87. Cyber Nudge Tactics with Christie Wilson
Claire talks with Christie Wilson, the Cyber Resilience Manager at UniSuper, where she helps employees understand cyber security threats and how to take the right steps to protect themselves. They cover how hard it is to measure cyber behaviour change through metrics and also the lessons Christie has learned in nurturing security champions at UniSuper. Christie also shares her use of nudge tactics and how consistency is so vital in behaviour change.
Christie brings a business lens to technical challenges by giving employees simple, easy to understand advice on cyber safety for work and home, as well as up-to date information on the latest cyber security threats and how to respond. Christie is a senior IT leader with over 25 years’ experience in both the vendor and corporate IT roles. Before moving into cyber security four years ago, Christie’s IT career spanned roles in sales, service delivery and management, vendor governance and management, and IT governance risk & compliance. Christie has a BA in English Literature and Sociology, and a Graduate Diploma in Social Science from the University of Tasmania.
Links:
Transcript
CP: Hello, and welcome to The Security Collective podcast. I'm your host Claire Pales and today's episode continues the security behaviour change theme for this season. My guest today is Christie Wilson. Christie is the Cyber Resilience Manager at UniSuper, where she helps employees understand cybersecurity threats and how to take the right steps to protect themselves. Christie brings a business lens to technical challenges by giving employees simple, easy to understand advice on cyber safety for work and home, as well as up to date information on the latest cybersecurity threats and how to respond. Christie is a senior IT leader with over 25 years of experience in both vendor and corporate IT role. Before moving into cybersecurity four years ago, Christie's IT career spanned roles in sales, service delivery and management, vendor governance and management, and IT governance risk and compliance. Christie has a BA in English Literature and Sociology, and a Graduate Diploma in Social Science from the University of Tasmania. You can feel in our chat today the passion Christie has for her role and the subject matter of cyber resilience. We covered how hard it is to measure cyber behaviour change through metrics and also the lessons she has learned in nurturing security champions at UniSuper. One of my favourite methods Christie uses is nudge tactics, and how that consistency is so vital in behaviour change. I hope you enjoyed listening to Christie's stories today, and I'm sure you'll take something away from her experiences. Please welcome Christie Wilson.
CP: So Christie, thank you so much for joining me on the podcast today.
CW: Thanks for having me Claire. I'm really, really excited to be here.
CP: So firstly, you weren't always in cyber influence, what got you interested in being a leader in this space?
CW: It was Anna Leibel, and I know that you know Anna well. She joined UniSuper in 2017 as our CIO, and it was really her that encouraged me to have a look at security. So when she came along, I was looking for a new challenge, the role that I was in wasn't sparking joy for me anymore. And I'd always dabbled around the outsides of security through being involved in the audit programmes. I was familiar with the pen tests and the annual security audits that we did. And we've recently done a security maturity review and Anna suggested that I have a look at it. So I went in initially to help with an audit has just been done and what we needed to do to do some uplift in that space. And then we got some really passionate security people join UniSuper. And they really sparked that interest in me that that's led me on the journey that I'm in that I'm on now. And two of them Vijay Krishnan and Magesh Dhanasekaran were really pivotal to encouraging me to learn and really supporting me in my growth and development in security. But ultimately it all comes down to Anna, she changed the course of my career. And I'm going to be forever grateful to her for that.
CP: And as a very good friend of the podcast, still holds the mantle for the most downloaded episodes. Yes she's very generous with her time and definitely with her leadership. If we look at cyber influence as an initiative or a programme, it's one of the hardest things for people to measure. How have you gone about putting metrics against your work?
CW: It's so hard to measure that you're making a difference, because this is all around behavioural change. So when I was first starting to think about how can I demonstrate that we're making progress, I started by looking at the key things, what are our top human risks? What are the key behaviours that most effectively will help manage those risks? And importantly, how do we motivate people to change their behaviour? So focusing on working to manage the human risk we do through our annual NIST controls assessment. So it was really looking at the NIST controls that we wanted to put in place to manage human risk, baselining those, and then tracking them on an annual basis to demonstrate improvement, or equally to highlight areas where we've got to do more work. Then the ongoing demonstration is a mix of qualitative and quantitative metrics. So the quantitative metrics are things like the phishing click rates, the phishing reporting rates, training rates, number of people that watch our awareness videos, number of security champions. But the qualitative things is really the engagement. So what kind of feedback are we getting on the initiatives that we're delivering? How much feedback and we're getting? How often are people proactively contacting me or the security team with information or questions. Or even things like, you know, this looks weird, what do you think? So an example of that is when we run our phishing campaigns. So when I kick off a phishing campaign, if people contact me to say, hey, is this phishing, or even during the month when we're not running campaigns like, this is weird is it phishing? That's an example that our training is working. So that's really a qualitative measure that our training is working. And one of the best examples I've ever had of that was one Sunday morning, a couple of years ago, when I ran into one of our employees in the Coles carpark up the road. And he said to me, that phishing simulation that you sent out on Friday was fantastic. And I've reported it and I let the team know. And it was great. The thing is, it wasn't a phishing simulation, it was a real phishing email. So that, to me, was a really great demonstration that our training is working, but also that we're getting engagement from people.
