Placing People at the Centre of Security by Melonie Cole – Mindshift


Mindshift is a Nelson-based business focussed on the people part of cyber security. Helping organisations reduce cyber risk introduced through training and awareness since 2018, Mindshift are proud to call some of Aotearoa’s biggest brands their customers. This article by Melonie Cole, Mindshift’s owner, talks about putting people at the centre of security conversations. Melonie won ‘best security awareness campaign’ in the 2018 ISANZ awards for her work at Spark NZ, was a finalist in the Women in Security Awards Aotearoa 2020, and has spoken lovingly about information security at security conferences and industry events including the ASIS NZ Women in Security earlier this year!

This article has been re-published with permission from the Editor of Security Magazine. You can view the full magazine article here.


We have one thing in common and that’s people

Whether we’re talking about information, physical, or personnel security, there’s one thing in common, and that’s people.

When we started Mindshift, our mission was to make a positive difference to the online safety of New Zealanders and we came up with the definition “cyber awareness is the information we give people to help them make good cyber decisions”.

After talking at a recent ASIS Women in Security event about my baptism into the world of security, I pondered whether the addition of the word ‘cyber’ to that definition has led me to silo our business into one that focused purely on our online world when it should be taking a broader approach.

When it comes to awareness, people are at the heart. It’s not just the information we give people to make good online decisions, it’s the information we give people to ensure they act in secure ways – whether it be handling information or with people directly.

I clearly remember the day I bravely asked a colleague “what exactly is information security?” I’ll never forget the withering look I was given, as if this was common knowledge. For most New Zealanders, ‘online safety’ may be a term more easily understood, and that included me too. How many others in our wider industry would love to understand the terms we assume to be understood? And who would enjoy learning about what people in different fields within security do? There may be opportunities, both professionally and personally, that are lurking, just waiting to be discovered.

Being brave enough to ask questions is something I talk a lot about. This becomes more challenging, I’ve found, as I’ve become more “seasoned” (aka older and wiser!) and there’s an expectation that ‘seasoned’ means you are the fountain of knowledge! Accepting that questioning and listening are vital life skills is critical for us all, especially those working in security where nothing seems to stay the same for long. Asking and listening is also how we connect with people. I love the saying “speak in such a way that others love to listen to you. Listen in such a way that others love to speak to you.”

It goes without saying there’s a place for formal training in any industry. In fact, for many working in information security, it seems never-ending and no-one ever starts out being an expert in anything. But surely nothing tops the richness of knowledge we absorb when we learn from our peers, friends, and people we respect in our industry. What opportunities are there to share experiences across our industry as a whole, especially those which encourage young people to consider security as a rewarding career choice?

No matter what age or stage of life or career we’re at, or the role we have, we are all contributing to the safety of our country and all New Zealanders. Take a second to reflect on that, that’s got to make you feel pretty good eh?!

Putting people at the centre of security conversations

People have hearts, minds, emotions, feelings – that’s what makes us human. We also have ways of doing things (patterns), which is how we organize information in our lives. It’s possible to change our patterns but our behaviors are unpredictable based on external influences which are often out of our control, like how we’re feeling that day, the pressures of work and life, and time constraints. All of that makes us more vulnerable to people who want to take advantage of us.

And there’s no better place for us to be taken advantage of than when we use the internet.

Undoubtedly, we underestimate risk on the internet because we feel we’re in control. We decide what websites to visit, what files to download, what emails to read. And because we have this sense of control of something we can’t actually see, we underestimate the risks.

What people don’t realise is that the websites they visit may be malicious, the files can be infected, or emails could be scams. When attacks happen, people may not even be aware.

Take the way we underestimate risk on the internet and combine that with the fact that the internet makes it simple for criminals to imitate communications that people trust, and it’s no wonder we’re so vulnerable to today’s cyber threats.

In the work we do at Mindshift, we’ve observed some key reasons why we think people exhibit cyber risky behaviors:

  • People will find the easiest and quickest way to do things, but it may not be the most secure
  • Security policies are not usually written in a way people can understand or connect with
  • It’s human nature to need and want things and not to miss out, so we’re lured to scams
  • We’re often distracted by other things, especially when we work from home
  • People may just not care – attitude is a big contributor to how people behave, especially if they feel unsupported or blamed, or just not engaged with what they’re doing

We often hear and see people referred to as the weakest link in cybersecurity. But when you consider all the external factors that people need to deal with, as well as developing their own secure ways of working, perhaps describing people as “cyber risky” is more accurate.

So the role we all play in helping people be more aware of security is very important. We need to find ways to give people the information they need to take the necessary actions to keep information secure and people safe. There’s no better time to do this than now, as people make work from home the norm and habits, good or not so good, start to form.

And if we think about doing this in a way that will be most useful and meaningful to people, then we need to put them at the centre of how and what we communicate, supporting and helping them at the right time wherever they are.

And remember, people have vulnerabilities (we are human!) and that’s what makes us risky, not necessarily the “weakest link” in security.