EPISODE 20: Not New, But Novel - Tackling Risk In The Third Sector
This week we are joined by Sabrina Segal, an integrity, risk, and compliance advisor with almost 20 years of experience in the public, private, and third sectors.
In this episode, Not New, but Novel - Tackling Risk in the Third Sector, we take a look at the challenges facing the third sector when it comes to cybersecurity and technology risks. The third sector, which includes charities and non-profits, is often overlooked or underestimated when it comes to cybersecurity and risk management. But this sector faces unique challenges and opportunities that require a novel and holistic approach to risk.
Sabrina has a really refreshing take on risk, and we will hear how she enables her clients to get to grips with what she calls ‘tolerable risk’ and why we can’t avoid risks, but we can reframe them to identify not only threats but also opportunities, while at the same time making sure everyone cares about risk, not just people with ‘risk manager’ in their title!
Key Takeaways:
Forget Risk Appetite and Risk Matrices - Embrace ‘risk awareness’ tailored to your mission and your organisation’s objectives
Identify Your ‘Tolerable Risk’ - Risk can’t be avoided but we can identify and work within our ‘risk tolerance’ for better informed decisions
Risk is a Two-Sided Coin - It’s not just about threats but opportunities too, and it’s much easier for people to get excited about opportunities than threats!
Don’t Greenwash Those “Charity Days” - Forget painting the fence, litter picking or sorting cans, instead donate your cybersecurity expertise for maximum impact
Risk Is Everyone’s Job - Ditch the ‘risk manager’ title and empower everyone to be a risk champion!
EPISODE 19: Fun With Purpose: A Scrum Guide!
This Episode we are joined by Amy Kouppas, a Scrum Master, D&I lead, and founder of a Women’s Health & Wellbeing group at Sky.
We are talking about all things agile and scrum! Most organisations use some form of agile methodology, and the likelihood is that yours does too. But what is it? What is Kanban? What is Scrum? What does a Scrum Master do, and why are they always sprinting? Amy helps us answer these questions and more in this episode: Fun with Purpose - A Scrum Guide!
In this Episode we cover:
Scrum Master: Coach, Not Boss: Ditch the project manager stereotype. A scrum master is a facilitator, coach, and mentor, guiding the team towards self-organisation and autonomy. Their ultimate goal? To make themselves obsolete by fostering a team that thrives independently.
Empowerment & Creativity: Scrum unleashes the full potential of your team. They become accountable, empowered, and free to be creative within the sprint framework. This fosters a culture of continuous improvement where everyone contributes to success.
Documentation - Enough is Enough: The agile manifesto doesn't advocate for zero documentation. It emphasises "just enough" documentation. Focus on clear, concise information that supports transparency and efficient collaboration.
Retrospectives with a Twist: Retrospectives are the beating heart of scrum. Make them engaging and fun with themes, games, and even time capsules. This playful approach fosters honest reflection and continuous improvement.
EPISODE 18: And The BAFTA For Best Cybersecurity Awareness Training Goes To…
This Episode we are joined by Damjan Obal, Head of design at Ardoq, lecturer and international speaker on all things design and data.
In this episode, And the Bafta for Best Cybersecurity Awareness Training Goes To…, we are looking at how we practically apply design principles to our security awareness programmes, with things like design thinking, the double diamond design method, opportunity solution trees and much much more!
We also look at the dangers of gamification and how to get your BAFTA-winning moment when delivering your security message to the business!
In this Episode we cover:
Convenience vs. Security: The Eternal Battle: You’re late for a meeting, and that pesky password reset pops up. What do you do? Convenience often wins, and that’s where security takes a hit. We’ll explore shortcuts, trade-offs, and the delicate balance between ease and safety.
Data Storytelling: Making Ones and Zeros Relatable: Security teams deal with mountains of data. But how do they turn it into compelling narratives? Whether it’s the sheer quantity of incidents or the relentless attacks, we’ll reveal how to tell data-driven stories that resonate.
