91. Communicating about Privacy (without the boring bits) with Kate Monckton
Claire talks with Kate Monckton, a Partner in Cyber Risk at Deloitte, about the difference between cyber and privacy, and why we should never apologise for cyber or privacy being boring.
Kate joined Deloitte in February 2022 as a Partner in Cyber Risk. Prior to this she spent over ten years as part of the Security Senior Leadership team at nbn. Before joining nbn, Kate held security roles at Symantec and Microsoft both in Australia and the UK. In December 2021 she was named 'Australia's Most Outstanding Woman in IT Security' at the Australian Women in Security Awards. Kate was a member of the Board of the International Association of Privacy Professionals ANZ for five years, including two as the President. She is also a co-founder of the Security Influence and Trust (SIT) Group.
Links:
Transcript
CP: Hello, I'm Claire Pales, and welcome to The Security Collective podcast. Today I'm so pleased to share with you my chat with Kate Monckton. Kate joined Deloitte in February 2022 as a partner in cyber risk. After spending over 10 years as part of the security senior leadership team at nbn, Kate was a member of the board of the International Association of Privacy Professionals ANZ for five years including two as president, and she's also a co-founder of the Security Influence and Trust (SIT) Group. In this conversation, I spoke with Kate about the difference between cyber and privacy, and why we should never apologise for cyber or privacy being boring. So please welcome to the podcast Kate Monckton, the AWSN 2021 Most Outstanding Woman in Security. Kate Monckton, it is fabulous to have you on the podcast today.
KM: It's great to be here. Thank you very much for inviting me.
CP: So you've spent lots of your career in the privacy space. But how have things changed in privacy in the last decade, would you say?
KM: So much, so, so much, so I kind of ended up in privacy as a bit of an accident. So I started my career in a small boutique management consulting company. And one of my clients at the time was McAfee. So that was my introduction into cybersecurity world. And from there, I loved it, I found it really interesting. From there, I went to Symantec, after Symantec to Microsoft, all in very security roles. Now, at Microsoft, I had privacy in my job title. But honestly, at that point, 11/12 years ago, it really wasn't heavily privacy focused, there were people who did privacy, but my particular role was probably about 10% privacy. And then when I started at nbn, I was tasked with building the privacy programme. And that with it came an elevation to the senior leadership team. So I thought, okay, I've never really done this before, but I'm sure I can figure it out. And I think that it's safe to say around that time, there were lots of organisations starting to think the same thing, right, we need to do something about privacy. And I think to an extent in some parts of industry and government, potentially it still does, it tended to sit with records managers, or lawyers, very focused on having a privacy policy, and maybe having a few processes around. But generally, it was not as well recognised as a profession, as a practice outside, I would say, of legal and record management, as it is now. So when I was first starting, I actually found it really hard to find people here who had built a programme out. Who had really on the ground, figured out how to do it, to make it important, appropriate from a risk perspective, and effective. So I got really involved in the International Association of Privacy Professionals and met some incredibly smart people, most of whom were lawyers. And I was really, really motivated to get involved and join the board, and help to try and set a different angle, which is really about practical privacy management. And I think what I would say over the last 10 years, as I've seen that really change and grow. In Australia, privacy has become part of so many people's roles, you just can't ignore it. And that's off the back of legislative changes, technology changes that have been. If you think about the huge change in the way that we interact and social media, etc, over the last 10 years, and community expectations about what we do with personal information. So I think I can't really think of very many roles in organisations where privacy is not an element, and at a very minimum that might be handling personal information about employees or staff or customers. And in fact, if it's customers, then you should be completely across privacy. So I think that's really changed. I think the profile of people joining the profession has changed, which I'm really excited about. And I'm really pleased to have played a small part of that. It was historically very hard to find really good privacy practitioners because there just weren't that many people doing it. And I think that's still a challenge. It's a massive challenge. But we have become much more flexible about who we can bring on board and some of the experiences people have from outside of a privacy background are actually incredibly valuable. So I'm thinking really great communicators, risk management people, marketeers, people who've got that first hand experience and are really excited about privacy. And I really encourage people to think about a career in privacy, because we need all that experience because it adds a different element of things rather than just typical legal regulatory backgrounds.
