We control critical infrastructure at Tullow Oil so we had identified security as an issue. I was in constant touch with the ‘Head of Information Risk and Security’, Spencer Summons, and through our conversations we became aware of the unique challenges we were both experiencing. These were largely around adoption of security, best practices amongst staff and the different reactions we were having across different cultures in our various holdings in Africa, South America and Asia. We decided that for security, or a compliance issue that is global, you need people to behave in a certain way, and this made us think about how culture played into this. We began discussing how the issue of culture, both at the organisational level and at a national level, impacts susceptibility to phishing, but also the ability for a programme to effect a change. That was the impetus of it, and over the years we began to look at literature within the social sciences, applying theories of human behaviour to the security awareness initiatives. We could then measure the ability that those culturally tailored programmes were having to move the needle.
I’m a trained anthropologist, so I was responsible for introducing the cultural theory and thought, looking at how national culture and its characteristics could relate to organisational culture and tie into cyber security. That said, it all happened in collaboration with Spencer; we spent time talking about it, and it wouldn’t have gone anywhere without the excellent and comprehensive security set-up he had developed. The elements that made it interesting for the submission were the things we collaborated on together, but this was only possible because of the work he had done over the last five years to build up the core capability.
The behavioural elements of trying to get an individual to do something different can be very challenging. Without an imminent threat, there isn’t a sense of personal fear about cyber security, so trying to elicit a response in someone to change a password because it’s ‘not as strong as it could be’ is difficult. Not only do they not perceive that immediate danger of threat, but also once they do change it, they don’t really notice a benefit either. It is becoming slightly easier as people become more aware and, unfortunately, as more people get their information breached, but by and large there’s still that sense of people staying in their own bubble, looking at these measures as extra work.
I think the validation we got from winning was incredible, and I think that’s part and parcel of the value of The Corporate IT Forum in general. You can put yourself into context: is what you’re doing crazy? Is what you’re doing two steps behind, or a little bit ahead? The ability to submit something and have it come back, having been peer reviewed, with people saying “wow, this is really cool stuff”, firstly makes you feel great, but it is also a reward for bravery. What we were doing wasn’t normal and wasn’t tried or tested, so it gives us a bit more latitude internally to go experiment and to be more innovative in the future. It provided us with a very tangible justification that what we’re doing makes sense. I think that enables you to continue to garner the resources and political latitude to carry on trying new things.
Unfortunately, we don’t have any projects at the moment that we felt were legitimately unique or different. Every time we get nominated it provides us with more validation, so we will submit again but just not this year.
The narration is important; you need to find someone who will write the application well. Try and figure out what the beginning, the middle and the end of the story is, and understand that the narration and the anecdotes that you can hang off that narration are really important to tell the whole picture.