57 episodes • Length: 40 min • Monthly
Dive into “Compromising Positions”, the unique, new podcast designed to iron out the wrinkles in the relationship between cybersecurity teams and other tech professionals.
We’re taking the ‘security as a blocker’ stereotype head-on, promoting a shared language and mutual understanding. We’ll turn those ‘compromising positions’ into ‘compromising solutions’, helping security pros and tech teams collaborate more effectively for a smoother, safer digital journey.
Every week we will be joined by Developers, User Researchers, Designers, Product Owners, Data Scientists, Cloud Specialists, Scrum Masters, C-Suite Execs, AI/ML boffins, and many, many more non-security positions!
This is a podcast that aims to get you thinking about security without boring you to death!
Join our two hosts, Lianne Potter, Cyber Anthropologist and Head of Security Operations at a major retailer, and Jeff Watkins, CTO at XDesign, for this informal, frank, and at times anarchic look at what people really think about cybersecurity in organisations and what cybersecurity people should ACTUALLY be doing.
The podcast Compromising Positions – A Cyber Security Podcast is created by Compromising Positions. The podcast and its artwork are embedded on this page using the public podcast feed (RSS).
Did you know the best way to bring down hackers is to punch them in the face? That if you don’t have a seven-screen setup you’re a rogue amateur? Or that the best hackers have fins?
This episode we are joined by Simon Painter, a senior software engineer with nearly 20 years of experience in the industry and author of the book Functional Programming with C#.
In this episode, Hack The Movies! The Best And Worst Hacker Movies Part 2!, our regular programming has been hijacked to bring you a discussion on the best, and worst, hacker movies! In this episode we cover The Beekeeper (2024), Swordfish (2001), Johnny Mnemonic (1995), Paper Man (1971) and The Italian Job (1969).
So boot up that modem, turn off the lights and enter the deepest, darkest web of hacker forums, and try not to overload your memory bank, as we explore this sometimes brilliant and sometimes bonkers sub-genre!
Show Notes
A Developer Goes to The Movies! Simon’s fantastic history of how technology features in films
About Simon Painter
With nearly 20 years of software engineering experience across various industries, Simon is a Senior Software Engineer at Talos360. Simon is also a Microsoft Most Valuable Professional (MVP) since 2023, an O'Reilly technical book author, and a public speaker at IT events worldwide.
His core competencies include C#, JavaScript, React.js, and Microsoft Azure, as well as ITIL and computer security.
LINKS FOR Simon Painter
Simon’s Website
Simon’s LinkedIn
Simon’s Book, Functional Programming with C#
We all know running a cybersecurity function is expensive and many of us have a hard time successfully negotiating the budgets we need to keep our organisation safe.
But what if we let you in on the secrets of successfully securing your cybersecurity budget?
This week we are joined by Scott Robertson, CFO of CreateFuture and he gives us the insights on what you should ask for when it comes to your next yearly budget, how to ask for it and crucially (because timing is everything when it comes to money!) when to ask for it!
Key Takeaways:
What Does a CFO do? A CFO is not just about managing financials but also safeguarding assets and ensuring future stability through effective risk management.
Time Your Requests Strategically: Discover the optimal timing to approach your CFO for budget increases and how to align your requests with the organisation's financial planning.
Quantify the Cost of Risk: Learn how to effectively communicate the potential financial impact of cyberattacks and the value of preventive measures.
Build Strong Relationships: Cultivate relationships with key stakeholders, including the CFO and other executives, to foster trust and support.
Prioritise and Justify: Identify critical security needs, prioritise investments, and present a compelling business case to secure the necessary budget.
The data landscape is changing faster than ever, and with it, the security threats - so whose responsibility is it to make sure your data is safe? Is it the data team? Or is it the cyber team? We tackle this question and more with Head of Data at AND Digital, Tim Hatton.
From leveraging AI to secure data, to the importance of real user testing, to how Tim threat models his clients’ data capability, you won’t want to skip this ever-important topic!
We also talk about ‘data mesh’ and if you’re not familiar with that term - it’s a data management framework that decentralises data ownership and responsibility to the teams that use the data. The idea is to make data more accessible and available to business users by directly connecting data owners, data producers, and data consumers.
So you can see why we thought that was an important topic to cover because, with this model, comes a lot of trust in others doing the right thing when it comes to data security!
So you won’t want to ‘mesh it up’ if people are following this framework in your organisation.
Key Takeaways:
Test User Journeys with Real People: Assumptions don't cut it—Tim emphasizes the importance of validating user journeys with real-world testing to ensure effective data usage.
AI and the Data Deluge: Friend or Foe? We explore the booming trend of AI in data management, but also ask the tough questions: Can AI be used for good in cybersecurity? Can it even help solve cold cases?
Holistic Data Security Assessments: Discover Tim's approach to assessing clients' data capabilities and security, involving both data and cybersecurity teams for comprehensive protection.
Maturity Matters: Responsibility for Data Protection. Tim reveals a surprising trend - immature organizations might have stricter controls! Discover how your organization's maturity level defines data security ownership.
The Future of Self-Sovereign Data: Explore the concept of self-sovereign data and why it might be the future of personal data management and security.
Show Notes
Book - Wicked Beyond Belief (The one I mistakenly said was Helter Skelter)
An Article on Self-Sovereign Data
About Tim Hatton
Tim Hatton has been working in digital since before it was called digital. Over the course of his career, he has worked on data and digital transformation projects for some of the biggest companies in the world.
He joined AND Digital in 2016 and is currently Head of Data. At AND he has worked on data strategy projects for clients in industries including finance, travel, publishing and retail as well as for several government departments.
Tim joined AND from Accenture Digital, and prior to this Tim ran his own digital marketing agency for many years, and co-founded a number of dotcom start-ups during the 1990s, none of which made him a millionaire but all of which taught him a great deal.
Tim is a regular speaker on digital topics at AND Digital events, for AND’s clients and in the media.
LINKS FOR Tim Hatton
Tim’s LinkedIn
LinkedIn is very divisive! Some people love it, and others hate it and everything it stands for. And if you’ve ever hung out on the LinkedIn Lunatics subreddit, then you can see why.
Now, for all the braggarts and the ‘what working during my wedding taught me about B2B sales’ posts, there is a lot to like about LinkedIn and many opportunities to be had…if you do it right!
We can all learn how to be good LinkedIn citizens. So whether your LinkedIn has two followers or 20,000, there is plenty to be getting your ears around in this conversation with John Moore - the question is…have you endorsed me yet?
Key Takeaways:
Why Humour Makes You Human (and Helps You Get Hired): Ditch the cringe! Learn how humour can break the ice and make your cybersecurity expertise more relatable.
Building Your Personal Brand Brick by Brick: Discover John's three-pronged approach to building a lasting LinkedIn legacy (think Time, Effort, and Commitment!).
Embrace the Journey: Failure is Fertilizer (But Not Fertilizer for Your Profile): Don't shy away from sharing lessons learned.
The Power of Storytelling: Learn how to craft compelling narratives that resonate with your audience and build genuine connections.
LinkedIn as Your Digital Shopfront: Make sure your profile shines!
Show Notes
Negotiate Anything Podcast
Humour is Serious Business in Cybersecurity Compliance
About John Moore
John C. Moore brings over two decades of dynamic experience in recruitment and operations management to his role at TekBank. With a keen eye for talent assessment and acquisition, John has mastered the art of full-cycle recruitment, excelling in sourcing, screening, and onboarding top-tier candidates. His expertise extends across diverse areas, including IT recruitment for commercial and government sectors.
LINKS FOR John Moore
John’s LinkedIn
No new episode this week because we’re both speaking at the AI for the Rest of Us conference this week.
So instead we’ve hit up the vaults for the wonderful Paula Cizek, Chief Research Officer at Nobl. She guides leaders and teams through the change management process, from assessing the organization’s readiness for change to implementing initiatives. In this episode, we explore the fascinating topic of Corporate Change and how its lessons can be applied to cybersecurity.
Normal service resumes next week but for now keep secure!
Show Notes
Asana’s guide to running Project Pre-mortems
How to “Start with the Skateboard” - Spotify
Explaining Fail-safe vs Safe-to-fail changes - NOBL
Barriers to Change - NOBL
How long does it take to make organisational change? - NOBL
Complexity Science Explained - Complexity Explained
An introduction to Network theory
Blending Complexity Science and Network Theory
Disentangling Risk and Uncertainty: When Risk-Taking Measures Are Not About Risk
Negotiation Tips - Getting Comfortable being Uncomfortable
Psychological Safety - McKinsey
About Paula Cizek
Paula Cizek is the Chief Research Officer of NOBL, where she guides organizations through large-scale transformation. A thought leader in change management and change resistance, she specializes in translating complex concepts into simple, practical tactics that deliver immediate and meaningful change.
Before joining NOBL, she was Innovation Manager at the IPG Media Lab, advising brand and media clients on emerging technology. Prior to that, she was Senior Innovation Consultant at Mandalah, where she led consumer behavior and brand strategy research for brands around the world. She's worked with a diverse roster of clients including Warner Bros., Chanel, Capital One, Bayer Pharmaceuticals, Airbnb, Chipotle, Grupo Bimbo, and more, and she's been published or quoted in publications like BrandingMag and Women's Wear Daily. She graduated from Georgetown University, majoring in Marketing and International Business.
LINKS FOR Paula Cizek
Paula’s LinkedIn
Dreaming of a career in Cybersecurity? Currently a Student and wondering how to succeed?
In this episode, we are joined by Dr. Thalita Vergilio. Thalita is a passionate technologist and cybersecurity expert dedicated to demystifying complex concepts.
This episode is for those dreaming of a thrilling career in cybersecurity as Thalita gives her roadmap for success from cybersecurity student to your first job in cyber.
She also highlights where cybersecurity professionals can do better now that she’s on the other side, working with developers as a consultant at Create Future. So it’s not just an episode for students!
Key Takeaways:
From Consultant to Lecturer to Consultant Again!: Thalita shares her unconventional path, including hacking into the university system as part of her job interview!
Are Universities REALLY Preparing Students for the Real World of Cyber? Spoiler alert: It's a complex issue, and Dr. Vergilio spills the tea and makes a bee-line for lecturer of the year (in our opinion!)
What Qualities Do The Best Cybersecurity Students Have?: Learn about the skills and experiences that make a good cybersecurity student, including passion for the subject, tenacity, and resilience.
From Academic to Action: Industry Skills You NEED to Know to Get Your First Job in Cyber: Your education is just the start, so in this competitive market, what are you going to do to stand out?
Bridging the Cyber-Engineering Gap: Developers must be aware of the security implications of their code to avoid vulnerabilities, so how do you go about doing that?
Show Notes
About Dr. Thalita Vergilio
Dr. Thalita Vergilio is a passionate technologist and cybersecurity expert dedicated to demystifying complex concepts. Her extensive experience in organisational transformations and streamlining large-scale systems provides a unique perspective on the intersection of engineering and cybersecurity. Having previously worked as a Senior Lecturer, Thalita is keen to share her knowledge and insights, making complex technical concepts accessible to a broad audience.
Her doctoral research focused on developing a vendor-agnostic, multi-cloud solution for big data stream processing, showcasing her expertise in innovative and efficient data management strategies. Through this podcast, she aims to explore the fascinating world of cybersecurity, drawing on her PhD research and teaching background to offer valuable perspectives and practical insights.
LINKS FOR Dr. Thalita Vergilio
This episode we are joined by Marcy Charollois. Marcy is a socialtech writer, content strategist, and the founder of Merci Marcy and The Safe Place. Her mission is to enable teams to embody a culture of genuine inclusion beyond superficial measures.
This week we explore the complex, important, and under-discussed topic of diversity, equity and inclusion in cybersecurity.
As an industry, we do an alright job talking about hiring diversity in cyber, but that is not where the topic should end. With more and more people from a wide range of backgrounds and abilities interacting with our security controls, we need to think about whether the security measures we put in place are accessible.
We explore how we can make a more accessible cybersecurity user journey, design inclusive password patterns, how to be an ally in this space, and how to make sure that we always act ethically when we think about security.
This episode is a must-listen for anyone interested in creating a more equitable and effective cybersecurity landscape.
Key Takeaways:
Inclusive Security Controls: Marcy explains why diversity and inclusion should be integral to our security controls. It’s not just about who we hire but how we design our systems to be inclusive for all users.
Purposeful Technology: Avoid creating technology for technology’s sake. Always consider the end-users and their diverse needs to ensure the technology serves everyone effectively.
Inclusive Passwords: Traditional password systems can be exclusionary. Marcy discusses how we can make password fields more accessible and inclusive, particularly for those with disabilities.
The Coded Gaze: Our current coding practices often reflect a narrow societal view, excluding many groups. Marcy urges the adoption of accessible design practices to create better security solutions.
Allyship and Continuous Improvement: Being an ally involves continuous learning, listening, and taking concrete actions. Marcy provides a recipe for inclusive UX to help check biases and improve user experiences for marginalised communities.
Show Notes
Marcy’s Talk at WebDevCon - Racism Fuels User Experiences
Unmasking AI: My Mission to Protect What is Human in a World of Machines by Joy Buolamwini
Alba Villamil’s LinkedIn
W3.Org’s Accessibility Standards for Authentication
About Marcy Charollois
Marcy Charollois is a social tech writer, content strategist, and the founder of Merci Marcy and The Safe Place. She served as the editor-in-chief of WeLoveDevs for two years, where she made history as the first woman, as well as the first racialised and LGBTQIA+ woman, to be hired.
Recognising the lack of representation for people like herself in the tech industry, Marcy took a committed stance to promote diversity. She is dedicated to breaking through the pretence of corporate values and advocating for real cohesion within teams. Her mission is to enable teams to embody a culture of genuine inclusion beyond superficial measures.
LINKS FOR Marcy Charollois
In this episode we are joined by Kelly Paxton. Kelly Paxton has more than 20 years of investigative experience. Kelly is a Certified Fraud Examiner, author, and podcast host and founder of Fraudish.
This week’s episode asks why it is so hard to commit a crime these days! And when people do, what is the motivation behind it? We also look at the nature of surveillance: how it can be used to catch criminals, but also the implications of being willing to bring surveillance devices into your home and life - yes, I’m looking at you, iPhone! We cover how fraud in the workplace happens, what signs to look out for and how to prevent it happening, and how sometimes it’s not so pretty in pink, as we explore Kelly’s specialism, Pink Collar Crime!
Key Takeaways:
I Always Feel Like Somebody’s Watching Me: From personal devices to public spaces, surveillance is a constant presence in our lives. While it can deter crime, it also presents opportunities for criminals to exploit our vulnerabilities.
The Impact of Dishonesty: Delving into the profound repercussions of workplace dishonesty on trust and employee behaviours.
Pink-Collar Crime: Often committed by low to medium-level employees, primarily women, pink-collar crime is more prevalent than you might think. These crimes are usually subtle, with fraudsters blending seamlessly into their environments.
The Impact of Tone at the Top: A company's culture and leadership play a crucial role in influencing employee behavior. Ethical leadership and a positive work environment can discourage dishonest actions.
Show Notes
The BeeKeeper Film
LinkedIn page for Avi Klein
Artist uses CCTV cameras to take selfies and post them to their Instagram page - VICE
LinkedIn page for Mish Aal
Number Go Up: Inside Crypto’s Wild Rise and Staggering Fall by Zeke Faux
Nobody’s Fool: Why We Get Taken In and What We Can do About It by Daniel Simons and Christopher Chabris
About Kelly Paxton
Kelly Paxton is a Certified Fraud Examiner, Private Investigator, and Professional Speaker. She is also the founder of the Fraudish (formerly Great Women in Fraud) podcast. She published Embezzlement: How to Prevent, Detect and Investigate Pink-Collar Crime in December 2020.
LINKS FOR Kelly Paxton
In this episode we are joined by Dr. Rebekka Reinhard. Dr Reinhard is a philosopher and the founder and editor-in-chief of Human magazine, which aims to holistically address the impact of AI beyond the technical to include the cultural and the human.