CP: So if you think about coming in I guess a decade ago, all those things that have changed and the different types of people in the profession. How do you see the difference between communicating and educating about privacy, and communicating and educating about cyber being different? So if you're trying to get cut through with an audience, do you think people understand the difference between the two? Or how would you how do you approach the two separately, if that's what you do?
KM: I think it very much depends on a few things. So the audience and what they need to understand. And I think that's the biggest thing is, if you're looking, just speaking, internally, they're looking at an organisation, you've got to tailor your methods to what they care about. And sometimes that might be more of a privacy spin and sometimes it might be more of a cyber spin. But I don't think it really matters so long as you can get them to care. Just a little bit about something and have a hook. I think a lot of that comes from storytelling, and also really understanding as much as you can, try and understand the business and asking the people that you're talking to about what matters to them, and then being able to frame the privacy or the security message to that. So it's relevant and it hits home. I would say I used to be quite a stickler and quite a purist around terminology. And it used to drive me mad when often the tech guys would call personal information as we refer to it here in Australia, PII, which is very much an American term. And that used to drive me mad and I'd constantly be correcting people. And then I just had a bit of a lightbulb moment, which was, does it actually matter, and it doesn't matter at all. So long as people take the right message, the right behaviours, the right skills out of whatever conversation you're having, who cares what they call it, as long as they know what it what it is. I also think I learned some lessons along the way in terms of my own personal way that I was framing this stuff. And right back at the very beginning of my time, at nbn, I delivered a presentation to a group of marketing people. And I prefaced it by saying, this is really boring, I'm sorry. And then did a presentation that actually went down really well. And the back of that the GM came up to me at the time and said, hey, great presentation, but you really let yourself down at the beginning by telling us it was going to be boring. And I that feedback has stayed with me, because actually, this stuff isn't boring, it's really important. It can be really engaging, and people want to know about it. So I think you've got to be really careful to keep that in the back of your mind, or in the forefront of your mind, the whole time. This stuff matters, you can lose some of that excitement because it becomes the mundane, especially if you're used to dealing with things like incident responses and incident can become the norm when you're dealing with multiple. But actually, for someone who's hearing about it or going through it for the first time, it's not day to day, it is sometimes scary. But it can be exciting and kind of get the adrenaline going. And I think it's important to remember that we can very easily fall into treating it a little bit cavalierly. But we shouldn't, we should keep our enthusiasm and share that around with the organisation.
CP: So what are some of the other ways that you think cyber and or privacy teams go wrong when they're trying to communicate their message. And I spoke to another guest on the podcast this season about how a lot of the time we see awareness professionals or behavioural influence professionals trying to make these kind of zany, cartoony, jovial ways of displaying cybersecurity and how sometimes it lands. And sometimes it doesn't. And I'm interested in your thoughts on that, too. But where are they going wrong? Apart from this is a boring presentation, what are some of the other things that you think could be done better by these groups who are tasked with educating and changing their behaviours?
