MindFit for CyberSecurity, Businesses Episode 3

Hello and welcome to Is your mind fit for cybersecurity? with Johannes Drooghaag, my very good friend whom I call JD because it’s a lot easier, and myself, Neville Gaunt. Now if you were listening at the end of session 2, you will have already downloaded Back to the Future for Cybersecurity from JD’s website. If you haven’t, what we go into here will be additional, but actually going back to that crib sheet, as I call it, will be absolutely fundamental to you cracking this nut we call cybersecurity. But here we go JD. You and I have known each other for a couple of years now and we’ve talked about this MindFit for Cybersecurity for a little while. You like the MindFit approach, I like your approach to cybersecurity, but come on, spill the beans: what do you mean by MindFit for Cybersecurity?

Well what I mean by MindFit for Cybersecurity is this foundation of MindFit, that it starts with “I can and I do because I know this is my responsibility”, and when we on the other hand look at how cybersecurity and information technology are handled within organizations, it is “them”. They will solve that for me, they are responsible, which is like 180 degrees away from what MindFit is all about. MindFit is about believing in yourself, getting the right mindset to believe in yourself, but also taking the responsibility that you own. I will do this. So if we are able, you and I and everybody we get involved in this, to change the mindset of how we treat cybersecurity, it’s going to be a tough day for hackers because they will be confronted with hundreds of millions of people saying “this is my responsibility and I pay attention and I make sure that I do the things the right way”, and that is what I mean by MindFit for cybersecurity. I am responsible and I want to make sure that I know exactly what to do, and in the area of cybersecurity I also know what I should not be doing. So, that’s my view.

It’s great because it comes back to something we said in the very first session, it was about the weakest link and a hacker will go after that weakest link. (exactly) What we don’t recognize is the weakest link could be someone in the organization. Not someone that’s been bribed, you know, to do something corrupt. You know, this is just an ordinary person that’s sent an email with the wrong encryption, that has accepted an email and not actually looked at who sent that email, you know. On occasion I’ve got an email from Apple, well, it says an email from Apple, and I’m thinking, you know, if Apple were getting in touch with me, would they send me an email? The likelihood is no. They would send something through the iPhone, so I look at the address. As soon as you click on that address it opens up and says at Apple1.com and you know darn well this is not from Apple, and these are just simple things. But that’s the MindFit bit, so you’re preaching right off the MindFit sheet. So you know, thank you for that. And the thing about where we come from in the MindFit arena is that we know, and this research is done on a fairly regular basis, global research as well, that 85 percent of people in the global workforce are disengaged. Now that’s passively disengaged, we call it “the can’t do”, you know, that just function at work, not really pushing any boundaries, just feeling very comfortable in their comfort zone, as a lot of people will call it. But there’s an element that are actively disengaged, and in my corporate life we would have called those saboteurs. Not necessarily saboteurs in the business but stopping things happening within the business so that we didn’t progress along the right road. And typically these are fairly senior people because they feel scared. Cybersecurity from my perspective, what I’ve seen so often, is a classic element where they are scared so they palm it off onto another part of the organization.
And we’re not talking about me and my team, we’re talking about you, your fault, your problem. (exactly) You tell me what to do. So what you say is music to my ears. But this 85% disengagement, does it transfer into and influence the cybersecurity arena?

Well it certainly does Neville, and when you showed me this research a few months ago I was shocked by two things. I was shocked by the 85 percent being disengaged. Although I have the same experience in my corporate life of course, 85 percent was not something I had on my radar screen. That it was that amount. And the second thing that shocked me is that 85 percent of the cyber issues have a human influence, and then I started to question myself. Is that coming from the same 85 percent? Would it be that 85 percent of a passively and actively disengaged group just don’t care, they don’t care about what the rules are, they don’t care about how to use that technology because they also don’t care about how to do their job or what the interest of the company is, or whatever reason that may be or whatever reason they have rationalized? But I was very intrigued by this overlap of 85 percent and some people passively not doing what they’re supposed to do and some people actively not doing what they’re supposed to do. And then I kept remembering this one sentence which I hate so much. That people told me in workshops but also in trainings and in coaching: “If I was not supposed to do this, IT should have made sure that I cannot do it, so I can do this, I can click on this link, that’s a failure from IT”, and that fits, to me, in that bucket of 85% being disengaged. And I started to see the links, and we had several discussions about it, and I’m getting more and more to the point that addressing the disengagement of that 85% is key, it is crucial to addressing the 85% human influence in cyber issues.