CP: I love that. And I've been in organisations myself, where a real phishing event has happened on the same day as a simulation. And I mean, you can't obviously predict those types of things. But what an awesome piece of feedback for you that they knew what to do and they thought that it was just you, you know, carrying out the usual scenario exercises. I think one of the things that really interests me about awareness and behaviour change programmes in particular, is that people feel that they've got to be funny or zany, or, you know, they have to be cartoon like, in order to be engaging. And this has been a trend, I think, with information security programmes where we're trying to educate. Do you think that this is because if it's fun and zany, the FUD factor (Fear Uncertainty and Doubt) can be taken out of the messaging? Do you think that having something this light hearted works or what's been your experience?
CW: I think you're right. I think the thinking behind it was very much making things funny or zany so that you would get buy in from people. So I found that a lot of people who don't work in the security space are intimidated by security. They're scared of this concept of cybercrime and cyber criminals. They're hearing it in the news all the time. And they're being conditioned by those bad things that they're either seeing in the news, or the stories that they're hearing from friends and family. So I think the thinking behind awareness initially was to make it fun, as a way of reducing that fear. But the danger with that approach is that the cyber influence team can then develop a reputation for being seen as the Entertainment Committee. And what I mean by that is that if you make everything jokey and funny and zany and cartoon like all the time, we can miss that serious message that we want to deliver. So I really think you've got to consider the message that you want your audience to take away. For example, one of our cyber evangelists last year shared her identity theft story with me. And I thought this would be a really great story to share with our cyber evangelists at one of our monthly meetups. There's nothing funny or light hearted about his story. In fact, it's quite a scary story. It's her talking about her suffering identity theft, about 10 years ago, when a copy of her driver's licence was photocopied in a store in Moonee Ponds where she was getting a mobile phone. She was like one of about 20 people whose ID was stolen. And she talks about the ongoing impact that that's still having for her nearly a decade later, there's all sorts of different impacts. So she's really authentic when she talks about it and she's also really vulnerable in his storytelling, because this significantly impacted her and it continues to impact her. She presented this story at cyber evangelist group, it got really great feedback and she's now presented this story several times to other groups across the organisation. And each time she shares it, we get really great engagement and feedback. And employees come up to us afterwards and they talk about how they've changed their behaviour based on her story. So this is a really serious story, there's nothing jokey, there's nothing zany in it. But it's got a really important message. So I think considering your audience and considering the message that you want them to take away from the information that you're giving them, storytelling is really important. And being authentic I think is the key.
CP: So these groups that you call them, cyber evangelists groups, and some other companies might call them champions. So these groups that you are bringing together, tell me a bit more about the programme. I know you've been working to embed these champions in your business. What are some of the lessons you've learned through doing that? And what's the value I guess, of having these people throughout the business?
CW: So I set up our security champions network about 18 months ago, and I set it up in the middle of the pandemic, which meant that I had to do everything remotely and over Teams. So in hindsight, that's not the best way to set up a group. Because you're not, you're not having that face to face interaction and just that opportunity to meet people in person. But it was the best that we could do in a situation where everyone's working from home. And I really started the group with support from a couple of trusted teammates. So I'd gone to them to say, this is what I want to do, this is how I think I want to roll it out, will you help me do it. So that so they were really pivotal in trying to help me get engagement across the organisation. And I didn't roll it out as a big bang to say tada!, you know, we're launching a cyber evangelist group, come and join us, let's see what we can do to spread the cyber safety message. Because in my experience, I think that often things that you launch as a big bang, can start off where everybody's really excited, really engaged, really enthusiastic, and then you lose momentum, and they can wither on the vine really quickly. So what I did instead, is I did it more as a guerrilla marketing campaign. So I started at slow, invited some trusted people to join, and then really got it out through word of mouth. And I developed a, like a sales pack that I could give to people that were interested. And people join the group by invitation. So I'm not opening it out to anyone in the organisation that wants to join. I want this to be an exclusive club, because people get more interested if it's something that they're invited to join, rather than something they're sort of being volunteered to join. But I also wanted to make sure that the type of people that I got, were going to be able to influence their peers. So that they would be able to deliver the cyber safety messages that I was sharing with them in a way that will work for their peers, and also giving them information that they could share with friends and family as well. So I try to make sure that the information I share is quite generic. And it's not branded with UniSuper branding, so that they can share it with people outside the organisation. And I found that it's really a delicate balance of giving people easy to understand information that caters for a range of skill sets, because our cyber evangelists are everyone from engineers within the security team, through to people in our people services space, and in our HR space as well. So it's a really broad set of skills and knowledge and experience. So I want to give them information that caters to that broad group, while also gently steering them to share this information in a considered way. And I'm constantly reminding people that what we're doing is a marathon, it's not a sprint. So we're talking about cultural change, we're talking about behavioural change. This is something that takes months and years, it's not days and weeks.
