Forum members share their experience, advice and perspectives with the IT community.

Chris Rivinus - Tullow Oil 

Chris Rivinus is the Head of Business Systems at Tullow Oil, and co-facilitated the project that won the 2016 RITA Award for ‘Innovation in Security Awareness’. The initiative effectively challenged the hackers at their own social engineering game, through coupling social science and behavioural psychology principles with a cutting-edge network monitoring capability.

1. Can you tell us a bit about your winning Real IT Awards (RITA) entry for the ‘Innovation in Security Awareness’ category and how it came about?

We control critical infrastructure at Tullow Oil so we had identified security as an issue. I was in constant touch with the ‘Head of Information Risk and Security’; Spencer Summons, and through our conversations, we became aware of the unique challenges we were both experiencing. These were largely around adoption of security, best practices amongst staff and the different reactions we were having across different cultures in our various holdings in Africa, South America and Asia. We decided that for security, or a compliance issue that is global you need people to behave in a certain way and this made us think about how culture played into this. We began discussing how the issue of culture both at the organisational level, and a national level impacts susceptibility to phishing, but also the ability for a programme to affect a change.  That was the impetus of it, and over the years we began to look at literature within the social sciences, applying theories of human behaviour to the security awareness initiatives. We could then measure the ability that those culturally tailored programmes were having to move the needle. 

2. What was your main role?

I’m a trained anthropologist, so I was responsible for introducing the cultural theory and thought; looking at how national culture and its characteristics could relate to organisational culture and tie into cyber security. That said, it all happened in collaboration with Spencer, we spent time talking about it, and it wouldn’t have gone anywhere without the excellent and comprehensive security set up he had developed. The elements that made it interesting for the submission were the things we collaborated on together, but this was only possible because of the work he had done over the last five years to build up the core capability.

3. What challenges did you face alongside the cultural aspects

The behavioural elements of trying to get an individual to do something different can be very challenging. Without an imminent threat, there isn’t a sense of personal fear about cyber security, so trying to elicit a response in someone to change a password because it’s ‘not as strong as it could be’ is difficult. Not only do they not perceive that immediate danger of threat, but also once they do change it, they don’t really notice a benefit either. It is becoming slightly easier as people become more aware and unfortunately, as more people get their information breached, but by and large there’s still that sense of people staying in their own bubble, looking at these measures as extra work. 

4. What do you feel are the main benefits of winning a Real IT Award?

I think the validation we got from winning was incredible, and I think that’s part in parcel of the value of The Corporate IT Forum in general. You can put yourself into context; is what you’re doing crazy? Is what you’re doing two steps behind, or a little bit ahead? The ability to submit something and have it come back, having been peer reviewed, with people saying “wow this is really cool stuff”, firstly makes you feel great, but it is also a reward for bravery. What we were doing wasn’t normal and wasn’t tried or tested, so it gives us a bit more latitude internally to go experiment and to be more innovative in the future. It provided us with a very tangible justification that what we’re doing makes sense. I think that enables you to continue to garner the resources and political latitude to carry on trying new things.  

5. Are you planning to enter the Awards again this year?

Unfortunately, we don’t have any projects at the moment that we felt were legitimately unique or different. Every time we get nominated it provides us with more validation, so we will submit again but just not this year. 

6. What advice would you give to those submitting this year? 

The narration is important, you need to find someone who will write the application well. Try and figure out what the beginning, the middle and the end of the story is and understand that the narration and the anecdotes that you can hang of that narration are really important to tell the whole picture.


Special Interest Groups 

Office 365

Actively supporting organisations through their O365 journey.

Gender Balance Committee

Collaborating to improve diversity to the benefit of the organisation.


Establishing best practice principles for using/deploying Salesforce

Supplier Relationship Management

Building a Best Practice Framework for the SRM lifecycle.

Registered in England No. 3356661        VAT No. 927157412         Legal         Privacy and cookies         Accessibility

© 2016 The Corporate IT Forum