92. Cyber communications for the greater good with Olivia Grandjean-Thomsen
Olivia Grandjean-Thomsen is passionate about designing and implementing internal and external communication and stakeholder engagement strategies for the private, public and not-for-profit sectors. Olivia joins Claire and shares what good long-term communications planning can look like, how to measure cybersecurity communications programmes, and they talk about some of the grand scale comms activities Olivia has led.
Olivia currently works as the Head of Communication, Media, Events and Brand at Stone & Chalk Group, which includes AustCyber – an Industry Growth Centre aimed at driving innovation, productivity and competitiveness in the cyber security sector by focusing on areas of competitive strength and strategic priority. Previously, she was the Strategy Lead and Head of Content at My Health Record – a high profile digital transformation project at the Australian Digital Health Agency. She has worked as a Senior Communications Strategist at contentgroup, and for Global Access Partners – a public policy think-tank that initiates strategic discussions on pressing social, economic and structural issues to increase stakeholder participation in the development of government policy.
Links:
Transcript
CP: Hello, I'm Claire Pales, and welcome to The Security Collective podcast. Today's guest is Olivia Grandjean-Thomsen. Olivia is currently the Head of Communication, Media, Events and Brand at Stone & Chalk Group, which includes AustCyber. I first saw Olivia talk at the Women in Security Awards a few years back, and I loved the passion with which she spoke of communications in cyber, and I wanted to share some of her advice and guidance with you. In our chat, we covered what good long-term communications planning can look like how to measure cybersecurity communications programmes, and we talked about some of the grand scale comms activities Olivia has led. There are some great lessons to be learned from her experience. And so please welcome Olivia to The Security Collective
So Olivia, it is lovely to have you join me on The Security Collective podcast today.
OG-T: Thanks for having me, Claire, I'm excited to be here.
CP: So this season, we are talking about behaviour change, influence and building cyber resilience in our workforce, what would you say is the best place to start for organisations who have not considered cyber education for their workforce at all?
OG-T: I think there are many places to start, but two that come to mind immediately are probably the ACSC's cyber.gov.au website, or AustCyber's website. One that isn't mentioned often is actually the Security Influence and Trust group, of which I'm a member. And I'm sure you've probably spoken to a few others who are also members. But it's a really great group, and you can join via the LinkedIn group. And so members actually share best practice to improve security awareness just across the board. So we actually come together once a month, and we bring our collective experience. So we have people who are represented from nbn for example, ANZ, NAB, I represent AustCyber. And what we do is we actually share our learnings about campaigns and security awareness, so that we can actually improve security across the board. We also generally have a few events throughout the year that people can attend. And so yeah, I highly recommend that people come and check it out, or join the LinkedIn page for more information.
CP: Which is funny, because I didn't realise you were a member, and we have had a few other members and founding members of the SIT group on this season. So even better that we've got a united front in terms of guests. And it sounds like too it doesn't matter how big or small your organisation is, you can join that LinkedIn group and kind of get information that will be relevant to you in some way, shape, or form.
OG-T: Absolutely. And you can also have the opportunity to volunteer and be part of, I guess, the Organising Committee for SIT as well, which is a really great experience and something I've done before as well.
CP: Great. And we've talked a lot this season on the podcast and across the board really about cyber awareness not being a one off activity for businesses, or some businesses thinking that it can be a one off activity. What does good long term cyber communications planning look like?
OG-T: So for me long term communications planning is crucial. By reiterating a limited number of messages over a long period of time, it really gives you that opportunity to create a ripple effect that kind of continues to flow. Consistency is also key. And so people come to expect things from you, whether or not that's a one off social media post, once a day, or you're sending out a monthly newsletter at 3pm on the last Friday of every month. So being consistent is really important. So a few things that my team do specifically at Stone and Chalk Group, which also incorporates or AustCyber. Number one is really understand the business plan and the strategy of the organisation. That allows you to then put communication goals next to that, to be able to plan and achieve those. We generally try to brainstorm out of the box ideas and innovation. And so that's a really good one to also include into that business plan and then factor that into your budget. Have things such as social media calendars, that you can pre-plan in advance, and really determine what channels you are on or should be on there. A lot of people I guess, make the mistake of saying, okay, I should be on every single channel at once. But that's not the case, actually, you need to do something, as I said, consistency is key. And so you need to be able to maintain that as you go along and be able to respond to any comments and feedback that you get from that. But again, at the end of the day, long term communication is really about two things. So people really need to understand what your product and service is. And you can do that in a number of ways, you can do that mostly through I guess, plain English, but also, through adopting a common language. There are a lot of acronyms out there in the industry. And that's one of the things that the SIT group tries to allay, but also to make sure that the audience is engaged. And that's really to the use of things like storytelling and using case studies, which are super crucial to long term communication planning.
