89. Cyber is a team sport with Erica Hardinge
It is always a pleasure to speak to passionate cybersecurity leaders and Erica Hardinge from ANZ is no exception. Erica and Claire talked in this episode about SIT and the work they do to bring the security awareness industry together on a regular basis. They discussed the magnitude of her role to influence the behaviours of tens of thousands of staff, and covered the pain points for security professionals when it comes to trying to get their message heard.
Erica is responsible for developing the global strategy for engaging and empowering secure behaviour change across customers and 40,000+ employees over ANZ’s 30+ geographies. Erica feels strongly about the role of sharing and learning across industry to improve the security awareness and enablement function. As such, she is excited to have co-founded and grown the Security Influence and Trust group for Awareness professionals in the Australasia region. The group was recognised with the Australian Information Security Association “Educator of the year” award in 2017. Erica completed her MBA qualification at Melbourne Business School in 2008 following the earlier completion of a Bachelor in Arts and Science at Melbourne University, with a focus on Behavioural Sciences, including Criminology, contributing to her passion to help staff become cyber safe.
Transcript
CP: Hello, I'm Claire Pales, and welcome to The Security Collective podcast. Today's guest is Erica Hardinge. Erica is responsible for developing the global strategy for engaging and empowering secure behaviour change across customers and 40,000 employees over ANZ's 30+ geographies. Erica is also the co-founder of SIT, the Security Influence and Trust group for awareness professionals in the Australasia region. Erica and I talked in this episode about SIT and the work they do to bring the security awareness industry together on a regular basis. We discussed the magnitude of her role to influence the behaviours of tens of thousands of staff. And we covered the pain points for security professionals when it comes to trying to get their message heard. It is always a pleasure to speak to passionate cybersecurity leaders and Erica is no exception. So Erica, it is lovely to chat with you on The Security Collective podcast today.
EH: Thanks, Claire. I'm so excited to join you and have a chat about the things I love most, all things people.
CP: I mean, I guess that's probably a good place to start. Because you came from a people place in your career. Like most of my guests this season, you didn't start your working life in cyber. So how has working in this field impacted the way you operate day to day, given that you started your career somewhere very, very different? Do you think you've become a more paranoid person in the workplace?
EH: Oh, it depends who you ask. If you asked my friends, I'd probably say a little bit, and my kids would say, definitely. I just love the fact that cyber security attracts so many different types of experience and expertise and backgrounds. And as you say, I started off an undergrad in biology, psychology, a touch of maths and a lot of criminology and moved into recruitment and then ultimately HR type of roles, before I joined security. So I think all of that becomes really applicable to my day-to-day role and definitely helps me understand the people components of cybersecurity, which is just so critical. It was actually a friend who shared the job ad for this role in an IT security team at ANZ many years ago, and it just sounded so interesting. I thought I have to give this a shot. I think it's a little bit ironic that one of the questions in that interview was to prepare a presentation on phishing. And I had to do a lot of research to even understand what that meant 15 plus years ago, and now it's just such an integral part of my day to day role, that it feels bizarre that I had to research the understanding of that back then.
CP: Yeah, I mean, it's probably a podcast for another day, given that we're here to talk about behaviours, but questions in interviews or scenario based interviews where you have to prepare something like that, I guess did give you a really good sense of what you're about to walk into.
EH: Oh completely. Actually not understanding this stuff inherently myself puts me in a better position to be able to translate and make it accessible for staff and ultimately, customers as well.
CP: I think that's a really good point, because the more inquisitive we are as an industry, in fact, we're all very curious people, I think it does make you a good, I guess, litmus test of whether or not the content you're sending out to people, is actually going to hit the mark with those who are probably in a similar position to where you were when you first joined the industry.
EH: Completely.
CP: And so working in a large organisation, you might be fortunate or unfortunate to be heavily regulated working in a bank. What role does compliance play in security awareness for you and in your influence programmes?
EH: Yeah, look, that's such a great question. I think it's a necessary part of working in a bank, of course, as you'd expect, or any heavily regulated industry for that matter. I'd like to quote one of my team here by saying it's really our ticket to play. So that sets the baseline for what we must do. And we must explain to our staff and customers those minimum requirements, but to really make a difference, and ultimately, what we're all about is changing behaviour or better yet, enabling better secure habits. There's different things that we need to do as professionals and not just tick the box. So as an example, we have mandatory training, because that's a great way of reaching our full staff population and measuring whether or not people have read and understood what we expect them to. But to make that really impactful, we've made our training personal. So we talk about the impact that it has on individuals in their own life and on the customers they interact with. And I think going to those great lengths, helps to show our people that securing email or not clicking on a dodgy link has real world, real life, very personal implications, so much more than just compliance. Just to add to that, I guess research has really shown us that compliance is the last reason people do something. It's things like understanding the level of perceived threats or organisational norms. You know, it's just the way we do things around here, a bit like safety was many years ago, and continues to be now as a result. And of course, the amount of self-efficacy. So the action that I take actually makes a difference and is actually part of the greater good. They're the sorts of things that we hone in on in our programme. And where possible, we try to relate that to the things that we have to do, because we need to show that we're compliant. And perhaps to bring that to life just a little bit. 