In this episode, Hacking Our Capacity to Think - The Philosophy of Trust, Cybersecurity and AI, we explore these topics and more through the lens of philosophy.
We discuss the importance of an interdisciplinary dialogue between tech experts and humanities experts, how AI is impacting democracy and our concept of trust and safety within the context of cybersecurity, and new threats like deepfakes and misinformation.
Key Takeaways:
The Human Element of AI: AI is not just technology; it's a reflection of human values and biases. Understanding its impact requires an interdisciplinary approach that considers philosophy, ethics, and technology.
AI and Democracy: Technology poses a threat to democratic processes. AI's ability to manipulate our thoughts and behaviours poses a significant threat to our autonomy and critical thinking. It's essential to be aware of these dangers and develop strategies to protect ourselves.
The Importance of Trust: Trust is a fundamental building block of society, and it's equally crucial in the context of AI. Building trust in AI systems requires transparency, accountability, and ethical considerations.
The Dangers of Individualism: In the digital age, individualism can lead to echo chambers and biased information. It's vital to foster a sense of collective responsibility and work together to address global challenges.
The Need for Reflection and Accountability: Leaders and creators of AI tools must be held accountable for the potential harms their creations may cause.
Show Notes
London School of Economics - https://www.lse.ac.uk/study-at-lse/online-learning/courses/ethics-of-ai
A list of Dr Reinhard’s Books via Amazon
BlueDot AI Safety Alignment course
Deepfake Documentary, Another Body
About Dr Rebekka Reinhard
Dr. Rebekka Reinhard is the founder and editor-in-chief of “human”. The magazine, published quarterly in print and digital formats with German and English editions, is the first of its kind to holistically address the impact of AI on the economy, politics, society, and culture, while keeping a strong focus on the human aspect.
LINKS FOR Dr Rebekka Reinhard
Keywords: cybersecurity, ai ethics, trust, philosophy, deepfakes, ethics, democracy
In this episode we are joined by Sergès Goma, a Paris-based software developer specialising in JavaScript. In this episode, Sometimes, We Are the Villains - Tech Ethics in Software Development, we dive deep into the ethical dilemmas we face as workers and creators of technology. Heroes are few and far between in this tech landscape, even if we don’t like to admit it, and that includes us in cybersecurity! So it is important that we have these conversations and look inward at our industry and the impact it has on culture and society.
We also talk about why developers always seem to top the leaderboard when it comes to phishing simulation click rates, the complexity of the word ‘privacy’ in different countries, and ask if we are heading towards a more regulated industry and what that might mean for innovation and creativity.
Key Takeaways:
Uncovering the Dark Truth: Discover why those working in tech may not be the heroes we perceive them to be.
The Perils of Overconfidence: Learn how the tech-savviness of developers can lead to risky behaviours and potential security breaches.
From Feature-Focused to Security-Savvy: Learn how training and awareness can empower developers to become active participants in building secure software.
Regulation vs. Innovation: We examine the challenges and opportunities of ethical frameworks in the tech industry.
Global Perspectives on Privacy: Gain insights into how privacy is perceived differently across the world and the impact of cultural nuances on ethical considerations in tech.
Links to everything we discussed in this episode can be found in the show notes and if you liked the show, please do leave us a review.
Follow us on all good podcasting platforms and via our YouTube channel, and don't forget to share on LinkedIn and in your teams.
It really helps us spread the word and get high-quality guests, on future episodes.
We hope you enjoyed this episode - See you next time, keep secure, and don’t forget to ask yourself, ‘Am I the compromising position here?’
Show Notes
Evil Tech: How Devs Became Villains
Background on the Nestle Milk Scandal
The Untold Story of the 2018 Olympics Cyberattack, the Most Deceptive Hack in History by WIRED
Paris Olympics Security Warning—Russian Hackers Threaten 2024 Games by Forbes
Clean Code: A Handbook of Agile Software Craftsmanship by Robert Martin
About Sergès Goma
Sergès Goma is a Paris-based software developer specialising in JavaScript. When she’s not fixing codebases, she gives motivational speeches mostly aimed at junior and would-be developers, as well as participating in the tech women’s empowerment online community Motiv’Her.
LINKS FOR Sergès Goma
Keywords: cybersecurity, tech ethics, ethics, software development, privacy
This episode we are joined by the awesome Steve Trapps. Steve is the co-owner of Scrum Facilitators, an experienced Scrum Master, and a Professional Scrum Trainer with more than 20 years of experience in delivering complex products in many different business sectors.
This week we answer that age-old question: Can Cybersecurity Teams Actually Do Scrum? To answer that, we do a deep dive into when you should and shouldn’t use Scrum in your cybersecurity teams and, of course, we learn exactly what a Scrum Master does!
Together we explore how Scrum can be used to foster better conversations, create transparency and help you achieve your goal; what it takes to be an A1 facilitator, like Steve; as well as how not to get caught up in the dogma of ‘the Scrum Guide’!
Key Takeaways:
What is Scrum? How do I become a Scrum Master? More than just overseeing daily stand-ups and organising Jira tickets, we unveil the multifaceted responsibilities of a Scrum Master, including coaching, mentoring, and facilitating effective teamwork.
Scrum for the Unknown, Not the Mundane: Scrum shines in situations with complexity and uncertainty, perfect for tackling emerging threats! But for routine tasks (BAU), consider alternative approaches.
Ditch the "Scrum Guide Says" Mindset: Focus on the purpose of Scrum - fostering conversations, transparency, and clear outcomes. Don't get bogged down in dogma!
How To Spot a Bad Meeting? Well, you’re sweet for asking, but…
Keywords: cybersecurity, agile, scrum, scrum master, coaching, facilitation, kanban
Show Notes
Visual Thinking: The Hidden Gifts of People Who Think in Pictures, Patterns and Abstractions by Temple Grandin
Radical Candor: How to Get What You Want by Saying What You Mean by Kim Scott
Creativity, Inc.: an inspiring look at how creativity can - and should - be harnessed for business success by the founder of Pixar by Ed Catmull
About Steve Trapps
Steve Trapps is the co-owner of Scrum Facilitators, an experienced Scrum Master, and a Professional Scrum Trainer with more than 20 years of experience in delivering complex products in many different business sectors. He started his career as a software developer, working for Nestle before working for Sky, building applications and websites for many of the English Premier League football teams. Having previously been a developer, Steve has worked in various teams (Scrum and non-Scrum), so he comes packed with real-life stories, from start-ups building the next social media network up to large corporations handling thousands of transactions a second. If you want to learn from someone who has been there, then Steve can share experiences to help you on your way. Steve focuses on helping individuals and teams reach their full potential through professional development coaching and professional training.
LINKS FOR Steve Trapps
Steve’s LinkedIn
This episode we are joined by the brilliant Stefan Gaillard, the co-founder and current chair of the Journal of Trial & Error, a journal dedicated to highlighting the importance of trial and error in scientific practice and scholarship.
Trial and error is part of the scientific method, but most of us are risk averse because we are so afraid of failure, or we go to great lengths to stop anyone finding out that we have failed. There is so much shame around admitting to failure, especially in cybersecurity when, let’s face it, most of us will experience the failure of our security controls eventually. But to hide from failure, not only from ourselves but also from our peers, means missing out on important learning opportunities. We need to change this! If we don’t think about failure more, we are doomed to keep failing.
This episode we explore the importance of removing the stigma from failure, the benefits AND the dangers of tech’s ‘fail-fast’ mentality, what it’s like to live in the information overload age and finally, the importance of trial and error.
Key Takeaways:
Removing the Stigma of Failure: Learn why it’s crucial to view failure as a stepping stone rather than a setback. Stefan discusses how changing our perception of failure can lead to more innovative solutions.
Blame the System, Not the Individual: Discover the importance of considering human factors in cybersecurity incidents. Stefan explains why blaming individuals is often counterproductive and how systemic changes can prevent future errors.
The Information Overload Age: We’ve left the "Information Age" behind and entered the era of "Information Overload." With so much data and misinformation circulating, how do we stay focused and make informed decisions? Stefan shares his thoughts on how to navigate this landscape while avoiding cognitive overload.
Fail Fast, Innovate Faster: What are the pros and cons of a "fail-fast" mentality in tech? Stefan takes us through the benefits of quick iteration and the dangers of overpromising, using examples from AI winters and the current AI hype cycle. Understanding when to abandon a product or pivot can be the difference between success and stagnation.
Changing your mind is part of progress. Don’t fear shifting narratives when presented with new facts.
Keywords: cybersecurity, trial and error, testing, failure, experimentation
Show Notes
The Journal of Trial and Error
The British Library’s Cybersecurity Incident Review
Overpromising in science and technology: An evaluative conceptualization
Ten simple rules for failing successfully in academia
About Stefan Gaillard
Stefan Gaillard is the co-founder and current chair of the Journal of Trial & Error, a journal dedicated to highlighting the importance of trial and error in scientific practice and scholarship. For this work he was selected for the Forbes 30 Under 30 list of 2024. Besides chairing the journal, Gaillard is currently pursuing a PhD in ‘Philosophy and Science Studies’. His research focuses on overpromising – what is it, how can we recognize it and when does science fail to correct it? In addition, he is project coordinator at The New Utrecht School, an interdisciplinary platform for urgent discussions on the interaction between the health domain, the arts, and the sciences and humanities. The New Utrecht School and the Journal of Trial and Error are currently hosting a series of lunch lectures and publishing a special issue on ‘Scientific failure and uncertainty in the health domain’.
LINKS FOR Stefan Gaillard
Stefan’s LinkedIn
Stefan’s X Account
This episode we are joined by the wonderful Jamie Sherman, a cultural anthropologist and principal UX researcher at ESRI.
We explore how words like ‘security and privacy’ are slippery and that can lead to a lot of confusion and misunderstanding.
We look at how to ask better questions to really understand how to protect the people and customers in an organisation, and how to create the perfect ‘sniff test’ in our organisations so people feel more able to trust their intuition rather than relying on crap passwords.
And finally, we unpack the importance of hiring more anthropologists in cybersecurity, because not everybody does it like us.
Key Takeaways:
Anthropology in Cybersecurity: A Game-Changer: Anthropology isn’t just the study of ancient cultures; it’s about understanding how people make meaning in their lives today. Anthropologists, through methods like ethnography and participant observation, can uncover the human side of cybersecurity, ensuring that security measures align with real-world behaviours, not just technical protocols.
What does ‘Security’ actually mean? Words are Slippery: We don’t always have a shared meaning for terms like “security” and “privacy.” Misunderstandings can lead us down the wrong path, creating a sense of betrayal. It’s essential to ask, “What is security to you?” and make security visible without overwhelming users with cognitive load.
Sniff the milk, is it off?: Traditional security measures, like passwords and phishing awareness, often overload users with cognitive demands. But what if we focused on building intuition instead? We can help users develop a gut sense of when something feels wrong, the same response triggered when we sniff milk that has gone off, an essential skill in a world where data is constantly on the move and always at risk.
Asking the Right Questions: Better questions lead to better security controls and a deeper understanding of user needs.
Links to everything we discussed in this episode can be found in the show notes and if you liked the show, please do leave us a review.
Follow us on all good podcasting platforms and via our YouTube channel, and don't forget to share on LinkedIn and in your teams.
It really helps us spread the word and get high-quality guests, on future episodes.
We hope you enjoyed this episode - See you next time, keep secure, and don’t forget to ask yourself, ‘Am I the compromising position here?’
Show Notes
Pumping Iron - Give it a watch!
Over Half of Cybersecurity Professionals Engage in Risky Behaviours at Work - KnowBe4
Purity and Danger: An Analysis of Concepts of Pollution and Taboo - Mary Douglas
About Jamie Sherman
Jamie Sherman is a cultural anthropologist and principal UX researcher at ESRI. She holds a PhD in anthropology (Princeton, 2011) and has been in the technology and UX space since joining Intel Labs in 2012, where she worked on a range of existing and emerging technologies, including wearable tech, virtual reality, and content creation. Her most recent focus is on the use of data and analytics to do things, from making movies to making maps.
LINKS FOR Jamie Sherman
Jamie’s LinkedIn
Keywords: cybersecurity, anthropology, user behaviour, privacy, UX
This Episode we’re heading back into the vaults to bring you the unabridged version of our fantastic and extremely popular interview with Bec McKeown, a chartered psychologist with extensive experience in carrying out applied research for organisations including the UK Ministry of Defence and the founder and director of Mind Science, an independent organisation that works with cybersecurity professionals.
Ever wanted to know the psychology behind cybersecurity? Bec takes us on a fascinating journey into the mind as we get acquainted with a smorgasbord of psychological concepts to help you understand your cybersecurity posture - especially during a dreaded cybersecurity incident!
Key Takeaways:
The curse of knowledge: Understanding what it's like to not understand cybersecurity from a technical perspective can be an advantage in helping you communicate better. By putting yourself in the shoes of the listener, you can convey complex ideas in a way that is easy to understand and relatable.
Microlearning: Nobody wants to sit in training for three hours! Microlearning helps by breaking up information into bite-sized chunks that are easy to digest. It's also important to account for different learning styles and provide information in various formats.
Amygdala hijacking: Cybercriminals leverage amygdala hijacking, which occurs when the amygdala activates the fight-or-flight response when there is no serious threat to a person's safety. It's essential to recognize the contextual cue that led you to act that way and develop strategies to deal with it before it happens.
Awareness does not equal change in behaviour: One size doesn't fit all, and quantitative is usually valued over qualitative, which needs to change.
Focus on Impact Skills, Not Just Technical Knowledge: Decision-making, communication, and collaboration are the foundational skills needed to navigate complex cyber threats.
Show Notes
Bec’s Article in Immersive Labs on Workforce Resiliency
Christian Hunt’s episode - Compromising Positions
Article on Theory X and Theory Y - Mind Tools
Influence by Robert Cialdini
Actionable Gamification - Yu-Kai Chou
Kirkpatrick Model - Mind Tools
Copyright movies. Privacy is a Crime Video
The software Lianne used on her tabletop exercise to get anonymous responses: Mentimeter and Slido
About Bec McKeown
Bec McKeown CPsychol is the Founder and Director of Mind Science, an independent organisation that works with cyber security professionals. She helps businesses to advance the human aspect of system resilience, so a collaborative culture of innovative thinking and an agile threat response becomes the norm.
As a Chartered Psychologist with extensive experience of carrying out applied research for organisations including the UK Ministry of Defence, Bec has gained a unique perspective on the ways humans react in times of crisis. She works at both operational and strategic levels, with a focus on situational awareness, decision-making and problem-solving in complex environments.
LINKS FOR Bec McKeown
Bec’s LinkedIn
We’re still on a summer break, but in the meantime we are delighted to share with you an episode from friend of the show Cyber Empathy, which Lianne appeared on earlier this year. In this episode Lianne discussed how she hates the term ‘weakest link’ when talking about our colleagues, how the language that we use in cybersecurity can be incredibly harmful to our cybersecurity posture, and how she applies her skills as an anthropologist to her organisation.
Key Takeaways:
Why Anthropology and Cybersecurity Make for Good Bedfellows - Cybercriminals are most successful when they aim for the human element. Knowing what it means to be human continues to be very important for facing emerging cybersecurity threats!
When Was the Last Time You Gave a Gift? Lianne discusses how the giving of ‘gifts’ in your organisation might just lead people to bond with your message through the principle of reciprocity.
Trust Issues? In cybersecurity our whole schtick is trust issues, but does it have to be that way? If we trusted people a little more, could they help us in the fight against cybersecurity criminals?
Tell Me a Story - Storytelling is the crux of human existence and one of the main drivers of our evolution - and yet in cybersecurity, despite having exciting stories to tell, we instead drone on about MFA! Let's make cybersecurity interesting again through storytelling!
Show Notes
Full show notes can be found at the source on Cyber Empathy
About Andra Zaharia
Andra is a cybersecurity communication manager focused on organic growth and fighting infosec marketing cliches to make content that people actually enjoy. She is also the creator of the award-winning podcast Cyber Empathy where she shares stories of kindness, curiosity and connections that show how humans shape online security and privacy.
