The Security Collective

View Original

Episode #75 Marketing Cyber 101 with Paul De Arajo

See this content in the original post

After joining the podcast as a guest in Episode 64 ‘The 14 day Security Challenge - Paul De Arajo is back as we continue our chat about the role of marketing and communications in cybersecurity risk management.

Paul joined NBN during COVID-19 in 2020 delivering security influence programs to protect NBN’s people and assets from personnel, physical and cyber security threats. Prior to NBN, Paul served in local and international Corporate and Government roles in the IT industry for over 30 years with experience in sales, marcomms, corporate social responsibility, compliance, and cyber safety/security roles. For over 19 years, Paul carved his career with Microsoft Australia and abroad.

Paul’s passion for keeping citizens safe in the digital world began as a founding member of the ThinkUKnow online safety and security program. In 2017, Paul joined the eSafety Commissioner in marketing and stakeholder capacity driving awareness of the office and its services to citizens and delivering the annual Safer Internet Day campaign.

Links:

Paul LinkedIn

Episode #64 - The 14 Day Security Challenge with Paul De Arajo


Transcript

CP: Hello, and welcome to The Security Collective podcast. I'm your host Claire Pales and today we're welcoming back Paul de Arajo. Paul, it's great to have you back on the podcast.

PD: Thanks, Claire. It's great to be back, thanks for having me again.

CP: So I want to take listeners back to earlier this year, episode 64. I've had a habit of narrowing in on great topics from guests just before we're about to finish up. So when we were last together on the podcast, we chatted about the role of marketing and communications in cybersecurity risk management. So I want to dive back into that. And you mentioned you had some stats around engagement and all sorts. So let's go back to that podcast for another day and chat about that now.

PD: Yeah, look, last time we were together, we were talking about the 14 day security challenge. And that conversation led to how we sort of marketed and communicated the challenge to our employees. And during the podcast, I made a comment about how I segment my internal audiences. And I said, but in general, I found that with any campaign, there’s 20% of people who are your champions and just want to engage, then there’s those 20%, who don’t care, and never will, until they’re impacted. And then during that podcast, I said, I always focus the majority of my time on that remaining 60%. And look, I found this to be true throughout my career, leading marketing, communications, compliance work that I’ve done, or the 10 years that I spent with Microsoft, managing their corporate and social responsibility programmes, where I was responsible for getting employees engaged in giving back to the community, I found those stats hold true all the time.

CP: So how do you get these stats, or how do you use these steps to focus your time in driving influence in awareness with those 60%? 

PD: Look, as with any marketing campaign, and I'm conscious of the type of audience that you have may not be marketers or communicators. So I'm going to sort of keep that in mind as we go through. But you need to find your target audience and you've got to develop a message that's going to appeal to that audience. As we discussed last time, I do segment them by those 20% are champions, 20% who don't care, and that large segment of that 60% is where it's most fruitful. And that's where I do focus that time, those 60% of the people who are interested, but just need a little bit of help coming to the party. They know they've got to take the time, but they're time poor, it's just not a priority, it's on the to do list, but then it always gets pushed down that to do list. My job is to bring it up to the to do list. My job is to elevate the priority for them, and to nurture those who are really engaged and develop those with that interest. And this isn't to say that I don't pay attention to my top and bottom 20% either, they're obviously important as well. But interestingly, I do spend a lot of time on the bottom 20% when they pop up in my phishing reports, or on non-completion training reports. And that becomes more disciplinary actions, rather than trying to market and communicate with them. And look, it's important to of course communicate and keep my champions engaged. You know, they are my champions. They're a champion for a reason, they're passionate. But it's really important that I spend time with those guys and gals as well. I spend a lot of my time being a translator. I take complex techie and policy talk, and I translate that into a language that staff at all levels is going to be able to understand but also to be interested in as well. And considering your audience, as I said, what I thought might be valuable, was to do a bit of a quick intro into marketing and the marketing mix and maybe use some examples if you don't mind.

CP: Yeah, that'd be great.