CP: And you're right, that it's more than making people aware. And I'm sure my audience is going to get sick of me this season talking about how much I don't like the word awareness. It's just not a call to action. You know, it's, here's some information, now you're aware, but how are you going to change what you do? Like what's going to drive you to change. And what have you seen as effective ways to instil behaviour change in your employee community?
CW: That's why when we talk to our people, we're talking about building resilience. So we talk about it as our cyber resilience programme, not our cyber awareness programme. So the whole theme is around building people's resilience. And that also sets the scene that this is an ongoing programme, this is not going to be a one and done programme. And I think that in any organisation that is thinking about putting an awareness programme in place, I'd really encourage them to consider it being a full time employee, and somebody that's dedicated to the role to help deliver the awareness programme. So I think with me being a full time employee and not being say, a consultant or an external that's just brought in to deliver an awareness programme and then sort of hand it over to the organisation. I've been invested in this from day one. So I've come up with a strategy, I've come up with the plan, I've handpick the people that I want to be part of this programme. So it's my baby. And I'm really invested in making sure that it works not just from a project delivery perspective, but then ongoing. So in my programme, I found things like nudge tactics, being really, really important. And Yammer, which is our communication tool across the organisation, has been really pivotal to using those nudge tactics to just remind people on a regular basis to be aware of cyber safety. And it's really important to get that balance and it's a really delicate balance. So you don't want to be giving cyber safety messaging to people every day. But equally you don't want to be giving it to them every three or six months and that's often what a lot of compliance programmes do. They'll do a one and done cybersecurity training on an annual basis, and then they forget about it. I think those nudge tactics, where we're constantly reminding people, whether it's through stories, or here's a bit of useful information that's out in the news that you might need to be aware of. It just keeps cybersafety front of mind. And I think when we thinking about those nudge tactics, when you're giving people information, it's also really important to give them an action as well. Because if you're just giving them information to say, hey, here's a current scam that's around. Here's an SMS phishing scam that's around, or here is where people are having their identity stolen at the moment, and here's how identities are being put up for sale on the dark web. If you're just giving that information, you're just creating that fear in people. But if you're giving them that information, and then giving them an action, so for example, here's a bunch of SMS scams that are happening at the moment, if you're getting them, what you can do is you can block the caller, you can report it to Scam Watch, here's where you can go if something goes wrong. Then you're empowering people as well. So you're not only educating them, but you're empowering them with some information around what to do if something goes wrong, or how to protect themselves.
CP: It's interesting what you say about having a dedicated person within the organisation who's full time employee that people know they can go to. And in one of the other episodes, we talked to Susan McLean. And we talked about how when she goes to talk to certain audiences, she talks in this example, kids who are eight and over. And then for younger kids, it's better if the message is coming from their teacher. And I just wondered, with your thinking around a dedicated person within the organisation. Is there ever a time in these kinds of influence programmes and behaviour change programmes that you can see value coming from third party experts or third party suppliers?
CW: Oh, absolutely, because it's that classic consulting model. So often, an organisation will know what needs to be done. But if people internally are trying to share that message, or to say this is where we need to go, people in the organisation won't listen. If you bring in a consultant who often might be delivering the same or a similar message to what your internal people are doing, people will listen to that person, because they're almost seen as being in a position of authority. And so that's just human nature. So I think, absolutely, there is a role for externals in your cyber awareness programme. And one of the things that we've done is we've brought in people like the eSafety Commissioner's office to do lunch and learn presentations to us. Or we've brought in threat hunters from our security partners to give a lunch and learn around what they're seeing on the dark web. So I think those people bring in that gravitas and people see them as being experts in their field. So they're certainly really important to help deliver that message that you want to get across to your people.