LINKS FOR Andra Zaharia
Andra’s Website
Andra’s Podcast
Andra’s LinkedIn
Thank you kindly to Cyber Empathy for giving us permission to share this episode!
Keywords:
cybersecurity, storytelling, trust, anthropology, empathy, reciprocity
We’re still on a summer break, but in the meantime we are delighted to share with you an episode from friend of the show The Modern.Net Show, on which Jeff and Lianne were interviewed. In this discussion we talked about how you protect your ass-ets, your SDLC, and how to improve cybersecurity practices overall within your organisation.
Jamie is a great interviewer and we are sure you’ll enjoy his show. And if you do, don’t forget to look him up and subscribe to his channel. We’ve put details of where to find him in the show notes. Enjoy!
Thank you kindly to The Modern.Net Show for giving us permission to share this episode!
Key Takeaways:
Herd Mentality - Cybercriminals are always going for the easiest target so even a bit of extra security can make you look unappetising and unappealing to a hacker.
Being Secure is Never the Primary User Goal - Security should be invisible, but that can only be achieved if you think in a human-centric way or utilise the principles of user experience, behavioural science and psychology.
Your Cybersecurity Team is Likely to be Overwhelmed - So give them a hand. If you want them to loosen up a security control, do your research! Explain why you need a certain library, for example, and explain how you intend to manage the risks. Don’t expect the cybersecurity team to have the time to do all the research for you!
Product Security Might be the Answer to Good Security - Why a holistic approach is the best approach to securing the products you are building.
Show Notes
Full show notes can be found at the source on The Modern.Net Show
About Jamie Taylor
Jamie is a Microsoft MVP and seasoned technologist specializing in .NET, Python, Go, and bespoke software delivery. With over a decade of experience, Jamie brings a unique blend of technical expertise and strategic thinking to the table.
In 2023, he was honoured with the award for Most Visionary Software Development Managing Director, a recognition that underscores his commitment to innovation and leadership in the industry. His journey is marked by a dedication to translating complex technological landscapes into tangible business benefits. As the host of The Modern .NET Show, an award-winning podcast, he showcases his deep technical knowledge and communicates complex concepts in an accessible manner.
LINKS FOR Jamie Taylor
Jamie’s Website
Jamie’s Podcast
Jamie’s LinkedIn
Keywords: cybersecurity, SSDLC, AppSec, dev, product security, storytelling
Welcome to Compromising Positions!
The award-winning tech podcast that asks non-cybersecurity professionals what we in the industry can do to make their lives easier and help make our organisations more prepared to face ever-changing human-centric cyber threats!
This Episode we’re heading back into the vaults to bring you the unabridged version of our fantastic and extremely popular interview with Christian Hunt, the founder of Human Risk. He's a Behavioural Science expert and author of the award-winning book 'Humanizing Rules'.
Key Takeaways:
The Importance of Designing Things for how People Actually Behave (as opposed to how we would like them to behave!)
Are Phishing Simulations Still Fit for Purpose? The ethics of phishing simulations and how to measure the success of cybersecurity awareness training
F*ck Your Rules! We go into how people really feel about rules they don’t respect and how you can stop them from rebelling against your cybersecurity controls!
Stop Treating Everyone Like A Master Criminal! Why a one-size-fits-all approach to suspicion will be causing more harm than good for your cybersecurity posture
I’m Only H.U.M.A.N(S) - Christian shares his H.U.M.A.N.S framework to use in your organisation today!
Keywords: cybersecurity, phishing, behavioural science, rules, compliance, h.u.m.a.n.s framework
Show Notes
Christian’s Book (highly recommended) - Humanizing Rules
About Christian Hunt
Christian is the founder of Human Risk, a Behavioural Science (BeSci) led Consulting and Training Firm specialising in Ethics & Compliance and the author of a book, ‘Humanizing Rules’. He was formerly Managing Director, Head of Behavioural Science at UBS. Christian joined the Firm in Compliance & Operational Risk Control, leading the function globally for UBS Asset Management. Before joining UBS, he was COO of the UK Prudential Regulation Authority, a subsidiary of the Bank of England responsible for regulating financial services.
LINKS FOR Christian Hunt
Christian’s Website
Christian’s Podcast
Christian’s LinkedIn
This Episode we are joined by Simon Painter a senior software engineer with nearly 20 years of experience in the industry and author of the book Functional Programming with C#.
In this episode, Hack The Planet! The Best And Worst Hacker Movies Reviewed! Our regular programming has been hijacked to bring you a discussion on the best, and worst, hacker movies! In this episode we cover greats like Hackers, Sneakers, Jurassic Park and War Games, and not so great movies like The Net!
So boot up that modem, turn off the lights and enter the deepest darkest web of hacker forums, and try not to accidentally trigger thermonuclear war, as we explore this sometimes brilliant and sometimes bonkers sub-genre!
Disclaimer! This podcast is for educational purposes only and is distributed without profit. This episode may contain copyrighted material whose use has not been specifically authorised by the copyright owner. We believe our use of such material constitutes fair use for the purpose of review, commentary, and critique.
We Talked About A Lot Of Films In This Episode - Here’s The List:
Hacker Movies
Hackers (1995)
Sneakers (1992)
The Net (1995)
The Net 2.0 (2006)
Jurassic Park (1993)
Jumping Jack Flash (1986)
Brazil (1985)
The Italian Job (1969)
War Games (1983)
Electric Dreams (1984)
Swordfish (2001)
Mr Robot (TV, 2015)
Non-Hacker Movies
Amélie (2001)
Blade Runner (1982)
Blade Runner 2049 (2017)
Arrival (2016)
Dune Part 1 (2021)
The Zone of Interest (2023)
The Duke of Burgundy (2014)
Flux Gourmet (2022)
In Fabric (2018)
Short Circuit (1986)
Flight of the Navigator (1986)
Metropolis (1927)
Cliffhanger (1993)
Tough Guys Don't Dance (1987)
Cast Away (2000)
The Fugitive (1993)
Keywords: cybersecurity, movies, series end, hackers, war games, sneakers, film
SHOW NOTES
Simon’s Book, Functional Programming with C#
Read Simon’s Film Reviews on his website
The beautiful Leeds Cinema, The Hyde Park Picture House
ABOUT SIMON PAINTER
With nearly 20 years of software engineering experience across various industries, Simon is a Senior Software Developer at Müller UK & Ireland, one of the leading dairy companies in Europe. Simon has also been a Microsoft Most Valuable Professional (MVP) since 2023, and is an O'Reilly technical book author and a public speaker at IT events worldwide.
His core competencies include C#, JavaScript, React.js, and Microsoft Azure, as well as ITIL and computer security.
LINKS FOR SIMON PAINTER
Simon’s Website
Simon’s Linkedin
This Episode we are joined by Simon Painter a senior software engineer with nearly 20 years of experience in the industry and author of the book Functional Programming with C#.
In this episode, ‘There Is No Perfect Cybersecurity, But You Could At Least Put a Padlock On It!’, we look at how to get your first technical book published, what developers really need from the cybersecurity team (hint - it's probably more than you are giving!) and what developers really think of security reviews!
Key Takeaways:
Everyone Has A Book In Them: Simon shares the 101 on how to get published with tech publishing legend, O’Reilly
Learning Never Stops: Simon’s MSc in Cybersecurity taught him that continuous learning is essential. If you’re in a career rut, consider picking up a new skill
Beyond Hackers: Infosec isn’t just about thwarting hackers, sometimes it’s about knowing what to do when someone ‘does a stupid!’
No Padlocks, One Padlocks, 100 Padlocks, When Is it Enough?: Make yourself the ‘un-easy’ target through automation tools like OWASP Zap, Burp Suite, and playing around with Kali Linux.
Visibility And Collaboration For Happy Devs: Cybersecurity teams, step into the spotlight! Get involved in the code, engage with other teams, and demystify your work. Let’s build bridges, not just firewalls!
Keywords: cybersecurity, devsecops, pentesting, kali linux, owasp, devs, software development
SHOW NOTES
Simon’s Book, Functional Programming with C#
Jeff’s Book Recommendation, Grokking Artificial Intelligence Algorithms
How To Get The Community Edition of Immersive Labs (Try And Get Your Boss To Pay For The Full Thing - So Worth It!)
Play Around With Hacking In a Safe Environment with HACK THE BOX and TRY HACK ME
This Episode we are joined by Martina Mitz, a UX Psychologist, Strategist and Designer.
In this episode, ‘When Perception is Everything: Is it Time to Ditch the name "Cybersecurity"?’, we explore how people feel when they see the title ‘cybersecurity’ and ask the question: is the term ‘cybersecurity’ actually putting people off engaging with us?
We also talk about the power of perception, how to learn from failure, and supporting cognitive shifts so people feel like a contributing cog for the securing of our organisations rather than just a spare part!
And Martina also shares a story about the time when she got hacked and you won’t believe what the hacker did next!
Key Takeaways:
Feeling like a cog in the security system? People need to understand its intricacies to truly support it. We need to remind the people we support that they are not a spare part; they are essential.
Rethinking the Name: Should we ditch "cybersecurity" for a term that resonates better?
Building a Security Mindset: Discover how to create a mental model of security that empowers everyone.
Learning from Failure: Why embracing a "safe to fail" environment is crucial for innovation in cybersecurity.
A Hacker Leaves a Note: Learn how one hacker hacked ‘for good’ to change insecure behaviours!
Keywords: cybersecurity, UX, psychology, UR, behaviour, creativity, security champions, accessibility
SHOW NOTES
A version of Martina’s talk that Lianne and Jeff saw - Experience Mapping: Why, How and What
ABOUT MARTINA MITZ
Martina started as a self-taught Web Designer in 1999. From the very beginning her approach was user-centered despite not being familiar with the now-common phrase of ‘User Experience’. In 2007 she finalized her (Diploma-) study in Psychology and started working in the field of clinical Psychology. It was at this point that Martina’s academic background and her passion joined and she started a career as UX Designer, being called “Conceptioner” at first. Since then Martina has not only contributed to the digital and service ecosystems of many recognizable companies (e.g. eBay, PayPal, Emirates Airlines, Volkswagen, Telekom and many more), but she also helped selected Start-ups in Europe, by forming and driving their Research, as well as contributing to their product or service strategy and definition.
LINKS FOR MARTINA MITZ
Martina’s LinkedIn
Martina’s Website
Martina’s Youtube
This Episode we are joined by Martina Mitz, a UX Psychologist, Strategist and Designer.
In this episode “Can Cybersecurity Teams Flex Their Creativity To Keep Us All Safe?”, we’re going to talk about the natural intersection between psychology, UX and Cybersecurity, and the importance of understanding human behaviour to create user-centric digital interfaces, that people will not only want to interact with, but will also keep them safe.
We’ll also discuss the importance of bridging the gap between the Cybersecurity and UX teams, building trust between two teams that are often perceived to be at odds with each other, or may not interact at all!
And finally whether or not Cybersecurity could or maybe even should be considered a creative pursuit.
Key Takeaways:
The Intersection of Psychology and UX Design: Martina explains how her background in clinical psychology enhances her approach to UX design. She highlights the importance of understanding human behaviour to create user-friendly and secure digital interfaces.
Bridging the Gap Between Cybersecurity and UX: We delve into the often-overlooked collaboration between cybersecurity teams and UX designers. Martina emphasizes the need for cybersecurity professionals to engage with UX teams to better understand user behaviour and create more effective security measures.
Overcoming Fear and Building Trust: Martina discusses the common fear and mistrust between cybersecurity teams and other departments. She provides strategies to foster better communication and collaboration, ensuring security measures are user-centric and effective.
The Importance of User Research in Security: The episode highlights how user research can identify potential security risks and user vulnerabilities. Martina shares examples of how understanding user needs and behaviors can lead to more robust security solutions.
Creativity and Innovation in Cybersecurity: Martina challenges the stereotype that cybersecurity is purely analytical and devoid of creativity. She argues that solving security challenges often requires innovative thinking and a deep understanding of human psychology.
Keywords: cybersecurity, UX, psychology, UR, behaviour, creativity, design, trust, accessibility
This Episode we are joined by Michael Walford-Williams, a consultant specialising in operational resilience and third-party risk management. His consultancy Westbourne Consultancy Limited sees him working for various clients providing risk management services for the financial service industry.
In this episode, we look at how risk appetite evolves over time, the power of red teaming, how to empower everyone to care about risk and ask the question: ‘Is your risk management toast?’
Key Takeaways:
Risk Appetite is a Moving Target: Just because a threat hasn't hit you yet, doesn't mean it won't. Learn how to adapt your risk management strategy to evolving threats.
Testing Makes Perfect (or at Least More Prepared): Don't wait for a real attack to expose your weaknesses. Simulated attacks like phishing campaigns and red teaming can expose vulnerabilities before they're exploited.
From Paper to Reality: Testing cybersecurity resilience shouldn't just be best endeavours on a piece of paper (business continuity documentation).
Better Red than Bread! Red Teaming Unleashed: Testing, from phishing simulations to physical assessments to full-blown red-teaming activities, all plays a pivotal role in empowering employees and increasing organisational vigilance. And remember, it’s not about pointing fingers—it’s about empowerment.
Risk Ownership: Risk isn’t just IT’s problem. It’s everybody’s job. From the boardroom to the frontlines, we’re all in this together. We will show you how to redefine risk ownership.
Keywords: cybersecurity, risk, resilience, red teaming, risk appetite, RACI, AI
SHOW NOTES
‘Biggest cyber risk is complacency, not hackers’ - UK Information Commissioner issues warning as construction company fined £4.4 million. ICO
The Tipping Point: How Little Things Can Make a Big Difference by Malcolm Gladwell
ABOUT MICHAEL WALFORD-WILLIAMS
Michael Walford-Williams is a consultant specialising in operational resilience and third-party risk management. His consultancy Westbourne Consultancy Limited sees him working for various clients providing risk management services for the financial service industry.
LINKS FOR MICHAEL WALFORD-WILLIAMS
Michael’s LinkedIn
Michael’s Website
This Episode we are joined by John Sills, managing partner at customer-led growth company The Foundation and author of the book ‘The Human Experience’.
John joined us last week and shared with us fantastic tales of his time working for a major bank and how the IT team decided to rollout a new cybersecurity control without talking to the customers insights team - spoiler alert, didn’t end well - do go back and listen if you haven’t already!
This week we continue the conversation from last week as John guides us on how to design for positive intent to build trust, how to lean into inconvenient truths around the data you source from feedback, and why you shouldn't just treat people how you’d like to be treated, but instead treat every customer as if they were your gran.
SHOW NOTES
Christian Hunt’s episode on Compromising Positions
Rory Sutherland on ‘Minority Rule’ as featured on The Human Risk Podcast
The real dangers of being left handed
John talked about crash test dummies being based on men, likely taken from the brilliant book Invisible Woman: Exposing Data Bias in a World Designed For Men by Caroline Criado Perez
ABOUT JOHN SILLS
John Sills is Managing Partner at the customer-led growth company, The Foundation.
He started his career 25 years ago, on a market stall in Essex, and since then has worked in and with companies around the world to make things better for customers.
He’s been in front-line teams delivering the experience, innovation teams designing the propositions, and global HQ teams creating the strategy. He's been a bank manager during the financial crisis (not fun), launched a mobile app to millions of people (very fun), and regularly visits strangers’ houses to ask very personal questions (incredible fun).
He now works with companies across industries and around the world, and before joining The Foundation spent twelve years at HSBC, latterly as Head of Customer Innovation.
His first book on the topic - The Human Experience - was published by Bloomsbury in February 2023, and he's pretty much everywhere you look online.
LINKS FOR JOHN SILLS
John’s Book The Human Experience
John’s Newsletter
John’s Instagram
John’s Twitter
John’s LinkedIn
This Episode we are joined by John Sills, managing partner at customer-led growth company The Foundation and author of the book ‘The Human Experience’.