PD: Okay, well look, the marketing mix is quite simple. And you've probably heard it before you know, it dates back to the 1950s Product, Price, Promotion and Placement, the four P's. And applied simply, we can use one of the world's best marketing campaigns as an example and a simple can of Coke. So what's the product? What are we trying to sell? A can of Coke classic or Coke Zero. What's the price is how much is going to cost, $2.25 at Woollies or maybe $3.50 at a service station. But really, it's about finding the price that drives the ultimate value to the customer. Are they willing to pay $3.50 to get a classic or Coke Zero taste in their mouth? Promotion is all about how you tell people about it. What channels are you going to use? Could be a TV commercial could be a billboard, an instal service station promotion. These are the kinds of things that they might use to promote. And then about placement. How am I going to put this product into the hands of my customers? At Woolies I could pop it in the drinks aisle or I could pay Woolies a little bit more and have it put at the checkout so that you grab one on your way out at a service station. I could dump a pallet at the doorway so you see it as you walk in to pay for your gas or I could advise my service station staff to promote it to customers as they pay, you know, would you like a can of Coke, two for one offer whatever else it might be. And the last point on placement is how do I get the product there is really important. How do I get it to Woollies? How do I get it to the service station for that price point as well? So let's apply that to a security lens. So my product here at NBN is the security of NBN. That's the product that I'm trying to sell. I'm going to use marketing terminologies here. But perhaps my campaign goes a little bit deeper than just security. And today, I want to focus on selling phishing attempts and the impacts of phishing attempts to my staff. What's the price? Well, they don't pay for it, but if we get breached then we will certainly be paying for it, right? So the impact is the price of the breach and the organisation due to the employee's negligence by clicking a link in a phishing email. Promotion, we have a tonne of tools and I'm going to talk a lot about these later on. But I've got a tonne of tools, they might be internal communication tools like Workplace or Yammer, they might be digital screens that I have in the office, they may be emails that I send out, flyers that are leaving the kitchens or I might get a little bit creative and go and put them in the back of toilet doors. Or I might get physical and I'll stand, and I have done this before, stand at the car park entry and as people drive in I'll be handing them a flyer and trying to get these points across, or I'll do it at the lifts in the foyer. So you know, there's different ways in which you can go about being quite creative. And of course, it comes down to the amount of money and resources that you've got to execute a campaign. And the last is placement. And this might be the workplace site that I have the info that I'm trying to get people to. I need my employees to know about this information, so it could be as simple as a hyperlink to a training module, or it could be an outlook invite to a face-to-face presentation. So it sort of gives you a bit of an intro to marketing and how we might use a campaign in trying to drive a cybersecurity campaign. So I was recently having a chat with one of my Citigroup colleagues, Blair Adamson, from Telstra, about influence versus awareness. And he speaks a lot about this topic, he's quite passionate about it. And we were talking about a whole different audience that we have to influence that is more than just our employees. And that's to influence the teams that are responsible for our technology. So as a really simple example, the IT teams will come to us and say, hey staff aren't using strong enough passwords, and they've got to change them every 90 days, can you help me communicate this? So I could run out and do that, or, and that's my awareness job is running out and doing that, or I could say, hey, I influenced the IT team. And I say, well, why don't we just force a 14 day character passphrase on the employees at a next refresh, and we only have to do it annually. And then you do your awareness job, and that is telling the employees the great news! Hey, you're going to have a passphrase from now on, it can be simple, you're not going to have to change your password every 90 days, and they won't need to include special characters, a number, a capital letter or your bloody blood type(!), you know, it's going to be really simple. So it's a really simple message to sell. And once they've done it and realise how simple pass-phrases are to remember, they should go out and tell their friends and family about how simple and secure they are, as well. So we start to spread this outside of the organisation. So I do spend time influence on my IT teams, and influencing and driving awareness with our employees. But ultimately, I'm really interested in driving behavioural change with both of those groups.

CP: It's a topic that I've spoken to a few guests on the podcast before and I'm quite passionate about it as well. Just because you're aware of something doesn't mean that you're actually going to change your behaviour. And there's a lot of carrot as opposed to stick when it comes to cybersecurity awareness as well. And, you know, trying to sell the positive benefits to our staff of doing the right, in inverted commas, "the right thing", as opposed to staff really understanding the impact of what inappropriate behaviour or clicking on the wrong link might actually cost or cause. And I feel like if we can influence them to make the change because they can see the impact it would have if they were to do the wrong thing or to cause an incident, that's more likely hopefully to compel them to have that healthy sense of paranoia, as opposed to just blatantly you know, going away and doing their job and worrying about productivity, but not necessarily seeing the impact of their behaviours. Because it only takes one as we say, and there's, you know, thousands of people in an organisation that could lock the whole thing down. You know, it's, I guess, inevitable to an extent that organisations are going to experience that at some point.