Wow. Well you and I have not talked about that really in the past, you know, and despite the fact we come from different areas, it’s all about, in many respects, the same people, but this 85% disengagement, as you well know, in my world is a shock. And if you talk to a lot of people around the world they say “well my business is never like that”, and the fact is they’ve never asked. You see these wonderful terms on their website that say “we are innovative and we look after our people, we take people along a journey, and we listen to them all the time when we implement new things”, and the first manager you talk to in the organization says “well I don’t know where they’ve got those words from”. And typically they’ve come from the board because it seems to be the right thing to say. I don’t want to be over critical, but this is fact, you know. You and I have talked about SDGs, sustainable development goals. There are some organizations that embrace sustainable development goals and some that actually just talk about them, and there’s quite a wide disconnect. You might call it part of the 85% disengaged arena, so let’s focus on that then. How can we actively and aggressively address this 85% disengagement in cybersecurity?

Well purpose is a very important driver, right. It motivates you to do things because you have a purpose in mind, and purpose comes from WHY, from understanding why. Why am I doing this? Why am I not doing this? So let us start by explaining why cybersecurity is important, and then we get into a lot of different areas. Cybersecurity is important because we protect the company, and by protecting the company we protect your job. This is one example. The second thing is that purpose must not only be put on posters by the leadership team, but actively carried by the leadership team, and I have one example from my own experience. The CEO, new in an organization, got me in as a coach and he did that same testing which everybody had to do, and which had been the same for the last five or six years already. And he did that test and had a very bad score. So what he then did was he posted his own score and he did two things. He said “I promise that I will repeat this test and I will do much better, but can you please send me the resources where I can find this information?”. And what then happened was two very interesting things. Number one is a lot of people basically explained to him “what resources do you want, because we have none?”, and secondly people started to make suggestions and people started to have a conversation with him, and he went along with that. He led that conversation to the end, to a point where they basically together came to the conclusion “ladies and gentlemen, we have to improve our cybersecurity training and the way we inform our team”, and that was done a little bit on purpose. And one thing that this CEO wanted to make sure of is, it’s not the new guy posting a new memo, it is the organization coming to the conclusion that we definitely have to improve something.
So the why was clear and he had the nerve or the courage to say “it starts with me because I messed up this test and I demonstrate to you that I don’t know all the cybersecurity rules, and then together we come to the conclusion nobody actually knows them, so let’s get this done”, and I do think that that’s a fantastic approach. I will not suggest that every CEO must now post some very bad testing, but it shows what you can achieve if it comes from leadership into the organization and then you start building this together. And there’s one other thing I would like to mention in this perspective. One of my first coaches in the manufacturing environment was Fred Bentley, and Fred Bentley had a simple rule: “if you need to polish the plant when I come, it’s a mess when I’m not there, and if you show me the plant the way it is in production and I’m satisfied, that’s when you’re doing a good job”. The same applies to cybersecurity, and the same applies to how, as an organization with a purpose and a why, you can get things done and still keep a clean plant, right?

I’m almost crying as well as laughing here, because you know what I always say. Leadership starts at the top. If you’re gonna change the culture you actually look at yourself at the top, and are you prepared to change the culture to what everybody wants? And that’s, as you say, that’s courage. So I would actually encourage all chief execs to do their own cybersecurity check and post it outside their door and send it to everybody else, because that’s true leadership, and the other thing is, it demonstrates engagement. If it’s right for me it will be right for you. So that, to me, that’s fantastic, fantastic leadership. So let’s look at each organization. Is there a universal, you talked about your Back to the Future for Cybersecurity questionnaire I suppose, but is there a universal roadmap for MindFit for Cybersecurity?