KM: I'm laughing to myself, because I've lived through that whole security mascot thing, and would say my experience with that was a bit hit and miss. But I think it's a real challenge. And I don't think anyone has quite got the magic formula, because again, it's going to keep changing. And every time we think we've got something that works, it changes. So I think there was a time when this sort of security zany mascot thing makes things a bit different, was probably quite hard hitting because it was new and exciting, but then it becomes twee and sometimes people start to take the mick a little bit. So that you've got to really be prepared to change your thinking, I think. I don't think we see this as much now, but I think one of the big issues I saw at the start of my career was technical people also wearing a security awareness hat. Now, unless that technical person is also a really good communicator, it just doesn't work. So I think that's changed. And I think we've been really, really good at identifying other skills other than just having a technical background in security. I've always played really nicely with tech guys, but having would never claim to be a technical person myself. But I've relied heavily on their expertise to be able to understand the concept. And I figure if I can't understand it and explain it in 30 words or less, then how can I possibly expect someone in my organisation to understand it. So I think, looking at, again, looking at people from different backgrounds, so communication people, I've hired people who had zero security background, but have been amazing at understanding complex issues and distilling them into something that other people can easily access and understand. I think the group, like the Security Interest and Trust Group has been awesome in terms of bringing professionals together to have open conversations around what's worked in their organisation and what hasn't. And looking at other industries, so where we've seen some really big scale behaviour changes, what can we learn from those awareness campaigns? I think it's not so much a question of where are we going wrong, because I don't think there's anything necessarily wrong with going wrong, I think sometimes you got to fail fast and learn from it. And you got to see what lands and resonates with your organisation. And that's going to vary from place to place. But I think tapping into other professionals as well within your organisation. So who are your internal comms people, who are your learning and development people, if you're looking at externally and educating customers who are your external comms and PR team, because they are going to know, in many instances better than we know, as security professionals, what is going to hit, what's going to resonate, and what's going to get the traction. And I think it can be tempting to want to put your arms around the whole thing and say it's mine, mine, mine, because you're a bit worried about what that could mean for your own job that I think in fact, that coordination across an organisation, it's just so pivotal to the success. You can't do this on your own, you've got to leverage other people's expertise.
CP: And we talk a lot in the industry about how, whether or not this is the right term or not, about how the humans in the business are some say the weakest link, some say you know, our defence lines. You know, however you want to describe them, we talk about the people in our business, all it takes is for them to click on a link, and there's a lot of education around phishing. And then, you know, we've seen in the last few years, these phishing simulations come about. And we've got another guest this season talking about how phishing exercises don't work as an awareness or behaviour change activity. I'm keen to see what you think about this. Is it all about preaching to people and having a two way conversation about how they can do things better? Or do you think that we can use tools like phishing exercises as another means or another avenue to education?
KM: It's a great question. And I did download the report about that, but it was very dense, so I skimmed, I'm going to be honest. But I took some of the key highlights out of that, and had to say I'm a bit gutted to find out the research shows that it doesn't have effectiveness. Because I think what we have really struggled to do as a profession is to find meaningful metrics where we can demonstrate to executives and board that we are pushing the dial on security behaviours. And phishing was always quite a good one. Because you could run the drill and you had a somewhat empirical, or so I thought, an empirical metric that you could actually show hey, look, here's industry average, here's where we were, we could break it down by different user groups and do targeted training. And I think we've long since moved past the kind of punitive approach, much more carrot approach. So when I read the highlights of that report, I actually thought, I'm really sad for us. But it's great to know that we need to think about other ways of doing this. So to your question around two way conversations and preaching because I think, again, it's really a mix. So tools are great. And I'm really excited to see over coming years, what happens, someone's going to come up with some great idea that I can't even fathom right now about another way that we can do this. It's not scalable if you're relying on people to go and deliver face to face training and presentations to people. And I've tried that at various stages in my career, trying to take content that really works well one to one, and scale it up for a big audience. And sometimes that can be really challenging. And so I'm excited to see what comes out of the space and there's not a lot and maybe you know Claire, if there's any cool technology on the horizon that's coming out?
