Lianne Lianne

EPISODE 27: Ignore all previous instructions: Threat modelling AI Systems

Welcome to the grand finale of season two of ‘Compromising Positions’, where we delve into the fascinating world of AI security. In this special episode, your hosts will guide you through the labyrinth of securing AI models, one step at a time.

For those who prefer a quick overview, we offer an abridged version on Apple Podcasts and Spotify.

This version deep dives into two key topics:

Jeff’s unique mnemonic C-PTSD for threat modeling AI systems, and an intriguing discussion on the correlation between boredom, worm-killing, and AI efficiency gains.

For those who crave a deeper dive, scroll down or visit our Youtube channel for the extended cut.

This version includes everything from the regular version, plus:

  • Jeff’s academic journey in AI at the University of Hull

  • Lianne’s preparation for a 100 days of Code in Python for her MSc in Data Science and AI at Leeds Trinity University

  • A critical discussion on OpenAI’s transparency and the latest AI wearable technology, along with the complexities of consent and privacy in an ‘always recorded’ lifestyle

Whether you choose the regular or extended version, we appreciate your support throughout season two. Stay tuned for more enlightening discussions in season three! Thank you for being a fantastic audience.


EPISODE 26: It’s A Wonderful Hack! Building A High Performance Security Team

This week we are joined by Dr David Burkus, one of the world’s leading business thinkers and best-selling author of five books on the topic of business and leadership. Dr Burkus has worked with the leadership teams of some internationally known names such as PepsiCo, Adobe and NASA.

In this episode, “It’s a Wonderful Hack! Building a high-performance cybersecurity team”, we discuss the three elements of the “Team Culture Triad”: common understanding, psychological safety and prosocial purpose, and how these elements are the backbone of every successful team.

We delve into how interpersonal trust is a reciprocal process, that trust needs to be met with respect and an open mind, and how we can build a culture that learns from mistakes and where people feel safe to challenge at all levels in the business.

We also discuss how being part of a team is more like chess than checkers. We can’t treat all people like they have the same skills or ways of working, we’re a team yes, but it’s a team of individuals.

And the “It’s a Wonderful Life” test. A brilliant thought experiment to show the impact of your team’s contributions, which may not always be tied to revenue.

Key Takeaways:

  • Try a Little Tenderness: Empathy is important, but it's not just about feeling someone else's pain. To truly collaborate effectively, you need to understand your teammates on a deeper level, including their unique strengths, weaknesses, and working styles. By achieving this common understanding, you can anticipate their responses and adjust your approach to optimize teamwork.

  • Hey Boss, your Idea Sucks: When was the last time someone in your team challenged your decision? If it was a while ago, you might want to take a look at whether you’re building a team that fosters psychological safety.

  • Developing Pro-Social Purpose: A team that prioritizes collective success over individual gain fosters a collaborative environment.  When team members are driven by a common purpose, they're more likely to support each other and work towards shared goals. This sense of purpose strengthens the team and empowers individuals to contribute their best work.

  • It’s a Wonderful Life: Imagine if your cybersecurity team didn't exist.  What would the consequences be?  While this exercise helps you identify potential negative impacts, it's equally important to consider the positive contributions your team makes.


EPISODE 25: SUPERCONNECTORS: UNLEASHING PURPOSE BEYOND METRICS IN YOUR CYBERSECURITY FUNCTION

This week we are joined by Dr David Burkus, one of the world’s leading business thinkers and best-selling author of five books on the topic of business and leadership. Dr Burkus has worked with the leadership teams of some internationally known names such as PepsiCo, Adobe and NASA.

In this episode, “Storytelling Superconnectors: Unleashing Purpose Beyond Metrics in Your Cybersecurity Function”, Dr Burkus challenges the concept of Dunbar’s Number as we discuss the power of human networks, and how finding the superconnectors in your organisation will help you get your cybersecurity agenda in front of the right people.

Indulging in a bit of schadenfreude, Dr Burkus shows us how we can use the hacks and breaches of our competitors to demonstrate our value and purpose offering to the C-suite, and he also shares his unique insights on breaking down silos and harnessing the power of positive engagement in the workplace.

And as if that wasn’t enough (!) how to move away from just metrics to make your security function shine! If you want to change the way your organisation sees your security team, this is the episode for you! 

This is a two part episode (this is part one!) so don’t forget to check back in next week to hear the whole interview!

Key Takeaways:

  • Find your Superconnectors: Superconnectors are individuals who have lots of powerful connections and can help you expand your network quickly. By networking with superconnectors, you can find new opportunities and build purpose-driven teams in the cybersecurity function.

  • Embrace the Power of Storytelling: Facts and figures are important, but stories resonate on a deeper level. Security teams can leverage storytelling to educate employees about cybersecurity threats, celebrate successes, and foster a sense of shared purpose.

  • Break Down Silos: Challenge the stereotype of security as the "office police."  Focus on collaboration and highlight the positive contributions your team makes in protecting the organization. Aim for a 3:1 ratio of positive interactions to negative ones to build trust and rapport.

  • Learn from Your Competitors' Misfortunes: While celebrating wins is important, so is learning from failures. Use competitor breaches as a springboard for threat intelligence exercises, demonstrating the value your team brings in proactively preventing such attacks.


EPISODE 24: DATA, DATA EVERYWHERE, BUT HOW DO WE MAKE IT SAFE TO SHARE? EXPLORING THE RELATIONSHIP BETWEEN DATA, CYBERSECURITY AND OUR DESIRE FOR CONVENIENCE

This week we are joined by Jenn Calland, a seasoned Data Analyst, Analytics Engineer, former Platform Engineer and Full Stack Developer with expertise spanning Google Cloud, Looker, BigQuery, and many other technologies.