In cybersecurity we have many customers: our external customers, who engage with the products or services our organisations provide, and our internal customers, our colleagues. But how many of us can truly claim to know how to be customer-led? Well, in this episode John shares his decades of knowledge to help us really understand what people care about - especially when it comes to cybersecurity.
We do a deep dive into the human cost of bad customer service, what customers really think about cybersecurity threats, how cumbersome security controls at a bank led to a chart-topping and innovative app, and if you’re a cybersecurity consultant you won’t want to skip this one because we talk about the good, the bad, and the ugly of consultancy.
Key Takeaways:
The Customer Disconnect: We delve into John's experience of working for a major bank that built a security product customers hated, and he demonstrates how important it is to understand customer needs and frustrations when designing security solutions.
The Curse of Knowledge: Security professionals often fail to consider the user's perspective. John emphasises the need to bridge this gap by starting with customer understanding.
Perception of Threats: Customers often overlook potential threats, rendering multiple layers of security meaningless if they don’t resonate with the user’s sense of relevance.
The Doorman Fallacy: Echoing Rory Sutherland’s insights, Sills talks about the value of the human touch in technology and services, which often gets lost in the pursuit of automation and efficiency gains.
The Myth of Customer Feedback: A cautionary tale on the pitfalls of relying solely on customer feedback surveys, which can lead to a narrow understanding of customer needs and desires.
SHOW NOTES
John’s episode on Melina Palmer’s The Brainy Business Podcast
Paul Bloom’s Psychology episode on Melina Palmer’s The Brainy Business Podcast
A nice video on The Doorman Fallacy featuring the legendary Rory Sutherland
Book recommendation - The Customer Copernicus
ABOUT JOHN SILLS
John Sills is Managing Partner at the customer-led growth company, The Foundation.
He started his career 25 years ago, on a market stall in Essex, and since then has worked in and with companies around the world to make things better for customers.
He’s been in front-line teams delivering the experience, innovation teams designing the propositions, and global HQ teams creating the strategy. He's been a bank manager during the financial crisis (not fun), launched a mobile app to millions of people (very fun), and regularly visits strangers’ houses to ask very personal questions (incredible fun).
He now works with companies across industries and around the world, and before joining The Foundation spent twelve years at HSBC, latterly as Head of Customer Innovation.
His first book on the topic - The Human Experience - was published by Bloomsbury in February 2023, and he's pretty much everywhere you look online.
LINKS FOR JOHN SILLS
John’s Book The Human Experience
John’s Newsletter
John’s Instagram
John’s Twitter
John’s LinkedIn
Welcome to Compromising Positions!
The tech podcast that asks non-cybersecurity professionals what we in the industry can do to make their lives easier and help make our organisations more prepared to face ever-changing human-centric cyber threats!
For the longest time, podcast host Lianne Potter has been saying: “Cybersecurity has a PR problem!” So what better way of tackling this problem than to get an actual PR and marketing expert on the show?
This week we are joined by Sarah Evans, the head of digital PR at Energy PR. Sarah has over 12 years of experience in SEO, digital PR, digital marketing, content and social media.
In this episode, ‘Can Cybersecurity Overcome its PR Problem? Building Your Brand and Social Capital’, we’re going to learn how to target our cybersecurity message for maximum effect, how to rebuild your team's image, what marketing and PR really think about cybersecurity, and how to be prepared during a public cybersecurity incident with a 101 on crisis comms.
We will also shed our desire to be the hero in the story and transition into a more useful role, that of the cybersecurity sage, as we deep dive into brand personas!
SHOW NOTES
ABOUT SARAH EVANS
Sarah Evans has over 12 years of experience in SEO, digital PR, digital marketing, content and social media. Currently working as a digital PR specialist, she’s worked on audience profiling, insights, comms and campaigns for a broad mix of B2B and B2C brands including Gousto, Rowse, AXA and Goodyear. She puts her curiosity for data and creativity at the heart of her team and has spoken at events for PR Moment and Google on SEO, content and attribution. She loves data, tea and puns.
LINKS FOR SARAH EVANS
Energy PR’s website
Sarah’s LinkedIn
This week we are joined by James Charlesworth, a seasoned Director of Engineering at Pendo with 15 years of experience in software engineering. James is also the creator of the Train to Code YouTube channel, where he shares a wealth of excellent training videos on software development.
In this episode, Say Goodbye to ‘Git Blame’: Building Collaborative and Secure Software Development Lifecycles, we dive into some great topics aimed at saying goodbye to the blame game and hello to good app and product sec!
James talks us through his process of building up cross-functional empathy between his engineering function and the security team; why the engineering team might not be the best team to speak to if you’ve got a lot of vulnerable code; and a step-by-step guide on how he excels in delivering product security in his organisation.
Key Takeaways:
Empathy-Driven Collaboration: James emphasises the importance of empathy when aligning priorities across inter-departmental teams. Whether it’s engineering or cybersecurity, understanding why people request specific tasks is crucial.
Shared Ownership of the Codebase: Forget the notion of “that engineer’s code.” James advocates for a hyper-collaborative approach where everyone takes responsibility for the codebase. Avoid the blame game (say goodbye to ‘Git Blame!’) and recognise that collective ownership leads to better outcomes.
Coding Literacy for All: Should security professionals learn to code? Absolutely! While not everyone needs to be an expert, having a basic understanding of coding helps bridge communication gaps. It enables security teams to comprehend technical issues and collaborate effectively with developers.
What is Product Security?: Product security isn’t an afterthought; it’s embedded throughout the development process. Prioritising security ensures a robust and reliable end product.
Learning from Errors: James encourages learning from coding errors early in the software development lifecycle.
Cowboy Coders and Robust Processes: James shares his thoughts on “cowboy coders”—those who cut corners.
SHOW NOTES
ABOUT JAMES CHARLESWORTH
James is a Director of Engineering at Pendo, where he also serves as the site lead for the Sheffield office. With 15 years of experience in software engineering, he is committed to Pendo's mission to elevate the world's experience with software. An author and public speaker, James is passionate about diversifying the tech industry and actively works to help individuals from various backgrounds enter the field of software engineering. In addition to his role at Pendo, he also organizes the Sheffield AI Meetup, further fostering a community around artificial intelligence. James is not just a lifelong computer nerd; he's a leader committed to making an impact in technology and community.
LINKS FOR JAMES CHARLESWORTH
James’ website
James’ LinkedIn
We are joined again by Dr Bettina Palazzo, a business ethics expert! She works with compliance managers to create a culture of integrity that focuses on the leadership and behavioural dimensions of compliance.
In this episode, “The Dilemma Game: Unleashing The Power of Ethics and Good Cybersecurity Through Play”, we delve into the complexities of power dynamics within organisations, exploring the efficacy of policies and the role of ethical standards in both corporate and personal settings.
We question the effectiveness of merely adding regulations in response to ethical crises and stress the importance of cultural context in shaping responsibilities towards cybersecurity.
Then our discussion extends to the necessity of embracing local nuances while maintaining universal ethical standards, and the limits of systemic solutions in a diverse, evolving landscape.
And finally, this episode also introduces the "dilemma game," an innovative approach to enhance understanding and application of policy texts through real-world scenarios, fostering a culture of integrity and psychological safety where open communication and trust are paramount.
This thought-provoking episode is a must-listen for anyone interested in the intersection of culture, ethics, and organisational behaviour.
SHOW NOTES
Cyber-attacks and stock market activity by Onur Kemal Tosun
‘Biggest cyber risk is complacency, not hackers’ - UK Information Commissioner issues warning as construction company fined £4.4 million. ICO
How to fuck up an airport (Podcast)
On the Importance of Trial and Error with Stefan Gaillard by Christian Hunt
ABOUT DR BETTINA PALAZZO
Bettina stumbled on the topic of business ethics in the early 90s and soon found out that it is such a rich and exciting topic that she never stopped doing anything else – at least professionally. She suffered through the cumbersome but rewarding effort of getting her head around the philosophical and economic foundations of business ethics, won a prize for her PhD thesis and rode off into the sunset to join KPMG. There she helped to build their business ethics consulting services. Tough pioneer work at that time! After a short detour into strategic management consulting, she returned to her true passion and started her own business ethics advisory in 2000. Over the years Bettina has learned that you cannot press ethics into checklists and processes, and that unethical companies make unhappy people. The desire to create corporate cultures that make work fun and meaningful instead of dreadful and depressing drives everything she does.
Fun facts: Bettina also has a blog about her city of the heart, Rome, and dances salsa. She met her husband, Guido Palazzo, at a business ethics conference and they have two almost grown sons.
LINKS FOR DR BETTINA PALAZZO
Dr Palazzo’s website
Dr Palazzo’s LinkedIn
Welcome back to season 3!
To kick things off we are joined by Dr Bettina Palazzo, a business ethics expert! She works with compliance managers to create a culture of integrity that focuses on the leadership and behavioural dimensions of compliance.
She states that unethical organisations make people unhappy - and we couldn’t agree more. So she has dedicated her life work to helping organisations create cultures that make work fun and meaningful.
Ethics is such an important subject when it comes to business because poor ethical decisions can mean poor compliance, and ultimately, can lead to poor security decisions.
So how do you build a culture that is comfortable with having honest conversations about ethics?
Well that’s what we will explore in this episode, Rules Without Relationships Create Rebellion: Why Ethics Matter in Cybersecurity.
By the end of this episode you will learn how to create a ‘speak up’ culture so that people can raise cybersecurity concerns with you.
How to build a compliance influencer programme (and no, that does not mean trips abroad to beautiful locations surrounded by policy documentation for the gram).
And how the cybersecurity team can not only be ethical role models but also give people a reason to care about the big question: why we do the things we do to protect them!
Key Takeaways:
Speak Up Culture: Learn how to create a safe space for open communication about ethics and compliance. No more fear of reprisal!
Ethical Leadership: Great leaders inspire ethical behaviour. Dr. Palazzo explains how to be that leader.
Communication is Key: Don't just tell people what to do, explain the "why" behind the rules.
Ditch the Shame: Falling for phishing attacks? It happens! We need to build psychological safety to discuss cybersecurity issues openly.
Goodbye Curse of Knowledge: Cybersecurity isn't just for the techies. Learn how to communicate cyber dangers effectively to everyone.
Links to everything we discussed in this episode can be found in the show notes and if you liked the show, please do leave us a review.
Follow us on all good podcasting platforms and via our YouTube channel, and don't forget to share on LinkedIn and in your teams.
It really helps us spread the word and get high-quality guests, on future episodes.
We hope you enjoyed this episode - See you next time, keep secure, and don’t forget to ask yourself, ‘Am I the compromising position here?’
Keywords: cybersecurity, compliance, leadership, psychological safety
SHOW NOTES
Dr Palazzo’s Compliance Influencer Programme
Oh Behave by Cybsafe
Vote for us in the European Cybersecurity Blogger Awards!
ABOUT DR BETTINA PALAZZO
Bettina stumbled on the topic of business ethics in the early 90s and soon found out that it is such a rich and exciting topic that she never stopped doing anything else – at least professionally. She suffered through the cumbersome but rewarding effort of getting her head around the philosophical and economic foundations of business ethics, won a prize for her PhD thesis and rode off into the sunset to join KPMG. There she helped to build their business ethics consulting services. Tough pioneer work at that time! After a short detour into strategic management consulting, she returned to her true passion and started her own business ethics advisory in 2000. Over the years Bettina has learned that you cannot press ethics into checklists and processes, and that unethical companies make unhappy people. The desire to create corporate cultures that make work fun and meaningful instead of dreadful and depressing drives everything she does.
Fun facts: Bettina also has a blog about her city of the heart, Rome, and dances salsa. She met her husband, Guido Palazzo, at a business ethics conference and they have two almost grown sons.
LINKS FOR DR BETTINA PALAZZO
Dr Palazzo’s website
Dr Palazzo’s LinkedIn
Welcome to the grand finale of season two of ‘Compromising Positions’, where we delve into the fascinating world of AI security. In this special episode, your hosts will guide you through the labyrinth of securing AI models, one step at a time.
For those who prefer a quick overview, we offer an abridged version on Apple Podcasts and Spotify.
This version deep dives into two key topics:
Jeff’s unique mnemonic C-PTSD for threat modeling AI systems, and an intriguing discussion on the correlation between boredom, worm-killing, and AI efficiency gains.
For those who crave a deeper dive, scroll down or visit our YouTube channel for the extended cut.
This version includes everything from the regular version, plus:
Jeff’s academic journey in AI at the University of Hull
Lianne’s preparation for 100 Days of Code in Python for her MSc in Data Science and AI at Leeds Trinity University
A critical discussion on OpenAI’s transparency and the latest AI wearable technology, along with the complexities of consent and privacy in an ‘always recorded’ lifestyle
Whether you choose the regular or extended version, we appreciate your support throughout season two. Stay tuned for more enlightening discussions in season three! Thank you for being a fantastic audience.
We hope you enjoyed this episode - See you next time, keep secure, and don’t forget to ask yourself, ‘Am I the compromising position here?’
Keywords: Cybersecurity, AI, Threat Modelling, MSC, Data Science, IOT, Wearables, Data Security
SHOW NOTES
Jeff’s article on C-PTSD
Lianne’s Article The (AI) Revolution will be BORING...And that's Okay!
Wearables, Shareables, Unbearable? The IOT and AI Tech Nobody Asked for But Cybersecurity Criminals Love. Future of Cybersecurity
MSc in Artificial Intelligence - University of Hull
MSc in Data Science and Artificial Intelligence - Leeds Trinity University
Python Crash Course by Eric Matthes
In Praise of Boring AI by Ethan Mollick
Season Two Playlist - YouTube
Vote for us! European Cybersecurity Blogger Awards and The Real Cyber Awards
ABOUT LIANNE POTTER
As the Head of SecOps for the largest greenfield technology transformation project in Europe, Lianne is building a leading edge security team from scratch to meet the needs of a modern retail organisation while empowering her team to think innovatively to create new standards in best practices.
Lianne has delivered talks across the globe to share her vision for a new type of security function.
Drawing upon her expertise as a cyber-anthropologist (through her consultancy, The Anthrosecurist), her practical experience as a security-focused software developer and as a security practitioner, Lianne combines the human and the technical aspects of security to evangelise a cultural security transformation.
She is on the advisory board for a community enterprise aimed at encouraging diversity in tech, is a published author, podcast regular and Host of Cybersecurity Podcast Compromising Positions, and won Computing.com’s Security Specialist of the Year for her work on human-centric approaches to security.
In 2021 she won two awards for Security Leader of the Year 2021 and Woman of the Year in the Enterprise category and in 2023 she won Cyber Personality of the Year in The Real Cyber Awards.
She is doing a Masters in AI and Data Science in 2024.
LINKS FOR LIANNE
Compromising Positions Podcast
ABOUT JEFF WATKINS
Jeff is Chief Product and Technology Officer for xDesign.
He is a lifelong technologist with nearly 25 years’ experience in the industry, first having started coding at age 6.
He has worked in the Financial Services, Healthcare and Retail industries, on enterprise and national-scale programmes.
Over the years he has become increasingly interested in cybersecurity and AI and how both will shape our future, both technologically and in terms of human impact.
Jeff has founded multiple CyberSecurity teams and is currently working on several new pieces around the secure development and deployment of Generative AI based solutions.
He is a tech blogger, writer, podcaster, host of Compromising Positions and public speaker, having recently keynoted at the Webinale international web conference in Berlin.
Jeff has a Masters in Cybersecurity and will be starting his Masters in AI and Data Science in 2024.
LINKS FOR JEFF
This week we are joined by Dr David Burkus, one of the world’s leading business thinkers and best-selling author of five books on the topic of business and leadership. Dr Burkus has worked with the leadership teams of some internationally known names such as PepsiCo, Adobe and NASA.
In this episode, “It’s a Wonderful Hack! Building a high-performance cybersecurity team“, we discuss the three elements of the “Team Culture Triad”: common understanding, psychological safety and prosocial purpose, and how these elements are the backbone of every successful team.
