Episode #59 Great Employee Engagement - Part 2 with Brendan Smith
“I'm not here to produce a shiny security strategy. I'm here to figure out how to secure your business strategy.”
- Brendan Smith
Brendan had a vocational interest in security, across various internet technologies and cryptographic systems, prior to commencing his security career, and maintains his technical interest to this day. He has built high performing teams through authentic leadership, and continues to mentor and coach new entrants into the field, as well as supporting incubators through knowledge sharing.
Brendan's episode is so informative we are going to share it over two weeks. In part 2 Brendan shares his career story and the massive success he has had in security awareness and behaviour change programs, and provides some great tips on how he managed to achieve this.
Transcript
CP: Hello, and welcome to The Security Collective podcast, I'm your host Claire Pales and in today's episode I'm bringing you part two of my chat with Brendan Smith. Brendan was kind enough to share with me in part one some information about ISO 27001 and the implementation of these types of standards in an organisation. And we also talked through strategy and governance and reporting to the board.
In today's chat, part two, we talked about career and how Brendan got to where he is today. And, at the end of the conversation, we also talked about the massive success that Brendan has had in security awareness and behaviour change programs. Make sure you listen right through to the end, because some of the tips he gives around how he managed to change behaviours, and some of the success he had, is absolute gold. Over to my chat with Brendan, part two.
I want to talk a little bit about your career before Tabcorp. So you spent about 12 years at Fujitsu delivering a range of security services to clients. And then in 2015, you made the move to become a CISO at Tabcorp. And I'm interested to understand what made you make that move from the vendor side into running security for a large corporate and what surprised you about the difference between those two?
BS: Fujitsu gave me the opportunity really to see many different organisations and how their risk profiles varied and therefore how they approached security. And we dealt with government departments who had relatively inflexible obligations through protective security, through to financial, manufacturers, utilities that were just starting to realise the challenges of IT in the form of OT, in the form of SCADA networks and devices. And being able to consult and work across those different sectors was a great privilege. And I like to think that as a team, we were able to apply our learnings from one client and so on to the next one. It taught me that security really has to deliver value, we had to demonstrate that we were worth paying for, to be blunt. Because otherwise as a service provider, you will be shown the door. Our services at Fujitsu normally are bundled as part of a larger outsourcing agreement. But of course, they're all clearly identified and defined. And during the course of a multi year engagement, the client situation could change. You know, they might open a new business or a new office, they might, you know, identify new risks. And we had to provide a compelling proposition as to how we could help them to address that.
The other thing that I really learnt as the manager of that team was the importance of those strong personal relationships. The world of IT, and in particular security, is not a big one in Australia. And it was critical that I had a working relationship with the management of our client organisations so I could help with incidents, issues and so on and continue to, you know, build out our business, build Fujitsu's business. So I did that role many years before I was approached to join Tabcorp. And at the time I wanted to move for a few reasons, and Tabcorp was an exciting and, as it turned out, a fun place to work. Firstly, I wanted to be part of a journey and to deliver a meaningful improvement over time, and it's a fact that when you're working for an MSS (Managed Security Services), it can be just a transactional service. You might have some input into strategy, but really that's owned and developed by the organisation, as it should be.
Fujitsu did have some consultative capability. But that wasn't our core deliverable, we were delivering, you know, straight security services. And with Tabcorp, I knew I'd have that opportunity to review the existing situation and then to help to develop a strategy to continue to build on my predecessor's work. It would give me a sense of ownership, I guess, that I wanted, the skin in the game that you get as an internal staff member, where you're building something that's for the betterment of the whole business.
One of the aspects of being within an MSS is you have limited engagements and touch points in the client organisation. So most of my time was spent talking either to internal security staff or the CIO, or equivalent. It's very rare that you dealt with someone outside the IT organisation. Once I moved across into the enterprise space though, at Tabcorp, that changed. Like any new CISO, I took the time to go around and meet the various business heads, understand their ambitions, their pain points. And in the process of that I got to understand the higher level of interest in security that actually exists right across an organisation, and certainly a far, you know, greater level than what you see when you're at an MSS.