In this episode, Data, Data Everywhere, But How Do We Make It Safe to Share?, we are going to explore the relationship between data, cybersecurity and our personal and organisational desire for convenience, which can sometimes lead to insecure and risky behaviour.

Jenn warns data analysts about working under the assumption that, by the time they get their hands on the data, it’s all ‘safe and secure.’ She cautions the data team that they shouldn’t think they don’t need to be ‘secure’ because it has been taken care of either by the cloud providers, compliance or the security team themselves - but in fact, we all need to be accountable in our data/security journey.

We also discussed the challenges around anonymising data and the handling of medical data, how AI is changing things and what security teams can do to make sure we collaborate with the data team in a way that works for all parties involved. 


EPISODE 23: Awareness ≠ Behavioural Change - Rethinking Cybersecurity Training

This week we are joined by Bec McKeown, a chartered psychologist with extensive experience in carrying out applied research for organisations including the UK Ministry of Defence and the founder and director of Mind Science, an independent organisation that works with cybersecurity professionals.

Last episode we ended by talking with Bec about how cybercriminals leverage the fight-or-flight response and get you to do things you wouldn’t normally do, like share bank details, through amygdala hijacking. Bec concluded the episode by giving us some great advice on how we can retrain ourselves NOT to be so reactive and hopefully, stop ourselves from doing something rash.

In this episode, Awareness ≠ Behavioural Change - Rethinking Cybersecurity Training, we’re going to build upon what Bec discussed last week, a cyber psychology 101 if you will, and see how we practically apply key psychological concepts like cognitive agility, convergent and divergent thinking and meta-cognitive skills to things like tabletop exercises and security awareness training.


EPISODE 22: Hands Off My Amygdala! The Psychology Behind Cybersecurity

This week we are joined by Bec McKeown, a chartered psychologist with extensive experience in carrying out applied research for organisations including the UK Ministry of Defence and the founder and director of Mind Science, an independent organisation that works with cybersecurity professionals.

In this episode, Hands Off My Amygdala! The Psychology Behind Cybersecurity, we are going to hear about Bec’s varied and interesting career in advising people in highly stressful situations to be reflective and not reactive, and how they can not only learn from their actions but become masters of them.

This episode is a smorgasbord of psychological concepts that will make you think twice about how you normally run your security awareness programme and your tabletop exercises too. And crucially, you will learn why people act the way they do during an actual cybersecurity incident.


EPISODE 21: Bringing The Curtain Down On Risk Theatre And Applauding Objective-Centred Risk Management

This week we are joined by Sabrina Segal, an integrity, risk, and compliance advisor, with almost 20 years of experience in the public, private, and third-sectors. 

In this week’s episode, Bringing the Curtain Down on Risk Theatre and Applauding Objective-Centred Risk Management, Sabrina shares with us a quite frankly amazing model to work from: the OCRM, Objective-centred Risk Management.

This model is a great antidote to what Sabrina describes as ‘risk theatre’, which is the performance of risk governance activities without real substance or accountability, but with the dangerous consequence of making an organisation still feel like they have ‘done something’ when really it’s not worth the paper, or Excel doc, it is written on. This approach is scalable, practical, and effective, and it can help you achieve your goals while managing your risks and opportunities.

Key Takeaways:

  • Shift the Focus: Ditch the risk register and start with your objectives. What are you trying to achieve? What could stop you? This simple change aligns risk with your mission and drives informed decision-making.

  • Price Your Risks: Don't just identify risks, quantify them. Calculate the resource and software costs associated with each. This transparency reveals your true risk appetite and exposes gaps between rhetoric and reality.

  • Go-No-Go Decisions: OCRM empowers you to make clear, objective decisions based on risk pricing. Is the potential upside worth the cost? This eliminates wasted time and resources on low-impact risks.

  • Psychological safety: How to create an environment where employees feel empowered to speak up and challenge the status quo, even about risks.

  • The "halo effect": How the good work of charities and non-profits can sometimes mask poor risk management practices.

  • Utilising External Board Members: How to ensure they have the full picture and can effectively advise on cyber risks.


EPISODE 20: Not New, But Novel - Tackling Risk In The Third Sector

This week we are joined by Sabrina Segal, an integrity, risk, and compliance advisor, with almost 20 years of experience in the public, private, and third-sectors.

In this episode, Not New, but Novel - Tackling Risk in the Third Sector, we take a look at the challenges facing the third sector when it comes to cybersecurity and technology risks. The third sector, which includes charities and non-profits, is often overlooked or underestimated when it comes to cybersecurity and risk management. But this sector faces unique challenges and opportunities that require a novel and holistic approach to risk.

Sabrina has a really refreshing take on risk and we will hear how she enables her clients to get to grips with what she calls ‘tolerable risk’ and why we can’t avoid risks, but we can reframe risks to not only identify threats but also opportunities. While at the same time, making sure everyone cares about risk, not just people with ‘risk manager’ in their title!

Key Takeaways:

  • Forget Risk Appetite and Risk Matrices - Embrace ‘risk awareness’ tailored to your mission and your organisation’s objectives

  • Identify Your ‘Tolerable Risk’ - Risk can’t be avoided but we can identify and work within our ‘risk tolerance’ for better informed decisions

  • Risk is a Two-Sided Coin - It’s not just about threats but opportunities too, and it’s much easier for people to get excited about opportunities than threats!

  • Don’t Greenwash Those “Charity Days” - Forget painting the fence, litter picking or sorting cans, instead donate your cybersecurity expertise for maximum impact

  • Risk Is Everyone’s Job - Ditch the ‘risk manager’ title and empower everyone to be a risk champion!