Infographics: A Picture Is Worth a Thousand Alerts: Enter the superhero of visual communication: infographics! We’ll explore how these bite-sized graphics simplify complex security concepts. From breach timelines to threat landscapes, infographics make data digestible for everyone.
Tangibility in the Intangible: Making Cybersecurity Real: Cybersecurity can feel abstract, like chasing shadows. Think metaphors, analogies, and relatable scenarios. Because securing data isn’t just about 1s and 0s—it’s about protecting our digital existence.
The Gamification Dilemma: Fun vs. Functionality: Gamification is all the rage, but is it always the answer? Not necessarily. Remember, not every challenge needs a leader board.
EPISODE 17: F.U.D Off! Cybersecurity Awareness Beyond Compliance and Boredom
This Episode we are joined by Damjan Obal, Head of design at Ardoq, lecturer and international speaker on all things design and data.
In this episode, F.U.D OFF! - Cybersecurity Awareness Beyond Compliance and Boredom, we learn from Damjan about the importance of storytelling, the difference between game theory and gamification, what accessibility champions get so right that we in security get it so wrong, and how to design a security awareness programme that resonates with people and encourages empathy and behavioural change.
F.U.D - Fear, Uncertainty and Doubt - has been a mainstay in cybersecurity messaging, but is it serving us, or is it just turning people off our messaging? Find out in this episode whether there is another way and whether we should just tell F.U.D to F.U.D off for good!
—————————————————————————————————
In this Episode we cover:
How to use storytelling effectively: Why do we only talk about the stuff nobody cares about when we have such great stories to tell!
Finding your ‘WHY’: The first steps towards making your security engagements salient, relevant and focused on the bigger picture
Game Theory vs. Gamification: How do you use either effectively to make security awareness training more interesting and relevant
F.U.D Off: Why fear-mongering doesn’t work and how the odd joke might engage your audience better
Lessons from the world of accessibility: Learning how the principles of good accessibility might lead to better security controls and buy-in
EPISODE 16: That’s Illuminating! Protecting Aberdeen’s IoT Street Lights From Cyber Attacks!
This Episode we are joined by James Hall, developer and Founder of Parallex, a digital consultancy that focuses on ‘building better digital experiences together’.
In this episode, That’s Illuminating! Protecting Aberdeen’s IoT Street Lights from Cyber Attacks!, James shares his experience of securing public utilities and other IoT devices, how he ‘sells’ security as a value add to his stakeholders, and whether bug bounties are actually worth doing!
—————————————————————————————————
In this Episode we cover:
Agile means no documentation right? Wrong! While documentation is certainly lighter in agile teams, it doesn’t mean it is completely absent. But this lightweight style does bring its challenges and teams need to avoid keeping it all ‘in their head’ if they want security teams to understand what they are building and the security challenges that may come with that. James tells us about the danger of assuming prior knowledge and gives advice on how to test your documentation by giving it to the most junior member of the team and seeing if they can follow it. But while documentation is important we need to remember that…
Shared documentation is not the same as shared knowledge. It is not enough to ensure that everyone on the team is aware of the security requirements. It is important to have open communication channels and encourage team members to ask questions and share their knowledge.
Paired programming would help fill in the blind spots of any security issues there might be. It is important to acknowledge that there are things that we don’t know as developers and paired programming with a member of the security team can help fill in these gaps. By working together, team members can share their knowledge and learn from each other.
Securing IoT devices is challenging because hardware manufacturers don’t have an incentive to make their products secure. This is a major challenge in securing IoT devices, and it is important to be aware of it when designing solutions that rely on IoT devices.
Bringing risk to life is important otherwise people will ignore it. It is important to communicate the risks associated with cyber-attacks in a way that is easy to understand.
EPISODE 15: SHIFT HAPPENS: THE ART OF NAVIGATING THE SEAS OF CYBER CHANGE
Today we are joined by Paula Cizek, Chief Research Officer at Nobl, where she guides leaders and teams through the change management process, from assessing the organization’s readiness for change to implementing initiatives. In this episode, we explore the fascinating topic of Corporate Change and how its lessons can be applied to cybersecurity.