Technically, in terms of things that were different, the amount of legacy and complexity was almost overwhelming. So, at Fujitsu, we would try and dictate platforms that sometimes we would be putting in brand new systems, you know, for an organisation that we would use to deliver our service. That's not an option when you step into an internal role. You work with what's in place, the technology, the people and the processes.
And then you seek to sort of incrementally and iteratively change and uplift these. Of course, we went through a merger as well, we brought the two organisations together, Tabcorp and Tatts, a couple of years ago, and I know that anyone else who has been in an exercise like that will know that that's not complexity doubled, that's complexity squared. So you know, there was an awful lot of effort that had to go into that.
The other thing is that whilst you have a lot of, you know, care and love for your clients as a managed service provider, when you are the CISO your sense of responsibility also increases exponentially. And you realise that as the senior leader of an organisation, if we got hacked, or DDoSed (Distributed Denial of Service), or whatever, on Melbourne Cup day, the spotlight was going to shine very, very brightly on me. And I think it's something as a CISO that you feel at a visceral level. And no matter how diligent or committed or engaged you are, as a service provider, it's just not the same.
It's received wisdom that you can outsource security, but you can't outsource risk. I paraphrase that also to say you can outsource responsibility, but you can't outsource accountability. And as the CISO, you're accountable to your executive for the security of your organisation in a way that a managed security provider cannot be. And indeed, you know, should not be. So there's a few things: that sense of ownership, which can bring so many rewards when you become an internal CISO, also comes with a sense of responsibility, and the pressures that come with that. But to me, the rewards outweighed that challenge, and I was very happy with my decision to move from the service provider into Tabcorp. That's not to say that I wouldn't ever go back, you know, that I didn't enjoy my time at Fujitsu. But you know, the internal role was a lot of fun.
CP: You appear to be very loyal. You spent 12 years at Fujitsu, spent five years at Tabcorp, whoever gets you next is going to be very fortunate. I mean, most CISOs transition every two to three years. How do you take your own loyalty and instil that in your staff and teams? Because not just CISOs move along every few years, but the attrition in security teams is quite high as well. I mean, have you got some top tips for sticking around? Is it about choosing the right business, or what is it about you that keeps you so loyal?
BS: I guess the first thing to say is within those longer periods, I had several career phases at times. So, you know, Tabcorp kind of splits into the pre merger, and then the post merger. And that, you know, was a really challenging period, going through that merger. And so with those challenges comes interest and, you know, things that you want to do and achieve, you know, we had to merge. And we doubled the size of the security team and insourced some functions and consolidated tool sets. And we had to do all of that internally within the security team, so we could then turn around and face outwards and assist the rest of the technology organisation with their integration. And during that period, we had to, you know, think about the risks that were being introduced. You know, there's lots of change, which can lead to incidents, gaps, pressure to shortcut security practice, and so on. We wanted to make sure that we maintained the security posture. And that's not an easy balancing act, and one that tested all of the leaders in my team, as well as myself.
But I know what you mean, CISOs do tend to move quickly. And I think it's partly because it's a very stressful role. And sometimes you don't realise that when you're actually right in the middle of it. And I talked, you know, earlier about that sense of responsibility and accountability and so on, but that's only part of it. It's a demanding role from a delivery point of view as well. You're expected to lead a function, manage people, manage budgets, make key decisions that impact on the risk profile of the organisation, educate and inform senior managers and the board, present; there's a lot of actual just stuff that you need to do. For me, spending only a short period of time in one role wouldn't be enough, I want to be able to make a meaningful contribution to the company as a whole, not just the security maturity. And that means spending enough time in, you know, learning the business so that I can design and iterate a security strategy and program that enhances and enables the business strategy. And that's one of the things I've said often, you know, I'm not here to produce a shiny security strategy. I'm here to figure out how to secure your business strategy. And that's kind of a slightly different mindset. And once you've got that, you know, that security strategy that you've put together, you then need to execute on the program. And enabling and empowering your team to do interesting security work and produce great outcomes is probably the single most rewarding thing that you can do as the CISO. I've always found that there are plenty of challenges. And yes, I guess I, you know, I am loyal to an organisation, and to the managers that I've worked for over the years. I'm certainly not one of those CISOs that moves on for the sake of it, or because they feel they've hit a milestone, or for the next big thing. I'm there to do a job, I've been engaged to do a job.