CP: And I think to just going back to your point about channels, and people thinking they've got to get across all channels. Within an organisation, it's so important to know what channels your audience like to use, you know. There are many, many different channels that we can use within a business. But it may be that when you're trying to target a message to the marketing team, you have to go down one channel. And then if you're trying to target another group, possibly even in another location, they may use a completely different tool for regular comms. And so do you find that that's part of the long term planning as well, is really thinking through not just tailored channels, but tailored messaging?
OG-T: Absolutely, I think you really need to start to identify who you would like to talk to. I generally start with having a set of key messages, then break that down into bespoke tailored messaging. That's really important because you know, for example, something that might be relevant to an investor may not be relevant to a government audience, and it's really important to make it relatable and something that's in it for them.
CP: So on the topic of audiences, what if your audience is literally everyone. Like what if you work in an organisation that needs to spruik a cyber message to the whole population.
OG-T: So that's actually quite tricky. And actually, one of the things I'd love to share here is my experience of working as the Strategy and Content Leader, at My Health Record. So there I was responsible for crafting the messaging, and consequently, producing all of the advertising that you would have seen regarding the opt out period. So my job over a two years was not to determine whether people would opt in or opt out, but rather just to let them know that they could do that, if they wish to do that. And when we're talking audience, at that time, it was every single Australian. So we're talking something around 25.5 million people, which is crazy, and probably the hardest communications campaign I've ever had to work on. And we had to reach them at least three times over those two years. So obviously, that was a tricky task for multiple reasons. Firstly, because as I said, the Australian population had to understand what My Health Record actually was. And then they actually had to see what the benefits were. Then they had to take an action to either opt in or opt out. Obviously, reaching every Australian was then further complicated by the fact that we had multiple audiences. So for example, we had parents, we had older Australians, we had young Australians, carers, people who didn't speak English. That was also a tricky one, I learnt a lot about the different languages that Aboriginal and Torres Strait Islanders have. And then many other target audiences. So each group actually required different messaging. And so what we had to do was identify the channels that were best for them. So when does each group like to receive that information? Is that in the morning? Is that in the evening? Do they check online? Do they do things by paper? Do they like videos? And so once we had broken down those audiences, it made it a lot easier to communicate with them. And so as I said before, we had a set of key messages, but then we also had bespoke key messages, and we would throw that out through different channels to each one. And in the end, actually, it was quite successful. We actually found out that nine out of 10, Australians saw the advertising over that two year period. And the participation rate, I think, in My Health Record now is about 90.1%, which is phenomenal. But I've always had that aim of replicating that awareness exercise for the cybersecurity industry.
CP: You were just talking about some of the metrics that you were able to measure through that experience at My Health Record. How do you measure, particularly in cyber, obviously, because of the topic we're talking about today. But how do you measure that your plan, long term, short term, however an organisation wants to plan for cyber comms, how do you measure that the plan is working?
OG-T: So you really should base all marketing material and decisions on data. So what we do is we do monthly reporting, we do quarterly reporting, and we do yearly reporting. And so often this is for boards. But it's also really good to establish this within your business regardless, and within your team to get them set up and used to doing this. So for example, we would use Google Analytics quite a lot for things like websites. And we will definitely use all the social media channels such as LinkedIn, Twitter, they have the ability to go in and find analytics. For example, LinkedIn has a great one where you can actually go and see what your competitors are doing, and how you rank compared to your competitors. You can really get some fantastic data. Not only through those, but also some detailed data through things like HubSpot, through HootSuite, and HootSuite is a free tool that most people can use. But effective communications really comes down to trial and error. So I wouldn't make any decisions based on anything other than data, actually, because it's really about kind of putting out some content, seeing if it works, measuring it, and if it works doing more of that. Because it's really important to understand what is engaging your audience. Go every month to your website, have a look at Google Analytics, have a look at the top five pages, see what people are interested in, and go and do a bit more of that if they are interested in it. But it's also okay for a small business, for example, to start small. You don't need paid advertising straightaway. You can do it organically, you can set up Google Analytics for free. So any business big or small, or an individual, can set this up and measure their communication activity.
CP: And it sounds like there's an opportunity, I guess, for those long term plans for you to adjust a little bit if you find that the message isn't landing, or whatever the case is. But it probably takes a little bit of time, like don't judge just on the short term data. So stick with it and sort of see how those messages land over a decent period of time. Would that be your advice?