We used to have emails that came out from our tech department saying things like as part of our information security policy, we need you to update your device tonight, please do XYZ to enable that to happen. I think you can imagine Claire just how that was received. So we worked really closely with the tech teams to change that. And so now the language is more along the lines of just one way that you can help to protect the customers that we work with and our bank, is to make sure that our systems and our devices are up to date with the latest security, so can you please XYZ. And that starts to help people to understand how their action can help to protect the greater good. I think there's also lots we can learn from other industries too. So there was a study a few years ago now from UK blood banks. And they found that the number one reason people gave blood was because of the sense of community that it created. And that they knew that by contributing and in fact, all of the people contributing in that room with them, so it was the greater good piece, were actually helping to make their community a better place and a safer place.
CP: It's actually really interesting that you talk about community because you know, most security leaders would struggle to reach just a handful of people and get them to change their behaviours. You're trying to reach more than 35-40,000 people in the ANZ community. How do you do that? How do you mobilise that many people? Do they get it? Do they get it that every single person counts in that move and shift towards better cyber behaviours?
EH: I think that's another great question Claire, because ultimately, we have people across all geographies, all sorts of cultures at ANZ as well. And ultimately, what we have to do is really embed it into the lifecycle of the employee. So to bring that to life a little bit upon commencement, we need to do things like distribute a Security Essentials Handbook, so that people understand those simple things that they can do to help protect the bank from day dot. We have the mandatory training that I mentioned earlier on, we try to make that as personal as possible. And then we have inclusion of security and other things that get distributed like our Code of Conduct for example. Then throughout the journey of the employee, it's about keeping security front of mind on a day to day basis. So whether that's our regular phishing drills, which are our simulation exercises, targeted training for those who are at greater risk or in specific roles, direct comms for those impacted by incidents. We're big believers of never let a breach go to waste. Lots of intranet activity, reminders about data loss and the importance of protecting sensitive information. And I think really importantly, more recently, has been the support of our ambassadors throughout the organisation so that we have that, I guess, for want of a better term, that army of people who can help to grow our programme and enable much greater reach. But things like phishing drills actually aren't just about phishing, it's actually about that regular reminder or experiential learning moment for people to enable them to see what cyber is actually about and experience it firsthand. And of course, measuring the impact of our programme and sharing those results right across the organisation all the way up to the board is a really important way of helping to mobilise that, and give ownership to different leaders across the organisation around the importance of secure behaviours, as well.
CP: We've had a couple of other people this season, talk about those sort of nudge tactics, you know, that constant drip feed of reminders and, you know, just being visible and kind of popping up in, you know, when people onboard, and then when they do their training, and then when they're doing a project, or you know just security kind of popping up as part of how you do business. You know, is that something you employ? That those sort of, I don't know, if you call them nudge tactics, but you know, that sort of little reminders all the time?
EH: Yeah, absolutely. And we're constantly looking for new ways to do that. Because I think you're right, it's really important that it's just part of the day-to-day role. It's not just about taking people out for an hour, two hours, whatever, for dedicated training. It's about how do we just make this part of the way we do things at our organisation.
CP: And one of the reasons I wanted to bring you on the podcast is that you're a bit of a pillar in this industry in terms of making others better at doing cyber security awareness. And you were one of the founding members of the Security Influence and Trust group here in Australia, the SIT group. For those who haven't heard of SIT, it was founded in 2015 and Erica was part of that process. And it's a community of people who believe collaboration, consistent nudge messages, and simple actions are key to empowering people to protect themselves in the digital world. So six years on, and in a totally new world that we live in now, did these three pillars still really ring true for you?
EH: Incredibly so, Claire. And it's bizarre, even after all the change we've experienced in the last two years in particular, that it's still the case. Because ultimately we can't do this alone. In fact, I know Lynwen often refers to cyber security as being a team sport. And it's never been more true than recent years. And I think enabling that connectivity as we all work in often solo spaces in our homes and so forth is really critically important. And in the same way, consistent messaging helps to make things memorable, but it also helps to reduce confusion. So the more we can do that, as an industry and with government in partnership is critical. And of course, simplicity is one of my favourites, because let's face it, we're just all too time poor. So if it's not simple, we won't do it. And we need to demystify cybersecurity. So I think that's really a huge part of our role in the SIT group and more broadly in cybersecurity as an industry.