And I'll stay until I feel that, you know, I've reached a natural end point, whether that's, you know, the time at the end of Fujitsu or my time at the end of Tabcorp.
Now, the question about loyalty of the team, I think, comes down simply to how you engage, enable, empower, and how authentic you are as a person. I know that those are buzzwords that get thrown around an awful lot at the minute. Authentic Leadership seems to be, you know, the flavour of the moment, it's been around for a couple of years, I guess. It's really hard for me to actually define exactly what it is that I do in order to, you know, encourage my team members to stick around. Because it's something that I do naturally, it's part of my persona and my personality. I think perhaps it's the fact that I have strong technical skills, I'm very keen to assist and mentor people in their roles and to help to build them up. I don't feel threatened or don't feel the need to, you know, make people feel like I'm the superstar in the organisation. You know, there's a lot of people coming through in security now who are absolutely brilliant, and bringing, you know, amazing skills into the organisation, and who will be far more technically competent than I am. But I think that if you're able to ensure that you build a good working relationship, people will stick around. And I've been fortunate at Fujitsu, and at Tabcorp, both had, you know, low turnover in my security teams. And you know, people have stayed for long periods of time. I've had people who've left for greener pastures, and then, you know, call up for coffee six months later, wondering if they could come back and rejoin the organisation, which is very gratifying. Normally, because after six months, you still haven't managed to fill the role, so it's good to get them back again! So, you know, I think that if people are leading naturally, and leading, you know, with the view to not being the superstar CISO, but rather, you know, we are the security team, and we're going to do this as a team, then the loyalty will come.
CP: I love that it's part of your persona. But also I think your tips were really important. And, you know, the talking around rolling up your sleeves, and because you are technical, you can, I guess, coach and lead in the technical space, as well as teaching leadership traits to your staff as well and setting an example. So as a role model, if you're there for a long period of time, and you're committed and loyal, then people will look up to you and see that as well. And I know that there are many security professionals who do leave and come back to organisations as well, because of the boss, and you know, I've talked a bunch of times to lots of people on this podcast about the importance of having a great boss. And, you know, when you choose an organisation, you're not just choosing that organisation, you're actually choosing your boss, and that can be the absolute make or break of your time in an organisation.
I want to finish up by talking about your passion around employee engagement and security awareness. And I've heard security leaders say that as an industry, we're failing in security awareness, because ransomware still happens and people click on links and people Gmail themselves so they can work at home and, you know, behaviours are possibly not changing as rapidly or on as grand a scale as we would like. And I'd just be interested to know, what's your experience in these influencing behaviour change campaigns?
BS: It's a really, really difficult thing to do. And, you know, it's not been made any easier by the events of the last, you know, 12 months, when everyone's, you know, suddenly had to rush home. Security teams, I feel, historically at least, have had an image problem, you know, as the Department of No or the Internal Security Police. The policies and technical constraints that we put in place tended to show that we don't really trust the users, and really only have maybe a secondary concern about how easy it is for them to do their work. And it's been a bit of a black and white restrictive approach. And then that began to change a little while ago, and some organisations made some great advances with really innovative programs. And I remember hearing about one at ANZ bank, for example. But too many of the changes actually tend to be the same approaches and mindsets, just with more colourful posters. And you can't change attitudes and behaviours like that. We had an external organisation, PwC, come in and do a security engagement culture survey for us to understand exactly how the team was perceived, and what was the general level of security awareness across the organisation. And it was a very illuminating and somewhat challenging exercise, actually, and I remember discussing with one of our managers, who was in my team, I mean, a leader in my team, who said, well, that can't be right. You know, everyone knows where the security policies are. And I'm like, clearly not, because they've just done a survey, and they said it. So it gave us some really clear guidelines about where to focus our efforts. And, importantly, we had to report that to the board, document it and report our progress on it. So it was being taken very seriously at Tabcorp.
Our approach consisted of two main streams. The first was really our power level of engagement, making the team easier to contact with a single email address, ensuring we're sending out lots of information in an easy to understand manner, making sure we were seen as approachable. Warning emails we sent out about phishing and smishing would have screenshots and, you know, not much more than three dot points of what to do. And at every opportunity that I got, I'd go and speak to monthly leaders meetings, town halls, about what was going on at Tabcorp in terms of attacks and our response projects, and what they could do to help as well. But also what was going on in the news, you know, what they might have seen, what they needed to be aware of.