CP: Well, what I'm seeing is still the use of phishing, people trying to kind of build games around it or build other ways or means of measurement and other ways or means of encouraging people to change their behaviour. So I've got some concerns about this space as well because I've seen myself in organisations where I've been the security leader, that a lot of the time you see the same people clicking on the links, because they're just trying to get their job done and they're not thinking it through. And I would love to see somebody come up with a new technology because really culturally in organisations, most people are relying on tech to be the kind of the catch all of these cyber incidents and these phishing links and, you know, black holing attachments before they even reach people's inboxes. So, there is a heavy reliance on tech. And so I'm really hoping like you, that somebody comes up with a new solution at some point, because I still feel like the phishing activities have become so commoditised that, yes, there are a way of getting training in front of people. But they're also not necessarily sending the right message. Because most people I speak to, when they receive the phishing simulations, they just hit delete. What we want them to do is to report them. And I don't necessarily know that without that change management or that communication over the top that says if you get a phishing email, report it. If people aren't getting that message, they just, they know it's phishing, and they just hit delete. I don't necessarily know that we're getting the outcome we want anyway.
KM: Yeah, I hear you. And I think there is, sometimes there's also integration issues with even just being able to put like the report phish, I know it’s got easier over recent years, but that was always a bit of a challenge in organisations. And yeah, people are time poor. And to be honest deleting is still better than clicking.
CP: Yes, it is.
KM: Yeah, there's still an outcome, that's slightly better. But it is so tricky. And I think the perennial issue we have is being able to show that behaviour change, and how do you measure your baseline, and how do you want to change. It because often, organisations just aren't mature enough to have a lot of historical data that shows X behaviour, X behaviour, oh, we implemented this change initiative, and we changed that behaviour. That's a very advanced organisation. And I would argue, if you've got historical data showing that a behaviour is less than ideal, then why aren't you doing something about it sooner?
CP: Yes, more so than running phishing exercises.
KM: Yeah. So I don't know what the answer is. But I do think the community is very great at knowledge sharing and sharing when things have worked well and when things haven't. And there doesn't seem to be a lot of concern between organisations who are sharing that because everyone wants the right thing. I think it's really, really important that we are all on the same page. Because it can be confusing if I am a customer of a certain bank, and I'm employed by a certain company, and I shop in a certain supermarket, and everyone's giving me some cyber online safety advice. But if it's a little bit different from place to place, so I'm asked here to do multifactor using my phone, but here I'm asked to use a dongle. With the various differences, I think it becomes overwhelming and confusing. And when it feels like that, people tend to get scared, and they just don't do it, or they find a way around, or they just kind of throw their hands up in the air. But I think it's important that we are all and I think we've made real strides to be all on the same page and be making sure that the message is consistent and simple. Make it simple. Get the tech to make it simple for people. Because if you don't, and if you provide them with tools that impede productivity, but increase security, they will work around it. And you can't blame them for that. Because it's not the right tool for the right purpose. So I think there's a lot of challenge there that we need to overcome as an industry as well.
CP: Yeah, I think the desired path is just people trying to get their jobs done. 99.9% of the time, there's no malicious intent. It's just if things get too hard, as you say, they just work their way around it. The other thing that I wonder about too is we have all this going on at sort of a senior management, middle management, frontline level. We're trying to teach all of the employee community about cybersecurity and about resilience. I'm really keen to understand what you've seen at the board level, how are organisations moving the needle at the board level? There's so many directors that lack confidence in cyber, what methods have you seen get real traction at the board level, to help with cyber confidence so that the boardroom is having this conversation? Because as you said earlier, we have to tailor our message. It's a very different message at the board level to what it is to say marketing or HR or customer service.