PD: Yeah completely, look as Darren Kane always says, you know, the hackers only have to get it right 1% of the time, we've got to get it right 100% of the time, right? So you're absolutely right. We feel we've come a long way in getting our employees on that journey. And that's been through a whole bunch of different ways of doing it over the years, you know. Whether it's, hey, what's happening to you in the business can happen to you at home, so why don't you listen to this and take it home or vice versa. Bring those habits that you're using at home back into the office as well, because ultimately, you know, I did speak about this in the past a lot, is that people are the CISOs in their own home as well, right? They are responsible for the network that uses the connectivity, and what's occurring in their homes. And I do find that what they learn at home and bringing those lessons back to work and vice versa actually do work quite a lot as well. But we have found that employees are really starting to get on board and our media has had a lot to do with that, you know, it's every day there's something happening in the news around this particular topic, and people are starting to be concerned about what's happening with their data, the security of their connectivity. So I think those all those things are working together to help drive security awareness behaviours.

CP: I know that obviously, you've worked in this space for a long time and most bigger organisations do have communication professionals focused on cyber within their operating model or in their team. What do you think's the impact of not leveraging communications as part of a cybersecurity strategy?

PD: So you may need to look at the huge increase in reports of scams and financial losses to Scam Watch. You know, they’ve seen over 45,000 phishing reports and over 3 billion in losses, and that’s compared to 1.6 billion for all of last year. Or you can take a look at the ACSC’s Annual Threat Report, that flags ransomware and business email compromise as key cybersecurity threats for Australian businesses. They found that ransomware has increased nearly 15% from last year. And the average business email compromised loss was over $50,000. That’s 1.5 times higher than last financial year, so we’re seeing a clear trajectory there. But regardless of the size of the business, or the amount of communication resources you have, there are many resources available to businesses for them to share with their employees. And ACSC Small Business Cyber Group, cybersecurity guide or step by step guides and their quick win guides are a great place for those organisations to start. You don’t have to reinvent the wheel, you don’t need someone doing this full time if you’re a smaller organisation or don’t have the funding or the resources. So I understand that organisations are resource and time poor. And I do encourage them to find someone within the organisation that perhaps has an interest in the cyber world, and who can be the champion of the cause within the business. And then what I would encourage those organisations to do is also designate time in that person’s role to allow them to go do some research and drive communications within their organisation. So it’s, you know, not a full time job, but it might just be, you know, a couple of hours a month or a week that they can dedicate, in driving awareness through the organisation, because ultimately, the organisation and the employees are the ones who are really going to benefit and avoid the breaches, right?

CP: So if someone was to be taking on that role, as you say, on a part time basis, and leveraging some of those tools that you've just talked about, if they were planning a comms strategy, what would the structure look like? I mean, do you do you look to current affairs, you know what's going on, I guess, you know, from a cyber perspective, globally or locally, or are your topics more sort of methodically planned out throughout the year? How would someone best go about say a 12 month cybersecurity communications plan or strategy? Should it be dynamic? Or should you think to yourself, okay, this month, we're going to talk about this and this month, we're going to talk about this? Is there a right or wrong way to approach it?