OG-T: Definitely. So I don't think you can judge it off one or two posts. I would definitely recommend doing at least a month's worth of posts or content production and then seeing how that works, then doing that trial and error process. But ideally, you're looking at it over a three month period or half year period to really determine what is working and what isn't working. And again, experiment with different types of content to so for example, video content works really well on social media, try doing that. Or you know, make it as interactive as possible. I always say to my team, know, if you just post a link, nobody is going to really click on it, you need to make sure it's personal. You need to make sure you're using plain English and make sure it's interactive and something that people would like to view. Like what would I like to view, it's probably something that they would like to view.
CP: And if you think about social media, inside an organisation, there's Yammer, there's Workplace, the same rules apply that you would apply if you were doing social media in the outside world?
OG-T: Definitely. Yeah, I think so. In terms of interactivity, to get staff on board and engaged, you definitely need to do the same processes. And that's something you should always be thinking about with communications. It's not just external, but it's also the internal. Once you have engaged your staff, they become your champions. And they are they are, I guess, they live your brand, and they are the people who are going to guide through your organisations. So once you have them on board, and them engaged, you could definitely make the external campaigns better.
CP: I want to shift directions a little bit from talking about workplace and cybersecurity influence inside a business, to some of the work that you have done and the very important role in raising awareness of cyber in the community, and how you've gone about that.
OG-T: Yeah, so during my time at AustCyber, so I'm coming up to about three and a half years now, as you know, we've merged with Stone and Chalk Group, I actually get to work with some fantastic Australian cybersecurity companies. I also get to work with Stone and Chalk's founders who sit in our hub. So we're talking probably around 500 Australian companies and about I think we're up to about almost 2000 residents now. So it's fantastic going into work every day, and really being inspired by what they can do in the products and services they're inventing or innovating. But during my time at AustCyber there have been two instances of success for me. First one is the National Missing Persons Hackathon, which I have loved. And we've done that twice before. So the first event was held in 2019. It came out of this need to educate the industry or the public really, as well, a little bit more about cyber and the importance of cyber. And before I spoke about making it relatable, and so we thought, okay, how do we actually do this? And how do we do it in an innovative out of the box kind of thinking way. So decided to partner with the Australian Federal Police and a Canadian company called Trace labs. And what we did was we ran a hackathon. So the federal police supplied the profiles of 12 national missing people. So these are real people. And what Trace Labs did was they provided their platform, and we had a whole bunch of volunteers. And at first we thought, let's just do it in Canberra because that's where AustCyber is based. But we actually had a fantastic response. And we had people who wanted to participate from Sydney, Brisbane, Gold Coast, Sunshine Coast, Adelaide, Melbourne, all across Australia. And we had roughly 360 participants come and they participated in this hackathon, which went for about eight to nine hours. And at the end of that hackathon, what we actually had were almost 4000 new leads for police on these national missing people. And they did that through open source intelligence. And so it was a fantastic way to raise awareness, we got a lot of media for that. You know, the benefit of doing something for good for purpose was obviously, much greater than that. And so we ran that for, firstly in 2019. And then we decided to do it as an online event in 2020. And again, a much bigger response than in 2019. And we had more media, more volunteers, more judges, and more leads. And it's yeah, it's been a fantastic outcome. And we continue to work with the Federal Police in that way. But it's just one instance of thinking outside of the box, to really do kind of a longer term, effective, impactful communications campaign. That's probably my first one. And the second one is probably Australian Cyber Week. This had been an event that had been running for four years. And we originally started as an in-person event in Melbourne. We partnered with people like ASA, ACSC previously, and with COVID, obviously, in 2019 to now, we couldn't go ahead with an in person event. And so what we decided was to actually put that online. And I don't know if you've ever explored what online conferences looked like before, but it was pretty drab. And we explored a whole bunch of different programmes, mostly American actually, that had, you know, very simple rooms that you could go into. And we thought, this isn't for us. This isn't the way that we do communications. Let's think again, outside the box and think a little bit differently. And so what we did was some of my colleagues and I thought, okay, how do we make this fun for people? Why would people want to come to a conference that's online and sit there for many hours for five days, which is quite a tough ask right, in the middle of COVID. So what we did was we actually partnered with an agency. And we said, hey, we want to create a 3D virtual world. And we thought, okay, it's cyber, let's come up with a circuit board, we wanted to look like a circuit board. And what we also wanted to do, and I guess my idea of having you know in my younger days, having gone to lots of music festivals, I said, okay, let's make it look like a music festival map. So let's have kind of an overview of this 3D circuit board. And what they built together with us was a circuit board city that we could actually you could walk into the lobby, and you were surrounded by robots, and you could go into an amphitheatre. You could literally walk into that amphitheatre, sit with the robots, and have an a session live streamed there in front of you. And again, I guess that comes back to that, thinking outside the box. We actually had our office in Canberra, and we decided to set up a studio in there. So instead of a whole bunch of cameras, we invited guests to come in, and sit down and talk to us, and we live-streamed that directly onto the platform. And as a backup, we also had things like an exhibition hall. So we asked Australian savvy security companies if they would like to exhibit and we have things such as show bags, and people who go in and look at 3D stands. This year, we did that we use the platform again. And we introduced something called the cyber escape room. So I'm not sure how familiar you are with a physical escape room. But we've tried to replicate that experience, through several sessions in the cyber escape room. And we had many other kinds of interesting things that we thought people might be, you know, a little bit different to your traditional conference, but also providing the high quality speakers and the sessions that you're used to. And that's something I'm really proud of, I'm proud of the team for achieving. It's important when you see a product that you think can be made better to actually go and experiment and try to build that yourself.