We delve into how interpersonal trust is a reciprocal process, that trust needs to be met with respect and an open mind, and how we can build a culture that learns from mistakes and people feel safe to challenge at all levels in the business.
We also discuss how being part of a team is more like chess than checkers. We can’t treat all people like they have the same skills or ways of working, we’re a team yes, but it’s a team of individuals.
And the “It’s a Wonderful Life” test. A brilliant thought experiment to show the impact of your team’s contributions, which may not always be tied to revenue.
Key Takeaways:
Try a Little Tenderness: Empathy is important, but it's not just about feeling someone else's pain. To truly collaborate effectively, you need to understand your teammates on a deeper level, including their unique strengths, weaknesses, and working styles. By achieving this common understanding, you can anticipate their responses and adjust your approach to optimize teamwork.
Hey Boss, your Idea Sucks: When was the last time someone in your team challenged your decision? If it was a while ago, you might want to take a look if you’re building a team that fosters psychological safety.
Developing Pro-Social Purpose: A team that prioritizes collective success over individual gain fosters a collaborative environment. When team members are driven by a common purpose, they're more likely to support each other and work towards shared goals. This sense of purpose strengthens the team and empowers individuals to contribute their best work.
It’s a Wonderful Life: Imagine if your cybersecurity team didn't exist. What would the consequences be? While this exercise helps you identify potential negative impacts, it's equally important to consider the positive contributions your team makes.
Links to everything we discussed in this episode can be found in the show notes and if you liked the show, please do leave us a review.
Follow us on all good podcasting platforms and via our YouTube channel, and don't forget to share on LinkedIn and in your teams.
It really helps us spread the word and get high-quality guests, on future episodes.
We hope you enjoyed this episode - See you next time, keep secure, and don’t forget to ask yourself, ‘Am I the compromising position here?’
Keywords: cybersecurity, storytelling, psychology, networking, silos, purpose, psychological safety, leadership
SHOW NOTES
Dr Burkus has an awe-inspiring career as an author. You can check out his books on Amazon
The importance of psychological safety by Amy Edmondson
Melina Palmer’s episode
The Five Dysfunctions of a Team: A Leadership Fable by Patrick M. Lencioni
The beautiful Hyde Park Picture House Cinema in Leeds - GO NOW
Get your Die Hard Christmas Advent Calendar at ETSY
Vote for us! European Cybersecurity Blogger Awards
ABOUT DR DAVID BURKUS
One of the world’s leading business thinkers, Dr. David Burkus’ forward-thinking ideas and bestselling books are helping leaders build their best team ever.
He is the bestselling author of five books about business and leadership. His books have won multiple awards and have been translated into dozens of languages.
Since 2017, Burkus has been ranked multiple times as one of the world’s top business thought leaders. His insights on leadership and teamwork have been featured in the Wall Street Journal, Harvard Business Review, USAToday, Fast Company, the Financial Times, Bloomberg BusinessWeek, CNN, the BBC, NPR, and CBS This Morning. A former business school professor, Burkus now works with leaders from organizations across all industries, including PepsiCo, Fidelity, Adobe, and NASA.
LINKS FOR DR DAVID BURKUS
Dr Burkus’ Linkedin
Dr Burkus’ Website
Dr Burkus’ TikTok (No dancing unfortunately)
This week we are joined by Dr David Burkus, one of the world’s leading business thinkers and best-selling author of five books on the topic of business and leadership. Dr Burkus has worked with the leadership teams of some internationally known names such as PepsiCo, Adobe and NASA.
In this episode, “Storytelling Superconnectors: Unleashing Purpose Beyond Metrics in Your Cybersecurity Function”, Dr Burkus challenges the concept of Dunbar’s Number as we discuss the power of human networks, and how finding the superconnectors in your organisation will help you get your cybersecurity agenda in front of the right people.
Indulging in a bit of schadenfreude, Dr Burkus shows us how we can use the hacks and breaches of our competitors to demonstrate our value and purpose offering to the C-suite, and he also shares his unique insights on breaking down silos and harnessing the power of positive engagement in the workplace.
And as if that wasn’t enough (!) how to move away from just metrics to make your security function shine! If you want to change the way your organisation sees your security team, this is the episode for you!
This is a two part episode (this is part one!) so don’t forget to check back in next week to hear the whole interview!
Key Takeaways:
Find your Superconnectors: Superconnectors are individuals who have lots of powerful connections and can help you expand your network quickly. By networking with superconnectors, you can find new opportunities and build purpose-driven teams in the cybersecurity function.
Embrace the Power of Storytelling: Facts and figures are important, but stories resonate on a deeper level. Security teams can leverage storytelling to educate employees about cybersecurity threats, celebrate successes, and foster a sense of shared purpose.
Break Down Silos: Challenge the stereotype of security as the "office police." Focus on collaboration and highlight the positive contributions your team makes in protecting the organization. Aim for a 3:1 ratio of positive interactions to negative ones to build trust and rapport.
Learn from Your Competitors' Misfortunes: While celebrating wins is important, so is learning from failures. Use competitor breaches as a springboard for threat intelligence exercises, demonstrating the value your team brings in proactively preventing such attacks.
Links to everything we discussed in this episode can be found in the show notes and if you liked the show, please do leave us a review.
Follow us on all good podcasting platforms and via our YouTube channel, and don't forget to share on LinkedIn and in your teams.
It really helps us spread the word and get high-quality guests, on future episodes.
We hope you enjoyed this episode - See you next time, keep secure, and don’t forget to ask yourself, ‘Am I the compromising position here?’
Keywords: cybersecurity, storytelling, psychology, networking, silos, purpose
SHOW NOTES
Dr Burkus has an awe-inspiring career as an author. You can check out his books on Amazon
Dunbar's number: Why we can only maintain 150 relationships. BBC
Wham, Bam, That’s a Scam Series by Atomic Shrimps
Freakonomics: A Rogue Economist Explores the Hidden Side of Everything by Steven D. Levitt and Stephen J. Dubner
MGM Ransomware Attack. A write up by Bleeping Computer
Nominate us in the European Cybersecurity Blogger Awards (we’re going for ‘Best Newcomer’). Google Form here (it’s safe, promise)
ABOUT DR DAVID BURKUS
One of the world’s leading business thinkers, Dr. David Burkus’ forward-thinking ideas and bestselling books are helping leaders build their best team ever.
LINKS FOR DR DAVID BURKUS
Dr Burkus’ Linkedin
Dr Burkus’ Website
Dr Burkus’ TikTok (No dancing unfortunately)
This week we are joined by Jenn Calland, a seasoned Data Analyst, Analytics Engineer, former Platform Engineer and Full Stack Developer with expertise spanning Google Cloud, Looker, BigQuery, and many other technologies.
In this episode, ‘Data, Data Everywhere, But How Do We Make It Safe to Share?’, we are going to explore the relationship between data, cybersecurity and our personal and organisational desire for convenience, which can sometimes lead to insecure and risky behaviour.
Jenn warns data analysts against working under the assumption that by the time they get their hands on the data, it’s all ‘safe and secure.’ She cautions the data team that they shouldn’t think they don’t need to be ‘secure’ because it has been taken care of either by the cloud providers, compliance or the security team themselves - in fact, we all need to be accountable in our data/security journey.
We also discuss the challenges around anonymising data and the handling of medical data, how AI is changing things, and what security teams can do to make sure we collaborate with the data team in a way that works for all parties involved.
Key Takeaways:
Data Security is a Journey, Not a Destination: Just like data travels through a lifecycle, so too should your security measures before any data hits the databases.
In Cloud we Trust?: Can we ever be certain our data is secure in the cloud? It’s crucial to scrutinize who is looking at the data and how it got there.
Data Security is a Team Sport: From GDPR compliance to the psychological impact of data breaches, understand the human side of data security and why it matters to your business through communication and collaboration.
Security vs Convenience: The trade-off of security for convenience is a real risk to data handling.
Links to everything we discussed in this episode can be found in the show notes and if you liked the show, please do leave us a review.
Follow us on all good podcasting platforms and via our YouTube channel, and don't forget to share on LinkedIn and in your teams.
It really helps us spread the word and get high-quality guests, on future episodes.
We hope you enjoyed this episode - See you next time, keep secure, and don’t forget to ask yourself, ‘Am I the compromising position here?’
Keywords: cybersecurity, data, cloud security, GDPR, AI, data privacy
SHOW NOTES
Darknet Diaries (a fantastic cybersecurity podcast) did a brilliant episode on the VTech Hack
Learn more about Sir Tim Berners-Lee’s data project, Inrupt
ABOUT JENN CALLAND
Jenn Calland is a seasoned Data Analyst, Analytics Engineer, former Platform Engineer and Full Stack Developer with expertise spanning Google Cloud, Looker, BigQuery, and many other technologies. Not only recognized for her technical acumen, Jenn is a fervent advocate for Diversity & Inclusion in tech. Her leadership and mentorship have made significant strides in promoting supportive work environments especially for Women in Tech, emphasizing the balance between career and personal responsibilities.
LINKS FOR JENN CALLAND
Jenn’s X (aka Twitter) account
Last episode we ended by talking with Bec about how cybercriminals leverage the fight-or-flight response and get you to do things you wouldn’t normally do, like share bank details, through amygdala hijacking. Bec concluded the episode by giving us some great advice on how we can retrain ourselves NOT to be so reactive and hopefully, stop ourselves from doing something rash.
In this episode, Awareness ≠ Behavioural Change - Rethinking Cybersecurity Training, we’re going to build upon what Bec discussed last week, a cyber psychology 101 if you will, and see how we practically apply key psychological concepts like cognitive agility, convergent and divergent thinking and meta-cognitive skills to things like tabletop exercises and security awareness training.
Key Takeaways:
Embrace Cognitive Agility: The world is too complex for a one-size-fits-all approach. Learn when to adapt and think critically in the face of unexpected situations.
Awareness does not equal change in behaviour: One size doesn't fit all, and quantitative is usually valued over qualitative, which needs to change.
Leverage Divergent and Convergent Thinking: Don't just train for specific scenarios. Develop the flexibility to both explore diverse solutions and converge on the best course of action when the time comes.
Build Diverse Teams: Groupthink can be your worst enemy in a crisis. Foster diverse perspectives within your team to avoid this critical blindspot.
Make Reflective Learning a Priority: Learn from every experience, good or bad. Debrief after incidents and ask: What went well? What didn't? How can we improve?
Focus on Impact Skills, Not Just Technical Knowledge: Decision-making, communication, and collaboration are the foundational skills needed to navigate complex cyber threats.
We hope you enjoyed this episode - See you next time, keep secure, and don’t forget to ask yourself, ‘Am I the compromising position here?’
Keywords: cybersecurity, training, incident response, crisis management, soft skills, impact skills, cognitive agility, reflective learning, diverse teams, behavioural change
SHOW NOTES
Full show notes can be found here: https://www.compromisingpositions.co.uk/podcast/episode-23-awareness-does-not-equal-behavioural-change-rethinking-cybersecurity-training
ABOUT BEC MCKEOWN
Bec McKeown CPsychol is the Founder and Director of Mind Science, an independent organisation that works with cyber security professionals. She helps businesses to advance the human aspect of system resilience, so a collaborative culture of innovative thinking and an agile threat response becomes the norm.
As a Chartered Psychologist with extensive experience of carrying out applied research for organisations including the UK Ministry of Defence, Bec has gained a unique perspective on the ways humans react in times of crisis. She works at both operational and strategic levels, with a focus on situational awareness, decision-making and problem-solving in complex environments.
LINKS FOR BEC MCKEOWN
Bec’s LinkedIn
This week we are joined by Bec McKeown, a chartered psychologist with extensive experience in carrying out applied research for organisations including the UK Ministry of Defence, and the founder and director of Mind Science, an independent organisation that works with cybersecurity professionals.
In this episode, Hands Off My Amygdala! The Psychology Behind Cybersecurity, we are going to hear about Bec’s varied and interesting career in advising people in highly stressful situations to be reflective and not reactive, and how they cannot only learn from their actions but become masters of them.
This episode is a smorgasbord of psychological concepts that will make you think twice about how you normally run not only your security awareness programme but also your tabletop exercises. And crucially, you will learn why people act the way they do during an actual cybersecurity incident.
Key Takeaways:
The curse of knowledge: Understanding what it's like to not understand cybersecurity from a technical perspective can be an advantage in helping you communicate better. By putting yourself in the shoes of the listener, you can convey complex ideas in a way that is easy to understand and relatable
Zero trust: Zero trust is sound as a technical architecture, but when its controls get in the way of people doing their jobs it breeds frustration and workarounds, and every workaround bypasses the very control it was meant to enforce. Theory Y suggests that people given more agency and autonomy are likely to work as well as, if not harder than, people who are constantly surveilled.
Just culture: Accepting that mistakes will be made and analysing the steps that lead to that mistake happening with a view of learning how to avoid it without blame can improve the learning culture. Most people don't come to work to be malicious, if a mistake happens it is due to other factors like stress or bad processes.
Microlearning: Nobody wants to sit in training for three hours! Microlearning helps by breaking up information into bite-sized chunks that are easy to digest. It's also important to account for different learning styles and provide information in various formats.
Amygdala hijacking: Cybercriminals exploit amygdala hijacking, which occurs when the amygdala triggers the fight-or-flight response even though there is no serious threat to the person's safety. That is exactly the state an urgent-sounding phishing email or phone call is designed to induce, so the decision gets made before the thinking does. It's essential to recognise the contextual cue that led you to act that way and develop strategies to deal with it before it happens.
Links to everything we discussed in this episode can be found in the show notes and if you liked the show, please do leave us a review.
Follow us on all good podcasting platforms and via our YouTube channel, and don't forget to share on LinkedIn and in your teams.
It really helps us spread the word and get high-quality guests, on future episodes.
We hope you enjoyed this episode - See you next time, keep secure, and don’t forget to ask yourself, ‘Am I the compromising position here?’
Keywords: cybersecurity, curse of knowledge, covid, zero trust, psychology, reciprocity, autonomy, security awareness, military, learning styles, gamification, leader boards, crisis, tabletop exercises, amygdala hijacking
SHOW NOTES
Bec’s Article in Immersive Labs on Workforce Resiliency
Christian Hunt’s episode - Compromising Positions
Article on Theory X and Theory Y - Mind Tools
Influence by Robert Cialdini
Actionable Gamification -Yu-Kai Chou
This week we are joined by Sabrina Segal, an integrity, risk, and compliance advisor, with almost 20 years of experience in the public, private, and third-sectors.
In this week’s episode, Bringing the Curtain Down on Risk Theatre and Applauding objective-centred Risk Management, Sabrina shares with us, a quite frankly amazing model to work from: The OCRM, Objective-centred Risk Management.
This model is a great antidote to what Sabrina describes as ‘risk theatre’: the performance of risk governance activities without real substance or accountability, with the dangerous consequence that an organisation still feels it has ‘done something’ when really it isn’t worth the paper, or Excel doc, it is written on. This approach is scalable, practical, and effective, and it can help you achieve your goals while managing your risks and opportunities.
Key Takeaways:
Shift the Focus: Ditch the risk register and start with your objectives. What are you trying to achieve? What could stop you? This simple change aligns risk with your mission and drives informed decision-making.
Price Your Risks: Don't just identify risks, quantify them. Calculate the resource and software costs associated with each. This transparency reveals your true risk appetite and exposes gaps between rhetoric and reality.
Go-No-Go Decisions: OCRM empowers you to make clear, objective decisions based on risk pricing. Is the potential upside worth the cost? This eliminates wasted time and resources on low-impact risks.
Psychological safety: How to create an environment where employees feel empowered to speak up and challenge the status quo, even about risks.
The "halo effect": How the good work of charities and non-profits can sometimes mask poor risk management practices.
Utilising External Board Members: How to ensure they have the full picture and can effectively advise on cyber risks.