PD: I don’t think there’s a right or wrong way. And I think the answer is perhaps a little bit of both. You know, current affairs are important. And there’s no as I said earlier, there’s no shortage of media stories for organisations to leverage. And to give you an example of comms working through my champions, that 20%, those guys are constantly posting stories on workplace literally on a daily basis, and they do get great readership right. So they are important, those stories are important for people to understand, oh, wow, this can happen to anybody, this isn’t just happening to the organisation itself. It’s happening to individuals and it’s happening both at work and at home. But for me, I really do think that planning is key. Not only does it help me with getting dollars for to execute my campaigns within the organisation, but it helps the whole organisation plan their resources in order to help my team get the message out. Going to one of my stakeholders at the eleventh hour causes anxiety and stress, and usually results in a poorly executed campaign. When you advised this was a topic that you wanted to talk about, I got really excited. And the reason I got excited is because I’ve literally just three weeks ago rolled out our very first 12 month campaign plan that takes into account every single significant cyber focused event or national day. So I’ve got this massive calendar. It’s got things in there like the ACCC and Scamwatch Scams Awareness Week, which is coming up next month. It’s got the Safer Internet Day in February. It’s got the Office of the Australian Information Commissioner’s Privacy Awareness Week in May, it’s got World Password Day, WIFI Day, Backup Day, Cyber Monday, Black Friday. And that includes those days that you might not think about - April Fool’s Day, Valentine’s Day, back to school, and tax time, right? These are all days where the scammers come out, and you know, want to play on people to people’s emotions. Whether it’s a dating scam or a romance scam on Valentine’s Day, or tax time trying to take advantage of ATO communications. So my team has just finished delivering this plan. So we brought, we went out and thought about all of our internal stakeholders, comms, social media, marketing, media, corporate affairs, my retail service provider teams, my call centre, and even our community ambassadors who are out in the community helping communities connect to the NBN in delivering important security messages. So now these business units know 12 months out the what we are doing, they know the when we’re doing it, and now they can implement into their own plans, the how they’re going to help me and my team get it out and do it. And that plan is really backed by a timeline framework, we’re not just saying this, what we’re going to do, and then you know, we rock up, the day rocks up, and we’re not ready, we built in a timeline framework. So six weeks out of any one of these events, we start communicating with our internal stakeholders. And then of course, at the end of it all, we close out with a review and the measurement, post the activity, to really see if we want to do this again next year. You know, there’s nothing worse than executing a campaign not measuring that it’s failed, but you go and do the same thing again next year. So as I mentioned in our last chat, the content has really got to be engaging. And it’s got to be fear monger avoiding, and humour always works. And we recently made a tonne of funny videos using our executive leaders that have been received really well.

CP: By the way, I love the idea of the executives getting involved, I think, you know, it's got to be from I know, it's a cliche, it's got to be from the top down. But it's absolutely true. You mentioned in there that you measure and check, you know, how things have been received? And do you want to do it again next year? What's the best way to get feedback on whether your comms plan is working? And I guess, what type of metrics are you monitoring that others might be able to learn from as well? 