In the vast ocean of the corporate world, change is as constant as the tides. It can be exhilarating for some and daunting for others. As leaders, we often stand at the helm, eager to navigate new courses. Yet we must remember that not all aboard share the same vision or enthusiasm for these uncharted waters.
Why is it scary for many? How do leaders balance the excitement of innovation with the practicalities and emotions of their teams? We’ll explore the dichotomy of change - the loss and the gain, the risk and the reward.
We'll unpack the layers of change management, from the first ripples of a new idea within the executive team to the waves it creates throughout an organization. How do we bring everyone on deck, giving them the time to adjust their sails and embrace the journey?
We'll also navigate the treacherous waters of resistance. Not every objection is an excuse, and sometimes, they signal hidden icebergs. How do we, as leaders, distinguish between the two?
So, tighten your lifejackets and get ready to dive into the deep end of transformation in this episode, “Shift Happens: The Art of Navigating the Seas of Cyber Change”.
—————————————————————————————————
In this Episode we cover:
Why there’s such a gap between the exec team and boots on the ground when it comes to accepting and being excited by change
The difference between “Fail Safe” and “Safe to Fail” changes and projects
Why we should Start with the Skateboard
That not every objection to change is an excuse
How to communicate change effectively
Being comfortable with being uncomfortable when it comes to negotiation
Why Risk and Uncertainty are different beasts
EPISODE 14: HACK THE NEURAL NETWORK - AI AND CYBERSECURITY
Welcome to the third part of our AI mini-series.
In this episode, Jeff and Lianne discuss how AI is transforming the world of cybersecurity, and what you need to know to stay ahead of the curve.
They share their personal experiences with using AI tools, such as the custom GPT suite and the tool they are creating, Security Sage, to enhance their security practices and workflows.
They also explore the challenges and risks that AI poses to cybersecurity, such as phishing, vishing, OSINT, data leaks, and model inversion attacks.
They offer some practical advice on how to use AI safely and responsibly, and how to leverage it to become a better cybersecurity professional.
In this Episode we cover:
How AI is democratizing and disrupting the field of cybersecurity
How to use prompt engineering to get the best out of AI models
How to protect yourself and your organization from AI-enabled cyberattacks
How to use AI to improve your cybersecurity function and become an ally and enabler for your business
How to keep up with the latest developments and trends in AI and cybersecurity
BACK SOON
No episode this week!
We’re back to finish off our AI mini-series on the 4th January where your hosts, Jeff Watkins and Lianne Potter discuss how they utilise AI in their work as cybersecurity and tech specialists, their own hints and tips on how to get the best out of the tool, and their predictions for AI usage within the security field in 2024.
If you’re missing your Compromising Positions fix, why not visit our back catalogue of 13 fantastic episodes, or watch our festival special, The 12 Days of Breachmas, for short bursts of sweet cybersecurity content!
Links in the show notes and see you next Thursday!
EPISODE 13: 5 HOT TAKES ON AI
As we’ve been talking to our guests this year, the topic of AI and ChatGPT came up several times, and it quickly became apparent that their insights deserved a standalone episode. So we’ve been snipping them out of the main episodes to bring you, in the tradition of a season-based show, a lovely clip show! You’ll hear some familiar voices from season 1 and a few that will be joining us next year for future seasons.
Enjoy five hot takes on AI from five very interesting people!
In this Episode we cover:
In a knowledge economy, is it ethically right to pass off LLMs output as our own?
Should we ban our employees from using tools like ChatGPT because of cybersecurity concerns?
AI is only as good as the data it is built upon - so not very good, according to data analysts worried about bias!
Will AI replace customer service reps?
And what companies are putting AI on the risk register?
EPISODE 12: How to Use ChatGPT and AI to Level Up Your Cybersecurity Function
This week we are joined by Helena Hill, a seasoned UX Strategist and Consultant and AI expert with a wealth of experience spanning diverse clients, from pre-start-ups to global industry giants.