Keywords: cybersecurity, risk management, objective-centred, OCRM, risk appetite, RACI, psychological safety, halo effect, board members, third sector, technical challenges.
SHOW NOTES
Tim Leech’s LinkedIn
A Post Sabrina did on Objective Mapping
The Halo-effect with Isabel de Bruin Cardoso - Tolerable Risk Podcast
Governance, Strategy and Risk with Claris D’Cruz - Tolerable Risk Podcast
ABOUT SABRINA M. SEGAL
Sabrina M. Segal is an integrity, risk, and compliance advisor, international development and humanitarian assistance professional, licensed US attorney, and Certified Fraud Examiner with almost 20 years of experience in the public, private, and third-sectors.
Sabrina's focus is risk in the third-sector as the impact of risk management, when done poorly, can be devastating to both third-sector organizations and the beneficiaries they serve. Sabrina is an active writer on LinkedIn and hosts the Tolerable Risk podcast.
LINKS FOR SABRINA M. SEGAL
Sabrina’s LinkedIn
Sabrina’s Podcast, Tolerable Risk
This week we are joined by Sabrina Segal, an integrity, risk, and compliance advisor, with almost 20 years of experience in the public, private, and third-sectors.
In this episode, Not New, but Novel - Tackling Risk in the Third Sector, we take a look at the challenges facing the third sector when it comes to cybersecurity and technology risks. The third sector, which includes charities and non-profits, is often overlooked or underestimated when it comes to cybersecurity and risk management. But this sector faces unique challenges and opportunities that require a novel and holistic approach to risk.
Sabrina has a really refreshing take on risk and we will hear how she enables her clients to get to grips with what she calls ‘tolerable risk’ and why we can’t avoid risks, but we can reframe risks to not only identify threats but also opportunities. While at the same time, making sure everyone cares about risk, not just people with ‘risk manager’ in their title!
Key Takeaways:
Forget Risk Appetite and Risk Matrices - Embrace ‘risk awareness’ tailored to your mission and your organisation’s objectives
Identify Your ‘Tolerable Risk’ - Risk can’t be avoided but we can identify and work within our ‘risk tolerance’ for better informed decisions
Risk is a Two-Sided Coin - It’s not just about threats but opportunities too, and it’s much easier for people to get excited about opportunities than threats!
Don’t Greenwash Those “Charity Days” - Forget painting the fence, litter picking or sorting cans, instead donate your cybersecurity expertise for maximum impact
Risk Is Everyone’s Job - Ditch the ‘risk manager’ title and empower everyone to be a risk champion!
Keywords: third sector, risk management, cybersecurity, charities, non-profits, risk awareness, tolerable risk, cyber threats, data privacy, ethical considerations
Jeff Watkins and Lianne Potter delivering their new talk on AI and Cybersecurity for The Future of Cybersecurity Conference [VIDEO] in Manchester 2024 - WEARABLE, SHAREABLE… UNBEARABLE? THE IOT AND AI TECH NOBODY ASKED FOR BUT CYBERCRIMINALS LOVE!
Lianne Potter appearing on legendary Cybersecurity podcast Smashing Security, 358: Hong Kong hijinks, pig butchers, and poor ransomware gangs
An Article on the Cyber Risks Associated with the United Nations (UN) Sharing Biometric Refugee Data, The Conversation
This Episode we are joined by Amy Kouppas, a Scrum Master, D&I lead, and founder of a Women’s Health & Wellbeing group at Sky.
We are talking about all things agile and scrum! Most organisations have some form of agile methodologies, and the likelihood is, yours does too but what is it? What is Kanban? What is Scrum? What does a Scrum master do and why are they always sprinting? Amy helps us answer these questions and more in this episode: Fun with Purpose - A Scrum Guide!
In this Episode we cover:
Scrum Master: Coach, Not Boss: Ditch the project manager stereotype. A scrum master is a facilitator, coach, and mentor, guiding the team towards self-organisation and autonomy. Their ultimate goal? To make themselves obsolete by fostering a team that thrives independently.
Empowerment & Creativity: Scrum unleashes the full potential of your team. They become accountable, empowered, and free to be creative within the sprint framework. This fosters a culture of continuous improvement where everyone contributes to success.
Documentation - Enough is Enough: The agile manifesto doesn't advocate for zero documentation. It emphasises "just enough" documentation. Focus on clear, concise information that supports transparency and efficient collaboration.
Retrospectives with a Twist: Retrospectives are the beating heart of scrum. Make them engaging and fun with themes, games, and even time capsules. This playful approach fosters honest reflection and continuous improvement.
Show Notes
Jeff’s quote source for ‘If You’re Not Keeping Score, You’re Just Practicing’ is attributed to Chris McChesney
A Video of Lianne and Jeff’s talk on Ab(user) Stories and Ab(use) cases
The stat 1 cybersecurity professional per 100 developers can be found in Toby Irvine’s article The Ratio
ABOUT AMY KOUPPAS
Amy Kouppas is a Scrum Master and D&I Lead for Digital technology at Sky, with a passion for squad wellbeing. She is also a Cribologist and Founder of the Leeds Site Women's Health and Wellbeing Group. Amy's personal brand is "fun with purpose," and she aspires to be a mentor and coach to others and champion her women's wellbeing group and festival one day. In addition, she dreams of owning an animal shelter.
LINKS FOR AMY KOUPPAS
Keywords: cybersecurity, scrum, agile, team management, empowerment, continuous improvement, retrospectives, collaboration, documentation
This Episode we are joined by Damjan Obal, Head of design at Ardoq, lecturer and international speaker on all things design and data.
In this episode, And the Bafta for Best Cybersecurity Awareness Training Goes To…, we are looking at how we practically apply design principles to our security awareness programmes, with things like design thinking, the double diamond design method, opportunity solution trees and much much more!
We also look at the dangers of gamification and how to get your BAFTA-winning moment when delivering your security message to the business!
In this Episode we cover:
Convenience vs. Security: The Eternal Battle: You’re late for a meeting, and that pesky password reset pops up. What do you do? Convenience often wins, and that’s where security takes a hit. We’ll explore shortcuts, trade-offs, and the delicate balance between ease and safety.
Data Storytelling: Making Ones and Zeros Relatable: Security teams deal with mountains of data. But how do they turn it into compelling narratives? Whether it’s the sheer quantity of incidents or the relentless attacks, we’ll reveal how to tell data-driven stories that resonate.
Infographics: A Picture Is Worth a Thousand Alerts: Enter the superhero of visual communication: infographics! We’ll explore how these bite-sized graphics simplify complex security concepts. From breach timelines to threat landscapes, infographics make data digestible for everyone.
Tangibility in the Intangible: Making Cybersecurity Real: Cybersecurity can feel abstract, like chasing shadows. Think metaphors, analogies, and relatable scenarios. Because securing data isn’t just about 1s and 0s—it’s about protecting our digital existence.
The Gamification Dilemma: Fun vs. Functionality: Gamification is all the rage, but is it always the answer? Not necessarily. Remember, not every challenge needs a leader board.
Keywords: cybersecurity, compliance, user experience, storytelling, human-computer interaction, behaviour change, security champions, accessibility, cybersecurity awareness training, behavioural change, data, design thinking, gamification
SHOW NOTES
The wonderful Bec McKeown will be joining us in a few weeks! Make sure you’re subscribed to the channel because you won’t want to miss that one!
Privacy is a Crime Video
Double Diamond Design Method
Actionable Gamification: Beyond Points, Badges, and Leader Boards by Yu-Kai Chou
Zombies Run App
ABOUT DAMJAN OBAL
As a Head of design at Ardoq, Damjan works with internal and external stakeholders to help asset-heavy industries understand, orchestrate, and operationalize their data. As part of the team working on data products, his research focuses on data observability and data quality.
He spends days uncovering user needs and helping R&D teams turn those needs and challenges into business opportunities.
Previously, he led user experience teams with Cognizant, Pexip, and Cisco, and before that managed the global UX team at Entain.
LINKS FOR DAMJAN OBAL
Damjan’s Website
This Episode we are joined by Damjan Obal, Head of design at Ardoq, lecturer and international speaker on all things design and data.
In this episode, F.U.D OFF! - Cybersecurity Awareness Beyond Compliance and Boredom, we learn from Damjan about the importance of storytelling, the difference between game theory and gamification, what accessibility champions get so right that we in security get so wrong, and how to design a security awareness programme that resonates with people and encourages empathy and behavioural change.
F.U.D - Fear, Uncertainty and Doubt - has been a mainstay of cybersecurity messaging, but is it serving us, or is it just turning people off our message? Find out in this episode whether there is another way, and whether we should just tell F.U.D to F.U.D off for good!
——————
In this Episode we cover:
How to use storytelling effectively: Why do we only talk about the stuff nobody cares about when we have such great stories to tell!
Finding your ‘WHY’: The first steps towards making your security engagements salient, relevant and focused on the bigger picture
Game Theory vs. Gamification: How do you use either effectively to make security awareness training more interesting and relevant
F.U.D Off: Why fear-mongering doesn’t work and how the odd joke might engage your audience better
Lessons from the world of accessibility: Learning how the principles of good accessibility might lead to better security controls and buy-in
——————
Keywords: cybersecurity, compliance, user experience, storytelling, human-computer interaction, behaviour change, security champions, accessibility
Show Notes
Using Cartoons to Teach Internet Security - Sukamol Srikwan and Markus Jakobsson
I couldn’t find the bank that interviewed its customers - Sorry! - If you know do tell us and we’ll update the show notes!
This Episode we are joined by James Hall, developer and Founder of Parallex, a digital consultancy that focuses on ‘building better digital experiences together’.
In this episode, That’s illuminating! Protecting Aberdeen’s IoT Street Lights from Cyber attacks!, James shares his experience of securing public utilities and other IoT devices, how he ‘sells’ security as a value add to his stakeholders, and whether bug bounties are actually worth doing!
—————
In this Episode we cover:
Agile means no documentation, right? Wrong! While documentation is certainly lighter in agile teams, it is not absent. But this lightweight style brings its own challenges, and teams need to avoid keeping it all ‘in their heads’ if they want security teams to understand what they are building and the security challenges that come with it. James tells us about the danger of assuming prior knowledge and suggests a simple test for your documentation: give it to the most junior member of the team and see if they can follow it. But while documentation is important, we need to remember that…
Shared documentation is not the same as shared knowledge. It is not enough to make sure everyone on the team has read the security requirements. Keep the communication channels open and encourage team members to ask questions and share what they know.
Pair programming can fill in the blind spots around security issues. It is important to acknowledge that there are things we don’t know as developers, and pairing with a member of the security team helps close those gaps: both people share their knowledge and learn from each other.
Securing IoT devices is challenging because hardware manufacturers often have little incentive to make their products secure. This is a major challenge in securing IoT devices, and it is important to be aware of it when designing solutions that rely on them.
Bringing risk to life is important, otherwise people will ignore it. Communicate the risks associated with cyber-attacks in a way that is easy to understand.
—————
Visit www.compromisingpositions.co.uk for full show notes
Today we are joined by Paula Cizek, Chief Research Officer at Nobl, where she guides leaders and teams through the change management process, from assessing the organization’s readiness for change to implementing initiatives. In this episode, we explore the fascinating topic of Corporate Change and how its lessons can be applied to cybersecurity.
In the vast ocean of the corporate world, change is as constant as the tides. It can be exhilarating for some and daunting for others. As leaders, we often stand at the helm, eager to navigate new courses. Yet, we must remember, that not all aboard share the same vision or enthusiasm for these uncharted waters.
Why is it scary for many? How do leaders balance the excitement of innovation with the practicalities and emotions of their teams? We’ll explore the dichotomy of change - the loss and the gain, the risk and the reward.
We'll unpack the layers of change management, from the first ripples of a new idea within the executive team to the waves it creates throughout an organization. How do we bring everyone on deck, giving them the time to adjust their sails and embrace the journey?
We'll also navigate the treacherous waters of resistance. Not every objection is an excuse, and sometimes, they signal hidden icebergs. How do we, as leaders, distinguish between the two?
So, tighten your lifejackets and get ready to dive into the deep end of transformation. In this episode “Shift Happens: The Art of Navigating the Seas of Cyber Change”.
————
In this Episode we cover:
Why there’s such a gap between the exec team and boots on the ground when it comes to accepting and being excited by change
The difference between “Fail Safe” and “Safe to Fail” changes and projects
Why we should Start with the Skateboard
That not every objection to change is an excuse
How to communicate change effectively
Being comfortable with being uncomfortable when it comes to negotiation
Why Risk and Uncertainty are different beasts
——————
Keywords: Cybersecurity, Cyber threats, Change management, Organisational, transformation, Risk management, Innovation, and Leadership
SHOW NOTES
ABOUT PAULA CIZEK
Paula Cizek is the Chief Research Officer of NOBL, where she guides organizations through large-scale transformation. A thought leader in change management and change resistance, she specializes in translating complex concepts into simple, practical tactics that deliver immediate and meaningful change.
Before joining NOBL, she was Innovation Manager at the IPG Media Lab, advising brand and media clients on emerging technology. Prior to that, she was Senior Innovation Consultant at Mandalah, where she led consumer behavior and brand strategy research for brands around the world. She's worked with a diverse roster of clients including Warner Bros., Chanel, Capital One, Bayer Pharmaceuticals, Airbnb, Chipotle, Grupo Bimbo, and more, and she's been published or quoted in publications like BrandingMag and Women's Wear Daily. She graduated from Georgetown University, majoring in Marketing and International Business.
LINKS FOR Paula Cizek
Paula’s LinkedIn
Welcome to the third part of our AI mini-series.
In this episode, Jeff and Lianne discuss how AI is transforming the world of cybersecurity, and what you need to know to stay ahead of the curve.
They share their personal experiences with using AI tools, such as the custom GPT suite and the tool they are creating, Security Sage, to enhance their security practices and workflows.
They also explore the challenges and risks that AI poses to cybersecurity, such as phishing, vishing, OSINT, data leaks, and model inversion attacks.
They offer some practical advice on how to use AI safely and responsibly, and how to leverage it to become a better cybersecurity professional.
In this Episode we cover:
How AI is democratizing and disrupting the field of cybersecurity
How to use prompt engineering to get the best out of AI models
How to protect yourself and your organization from AI-enabled cyberattacks
How to use AI to improve your cybersecurity function and become an ally and enabler for your business
How to keep up with the latest developments and trends in AI and cybersecurity
—————————————————————————————————————————————————————
Check out the rest of the AI mini-series by visiting our YouTube page or wherever you listen to your podcasts!
Show Notes
What is the Metaverse, Exactly? Wired
AI Winter: The Highs and Lows of Artificial Intelligence. History of Data Science
Over 84% of us are using AI - Jeff got this stat from here
Jeff and Lianne’s talk on Product Security, which includes lots of insight on threat modelling, attack trees and abuser stories
Recommended Coursera course for ChatGPT prompt engineering
ChatGPT will provide more detailed and accurate responses if you pretend to tip it, according to a new study. Windows Central.
Report that suggests the younger generation are more permissive with their data and privacy. Cybsafe.
Hear Lianne and Jeff talk about AI at the Future of Cybersecurity Conference in Manchester on 8th February 2024
The Royal Institution Christmas Lectures on AI
About Lianne Potter
As the Head of SecOps for the largest greenfield technology transformation project in Europe, Lianne is building a leading edge security team from scratch to meet the needs of a modern retail organisation while empowering her team to think innovatively to create new standards in best practices.
Lianne has delivered talks across the globe to share her vision for a new type of security function.
Drawing upon her expertise as a cyber-anthropologist (through her consultancy, The Anthrosecurist), her practical experience as a security-focused software developer and as a security practitioner; Lianne combines the human and the technical aspects of security to evangelise a cultural security transformation.
She is on the advisory board for a community enterprise aimed at encouraging diversity in tech, is a published author, podcast regular and Host of Cybersecurity Podcast Compromising Positions, and won Computing.com’s Security Specialist of the Year for her work on human-centric approaches to security.