The second thing we did was to make the messaging and some of the threats personal and real. And I think that's one of the key things to helping people to take it all on board. For example, when we ran our security awareness days, we had, you know, displays showing real time security operations consoles, which are always a bit interesting. And they help with the engagement piece: if people see, you know, the IDS blocking traffic from certain nation states in real time, then, all of a sudden, they understand that, well, yes, Tabcorp is under attack. And you know, it's not all just theoretical, there are things that the security team does that matter. And more importantly, there's stuff that they might do that matters as well, because, you know, things were actually happening. Apart from those displays, we had a lot of stuff about how they could secure and store their own personal passwords, what they should do with their Gmail account to prevent phishing, how to set up 2FA on their banking accounts, you know, we would be giving them out information about that. Giving out free antivirus for the home PCs, showing how to switch on automatic updates for Windows, etc. And our logic there was that if you showed people how to be more secure in their personal computing, it would bleed across into their behaviours in the work setting. We wouldn't have this big discrepancy in people's minds between the secure workplace, where incidentally someone else took care of all of that stuff and kept me secure, and the insecure home environment where we just trust that we're okay, because hey, who's interested in me. We made sure that everyone knew that actually, you're facing the same security challenges at home now, you don't have an IT department to fall back on, so here's what you can do about it. And that approach is even more important now, because of the distributed work model that we've got.
So it's absolutely in the interest of all security teams to have the users being educated and aware of what's going on in their home computing environments, because that's where they're accessing the corporate data from.
The final piece that really worked for us was the abandonment of the annual security training "e-learning", and I'm doing the air quotes thing there! We all know how exciting those can be and how quickly they become dated. You end up having to rewrite the module every 12 months, if only to give the staff something different. We moved to having a straightforward induction e-learning module that new starters do along with all the other compliance training that was required in a highly regulated financial institution. And it covered how we do security at Tabcorp, where to find the policies, how to report security incidents, and so on. And after that, we had a subscription to deliver a short, engaging and humorous video to all of our users every month. And they're three to five minutes long, professionally written and produced by people who worked in the TV industry, and with professional actors, and the characters, you know, were the same in each episode. So people got to know the characters, it was sort of like a series or a serial. And they'd deliver one key message a month, and we could tailor which message, we could choose which message we wanted to send through. And I have to say that the engagement that we got from that was absolutely incredible. People would stop me in the corridor to tell me how they would prefer them. People emailed the team, unprompted, to say how much they enjoyed them and how good they were. And the guys in my team who championed that project and got it up and running, they did a fantastic job. The system would send a survey to the staff with a couple of questions, not much more, every few months, and having done a temperature check at the beginning of the whole exercise, it would keep updating that to make sure that we're still getting the engagement.
The really rewarding one was just a couple of months ago - 69% of our staff indicated in a survey that they had changed a personal security behaviour as a result of the training. And that's a great result for two reasons. You know, firstly, it showed we were getting engagement. Secondly, it confirmed that we were changing behaviours and attitudes. And from a CISO's point of view, it is real measured data. And that's just not something you get for security awareness, you know. Normally the best you can get is completion, and here we were starting to get outcome. So we were very pleased with the way that we had turned that around.
CP: Brendan, I'm so pleased that I asked you that question, because there is a lot of gold in there for my listeners around how to develop and deliver a really great Security Awareness Program and a behaviour change program. I'm a firm believer in the term awareness, because being aware doesn't change behaviours, it just is information in your brain. But you know, you need that call to action. And it also strikes me that what you delivered in that program doesn't come for free. And so, you know, investing real money into people, because people are the gap in cybersecurity. They're not, you know, they're not the break in the chain all the time. But being able to educate them as to why they would change their behaviour, and in a way that you're doing it where you're engaging them because they're interested in seeing what comes next. And, you know, I think understanding your audience is so key. And you obviously knew what your employee community was like, and you delivered a security behaviour change program in a way that they would enjoy consuming it. And yeah, I think it's brilliant. So thank you for sharing your wins and your experience. And thanks for joining me on the podcast today.
BS: No problem. Thanks for having me.