Well from my perspective, Neville, the MindFit roadmap as it is, to take you from who you are to a person with a can-do, MindFit, responsibility-taking mindset, that is the roadmap for cybersecurity because those are the things we need. We need that every person in the organization, not just one department with a budget, every person in the organization, has that MindFit can-do attitude and takes the responsibility and ownership with a can-do mindset, because the majority of the data hacks and the data breaches, willingly or unwillingly, come through a human factor. Somebody who didn’t pay attention, somebody who thought he wasn’t responsible, somebody who thought that somebody else had said that this was okay. Those are the majority of the data breaches, so if, with a MindFit approach, we take out the behavioral waste, we take out the won’t do and the can’t do, and we come to can do, this is what we’re supposed to be doing and we know why, and it’s no longer like filling out a checklist for auditors. It is about: we do this and we know why we do this, because this is part of protecting myself, my job, my company, etc. etc. And when we start doing that from a leadership-driven position throughout the organization, that’s when we are going to start winning. And this again, Neville, and I love it every time you say this, this starts in the five inches between our ears.

Yeah you’re so very right, and what we’ve done here over these three sessions is covered that from the start. We need to think differently, we need to accept responsibility. Stop passing the buck to someone else. Take that little responsibility for doing cybersecurity as part of your day job. So it’s not a tag-on, it’s what you do all the time, a bit like driving a car, to use the driving analogy. When we first start driving a car it’s really clunky, then we manage to pass our test, and then after that we learn how to drive the car. (exactly) So this could take a little time, but the point is if you start on the road, the first step makes the second step a lot easier. (exactly) So we’re coming to the end of our third session. We’ve given lots of advice here, so how would you just wrap up those suggestions for people to start acting?

Well the first step is a critical self-view: where am I actually, what risk am I actually undergoing, what could happen in the future? From executive leadership, the board, all the way throughout the organization. I don’t want to sound like a broken record and I don’t want to make this an advertisement for MindFit, but the MindFit program gets you the right mindset for cybersecurity and all the other tasks in the organization, and we need this mindset. We need can do, and we need especially I am doing. Right, no longer have that assumption that somebody else will do it. And my strongest recommendation to every organization is: please step away from the thought that compliance is cybersecurity, because that’s not the case. Compliance might help you with your security claim, but it will not help you prevent the issue. So get the right mindset, get the right training, get the right people, even get the experts you need, and then just do it. Get your can-do and start doing. Executive leadership first, then roll it out throughout your organization. Show your progress, show your lessons learned, don’t be afraid of saying “oh, we discovered that in this particular office area or in this particular part of the factory we had a big security risk, we solved it, this is how we’re now doing it”, because that is actually showing people that you’re taking it seriously. And showing that you’re taking it seriously and showing your progress is motivating the rest of your team. So those would be my first three most critical recommendations.

Fantastic JD, and I think we’ve given people a lot of food for thought. We’ve hopefully identified that the cybersecurity problem has nothing to do with IT, nothing really to do with just the technical side of life, but it’s a combination of me, you, everyone in the organization right up to the very top chief exec, the chairman of the board and in many respects the shareholders. Because they should be approving the budget to make these changes. Now we’re in a different arena these days; as you said earlier on, 80% of the security risks now come from old technology, and it’s the hackers that will find a route into that, and that’s the concern that all large organizations have. Don’t compartmentalize it, don’t put it into a silo, don’t pass it away as if it’s a technical problem. It’s not a technical problem, it’s our problem, and actually we can make it a really small problem if we engage everybody. I’ve really enjoyed this little chat we’ve had over three sessions. I hope everyone else has enjoyed it. That’s Is your mind fit for cybersecurity, the business version. In another episode you’ll see small businesses, employees fundamentally, and then actually our future, young people. How parents and teachers can really engage with this cyber problem that actually could be an opportunity. Thanks very much JD, and we look forward to seeing you in another session. Thanks very much for listening.