In 2021 she won two awards for Security Leader of the Year 2021 and Woman of the Year in the Enterprise category and in 2023 she won Cyber Personality of the Year in The Real Cyber Awards.
She is doing a Masters in AI and Data Science in 2024.
LINKS FOR LIANNE
Compromising Positions Podcast
ABOUT JEFF WATKINS
Jeff is Chief Product and Technology Officer for xDesign.
He is a lifelong technologist with nearly 25 years’ experience in the industry, first having started coding at age 6.
He has worked in the Financial Services, Healthcare and Retail industries, on enterprise and national scale programmes.
Over the years he has become increasingly interested in Cybersecurity and AI and how both will shape our future, both technologically and the human impact.
Jeff has founded multiple CyberSecurity teams and is currently working on several new pieces around the secure development and deployment of Generative AI based solutions.
He is a tech blogger, writer, podcaster, host of Compromising Positions and public speaker, having recently keynoted at the Webinale international web conference in Berlin.
Jeff has a Masters in Cybersecurity and will be starting his Masters in AI and Data Science in 2024.
LINKS FOR JEFF
Compromising Positions Podcast
Keywords: AI, Cybersecurity, Threat Modelling, Prompt Engineering, AI Attacks, Human Risk, Data Leaks, Model Inversion, AI Education, Podcast
No episode this week!
We’re back to finish off our AI mini-series on the 4th January where your hosts, Jeff Watkins and Lianne Potter discuss how they utilise AI in their work as cybersecurity and tech specialists, their own hints and tips on how to get the best out of the tool, and their predictions for AI usage within the security field in 2024.
If you’re missing your Compromising Positions fix, why not visit our back catalogue of 13 fantastic episodes, or watch our festive special, The 12 Days of Breachmas, for short bursts of sweet cybersecurity content!
Links in the show notes and see you next Thursday!
Show Notes
Watch our 12 Days of Breachmas to Tide you over until next Thursday!
Listen to our back catalogue on YouTube, Spotify, or Apple Podcasts
Welcome to the second part of our AI mini-series.
Last week, Helena Hill, UX and AI expert, provided us with some great practical advice on how to navigate large language models like ChatGPT in our daily work.
She gave us ideas for usage and also what we should be wary of, both from a cybersecurity perspective and a quality perspective. See the show notes for a link to that episode; it is a must-listen if you’re interested in this topic!
As we’ve been talking to our guests this year, the topic of AI and ChatGPT came up several times, and it quickly became apparent that their insights deserved a standalone episode. So we’ve been snipping them out of the main episodes to bring you, in the tradition of a season-based show, a lovely clip show! You’ll hear some familiar voices from season 1 and a few that will be joining us next year for future seasons.
Enjoy five hot takes on AI from five very interesting people!
——————————————————————————
In this Episode we cover:
In a knowledge economy, is it ethically right to pass off LLMs output as our own?
Should we ban our employees from using tools like ChatGPT because of cybersecurity concerns?
AI is only as good as the data it is built upon - so not very good, according to data analysts worried about bias!
Will AI replace customer service reps?
And what companies are putting AI on the risk register?
——————————————————————————
Join us next week for our final episode of 2023 and last in our AI special where your hosts, Jeff Watkins and Lianne Potter discuss how they’ve been using AI in cybersecurity and beyond.
Links to everything we discussed in this episode can be found in the show notes and if you liked the show, please do leave us a review.
Follow us on all good podcasting platforms and via our YouTube channel, and don't forget to share on LinkedIn and in your teams.
It really helps us spread the word and get high-quality guests, on future episodes.
We hope you enjoyed this episode - See you next time, keep secure, and don’t forget to ask yourself, ‘Am I the compromising position here?’
Show Notes
Helena Hill’s Episode on How to use ChatGPT and AI to Level UP your Cybersecurity Function
Reema Vadoliya’s Episode on If Data is the New Oil, How do we Prevent Data Spills
Christian Hunt’s Episode on The Human OS - Why We Can’t Just CTRL + ALT + Delete Our Compliance Problems
This week we are joined by Helena Hill, a seasoned UX Strategist and Consultant and AI expert with a wealth of experience spanning diverse clients, from pre-start-ups to global industry giants.
Last week Helena taught us how we in the cybersecurity team can effectively use the User experience team, and its principles to improve our security controls and create a better journey. If you’ve not listened to that episode yet, do check it out.
This episode we’re asking Helena about her other expertise in AI and how cybersecurity teams can use tools like ChatGPT to make our lives easier
We’ll touch upon cybersecurity concerns around AI, but mostly this will be a practical episode on how to get the most out of these exciting tools.
This episode concludes season 1 and we’d like to say a huge thank you to everyone who has supported this journey, either by just listening, sharing, subscribing, leaving a review or providing feedback.
We can’t thank you enough for lending your ears and your thoughts on this rather unusual approach to talking about cybersecurity by only speaking to non-cybersecurity professionals!
And of course, a huge thank you to all our kind guests who have been so generous with their time and expertise. But this is not the end of Compromising Positions! We have enough episodes already recorded to last us well into summer next year and we intend to keep bringing you fantastic guests and new insights for all of 2024.
We’re taking a few weeks off in January but you won’t have to go cold turkey! We’ll be releasing an AI special mini-series, shorts for our 12 Days of Breachmas and trailers for season 2!
Links to everything Helena discussed in this episode can be found in the show notes and if you liked the show, please do leave us a review.
Follow us on all good podcasting platforms and via our YouTube channel, and don't forget to share on LinkedIn and in your teams.
It really helps us spread the word and get high-quality guests, like Helena, on future episodes.
We hope you enjoyed this episode - See you next time, keep secure, and don’t forget to ask yourself, ‘Am I the compromising position here?’
This week we are joined by Helena Hill, a seasoned UX Strategist and Consultant and AI expert with a wealth of experience spanning diverse clients, from pre-start-ups to global industry giants.
In this episode, we explore the fascinating topic of UX and cybersecurity.
We’re going to learn from the UX function to see how we can create a better user experience for people on their security journey, learn how to get buy-in from the business about implementing controls such as MFA, and how to ‘sell’ our security value offering as a positive user experience.
And of course, crucially, how to take those first few steps to engage with the UX team!
Key Takeaways for this episode are:
UX and Cybersecurity share the same challenge of educating and getting buy-in from the organization to elevate their importance on the business agenda.
Understanding the user journey is crucial for both UX and Cybersecurity teams to build a better usable security journey.
Empathy mapping helps build a picture of a person and understand their needs and expectations.
Leveraging user expectations and their ease of use thresholds can help create appropriate security controls.
Collaboration between UX/UR and Cybersecurity teams can lead to innovation in the security space and improve the user experience.
This is the first of our two-part conversation with Helena. Next week we will be talking about her other specialism, AI, which kicks off our Christmas mini-series on AI.
Links to everything Helena discussed in this episode can be found in the show notes and if you liked the show, please do leave us a review.
Follow us on all good podcasting platforms and via our YouTube channel, and don't forget to share on LinkedIn and in your teams.
It really helps us spread the word and get high-quality guests, like Helena, on future episodes.
We hope you enjoyed this episode - See you next time, keep secure, and don’t forget to ask yourself, ‘Am I the compromising position here?’
Show Notes
What is a Persona Non Grata? Developed at DePaul University, the Persona non Grata approach makes threat modelling more tractable by asking users to focus on attackers, their motivations, and their abilities. Once this step is completed, users are asked to brainstorm about targets and likely attack mechanisms that the attackers would deploy. Read more: Cyber Threat Modelling: An Evaluation of Three Methods by Forrest Shull and Nancy R. Mead
Downloadable Empathy Map
The stat 1 cybersecurity professional per 100 developers can be found in Toby Irvine’s article The Ratio
An article explaining Dunbar’s Number
A Usability Study of Five Two-Factor Authentication Methods By Ken Reese et al.
Research Insights: Optimal MFA options for Web3 audiences
The State of the Auth: Experiences and Perceptions of Multi-factor Authentication
“Nah, it’s just annoying!” A Deep Dive into User Perceptions of Two-Factor Authentication By Karola Marky et al.
“Don’t punish all of us”: Measuring User Attitudes about Two-Factor Authentication By Jonathan Dutson et al.
The original, and arguably the best book on Nudge Theory - Nudge: The Final Edition: Improving Decisions About Money, Health, and the Environment by Richard H. Thaler and Cass R. Sunstein. This is a must-read book to learn about influencing behaviour change
About Helena Hill
Helena Hill is a seasoned UX Strategist and Consultant with a wealth of experience spanning diverse clients, from pre-start-ups to global industry giants. Her expertise encompasses fostering in-house UX and customer experience teams, orchestrating and implementing cutting-edge UX methodologies, and collaborating with clients to craft innovative, user-centric digital experiences.
As a thought leader, Helena frequently takes the stage to share her insights on user experience design, customer experience, and service design. She has recently extended her skills into the exciting realm of passenger experience. Furthermore, Helena holds a ChatGPT expert certification, showcasing her high level of expertise in conversational AI and how it can be utilised to exceed user and customer expectations.
Links related to Helena Hill
This week our guest is Melina Palmer, a renowned keynote speaker in behavioural economics and the CEO of The Brainy Business, as well as hosting one of the best podcasts on the subject of the practical application of behavioural economics.
In this episode, we're going to discuss the art of influencing both up and down, and how to tailor your cybersecurity message to different audiences.
Melina teaches us that it's not about the cookie - that is, it's not just about the product or cybersecurity awareness and controls themselves, but it's about how we frame information and communicate change.
With her expertise in behavioural economics, Melina shows us how to make change easier, reduce decision fatigue, and increase social capital through understanding and compromise.
What you’ll learn in this episode:
Effective communication is key to influencing both up and down in an organization. Tailoring your message to the audience and framing it in a relatable way can make you a more thoughtful communicator.
Cybersecurity awareness and controls are crucial for preventing breaches, but the way you "sell" the experience matters. By making engagement positive and impactful, you can increase social capital and encourage people to follow the rules.
Change can be overwhelming, especially when we're already dealing with a lot of decisions and cognitive load. To make change easier, it's important to focus on what matters in the moment and avoid overwhelming people with too many changes at once.
By understanding how our brains work and tailoring our communication and change management strategies accordingly, we can make a positive impact on our organizations and help drive progress.
If you're interested in understanding the behavioural science behind cybersecurity and how we can communicate more effectively, then you're in the right place.
Links to everything Melina discussed in this episode can be found in the show notes and if you liked the show, please do leave us a review.
Follow us on all good podcasting platforms and via our YouTube channel, and don't forget to share on LinkedIn and in your teams.
It really helps us spread the word and get high-quality guests, like Melina, on future episodes.
We hope you enjoyed this episode - See you next time, keep secure, and don’t forget to ask yourself, ‘Am I the compromising position here?’
Show Notes
Melina has created a fantastic It’s Not About The Cookie worksheet so you can start using it in your organisation today
An article on delivering bad news on a Friday. It isn’t the book Lianne mentioned (she can’t remember what book that was!) but this article covers why bad news from leadership on a Friday is a bad move! By Korn Ferry
An article on Decision Fatigue
ABOUT MELINA PALMER
Melina Palmer is a globally celebrated keynote speaker showing companies how they can easily get customers to buy and employees to buy in by leveraging the power of behavioural economics.
She is the CEO of The Brainy Business, which provides behavioural economics training and consulting to businesses of all sizes from around the world.
Her podcast, The Brainy Business: Understanding the Psychology of Why People Buy, has downloads in over 170 countries and is used as a resource for teaching applied behavioural economics to many universities and businesses. Melina teaches applied behavioural economics through the Texas A&M Human Behavior Lab and obtained her master’s in behavioural economics from The Chicago School of Professional Psychology.
A proud member of the Global Association of Applied Behavioral Scientists, Melina has contributed research to the Association for Consumer Research, Filene Research Institute, and writes on Behavioral Economics & Business for Inc Magazine.
Her first book, What Your Customer Wants and Can’t Tell You (2021), won first place in the Chanticleer International Book Awards in its category, of which her second book, What Your Employees Need and Can’t Tell You (2022), was also a finalist. Her highly anticipated third book, The Truth About Pricing, is scheduled to be published in January 2024.
LINKS RELATED TO MELINA PALMER
This week our guest is Melina Palmer, a renowned keynote speaker in behavioural economics and the CEO of The Brainy Business, as well as hosting one of the best podcasts on the subject of the practical application of behavioural economics.
In this episode, we discuss how silos and tribal mentalities occur in the workplace due to confirmation bias and how we can expand the circle of empathy to create a more cohesive team.
We'll also delve into the issue of time discounting, availability bias and optimism bias to understand why people are drawn to the easy option in the moment.
We shall explore how the cybersecurity team's curse of knowledge can be a barrier to effective communication, and the need to create easier-to-digest content that enables 'buy-in.'
Key takeaways for this episode are:
Understanding the behaviour that leads to insecure cybersecurity behaviour is crucial in developing effective cybersecurity strategies.
Silos and tribal mentalities in the workplace can be detrimental to team dynamics and productivity. Leaders should work towards creating a 'team company' culture.
Confirmation bias and focusing illusion can lead to negative relationships and narrow perspectives. It's important to listen and build positive connections.
Cybersecurity messages should be framed in a way that resonates with users and takes into account their knowledge and habits.
To effectively communicate cybersecurity information, it's important to get into the mind space of the person you're communicating with and provide easy-to-digest content.
If you're interested in understanding the behavioural science behind cybersecurity and how we can communicate more effectively, then you're in the right place.
Links to everything Melina discussed in this episode can be found in the show notes and if you liked the show, please do leave us a review.
Follow us on all good podcasting platforms and via our YouTube channel, and don't forget to share on LinkedIn and in your teams.
It really helps us spread the word and get high-quality guests, like Melina, on future episodes.
We hope you enjoyed this episode - See you next time, keep secure, and don’t forget to ask yourself, ‘Am I the compromising position here?’
SHOW NOTES
The original, and arguably the best book on Nudge Theory - Nudge: The Final Edition: Improving Decisions About Money, Health, and the Environment by Richard H. Thaler and Cass R. Sunstein. This is a must-read book to learn about influencing behaviour change
The Power of Us: Harnessing Our Shared Identities for Personal and Collective Success by Jay Van Bavel and Dominic J. Packer
A short video on the philosophy of Ayn Rand
Melina’s episode on Confirmation Bias
Melina’s episode on Focusing Illusion
We couldn’t find the exact study Melina mentions in regards to teachers’ bias and its impact on grades, but we did find another similar study that shares almost the same results - (Biased) Grading of Students’ Performance
Melina’s episode on Availability Bias
Melina’s episode on Time Discounting
Melina’s episode on Optimism Bias
ABOUT MELINA PALMER
Melina Palmer is a globally celebrated keynote speaker showing companies how they can easily get customers to buy and employees to buy in by leveraging the power of behavioural economics.
She is the CEO of The Brainy Business, which provides behavioural economics training and consulting to businesses of all sizes from around the world.
Her podcast, The Brainy Business: Understanding the Psychology of Why People Buy, has downloads in over 170 countries and is used as a resource for teaching applied behavioural economics to many universities and businesses. Melina teaches applied behavioural economics through the Texas A&M Human Behavior Lab and obtained her master’s in behavioural economics from The Chicago School of Professional Psychology.
A proud member of the Global Association of Applied Behavioral Scientists, Melina has contributed research to the Association for Consumer Research, Filene Research Institute, and writes on Behavioral Economics & Business for Inc Magazine.
Her first book, What Your Customer Wants and Can’t Tell You (2021), won first place in the Chanticleer International Book Awards in its category, of which her second book, What Your Employees Need and Can’t Tell You (2022), was also a finalist. Her highly anticipated third book, The Truth About Pricing, is scheduled to be published in January 2024.
LINKS RELATED TO MELINA PALMER
A word of warning listeners, we do discuss the darker side of crime, including human trafficking which some of our listeners may find upsetting. If this isn’t for you, feel free to skip this one and we’ll see you next week.