CP: And through that group, you must regularly meet loads of different people who are either aspiring to get into the awareness side of the industry, or who are in it and working in it day to day. What are you seeing as some of their pain points that they're facing in executing on their strategies, or even just doing their jobs as security influence and awareness managers?
EH: I think there's two main things. One is around justifying the investment in education and behaviour change programmes, determining how much is enough. And then relatedly, measuring the impact of that programme. But as a couple of my leaders have said, particularly over recent years, comparing dollar for dollar, the impact of spend on people and education versus technology, it just becomes a no brainer. Education and change management programmes are just an integral part of a holistic approach to information and cybersecurity. We can't do these things without the complete picture. It needs to be about people, process and technology to really come up with better solutions. And equally measuring the success of programmes. It can start really small, what behaviours can be measured right now? How can you share those results across the organisation? And then just start to see how that can evolve over time.
CP: And do you see the industry growing? Are we seeing more and more people come into cyber security awareness type roles, and not only want to get into that part of the industry, but organisations creating these roles?
EH: Definitely, it's a growing industry. And we're seeing that just through the number of people interested in joining SIT as a community and learning from others and looking for those doors into these sorts of roles as well, which is just fantastic to see. And it's a real mix yet again, of people with technical backgrounds, and very much people focus roles. Be it marketing, change management, HR like myself, there's just so much scope for opportunity here and to look at ways to continue to simplify and make it consistent.
CP: And the other thing I want to ask you just off the back of your comment earlier about the investment balance between, you know, technology being put in place, and the more education side. And I don't want to say soft skills, because I don't believe they're soft skills at all, you know. That's the hard part, influencing people to change their behaviours is much harder than relying on a firewall or web proxy or something put in place in the cloud or in a data centre to protect you. When you look at the balance in terms of investment, do you think that awareness, it takes people but does it take a lot of financial investment? Or can you pour a lot of money into it? How does that sort of balance work do you think?
EH: Look, I think it really depends on the culture of the organisation, and what jobs are to be done. Yes, you can absolutely spend a fortune on different off the shelf programmes, learning tools, etc. But there's lots that can be done through communications and drawing upon some of those basic change management principles like we talked about nudge theory earlier. So I think it's really about right size, right fit for the organisation more than anything else. And then looking at those pivotal opportunities to demonstrate where we're at now, and where do we want to be and in using that to help the case to get more investment going forward.
CP: And I guess, from your perspective, in your personal life, what's one of the key non negotiables for you when it comes to cybersecurity? You know, obviously have been in the industry for quite a few years now, but in your home life, what's that one thing that you just absolutely without a doubt, always follow to the letter?
EH: Can I have two?
CP: Yeah, why not!
EH: I love the concept of one and in fact, I think one of our SIT conferences we made about the one thing, what's the one thing we want people to do as a result. But for me, it's hard to separate really. So one is about pausing before you share sensitive information. And it's one that I really drill in with my kids, particularly as they increase, over the last few years let's face it, they've dramatically increased their time online, and gaming. So they're a little bit sick of hearing that one from me, but I just, I think it couldn't be more important. And relatedly is two factor authentication, but perhaps not for the reasons you might think. Yes, there's all of the security aspects. And it's definitely saved my bacon, in email, in particular, in my personal life. But that's another story. I think, for me, it's about, again, helping the kids and their tech time because they can't get into their gaming without me being there to enter in that second factor. And so that's just been a lifesaver for me, particularly again, in the last few years.
CP: It's funny, you say those two particular things because multifactor with the kids is, is really, really important and frustrating already. I've got a 13 year old and you know, the number of times I hear him shout down from upstairs, 'a code's just been sent to your phone'.
EH: Yeah!
CP: 'Can you please give it to me?' I think it's teaching them that sometimes you've just got to wait and that putting security in place might just make things take 10 seconds longer, but actually, it's having a huge impact. And the other one about thinking before you share sensitive information. And I might have shared this on the podcast before but a colleague of mine once had a setting on his email, that meant that when he hit send, it didn't actually leave his outbox for three minutes, so that he could get that email back if he needed, and think actually on a need to know basis, does that person really need to know that?
EH: I love that idea.
CP: Yeah, I just think that kind of pausing. And like most things in life these days, we need to be more mindful of what we're doing and being a bit more mindful about is the information in this email fit for the people that are about to receive it. You know, I think that's a really, really good tip. And thank you, I really appreciate you digging into your personal life and your personal cyber for us.
Erica, I've loved chatting with you today. You've shared really great insights. And the whole season, season nine is about cybersecurity behaviour, change and influence. I'm trying not to use the word awareness because being aware does not make us do things differently, it just makes us aware. So I really appreciate your time and all the great things you do for our industry. It's much appreciated. Thank you.
EH: Thank you so much for having me Claire. As always, I've loved speaking with you and thank you so much for focusing in on the people side of cybersecurity. It's just wonderful to see that attention and helping to spread the word is so important, so thank you.