Lianne Lianne

EPISODE 20: Not New, But Novel - Tackling Risk In The Third Sector

This week we are joined by Sabrina Segal, an integrity, risk, and compliance advisor, with almost 20 years of experience in the public, private, and third-sectors.

In this episode, Not New, but Novel - Tackling Risk in the Third Sector, we take a look at the challenges facing the third sector when it comes to cybersecurity and technology risks. The third sector, which includes charities and non-profits, is often overlooked or underestimated when it comes to cybersecurity and risk management. But this sector faces unique challenges and opportunities that require a novel and holistic approach to risk.

Sabrina has a really refreshing take on risk and we will hear how she enables her clients to get to grips with what she calls ‘tolerable risk’ and why we can’t avoid risks, but we can reframe risks to not only identify threats but also opportunities. While at the same time, making sure everyone cares about risk, not just people with ‘risk manager’ in their title!

Key Takeaways:

Forget Risk Appetite and Risk Matrices - Embrace ‘risk awareness’ tailored to your mission and your organisation’s objectives

Identify Your ‘Tolerable Risk’ - Risk can’t be avoided but we can identify and work within our ‘risk tolerance’ for better informed decisions

Risk is a Two-Sided Coin - It’s not just about threats but opportunities too, and it’s much easier for people to get excited about opportunities than threats!

Don’t Greenwash Those “Charity Days” - Forget painting the fence, litter picking or sorting cans, instead donate your cybersecurity expertise for maximum impact

Risk Is Everyone’s Job - Ditch the ‘risk manager’ title and empower everyone to be a risk champion!


EPISODE 19: Fun With Purpose: A Scrum Guide!

This Episode we are joined by Amy Kouppas, a Scrum Master, D&I lead, and founder of a Women’s Health & Wellbeing group at Sky. 

We are talking about all things agile and scrum! Most organisations have some form of agile methodologies, and the likelihood is, yours does too but what is it? What is Kanban? What is Scrum? What does a Scrum master do and why are they always sprinting? Amy helps us answer these questions and more in this episode: Fun with Purpose - A Scrum Guide! 

In this Episode we cover:

Scrum Master: Coach, Not Boss: Ditch the project manager stereotype. A scrum master is a facilitator, coach, and mentor, guiding the team towards self-organisation and autonomy. Their ultimate goal? To make themselves obsolete by fostering a team that thrives independently.

Empowerment & Creativity: Scrum unleashes the full potential of your team. They become accountable, empowered, and free to be creative within the sprint framework. This fosters a culture of continuous improvement where everyone contributes to success.

Documentation - Enough is Enough: The agile manifesto doesn't advocate for zero documentation. It emphasises "just enough" documentation. Focus on clear, concise information that supports transparency and efficient collaboration.

Retrospectives with a Twist: Retrospectives are the beating heart of scrum. Make them engaging and fun with themes, games, and even time capsules. This playful approach fosters honest reflection and continuous improvement.


EPISODE 18: And The BAFTA For Best Cybersecurity Awareness Training Goes To…

This Episode we are joined by Damjan Obal, Head of design at Ardoq, lecturer and international speaker on all things design and data.

In this episode, And the BAFTA for Best Cybersecurity Awareness Training Goes To…, we are looking at how we practically apply design principles to our security awareness programmes, with things like design thinking, the double diamond design method, opportunity solution trees and much much more!

We also look at the dangers of gamification and how to get your BAFTA-winning moment when delivering your security message to the business!

In this Episode we cover:

Convenience vs. Security: The Eternal Battle: You’re late for a meeting, and that pesky password reset pops up. What do you do? Convenience often wins, and that’s where security takes a hit. We’ll explore shortcuts, trade-offs, and the delicate balance between ease and safety.

Data Storytelling: Making Ones and Zeros Relatable: Security teams deal with mountains of data. But how do they turn it into compelling narratives? Whether it’s the sheer quantity of incidents or the relentless attacks, we’ll reveal how to tell data-driven stories that resonate.

Infographics: A Picture Is Worth a Thousand Alerts: Enter the superhero of visual communication: infographics! We’ll explore how these bite-sized graphics simplify complex security concepts. From breach timelines to threat landscapes, infographics make data digestible for everyone.

Tangibility in the Intangible: Making Cybersecurity Real: Cybersecurity can feel abstract, like chasing shadows. Think metaphors, analogies, and relatable scenarios. Because securing data isn’t just about 1s and 0s—it’s about protecting our digital existence.

The Gamification Dilemma: Fun vs. Functionality: Gamification is all the rage, but is it always the answer? Not necessarily. Remember, not every challenge needs a leader board.


EPISODE 17: F.U.D Off! Cybersecurity Awareness Beyond Compliance and Boredom

This Episode we are joined by Damjan Obal, Head of design at Ardoq, lecturer and international speaker on all things design and data.

In this episode, F.U.D OFF! - Cybersecurity Awareness Beyond Compliance and Boredom, we learn from Damjan about the importance of storytelling, the difference between game theory and gamification, what accessibility champions get so right that we in security get so wrong, and how to design a security awareness programme that resonates with people and encourages empathy and behavioural change.

F.U.D - Fear, Uncertainty and Doubt - has been a mainstay in cybersecurity messaging, but is it serving us or is it just turning people off our messaging? Find out in this episode if there is another way and if we should just tell F.U.D to F.U.D off for good!

—————————————————————————————————

In this Episode we cover:

How to use storytelling effectively: Why do we only talk about the stuff nobody cares about when we have such great stories to tell!

