first got handed to me from Darren, as a 30-day challenge, we were like, whoa, how are we going to deliver on this?! And I have you to thank for that! We have you to thank for the great idea, but I also have you to thank for not giving me a playbook with this as well. But the beauty of having gone through this pilot is we've now got a great playbook. And we're able to share with you and your listeners, and I'd love to be able to help out anyone who wants to try and do the same. But not having the playbook was a bit of a challenge, but we had to be pioneers, and we really built on your idea into something that could really be executed. And mind you again, it was executed by someone who had only been in the organisation for less than three months. And again, it was the middle of COVID, right. So really challenging times. And I think when you hear about the results that I'll talk a bit about later on, you'll see how effective it really was. So along with your great idea and your passion to make it a reality, we started to plan out what would become the 14-day challenge and it was as a pilot program. And the goal was to really develop security conscious behaviours at home and at work by encouraging our staff to do something security focused every weekday. Your listeners may know Darren, and he's a massive advocate of the converged security model. So we brought together the challenges across physical cyber security and privacy as well. And over the 12 day, sorry, over the 14 days, we had 12 challenges because of weekends. And they really focused on passwords and passphrases, phishing, MFA, Wifi, at privacy location settings, applying updates, using a background in teams, how to report serious security incidents within the organisation, promoting NBN security principles to your colleagues so that we spread the message, promoting the security group on workplace, sharing that challenge externally. So we wanted to help you get this message outside of NBN as well, so that was important. And lastly, the one I really loved the most was locating your NBN pass. Well here we were, we hadn't been in the office for over six months, so that's a massive security risk. So where were people's passes? And we had some really creative videos back of people looking for their passes, and it was just really a lot of fun. For the pilot, our goal was to recruit 40 volunteer employees. And we ended up with 47 and 47 really engaged and really creative volunteers. And collectively, we generated over 4000 views in workplace across the organisation, 245 workplace engagements, and surprisingly, we actually started to see employees who weren't participating in the pilot starting to engage. And this resulted in us growing our subscription base to our normal comms by over 100 employees during the pilot. So lots of great success. We did have a survey, which we sent out at the end and I'd like to share some of these results with you, because anyone who's considering this is the kind of stuff you're really looking for. 100% of staff would recommend future challenges to others, with 75% of those strongly agreeing. 100% of staff were more aware of how to resolve security incidents at work after the challenge. 94% of staff thought the challenges taught a broad variety of things to improve security both at home and at work. And we expected this to be lower as some of the challenges were pretty basic, and we were making the techies yawn, but everyone participated and engaged all the way through, which was really surprising. 94% of staff thought the delivery of the challenge was interesting, engaging and fun, and this is important, and I'll talk about this a bit later on. 81% of staff found the amount of time to participate required was not onerous. So we had to make this simple and quick, but effective. And 75% of staff were able to complete every aspect of the challenge over the 14 days. And then lastly, we asked for feedback on things that we could do better next time. And some of those things include gamification, phone call and SMS scams, security settings on popular apps, and maybe some harder challenges for the more technical folks as well.
CP: It's interesting because this idea came about for me, because I'd done a 30 day challenge elsewhere. And I really bought into the idea because it was helping me to change my behaviour. And I'm interested to know why you think staff bought into this idea of security education and changing their behaviour in this challenge style of way. Do you think it was, there's something about the style that got the 47 people on board for the pilot?
PDA: Yeah, there are a number of key reasons. Firstly, it wasn't forced or mandated on anyone, you had to volunteer. And this is key, if you want people to do stuff, they've got to be passionate and engaged about it, it had to be fun. And it was fun. Humour should form a part of any campaign or any communications, when you're trying to get cut through that our employees might feel a little bit dry. Be it cyber security, or finance or compliance, those kinds of things, you've got to be different. It was easy to participate. So each challenge only needed a few minutes of a person's day. And we actually put schedules into their calendars to make sure that they are engaged and not forgetting it was the first thing in the morning. So you didn't let them get into meetings or, or get into work. And the challenge really hit a sweet spot of our employees who wanted to participate. A lot of what we do is normally broadcasts, so a bit of you know, spray and pray in the hope that we're able to get a bit of cut through with our messages when we're competing against other groups within the organisation who are trying to get mind share as well in the same space. But really, I think promoting it as both a personal and business exercise makes a difference as well. And it makes any exercise that's closer to home or in this case, we literally were at home and a lot of them were related to home security, increases your chances of success. So things that they could take home and implement in the home are really beneficial. So again, I'll remind you, it wasn't mandated, but senior management really got behind the challenge and supported it with fun face to camera videos and supportive workplace on posts. And of course, we had the pleasure of introducing you to our staff with the videos that you made for us. They got really great hits, and they were really well received by our staff. So thank you for the idea and actively being involved in bringing this to life at NBN.
CP: Security awareness is kind of my area of passion when it comes to security. And while it's not normally something that I do in my day job in my business, you know, is something that I believe is central to everything around security and how organisations are going to become more secure. So yeah, it was really fun, a really fun activity for me to do and, and I was stoked that an organisation sort of picked up my idea on a whim and moved forward with it. So we had some diversity in you know, you talk to us now about senior leadership buy in at the top and there was some diversity in the types of people who signed up across your business for the challenge. What would be your key tips for influencing different levels of the organisation to make change when it comes to security? For example, how would you go about educating the board for example, to change their everyday security behaviours, as opposed to say someone who's in the finance team?
