Skip to content


Infosecurity Keynote Review: Establishing an Enterprise-Wide Cybersecurity Culture

infosecurity APMG

Showcasing our new CDCAT cyber-security tool at infosecurity’s APMG stand

Like thousands of others in the industry I piled into the Olympia, London, for the infosecurity Europe conference this week. A highlight for me was the keynote speeches and one discussion in particular struck a chord – the focus of IT has shifted from technology, towards company culture.

The level of interest in the panel discussion, ‘Establishing an Enterprise-Wide Cybersecurity Culture’, was evidenced by the lengthy queue to get in. The moderator justly called it an esteemed panel, with the panellists including David Jones, Head of Information Security, for the BBC; Andrew  Rose, CISO and Head of Cyber Security for NATS and Lee  Barney, the Head of Information Security, for the Home Retail Group (which encompasses retail brands like Argos, Homebase and Habitat).

Panel speakers discussed and shared their experience on how to develop an information security culture within an organization. The first topic broached was how to effectively communicate cyber security. David Jones identified the BBC, as many organizations are, as ‘legacy based’ and compared making changes in the BBC to turning a tanker. He talked about making communications relevant to individuals, a common theme throughout the session.

This point was expanded on by the entire panel with a key point being to use tailored messages for people at different levels within the organization. At non-executive level the recommendation was put forward that security changes needed to fit into individuals’ work routines and there was a need to ensure changes didn’t hinder existing process.

Jones referred to using examples of security breaches that have received media attention to raise awareness, he used the famous Sony leak in 2014 to demonstrate. Mentioning that that this breach occurred ‘because of one person’s mistake’ strongly resonated with many. Staff at a senior level related to the consequences of emails becoming public and creative people could relate to how it would feel to have their creative property leaked.

As well as the theme of making the messages relevant to individuals, the other significant takeaway for me was the recommendation by the panellists to focus on measuring if specific behaviours have changed, not on measuring cyber security awareness. Practical ways to measure change in behaviour before and after awareness campaigns were put forward, including: questionnaires, using phishing campaigns or tools that test cyber security and utilizing the data from technology controls already in place.

As well as offering advice, this discussion kept people at the heart of cyber security, a concept AMPG thoroughly agrees with and one we hope will be central to more panel discussions going forward.

Posted in Cyber Security, Events.

Tagged with , .