——————————————————————
This week our guest is Ray Blake. Ray is an advisor on financial crime matters and co-creator of the Dark Money Files podcast.
In this episode, we explore the motivations driving individuals to commit such crimes, probing whether it's sheer greed, the allure of victimless crimes, or a complex mix of factors.
We discuss how the lack of direct interaction with victims and the personal rationalizations criminals make facilitate the perpetuation of these crimes.
We also talk about the concept of corporate values and how they may not always align with individual morals, leading to a disconnect that can be exploited.
Furthermore, we look at the responsibility and moral hazard inherent in the fight against fraud, highlighting how cybersecurity often wrongfully blames the victim rather than focusing on the perpetrator.
Key Takeaways for this Episode:
Financial crime and cybercrime are closely related, and the lines between them are blurring.
The lack of interaction with the victim makes it easier to commit financial crime, and rationalisation is the story of organised crime.
Companies need to take responsibility for fraud and liability, and regulation and refunding customers can incentivise them to make the system safer.
Personal stories are key to creating empathy and driving change, and bad security communications can cause rebellion.
Links to everything Ray discussed in this episode can be found in the show notes and if you liked the show, please do leave us a review. Follow us on all good podcasting platforms and via our YouTube channel, and don't forget to share on LinkedIn and in your teams.
It really helps us spread the word and get high-quality guests, like Ray, on future episodes. We hope you enjoyed this episode - See you next time, keep secure, and don’t forget to ask yourself, ‘Am I the compromising position here?’
Show Notes
Jenny ‘The People Hacker’ Radcliffe
People Hacker: Confessions of a Burglar For Hire by Jenny Radcliffe
PSR announces plans to stop APP scams
Cybercrime To Cost The World $10.5 Trillion Annually By 2025
Goldfinger Quote Jeff was referring to was:
"Man has climbed Mount Everest. Gone to the bottom of the ocean. He has fired rockets at the Moon. Split the atom. Achieved miracles in every field of human endeavour...except crime!" - Goldfinger
Statistics on human trafficking
About Ray Blake
Ray is a commentator and adviser on financial crime matters and has worked extensively across regulated financial services and related fields for many years, working frequently with Boards, MLROs and Compliance teams to help them meet their regulatory accountabilities. He’s also co-creator with Graham Barrow of The Dark Money Files Podcast which looks at financial crime from a whole range of angles.
Links related to Ray Blake
This week we have a very special guest, Reema Vadoliya. Reema is the passionate business founder of data consultancy, People of Data, a gifted storyteller, and a professional problem-solver.
In this episode, Reema shares her insights on how to collaborate more effectively between cybersecurity and data professionals. She emphasizes the importance of empathetic communication, how sometimes quantifying risks is about gut feeling, not just metrics…
We look at how we can use data-driven storytelling to engage and educate people about cybersecurity, including how to make our phishing simulation stats not only more interesting to non-cybersecurity people but also how to make it actually drive meaningful behavioural changes.
Top 5 Takeaways for Building a Strong Data Culture and Cybersecurity:
1. Collaboration is key: The best way to ensure data security is by fostering good relationships between cybersecurity and data teams. Encourage open communication and explain the importance of keeping data safe.
2. Empathy is crucial: To solve problems effectively, it's important to understand the actual problem. Avoid closed questions and focus on the "why" behind the issue.
3. Checklists can help: Consistent, repeatable, and reusable rules of engagement can prevent insecure practices and reduce the need for constant consultation with the security team.
4. Quantifying risks is complex: Sometimes, you need to rely on gut feeling to balance a complex risk landscape. Business analysts can help identify potential risks that may have been overlooked.
5. Start small: Building a strong data culture takes time. Start by removing barriers that make data feel unobtainable and use storytelling to help people understand complex concepts. Make better use of phishing data to tell better stories and improve outcomes.
Links to everything we discuss in this episode can be found in the show notes and if you liked the show, please do leave us a review.
Follow us on all good podcasting platforms and via our YouTube channel, and don't forget to share on LinkedIn and in your teams. It really helps us spread the word and get high-quality guests, like Reema, on future episodes.
We hope you enjoyed episode 7, If Data is the new oil, how do we prevent data spills? - See you next time, keep secure, and don’t forget to ask yourself, ‘Am I the compromising position here?’
Show Notes
The phrase ‘Data is the new oil’ was coined by Clive Humby in 2006. By this, he meant that data, like oil, needs refinement and processing to turn it into something useful. We couldn’t find the original conference at which Humby said this, but we did find an interesting article looking at this assertion years later called ‘Data is the new oil of the digital economy’ by WIRED which is worth a read.
As of November 2023, GDPR fines can be up to 20 million euros, or up to 4% of a company’s global turnover of the preceding fiscal year (whichever is highest for the company found in breach of this regulation).
A ‘DBA’ is a Database Administrator. A DBA is a person who manages, maintains, and secures data in one or more data systems so that users can perform analysis for business operations. DBAs take care of data storage, organisation, presentation, utilisation, and analysis from a technical perspective.
The meme Jeff was talking about is the ‘Prince or Popstar meme.’ A nice write up of it can be found here.
One of the best books at looking at the successes of checklists is Matthew Syed’s thought-provoking book, Black Box Thinking: The Surprising Truth About Success - highly recommended by team CP!
Data in Practice: Systematizing data quality at Uber
About Reema Vadoliya
Reema is a passionate business founder, gifted storyteller and tireless advocate for inclusion in data. By challenging audiences to reshape their perception of data as a dreary necessity, she draws out the real human stories which organically empower intentional inclusion in data and beyond.
After seven years and multiple roles in data, Reema decided to launch her new, trailblazing company, People of Data. Through this organisation she seeks to create a world in which data can be used as a springboard for understanding the real people that data represents.
Reema is confident speaking about data strategy, analytical exploration, data collection and governance. Her talks offer a passionate manifesto for a world in which Equality, Diversity, Inclusion, and Belonging (EDIB) are the beating heart of all data handling and usage.
An experienced speaker not afraid of digging into the gristle of the difficult topics, Reema’s talks push beyond a 1D (one demographic) view of data and offer a refreshing, multi-dimensional consideration of how humanised data can pioneer a brighter future.
Links related to Reema Vadoliya
Reema’s LinkedIn
Reema’s Consultancy, People of Data
Welcome to part two of our enlightening discussion with Matt Ballantine, Engagement Manager at Equal Experts.
In this episode, Lianne Potter and Jeff Watkins continue this conversation and dive deeper into the nuances of modern-day communication and work dynamics. Do we need to set new etiquette for engaging in conversations? How do we establish norms when our work environment is evolving?
Matt also shares insights on the importance of security in our workflow, the power of networking and the need for effective communication and some unconventional wisdom including our favourite thought experiment ever… what would Dolly Parton do?
Establishing New Norms for Work: Top Tips
1. Build Rapport: To establish new norms for work, you need to know who you need to influence and build rapport with them. Think about the language you use, ask for conversation, and set up a coffee club to create a comfortable environment.
2. Embrace Discomfort: Getting comfortable with discomfort is essential to establish new norms for work. Use metaphors to help address problems and think about what Dolly Parton would do to enable better ideas.
3. Be Inclusive: When off-shoring and outsourcing teams, think of the team as a whole. Be conscious of time zones and make people who are not in the room active participants.
4. Prioritise Communication: Establishing new norms for work requires prioritising communication. If it doesn't get prioritised, it doesn't happen. Avoid firefighting and focus on drills, learning, talking, and listening to create a comfortable and productive work environment.
Links to everything Matt discussed in this episode can be found in the show notes and if you liked the show, please do leave us a review and share on LinkedIn or in your teams; it really helps us spread the word and get high-quality guests, like Matt, on future episodes.
We hope you enjoyed this episode - See you next time, keep secure, and don’t forget to ask yourself, ‘Am I a compromising position here?’
Show Notes
The Victorian Internet: The Remarkable Story of the Telegraph and the Nineteenth Century’s On-Line Pioneers by Tom Standage
Copy, Copy, Copy: How to Do Smarter Marketing by Using Other People’s Ideas by Mark Earls
Smells Like Team Spirit by Nirvana
Britain Admits Defeat in Online Safety Bill Encryption Wired
The Laws of Mathematics Don’t Apply Here Says Australian PM New Scientist
About Matt Ballantine
Matt is a sociologist who has accidentally found himself working in the world of technology for thirty years. Today he's an engagement manager for software development business Equal Experts, and previously he's held leadership roles at the BBC, Microsoft, Reuters, global marketing agency Imagination and London housing provider RHP.
In a parallel work universe he produces and presents a long-running technology management podcast, WB-40, he's created a playing card deck to help inspire better innovation called PlayCards, and most recently he ran a project to build relationships through the medium of coffee (or tea).
Matt lives in South West London with his partner, two children and a small family of saxophones.
Links related to Matt Ballantine
His PlayCards: https://stamplondon.co.uk/
His Website: https://mmitii.mattballantine.com/
His Podcast: https://wb40podcast.com/
This episode we are joined by Matt Ballantine, an Engagement Manager at Equal Experts.
We do a deep dive into workplace culture and user-needs-centric cybersecurity.
Matt believes that the essence of modern leadership isn't just about supervision, but about becoming a nexus between people and ideas.
From the transformative shift of T-shaped managers to the pivotal role of psychological safety, we'll journey through the strategies leaders need to adopt to thrive in today's interconnected age.
Get ready to challenge your understanding of work, play, and the art of connection in this two-part episode.
Links to everything Matt discussed in this episode can be found in the show notes and if you liked the show, please do leave us a review and share on LinkedIn or in your teams; it really helps us spread the word and get high-quality guests, like Matt, on future episodes.
We hope you enjoyed this episode - See you next time, keep secure, and don’t forget to ask yourself, ‘Am I a compromising position here?’
Show Notes
Collaboration by Morten Hanson
Praise for Cyber Saint, Ben Aung @ Sage!
Did Using Militaristic Language Make the Pandemic Feel Even Worse?
Talk: The Science of Conversation by Elizabeth Stokoe
About Matt Ballantine
Matt is a sociologist who has accidentally found himself working in the world of technology for thirty years. Today he's an engagement manager for software development business Equal Experts, and previously he's held leadership roles at the BBC, Microsoft, Reuters, global marketing agency Imagination and London housing provider RHP.
In a parallel work universe he produces and presents a long-running technology management podcast, WB-40, he's created a playing card deck to help inspire better innovation called PlayCards, and most recently he ran a project to build relationships through the medium of coffee (or tea).
Matt lives in South West London with his partner, two children and a small family of saxophones.
Links related to Matt Ballantine
His PlayCards: https://stamplondon.co.uk/
His Website: https://mmitii.mattballantine.com/
His Podcast: https://wb40podcast.com/
In this episode, our guest Josh Nesbitt, CTO of Glean, a Leeds EdTech startup, shares his insights on securing the data of vulnerable people, the importance of accessibility and compliance in production-ready products, and the challenges of achieving usability, functionality, and security in concert.
Join us as we debunk common misconceptions around agile and explore how security teams can be more creative in their approach. We’ll talk about how to use tooling and engagement to get engineers and security teams on the same page.
Links to everything Josh discussed in this episode can be found in the show notes and if you liked the show, please do leave us a review and share on LinkedIn or in your teams; it really helps us spread the word and get high-quality guests, like Josh, on future episodes.
We hope you enjoyed this episode - See you next time, keep secure, and don’t forget to ask yourself, ‘Am I a compromising position here?’
SHOW NOTES
Great blogs on how Shopify do engineering: https://shopify.engineering/
The ‘curse of knowledge’ Jeff mentioned came from our discussions with Christian Hunt - Check out his episodes here
Rubocop - A Ruby static code analyser
About Josh
Josh is a software engineer and technical leader based in the UK. He’s been working on the web for the last 17 years, and during that time, he’s worked with a wide range of clients, from indie start-ups to some of the largest organisations in the world. His work spans from hands-on projects building large platforms to leading some of the best-performing teams in our industry.
Alongside his work as a consultant, he also runs an internationally recognised conference called All Day Hey!, which brings people from all over the world to the heart of Leeds to learn, inspire and share stories.
Links Related to Josh Nesbitt:
Josh on LinkedIn: linkedin.com/in/josh-nesbitt
Josh at Hey! Including his amazing conference ALL DAY HEY!: https://heypresents.com/
Josh’s podcast: https://heypresents.com/podcast
In this episode, we continue our conversation with Christian Hunt, the founder of Human Risk, a firm that helps organisations with ethics and compliance.
Christian shares his insights on why blanket bans are ineffective and how small acts of rebellion can lead to bigger problems.
He also explains why treating employees with empathy and respect is more productive than treating them like potential criminals.
Finally, he introduces his H.U.M.A.N.S Framework, and guides us in this fantastic example of how to prevent people from clicking on malicious emails. This episode is full of valuable insights on how to be more 'HUMAN' and avoid cyber risks.
Links to everything Christian discussed in this episode can be found in the show notes below and if you liked the show, please do leave us a review and share far and wide! It really helps us spread the word and get high-quality guests, like Christian, on future episodes.
We hope you enjoyed this episode - Keep safe, Keep secure, and don’t forget to ask yourself, ‘Am I the compromising position here?’
Show Notes
Christian is the founder of Human Risk, a Behavioural Science (BeSci) led Consulting and Training Firm specialising in Ethics & Compliance and the author of a book, ‘Humanizing Rules’. He was formerly Managing Director, Head of Behavioural Science at UBS. Christian joined the Firm in Compliance & Operational Risk Control, leading the function globally for UBS Asset Management. Before joining UBS, he was COO of the UK Prudential Regulation Authority, a subsidiary of the Bank of England responsible for regulating financial services.
Links related to Christian Hunt:
His Book: https://www.human-risk.com/humanizing-rules-book
His Website: https://www.human-risk.com/
His Podcast: https://www.humanriskpodcast.com/
This episode we've got a super interesting interview with Christian Hunt, the founder of Human Risk. He's a Behavioural Science expert and author of the book 'Humanizing Rules', which explores how we can use Behavioural Science to improve compliance and ethics.
In this interview, Christian shares his insights on how important it is to consider the humans behind compliance and cybersecurity.
He explains that it's not just about following documentation, but also about the people who are responsible for ensuring compliance within an organization.
Christian talks about how we can use Behavioural Science techniques to encourage buy-in for ethics and compliance, despite their negative reputation.
One of the key takeaways from the interview is the importance of designing things for how people actually behave, as opposed to how we'd like them to behave. Christian emphasizes that we need to enable people to make real decisions in the real world and give them more autonomy to help keep our organisations safe.
He also touches on the ethics of phishing simulations, measuring the success of training, and how people really feel about rules they don’t respect!
There was so much good stuff in this interview that we had to make this a two-parter, so follow the show wherever you get your podcasts so you don’t miss the second episode, where Christian uses his HUMANS Framework to help us get the most out of stopping people clicking on potential phishing links!
Links to everything Christian discussed in this episode can be found in the show notes and if you liked the show, please do leave us a review and share far and wide! It really helps us spread the word and get high-quality guests, like Christian, on future episodes.
We hope you enjoyed this episode - Keep safe, Keep secure, and don’t forget to ask yourself, ‘Am I the compromising position here?’
Show Notes
Christian is the founder of Human Risk, a Behavioural Science (BeSci) led Consulting and Training Firm specialising in Ethics & Compliance and the author of a book, ‘Humanizing Rules’. He was formerly Managing Director, Head of Behavioural Science at UBS. Christian joined the Firm in Compliance & Operational Risk Control, leading the function globally for UBS Asset Management. Before joining UBS, he was COO of the UK Prudential Regulation Authority, a subsidiary of the Bank of England responsible for regulating financial services.
Links related to Christian Hunt:
His Book: https://www.human-risk.com/humanizing-rules-book
His Website: https://www.human-risk.com/
His Podcast: https://www.humanriskpodcast.com/
Our first episode was an interview with Mr DevOps himself, Kevin Behr, of the Phoenix Project.
Watch the Live Stream
Episode 0 - Trailer