Finding your ‘WHY’: The first steps towards making your security engagements salient, relevant and focused on the bigger picture

Game Theory vs. Gamification: How do you use either effectively to make security awareness training more interesting and relevant?

F.U.D Off: Why fear-mongering doesn’t work and how the odd joke might engage your audience better

Lessons from the world of accessibility: Learning how the principles of good accessibility might lead to better security controls and buy-in


EPISODE 16: That’s Illuminating! Protecting Aberdeen’s IoT Street Lights From Cyber Attacks!

This Episode we are joined by James Hall, developer and Founder of Parallex, a digital consultancy that focuses on ‘building better digital experiences together’.

In this episode, That’s Illuminating! Protecting Aberdeen’s IoT Street Lights from Cyber Attacks!, James shares his experience on securing public utilities and other IoT devices, how he ‘sells’ security as a value add to his stakeholders, and if Bug Bounties are actually worth doing!

—————————————————————————————————

In this Episode we cover:

Agile means no documentation right? Wrong! While documentation is certainly lighter in agile teams, it doesn’t mean it is completely absent. But this lightweight style does bring its challenges and teams need to avoid keeping it all ‘in their head’ if they want security teams to understand what they are building and the security challenges that may come with that. James tells us about the danger of assuming prior knowledge and gives advice on how to test your documentation by giving it to the most junior member of the team and seeing if they can follow it. But while documentation is important we need to remember that…

Shared documentation is not the same as shared knowledge. It is not enough to ensure that everyone on the team is aware of the security requirements. It is important to have open communication channels and encourage team members to ask questions and share their knowledge.

Paired programming would help fill in the blind spots of any security issues there might be. It is important to acknowledge that there are things that we don’t know as developers and paired programming with a member of the security team can help fill in these gaps. By working together, team members can share their knowledge and learn from each other.

Securing IoT devices is challenging because hardware manufacturers don’t have an incentive to make their products secure. This is a major challenge in securing IoT devices, and it is important to be aware of this when designing solutions that rely on them.

Bringing risk to life is important otherwise people will ignore it. It is important to communicate the risks associated with cyber-attacks in a way that is easy to understand.


EPISODE 15: SHIFT HAPPENS: THE ART OF NAVIGATING THE SEAS OF CYBER CHANGE

Today we are joined by Paula Cizek, Chief Research Officer at Nobl, where she guides leaders and teams through the change management process, from assessing the organization’s readiness for change to implementing initiatives. In this episode, we explore the fascinating topic of Corporate Change and how its lessons can be applied to cybersecurity.

In the vast ocean of the corporate world, change is as constant as the tides. It can be exhilarating for some and daunting for others. As leaders, we often stand at the helm, eager to navigate new courses. Yet we must remember that not all aboard share the same vision or enthusiasm for these uncharted waters.

Why is it scary for many? How do leaders balance the excitement of innovation with the practicalities and emotions of their teams? We’ll explore the dichotomy of change - the loss and the gain, the risk and the reward.

We'll unpack the layers of change management, from the first ripples of a new idea within the executive team to the waves it creates throughout an organization. How do we bring everyone on deck, giving them the time to adjust their sails and embrace the journey?

We'll also navigate the treacherous waters of resistance. Not every objection is an excuse, and sometimes, they signal hidden icebergs. How do we, as leaders, distinguish between the two?

So, tighten your lifejackets and get ready to dive into the deep end of transformation in this episode, “Shift Happens: The Art of Navigating the Seas of Cyber Change”.

—————————————————————————————————

In this Episode we cover:

Why there’s such a gap between the exec team and boots on the ground when it comes to accepting and being excited by change

The difference between “Fail Safe” and “Safe to Fail” changes and projects

Why we should Start with the Skateboard

That not every objection to change is an excuse

How to communicate change effectively

Being comfortable with being uncomfortable when it comes to negotiation

Why Risk and Uncertainty are different beasts


EPISODE 14: HACK THE NEURAL NETWORK - AI AND CYBERSECURITY

Welcome to the third part of our AI mini-series.

In this episode, Jeff and Lianne discuss how AI is transforming the world of cybersecurity, and what you need to know to stay ahead of the curve.

They share their personal experiences with using AI tools, such as the custom GPT suite and the tool they are creating, Security Sage, to enhance their security practices and workflows.

They also explore the challenges and risks that AI poses to cybersecurity, such as phishing, vishing, OSINT, data leaks, and model inversion attacks.

They offer some practical advice on how to use AI safely and responsibly, and how to leverage it to become a better cybersecurity professional.

In this Episode we cover:

How AI is democratizing and disrupting the field of cybersecurity

How to use prompt engineering to get the best out of AI models

How to protect yourself and your organization from AI-enabled cyberattacks

How to use AI to improve your cybersecurity function and become an ally and enabler for your business

How to keep up with the latest developments and trends in AI and cybersecurity


BACK SOON

No episode this week!

We’re back to finish off our AI mini-series on the 4th January, where your hosts, Jeff Watkins and Lianne Potter, discuss how they utilise AI in their work as cybersecurity and tech specialists, their own hints and tips on how to get the best out of the tool, and their predictions for AI usage within the security field in 2024.

If you’re missing your Compromising Positions fix, why not visit our back catalogue of 13 fantastic episodes, or watch our festival special, The 12 Days of Breachmas, for short bursts of sweet cybersecurity content!

Links in the show notes and see you next Thursday!