KM: That's a really good question, and actually one I was talking about just this morning with another friend in the industry and about how that's changing. I mean, especially places like financial institutions, directors are on the hook for this from a regulatory perspective. So I think there's been a lot more questions being asked a lot more concern, potentially, quite rightly. I'd say in the 10 years that I've been sort of more involved in this space here in Australia, I've seen it go from being something that you'd have to fight to get on a board agenda, and I'm talking kind of generally, observations across industry and peers and industry, to actually in the last few years it's almost a standing, it is a standing agenda item. And I think that's off the back of a lot of high profile incidents. So I think as a security team responsible for kind of trying to help them with that, I think you've got to strike the balance between being pragmatic and realistic and quantifying the risk and not crying wolf, I guess for one of a better expression. But also addressing it with the seriousness and the focus that it needs to have. And I do think it keeps people up at night. And I do think we need to provide appropriate amount of comfort that we've got this. But as anyone in security knows, you can never give 100% confidence in that you're never going to be hit with a security issue, it's just not going to happen. So I think you've got to make sure your board understands the posture, understand what their business is doing, where the risks are, what the likelihood of those risks actualising are, and what's the impact of it does. Wargaming, running through incident response, all of those things that we do quite regularly, I still think have quite a hard hitting impact. And I think I've seen a lot more willingness with boards to devote a whole day or half day sessions to cyber. In fact I was just talking to a friend about that today. They're going off to talk to a board for half a day about, a big company board, to talk about cyber and to do almost the basics. And I think not assuming knowledge as well, not talking to people as if they know nothing, but just being able to pitch it at the right level is also really important because you don't want people to feel overwhelmed. Again, tricky, but I think we've made huge advances over the last few years.
CP: And just in terms of the role or whose responsibility is for that education. Do you see the internal staff, whether it's the CIO, the CISO, the Head of Information Security, internal comms? Do you see it as the role of the internal staff to be educating the board? What accountability should be on those directors to be seeking external support, their own education? Do you think that there's a balance there? Or do you think the contextual advice they're getting from inside the business is the best?
KM: I think it's an absolute mix of the two. You would hope that if you're operating at a director level of a board, that you would want to be making your own inquiries as well. And looking external, for some guidance and reassurance and educating yourself. But heavily relying on your internal team, obviously, because you've got experts in place for a reason. And it's can't just be a CIO, or a CISO or Head of Comms, it's got to be all those people looking across your whole organisation. And again, I think that's something that I've really see change is that it is something that everyone feels ownership in. And I think probably where I've seen, the biggest practical change of that is running some of those fire drills. When they are done really well and all organisation level with the right people responding, who would actually be called in and not delegating it down to someone because it doesn't fit in your diary that day. And throwing in real life scenarios, and this is how we have done this a few times where using elements of real life data breaches. And what actually happened, what made the media, what hit a regulator desk, what stakeholder minister was involved? And playing that out, I think that then you really see how you rely on an entire organisation to respond and remediate. But I still think there's a massive place for that. But yeah, absolutely, if I'm a board director, I'm 100%, relying on the expertise in my organisation, but I'm going to be going out and looking at other resources, speaking to other people that I know who are also on boards, and to get a feel for, and government resources too, just to make myself feel like I really educated. And knowing the right questions to ask,I think that's also really important. And I think for us as security professionals it's being able to anticipate what those questions are. And again, that's where sometimes we do need to lean on and work with other people in the business to get an understanding of where's that board at. Because we are obviously, we're always gonna have a bias. We know what area you work in, we're going to think we know what's really important, and we might be right some of the time, but then you might get a bit of a curveball or something that we haven't thought about. And I think again, if you want to keep maintain your credibility with the board and remain important to them, you've got to kind of do your own homework too. So I guess it's both sides. Both sides, do your own homework!
CP: Yeah, I mean, I was just thinking as you were talking that, you know, my question to you was about, should the board be taking some accountability to understand more about cyber outside the organisation as well. But certainly, as a cyber leader, or whoever is coming to the board reporting on cyber, they have a huge responsibility to understand where the organisation is at from a cyber perspective. But also meeting the directors where they're at and making sure they're not talking in riddles or talking in technicality that the audience is just going to glaze over. And also hearing about cyber not just from the CISO or the CIO. Sometimes the CEO talking about cyber or sometimes others in the C suite, taking an interest in understanding as well, because it's enterprise wide, everybody in the organisation is going to have responsibility at some point.
KM: For sure, I just don't think it's as hard of a sales job to get the interest now as it was maybe 10 years ago. But I still think that that's not the case of every organisation as a general statement.
