6 reasons your behavioural change plan failed

Or…why behavioural change plans fail to engage and inspire change with your employees. The best laid plans never survive contact with the enemy – so says the military man. Of course, a behavioural change plan for transforming your security culture starts from an altogether more positive place. After all, your staff aren’t your enemy (and […]

The ethics of ethical phishing

Getting the ethics of deception right is crucial to conduct ethical phishing in a safe manner. A quick search on the term ‘phishing’ identifies about 80,000 items in Google Scholar; ‘ethical phishing’ returns around 9,700. These results are evidence, primarily, of the many methodologies and strategies employed to understand how and why phishing emails succeed, […]

Not all data is created equal – it’s a question of classification

Information security is not just a legal requirement. It is necessary to maintain an organisation’s reputation, trust and profitability. Evolving technology results in more ways for data to be created, shared and stored. And while it may be easier (and cheaper) to collect and store large amounts of data, the risk to information is increasing. […]

A CISO’s guide to: creative employee awareness campaigns

Comms campaigns may not be your forte, so take a leaf from the Internal Communication handbook to get your message across.

“What we’ve got here is failure to communicate.” – The Captain, “Cool Hand Luke”

This line from Donn Pearce’s Cool Hand Luke – the story of a recalcitrant southern states prisoner and 1967 film starring […]

A CISO’s guide to the end of year report

What should CISOs consider when reporting to the Board? Martin Leggett offers some advice.

Cybersecurity: Why your board won’t listen

So why exactly isn’t your board listening? Well actually, they are. The problem is that what you are saying and what they are hearing are different things entirely. It may as well be a foreign language. It’s like speaking Vulcan at a Star Wars convention. This isn’t news to most of you. Any CISO worth […]

Compliance vs Behavioural Change – How to win over your board

Good news! The exec has decided (and the board has concurred): next up on your ‘to do’ list, just moments after you’ve put that hesitant tick against GDPR, is… ISO 27001. Or PCI-DSS. Or COBIT. Or NIST SP 800-53. Or any one of a plethora of industry-specific information security compliance frameworks. There’s no doubt the […]

A CISO’s guide to the CEO’s difficult questions

It’s a scenario we’re all familiar with: “Good morning, Mr Bailey, please take a seat. The interview will start now.” And although confident I have researched and prepared well, I know some searching questions are coming my way. But I also have a few of my own. After all, a job interview is a two-way […]

A CISO’s guide to: Baseline Behavioural Research

Changing everyone’s behaviour can be done.

‘Know thy enemy’ is a mantra often on the lips of the threat-aware CISO. But knowing your friends can be even more critical. Staff can be your human firewall or your hidden vulnerability. You need to know what makes them tick. Social psychologists might say we are best viewed […]

A CISO’s guide to: Evidencing behavioural change

“Measures maketh the man” – something, surely, only the board could cobble together. Professor Heisenberg might disagree. He started out with an ‘uncertainty principle’ and ended up with an ‘observer effect’: the idea that when you try to measure something, you end up changing it. It is enough to make the CISO tasked with evidencing change […]