PD: Yeah, look for me, the simplest answer is to ask your stakeholders. Yeah, that’s the simplest thing in the world, I will get more detailed. But you’ve really got to go back to those folks, if you’re not going back to those folks who you’re doing things for, or doing things for you, and don’t communicate about the value to either of them, they’re going to be reluctant to want to do this again with you. So if you want to know if it’s worked, go to your stakeholders. And some of those stakeholders aren’t going to know the outcome because they’ve been part of the process. But you need to let them know what the outcome was so that they know how they assisted you has made an impact on X, the business, the community, or whatever it might be. So in our plans, we schedule post campaign debriefs to measure the value and consider whether the same activity as I said, makes it into the cookie cutter for next year. And using those videos I mentioned as an example, through the use of humour, we’ve been able to see a deeper level of engagement from our staff. They haven’t just liked the videos or the posts like they have in the past. They’ve actually shared them and left comments you know about how funny they were or whatever it was. So, you know, they’re starting to get more engagement through that kind of activity. The great thing is, is that we’re not always having to come up with creative ideas. We are borrowing with pride from others. And let me give you a couple of examples of that. You know, as you said about the the SLT getting on board, you know, Darren was not for a second embarrassed about getting in front of a camera and trying to become a comedian. We actually had him reproduce, I don’t know if you’ve seen it, but Michael McIntyre’s password skit on YouTube. But you know, we had him watch it, we wrote it for him and he really delivered it as a stand up comedian and people loved it. But the thing was, we’re getting these really funny subliminal messages across to our staff. And then another one is one I did with a colleague of mine at NBN, where I am this obsessed person who wants to get 100% of my staff completing their training and you see me interrogating them throughout the office, those people who haven’t done it, and it’s quite, quite funny. And this is the way that people are really wanting to interact. So they’re fun, they’re fun making them and our staff have a laugh, but they also learn, and as I said sometimes subconsciously, and that is really key. But, look, we’ve got a tonne of ways that I can share with your audiences. So we’ve got mandatory security and privacy training with a knowledge check that they must pass. And that’s a good measurement of ensuring that staff are hearing the message at least once. But like any good marketing campaign, we’ve got to ensure the messages are repeated. And our campaigns that I’ve been talking about are about that echo. And we have measurements, like, of course, your engagement and interaction on our workplace platform. So yes, are they liking things, sharing things, are they leaving comments? We measure our click rates from our drills, our phishing drills, and they’ve really been successful. I know you touched on a word before, you used the word paranoia. Our phishing drills have been really successful. We’ve now had this paranoia about our phishing drills, where it’s driving that conscious behaviour, or change, about questioning email sources, the attachments or hyperlinks in them. And we’re having people come to us and ask, even when we’re not doing a phishing drill, so it’s actually working. We also measure the proactive invites from business units to our team, not something that people might think about. But when you’ve got teams are saying, hey, we’ve got an all hands coming up, would you mind coming and give us a security update, that is a key driver of awareness and influence. And you’re hitting a full team in one hit. We measure our social stats, we measure bums on seats, and obviously in COVID world of virtual bums on seats, at our drop in presentations that we deliver. Where there is resource and time available, we do conduct surveys, they’re really effective. But of course, they do take time, and they do take money. And we also do post implementation reviews, to see what we’ve done before, whether it’s been effective, yielded those results. And as I said before, whether they’re worthy of doing again. And as I said, we always share those results with our stakeholders, so we’ve got their support for future campaigns. But really look, the fruits of the labour from our annual campaign planning that I was excited to talk to you about, is going to show itself over the next 12 months. And I’m really hoping that there’s going to be a significant shift on the behaviour needle from our employees.

CP: And I think that's, you know, all you can hope for, because, you know, clearly you're working on innovative ways of reaching those audiences. And the best thing that you can do is keep checking in if what you're delivering is working. But that loop back to those people that I mean, essentially, if we come back to the Coke example, these are your customers, you know, these are the people that you're trying to get to buy into your message. You know, whether it's a can of Coke, or don't click on that link. At the end of the day, you know, I think it is marketing, and I think it is giving them a positive opportunity to make a difference. And you have to, I guess, change those messages all the time. And yes, there's an echo, which I believe is really important. But finding new ways of getting the initial messages out to people is I know something that you're really focused on and something that you guys should be incredibly proud of.

PD: Yeah, look, I think Darren talks a lot a lot about this. And he's, you know, he's walking the talk in hiring people that are not from cyber. I came from eSafety, three years of eSafety prior to coming to NBN. But before that, I was marketing and comms. And I think Darren really realises that, you know, he can't have a cyber person talking cyber language to people who don't understand cyber talk. And it's really bringing in roles and people, and he's doing this across the board, not just with marketing and comms, he's bringing in people to do all types of cyber roles that don't have experience in cyber because he really sees the benefit and the value and the different perspectives that they can bring in. So for me, it's been a great learning curve, I'm growing in this cyberspace by learning so much, but  I'm also leveraging my past skills there. So it's a win win for both the organisation who gets to get my marketing comms skills, but I also get to get back from the organisation by learning so much more about the cyber world. So I think it's a great win win. And I really encourage organisations to go out there, as I say, if you if you can't afford the people, then get them. Awareness people are fantastic and valuable. And if you can't afford them, then you know, look at potentially giving that responsibility to one of your employees as I spoke about earlier.

CP: Definitely. And look, Paul, thank you so much. You've shared an incredible amount of tips and advice and experience and research around what works and what doesn't. And so I really appreciate what you've given to my listeners today. And it's been awesome to have you back on the podcast in season eight. And for those of you that want to go back and listen to Paul on episode 64, he shares lots of really great information about the 14 day challenge that was done at NBN. And also just comms in general when it comes to cyber. So thanks so much, Paul. It's been great to have you back.

PD: Thank you, Claire. Always great to see you and speak with you, so thanks for having me.