CP: Yeah. And I think the media does a lot that's positive and a lot that maybe isn't as positive in terms of education. And I love the idea that, you know, any conversation that gets started about cyber is a good one. Because at least the conversation is happening, hopefully, though, it's coming from an educated source.
KM: And yeah, a little anecdote. So I travelled for the first time to Melbourne for work since March 2019, before I went off to have my first daughter, and then went subsequently on to mat leaves and only went back to work for nine months in COVID times. So going in through the airport, to the Qantas lounge, and in both Sydney and Melbourne, very visible advertising for security services, security products. I'd seen that before, but I have it was a bit of a reminder of how it's prime real estate for hitting your C suite is in the airports and then the lounges. So it was just a bit of a reminder about how much work I guess because some of these companies are doing in the space to try and get in to and in front of the C suite and the board.
CP: Yeah, I also think that it's actually an interesting point that given that we are all no longer really in the office, and even board meetings don't really happen within boardrooms anymore. The idea that these messages about cybersecurity are reaching directors and executives, in realms of their life that normally walking into the Qantas club or an airport lounge, you would normally see high end fashion or the types of brands that they're expecting to see advertised as opposed to an antivirus product or endpoint protection. I think it's really telling about the day and age that we live in, and also quite heartening to think that they're getting served up these messages in another part of their lives that hopefully will start to filter through.
KM: For sure.
CP: This season. I'm asking all of my guests, what's the one thing in your personal life that you're a stickler for when it comes to cybersecurity? What's something you do, Kate, it doesn't have to be anything major, but in your personal life, particularly what do you do to protect your personal information?
KM: It's probably not so much what I do, but how I respond and how I encourage friends and family to respond when things go wrong. So my husband actually did have his number ported, his mobile phone ported, and an attempt was made to take quite a lot of money out of his bank account. Now that was stopped, but it led to a few issues along the way. He also had a very odd thing happened with his Medicare card. And we we still don't know what happened. But somehow his medical care card details were used fraudulently. And the number one piece of advice that I had for him at the time and for everyone else, is to know who to IDCARE are . And know what to do if and let's face it, it's probably inevitable that at some point, credentials will be compromised. And hopefully when it happens, it's benign. But it could very easily not b. We've had mail going missing from the letterbox and we think that would be where the Medicare, that came in. IDCARE for those people who aren't aware, it is a charity based up in Queensland, run by Dave Lacey. And they do fantastic work helping people who have been the victim of a data breach or identity theft, to figure out what to do next because it can be incredibly hard. They know the ins and outs of various states in terms of issuing driver's licences, etc. And they work with a lot of the organisations, bigger organisations in Australia, to help people get over those issues and it can be so traumatic. The psychological, financial impact on people when you have, I hate to use the word victim, because I think we are all victims in this case. But actually you can be doing everything really, really well and still fall foul of scams. And I think encouraging people to feel competent with saying hey look yeah, this was a very elaborate very well done scam and I did send money here or I did think this was legit. I did click and text and try to take away some of that fear people might have a feeling a bit silly or like people are going to ridicule them. I have very nearly fallen for phishing, proper phishing very nearly when I'm in a rush and you see something and you're just like oh yeah, I am expecting a parcel. And it's only that because I'm in security that split second, ope, nope., hang on, this looks fishy. So I think we've got to encourage people to speak up and ask, but the biggest thing for me is just know what to do when it goes wrong.
CP: I think too, we do so much more on our mobile phones now than ever before and reading emails on mobiles that can sometimes look a little bit different than they would on a computer screen. It's much, much easier to accidentally click on a link than ever before, I think. But IDCARE do a great job. And I think that's a really great tip. And so in all the episodes of this season, there are tips at the end of every episode from amazing cybersecurity leaders such as Kate talking about what they do in their personal lives. So Kate, thank you so much for joining me today on The Security Collective podcast. And it's been great to have you as part of this season where we're talking about cybersecurity behaviour change.
KM: Thank you very much for having me.