CP: And just coming back to the piece you talked about with the nudge tactics, which I love the idea of just that consistent messaging all the time, not the annual compliance training, or the one and done. You know, we've done a lunch and learn and everybody came along, so that's awareness done for the year. With those nudge tactics, is that something you have planned out in advance? And, you know, if I think back to Paul from NBN, he was on the podcast last season, and he talks about having a calendar of topics that he talks about every month, and you know, they'd have themes, and it's all planned out. With your nudge tactics, do you have sort of these little nuggets of information that you build on? Or how does that programme play out for you have that, those sort of drip feeding of messages?
CW: So we have a calendar of events for our awareness programme at a macro level, and also account of events for what I'm going to do with the cyber evangelists. So I'll have a 12 month plan and say, this is the topic that I'm going to talk about this month. This is the theme for this quarter. And then I'll develop content based on what my topic is for the month. So I've planned that out for the year. When I'm looking at the nudge tactics that I'm going to use with Yammer, I will align it to what I'm sharing with the cyber evangelists. So we're getting that consistency of messaging across the organisation. But I'll also keep a rolling list of topics in my back pocket, so that if I need something extra that I want to share, or equally, if something's coming up in the news that I think is a hot topic, then I'll slot that into what I'm going to deliver as well. So it's kind of it's a high level plan, but it's a guide rather than being set in stone to say, January I'm going to talk about this February I'm going to talk about that, for example.
CP: And so given, just kind of looping right back to the start when we talked about the fact that you haven't always been in this industry. And you know, if I think about how things have changed for you, and how your thinking has changed, I'm really interested to know, something that you've changed in your personal life, since you've become aware of cybersecurity, and how to protect yourself. And is there cyber behaviour change that you've made, because now you're in the industry you've realised that there's a lot more to protecting yourself, than maybe what you thought before when you were more in the audit space?
CW: Ah, absolutely. And I think for me, the biggest one is using the password manager. And I know that sounds really simple, and it could almost sound like you know, one of those motherhood statements that security people give to others. But using a password manager is the thing that's really changed my life. And I've actually been able to use that as a story in our awareness programme, as well. So like, a lot of people, I had all my passwords on a spreadsheet for years and years and years. And I also used my cat's name or a variation of my cat's name as my password for a long time. My last cat lasted for 17 years, and I reckon for most of those 17 years, I used his name or a variation of his name as my password. So when I came into security and started, and you know it's like anything, you go into a new area, and you don't know what you don't know. And then you start to learn a little bit and it opens your eyes and you're thinking, well, there's so much that I can be doing to protect myself and a lot of really simple steps that I can take to protect myself. So I think for me, the password manager was the really key one, getting my passwords off that spreadsheet, making them unique for every website that I go to or every system that I use. And that was really hard too, because it's so much easier just to use the one password across everything. So trying to be really disciplined in doing that. And a couple of years ago, I got to work one Monday, and I was going through my emails in the morning. And I got one of those scam emails that says, hey, we've seen a video of you posted up online and we know it's you because here's your password. So it would have been one of those data breaches that might have happened on LinkedIn or something like that, a few years ago, where they've got a password, and they've sent me through a screenshot to say, we've got your password so I know it's you. Now, I know that had been one of my old passwords, because it was my cat's name. But I also know that since I'd been in security, I changed their password. So it was four or five years old, and I was confident that my online passwords and my internal passwords were protected. But I thought, I can use this as a really good story to raise awareness across the organisation and try to get people starting to think about using password managers themselves. So what I did is I partnered with one of our security engineers, and we presented a lunch and learn. So I shared my story around why it was really important to use a password manager and shared the scam email that I got and said why I knew that I was protected. And then our engineer demonstrated how to use a password manager. And so for us, we found that a really great way to drive engagement. It was something that we recorded and to this day still have people coming up and saying, yep, because I've watched your video, I've changed my habits and I'm now using a password manager.
CP: That's so awesome. And I do have to say for the audience this season, we are partnering with LastPass and I did not ask Christie to make that her answer. And we've had other episodes this season where they've talked about you know, the one thing they do is do better with password hygiene. So not a planted answer. I promise you that. It's definitely 100% Christie's response. But look, I think if you do nothing else, having better passwords and not having them written down on a piece of paper is an amazing start to having better cyber behaviours and not just being aware. So thank you, Christie. I really appreciate you coming on the podcast. I love the fact that you're a woman in cyber who once upon a time was not a woman in cyber. So thanks so much for the work that you do and for joining me today.
CW: Oh, thanks for having me Claire, absolute pleasure.