Last week Helena taught us how we in the cybersecurity team can effectively use the user experience team and its principles to improve our security controls and create a better journey. If you’ve not listened to that episode yet, do check it out.
This episode we’re asking Helena about her other expertise, AI, and how cybersecurity teams can use tools like ChatGPT to make our lives easier.
We’ll touch upon cybersecurity concerns around AI, but mostly this will be a practical episode on how to get the most out of these exciting tools.
In this Episode we cover:
How to use LLMs to enhance the customer experience
The Ethics of AI and Chatbots
Malicious uses of GPTs like FraudGPT
How to quality check your LLM creations
The Dangers of third-party GPT plugins
How to create better prompts and thus get better outputs
And how to use AI to improve efficiencies in your cybersecurity team and create better security awareness content
EPISODE 11: Are You User Experienced? Applying The Principles of UX & UR To The Cybersecurity Journey
This week we are joined by Helena Hill, a seasoned UX Strategist and Consultant and AI expert with a wealth of experience spanning diverse clients, from pre-start-ups to global industry giants.
In this episode, we explore the fascinating topic of UX and cybersecurity.
We’re going to learn from the UX function to see how we can create a better user experience for people on their security journey, learn how to get buy-in from the business about implementing controls such as MFA, and how to ‘sell’ our security value offering as a positive user experience.
And of course, crucially, how to take those first few steps to engage with the UX team!
This is the first of our two-part conversation with Helena. Next week we will be talking about her other specialism, AI, which kicks off our Christmas mini-series on AI.
EPISODE 10: It’s Not About the Cookie: The Power of Framing Interactions
This week our guest is Melina Palmer, a renowned keynote speaker in behavioural economics, the CEO of The Brainy Business, and host of one of the best podcasts on the practical application of behavioural economics.
In this episode, we're going to discuss the art of influencing both up and down, and how to tailor your cybersecurity message to different audiences.
Melina teaches us that it's not about the cookie - that is, it's not just about the product or cybersecurity awareness and controls themselves, but it's about how we frame information and communicate change.
With her expertise in behavioural economics, Melina shows us how to make change easier, reduce decision fatigue, and increase social capital through understanding and compromise.
If you're interested in understanding the behavioural science behind cybersecurity and how we can communicate more effectively, then you're in the right place.
EPISODE 9: What the Cybersecurity Team Wants and Can’t Tell You (Because they Need More Behavioural Science)
This week our guest is Melina Palmer, a renowned keynote speaker in behavioural economics, the CEO of The Brainy Business, and host of one of the best podcasts on the practical application of behavioural economics.
In this episode, we discuss how silos and tribal mentalities occur in the workplace due to confirmation bias and how we can expand the circle of empathy to create a more cohesive team.
We'll also delve into the issue of time discounting, availability bias and optimism bias to understand why people are drawn to the easy option in the moment.
We shall explore how the cybersecurity team's curse of knowledge can be a barrier to effective communication, and the need to create easier-to-digest content that enables 'buy-in.'
If you're interested in understanding the behavioural science behind cybersecurity and how we can communicate more effectively, then you're in the right place.
EPISODE 8: CYBERCRIME - THE GREATEST HEIST IN HUMAN HISTORY
This week our guest is Ray Blake. Ray is an advisor on financial crime matters and co-creator of the Dark Money Files podcast. In this episode, we explore the motivations driving individuals to commit such crimes, probing whether it's sheer greed, the allure of victimless crimes, or a complex mix of factors.
We discuss how the lack of direct interaction with victims and the personal rationalizations criminals make facilitate the perpetuation of these crimes. We also talk about the concept of corporate values and how they may not always align with individual morals, leading to a disconnect that can be exploited.
Furthermore, we look at the responsibility and moral hazard inherent in the fight against fraud, highlighting how cybersecurity often wrongfully blames the victim rather than focusing on the perpetrator.