PDA: So we had every business unit engage in the challenge. And a lot of that work starts well before the challenge right. We actually do a lot of work in engaging our employees and really building up those champions within the business that sit across the business groups. So they were key for us to then get deeper into pulling in new employees who hadn't been engaged or sharing security messages and challenges in the past. So leveraging those champions is really key and getting them to promote. But attacks can be role specific, we know that right? There is no hierarchy in attacks that are coming through. Whether it's a finance scam coming into accounts with a fake invoice, or an employee who is socially engineered or a high profile board member and their EA being sent a sophisticated phishing email At the end of the day, the end goal is the same. So I really don't see and think there is a hierarchy that needs to be addressed there. Ultimately, they're just trying to get in. And whether it's at the top or bottom, or somewhere in between, it doesn't really matter. So we do targeted role based training. And it's contextual for a specific audience focusing on how it affects their roles and their teams. It's the same message, it's just packaged a little bit differently based on that audience, we need to talk their language for them to come on board and come on the journey with us. But in general, I found with any campaigns, what I was referring to before, there's 20% of people who will engage from the beginning, right, our champions they're just in. There's 20% of people who just don't care, and won't care until they're impacted. But my job, I always focus on the remaining 60%, they're the people who are interested, but just need a little bit of help coming to the party. Now, they know they need to take the time, they want to take the time, but their time poor, or the priority just isn't high enough on their to do list. So my job is to elevate that priority to nurture those already engaged and develop those with that interest. And in the case of the challenge, well, we had to make it personal. We started with 30 challenges, which scared the hell out of me, and then broke those down to the key 12 that we ended up with. But we knew that those would spark the interest across a very diverse group. So my tips that you asked for, I would say start planning early. And ensure you've really thought through the plan, from recruitment to marketing, communications, volunteer support, how it aligns to your business objectives, and really the outcomes that you're seeking. And more importantly, how you're going to measure them at the end. What is it that you're trying to drive as a change here?
CP: Yeah, I think your point around context is really important, because I remember when we came together, and you know, it was originally a 30 day challenge, and I'd sort of done a brain dump of 30 ideas that you could have across the 30 days. But they were so general, and then by the time the pilot actually happened, it was so contextual for NBN. You know it was about how your organisation would reflect best on these 12 challenges that you ended up having. And that, you know, as you say, you know, a lot of the people that are involved in how they're going to respond. And so you know, my sort of general umbrella things that people could change across the 30 days, became very specific and contextual to your organisation. And the planning, and the measurement is so important, because we can't do behaviour change activities in a sporadic sort of way, and hope that people will change their behaviours, we actually want to see what's today's baseline and where did we get to by all this effort that was put in by yourself and your team and also the 47 people that were part of it. You want them to see that something good came of their efforts as well.
PDA: Yeah, completely. And it wasn't just 47, it was like 147, because of the people that we touched externally that were hearing about it and wanting to play in the space as well. So I definitely agree.
CP: Yeah, I just want to finish up by talking about sort of awareness in general. And if you look back over the sort of last decade, or maybe even two decades, it sometimes feels like we haven't made much progress. And changing people's behaviour in relation to security is really, really hard. And some organisations are still stuck back at, you know, an annual compliance training. What do you think needs to dramatically happen to improve the way people think about security in their everyday activities, both at home and at work?
PDA: Yeah, look, I talk to my colleagues a lot about this. We do have a long way to go, there's no question, I definitely agree with you there. But I really do feel that we're getting traction as awareness grows. But as practitioners, we've got to be patient. We can't be afraid of using old messaging, as there are many first time listeners that are still out there. And we can't get fatigued thinking that nobody's listening or learning because they are. And for those of us in the awareness space, we've really got to look at things that have worked in other spaces like road safety, and sunscreen, or more recently, the public health campaigns during COVID-19. You know, the fundamentals are basically the same. We need to be better at not making people feel paralysed. You know, there's no bad actors in skin cancer, or car accidents. Nobody's targeting you, right? But in cyber, we've got sophisticated bad actors. And people feel helpless when they hear people talking about Chinese or Russian state based attacks. And they feel like well, that's a bit out of my scope. But what we want to make clear to them is that these issues are occurring and that they do exist. And we want them to know that your average scammer isn't that sophisticated and that the small changes they can make like passwords, keeping their devices updated, not over sharing personal information, can all help protect themselves and ultimately, as employees be protected in the business as well. But people can be empowered by doing some really, really simple things. Education is really key. You know, I often think of my wife, when her eyes start rolling when I start talking about cybersecurity, and mind you, she has been a victim of cyber security not once, but twice. But of late dinner parties when someone asks what I do, and of course, we start talking about phishing emails and ransomware that are now getting closer to home in our own backyard. I find my wife is actually listening. And especially when I'm not repeating the same stories, right. We've got incidents happening now on a weekly or daily, or every few days there is an incident occurring. So I've got plenty of stories. But I've really found that once it starts impacting people's lives, and in the case of my wife, like when her favourite breakfast TV show is interrupted, the penny starts to drop. So the last thing I sort of want to end off on this point, is it a bit bittersweet. I think the media is doing a great job in raising awareness with headline reports and cyber attacks as I said, almost every day. It's, you know, bittersweet. We don't want them, but they're there. But they're really helping drive that awareness, and I think it's just too hard to avoid today.
CP: Your comment around comms that have an emotional attachment or emotional language, emotive language is so important, because you've got to sort of hit people where, personally they're going to be impacted. I've loved chatting today, I loved working with you last year, it was very fun. You've got a really, really great group of engaged users over at NBN. And, and you know, I think you guys should be really proud of how you rolled out this idea that was really just a back of a napkin idea that I put out there in the world. So thanks so much, Paul, for coming on the podcast and sharing your experience. We have had Darren on the podcast earlier in this season as well, so a big thanks to NBN for sharing your cyber professionals with the podcast. And, Paul, I'll see you again, I'm going to hold you to that and invite you back to talk about how to inject marketing messages into your cyber security comms.
PDA: Thanks again, take care.