CP: Both of those examples are mind blowing of what was possible. And I think sometimes people think way too small. And I'm sure that people are listening to you thinking, that sounds like it takes lots of time, lots of people and lots of money. However, you can do things on a smaller scale, and you can innovate. And, you know, I think we can move on from some of the traditional posters in the kitchen, brown bag lunches, hopefully everybody's moved on from there, because we're at home now, we're not together. For you to have moved both of those events to an online space and remain successful and grown year on year is incredible.
OG-T: It's not even expensive to be honest. It's all about partnerships. AustCyber is a not for profit and we partnered with the Federal Police, we partnered with Trace Labs. And for example, with cyber week, we partner with a whole bunch of different companies as well. So partnerships is really important in communications. And having that kind of in kind contribution where you can all bring something to the table, because you know, it's going to create impact.
CP: And what I also thought is important, too, was the missing persons week. We talk all the time and in fact, on this podcast, we've talked about it. But in general with awareness, we talk about hitting people where it's personal, because that's where you kind of get the message across. And you know, if we ever invite people into the office to talk about teenagers online, keeping your kids safe, keeping your elderly parents away from Nigerian scams, the room fills. You can't move for the number of people who want to come in and protect their families. And for you to use missing persons, which is such a sensitive topic, to bring cybersecurity awareness to the community and create 1000s of new leads on cases that potentially could have been cold for year, I think that really sparks something in people whose values align with a purpose like that. And you can replicate that in so many ways in the workplace and really drive into people's hearts. I know that probably sounds a little bit kitsch. But I think that's where we need to go with this, is to show people the why, the importance of it, and that it can be life changing for people if we get this right.
OG-T: Definitely. And the why, for me has always been important. I guess that's the key factor when you communicate anything. Don't communicate something unless it has a why. Otherwise, it's just not useful in any way. So when I say do a social media post, you have to include the why. When you're doing a big event like this, make sure the why is front and centre. It's crucial for any communications campaign.
CP: This season, I've been asking all my guests what they do in their personal lives for cyber. And obviously your background originally probably wasn't cyber or your background wasn't cyber, I should say not probably. What do you do now that you're in the industry that you're kind of a stickler for, for protecting yourself online?
OG-T: So I use LastPass, religiously for all of my passwords and I highly recommend that you do and everybody else in the audience does as well. We've also developed at work and it's a really interesting one, very specific processes and muscle memory around using systems to easily identify things like a phishing email. So for example, and we actually introduced this a couple of years ago at AustCyber, we really like the tool Slack. And we don't like getting lots of different emails, as you know, it fills up everyone's inboxes. And so we develop the muscle memory around talking to each other internally using Slack. And for any external emails, that would be done through the emailing system. So for example, we've had a few instances where I would receive an email from Michelle Price, for example, my CEO. And it looks a little bit weird, and I also know that she doesn't talk to me generally by email. And so we've been able to pick those ones up. And I thought that was a really great way of kind of training your team to be able to identify phishing emails. And we haven't had an instance at all because of this system. And the other one is actually follow a lot of alerts. So I'm a bit of a Twitter nerd, and I love reading, I actually find it a bit of a news cycle actually on Twitter. And so I follow that religiously, but stay up to date on those kinds of followings. They have a lot of alerts that go out. ACSC, you know all different types of organisations. And that's really good, because they're quite timely, and you can get on top of it pretty quickly.
CP: And I think in the current state of the world, you would probably be getting a lot of alerts.
OG-T: At the moment we are, yes.
CP: Olivia, it's been so fun to have you on the podcast. Your examples are so excellent I think for people listening. You can take something from everything that you've been able to achieve. And you should be incredibly proud, certainly of My Health Record and of the Missing Persons Hackathon. Thank you so much for the work that you do and for joining us on The Security Collective today.
OG-T: Thanks Claire, thanks for having me on.