A word of warning, listeners: we do discuss the darker side of crime, including human trafficking, which some of our listeners may find upsetting. If this isn’t for you, feel free to skip this one and we’ll see you next week.
EPISODE 7: If Data is the new oil, how do we prevent data spills?
This week we have a very special guest, Reema Vadoliya. Reema is the passionate business founder of data consultancy, People of Data, a gifted storyteller, and a professional problem-solver.
In this episode, Reema shares her insights on how to collaborate more effectively between cybersecurity and data professionals. She emphasizes the importance of empathetic communication, how sometimes quantifying risks is about gut feeling, not just metrics…
We look at how we can use data-driven storytelling to engage and educate people about cybersecurity, including how to make our phishing simulation stats not only more interesting to non-cybersecurity people but also how to make it actually drive meaningful behavioural changes.
EPISODE 6: What Would Dolly Parton Do?
Welcome to part two of our enlightening discussion with Matt Ballentine, Engagement Manager at Equal Experts.
In this episode, Lianne Potter and Jeff Watkins continue this conversation and dive deeper into the nuances of modern-day communication and work dynamics. Do we need to set new etiquette for engaging in conversations? How do we establish norms when our work environment is evolving?
Matt also shares insights on the importance of security in our workflow, the power of networking and the need for effective communication and some unconventional wisdom including our favourite thought experiment ever… what would Dolly Parton do?
Establishing New Norms for Work: Top Tips
1. Build Rapport: To establish new norms for work, you need to know who you need to influence and build rapport with them. Think about the language you use, ask for conversation, and set up a coffee club to create a comfortable environment.
2. Embrace Discomfort: Getting comfortable with discomfort is essential to establish new norms for work. Use metaphors to help address problems and think about what Dolly Parton would do to enable better ideas.
3. Be Inclusive: When off-shoring and outsourcing teams, think of the team as a whole. Be conscious of time zones and make people who are not in the room active participants.
4. Prioritise Communication: Establishing new norms for work requires prioritising communication. If it doesn't get prioritised, it doesn't happen. Avoid firefighting and focus on drills, learning, talking, and listening to create a comfortable and productive work environment.
EPISODE 5: WAR (Metaphor), What is it good for? ABSOLUTELY NOTHING!
This Episode we are joined by Matt Ballentine, an Engagement Manager at Equal Experts.
We do a deep dive into workplace culture and user-needs-centric cybersecurity.
Matt believes that the essence of modern leadership isn't just about supervision, but about becoming a nexus between people and ideas.
From the transformative shift of T-shaped managers to the pivotal role of psychological safety, we'll journey through the strategies leaders need to adopt to thrive in today's interconnected age.
Get ready to challenge your understanding of work, play, and the art of connection in this two-part episode.
See you next time, keep secure, and don’t forget to ask yourself, ‘Am I in a compromising position here?’
EPISODE 4: CODE RED - Empowering Engineers to Secure Our CI/CD Pipelines
In this episode, our guest Josh Nesbitt, CTO of Glean, a Leeds EdTech startup, shares his insights on securing the data of vulnerable people, the importance of accessibility and compliance in production-ready products, and the challenges of achieving usability, functionality, and security in concert.
Join us as we debunk common misconceptions around agile and explore how security teams can be more creative in their approach. We’ll talk about how to use tooling and engagement to get engineers and security teams on the same page and figure out if security champions are really working in our organisations.
EPISODE 3: I’M ONLY H.U.M.A.N.(S)
Today, we've got a super interesting interview with Christian Hunt, the founder of Human Risk. He's a Behavioural Science expert and author of the book 'Humanizing Rules', which explores how we can use Behavioural Science to improve compliance and ethics.
EPISODE 2: THE HUMAN OS - WHY WE CAN’T JUST CTRL + ALT + DELETE OUR COMPLIANCE PROBLEMS
Today, we've got a super interesting interview with Christian Hunt, the founder of Human Risk. He's a Behavioural Science expert and author of the book 'Humanizing Rules', which explores how we can use Behavioural Science to improve compliance and ethics.