Introduction (00:30) You're listening to KBKast, the cybersecurity podcast for all executives. Cutting through the jargon and hype to understand the landscape where risk and technology meet. Now here's your host, Karissa Breen. Karissa (00:45) Good morning, Anne. Well, it's morning where you are. It's actually evening where I am in Australia, which is obvious because you are based in France. I'm really keen to talk to you today because you've got quite an interesting background, a nontraditional technical cyber background. And I think it's interesting because listening to people like yourself, we get to hear your opinions as well as your objective look into the industry. So I'm really keen to get into some of the specifics of the conversation today. But before we do that, we always like to start our podcast off. We're talking about you and your journey. So welcome in. And please tell everyone a little bit more about yourself. Anne Leslie (01:22) Thank you so much. I'm delighted to be with you today. So my name is Anne Leslie. I work for IBM in the IBM cloud financial services team on cloud risk and controls leader. I didn't start in cybersecurity. I came into cybersecurity via a side door almost. I spent most of my career working in financial services, financial services slash financial regulation, and then more and more technology. And I had a kind of a career moment three or four years ago where I just questioning myself about what it is that I'm doing, you know, that sort of search for purpose. And I just happened to meet somebody who's a longstanding cybersecurity practitioner and who has a sort of a side hustle, runs a programme to get young graduates and also midcareer women into cybersecurity. And we were chatting and he was explaining to me what he does, and he says, have you ever thought about a career in cybersecurity? And I looked at him and he's now a friend mentor. But I looked at him and it was just to me at that time a preposterous suggestion. How on Earth could I possibly move into cybersecurity? It really seemed like the bounds of the impossible. Anne Leslie (02:47) Anyway, we chatted for a little bit longer, and I took his card and didn't really give it that much more thought. But a change in my personal circumstances caused me to reevaluate a whole bunch of things, and my career was one of them. And I got to thinking, I'm going to be working for quite a few more years is my skill set. And what I currently know how to do is that going to allow me to stay relevant in an increasingly technology-driven jobs market. I was a software seller at the time. And that combined with sort of an emptiness that I was feeling about my current job and the trajectory that I was on in my career, made me think, well, hang on. Maybe that was not just a random encounter. Maybe that was the universe sort of throwing me a bone going, There might be another way. So I got back in contact with him, and he's a wonderful human, and he's just an amazing cybersecurity practitioner, amazingly generous. So a shout out to Patrick Wheeler, who runs Cyberway Finder. And when I contacted him, I said, Listen, I'm sorry for laughing the first time you suggested that maybe I should think about a career in cybersecurity. Anne Leslie (04:06) I'd actually love to have a conversation about that. And that's one of the things that I really like about cybersecurity as an industry and as a domain. I know we have our issues, but one of the things that I think does characterise cybersecurity practitioners is a generosity in terms of sharing expertise, in terms of giving time, in terms of wanting other people to succeed. And that's been a huge factor in me getting to where I am today. It's the generosity of other people. So he put me on a path of considering how might I take what I already knew how to do and the experience that I had, the transferable skills that we worked on identifying and by connecting me with other people and ISC Square actually were super helpful in this regard. We came up with a plan that because I'd spent time in financial services and because I knew about financial regulation and because cloud is such a big topic for so many banks and it's shrouded in complex regulations, that that was a good segue for me. So I kind of got myself organised and got myself into the headspace of, I'm going to do this. Anne Leslie (05:29) And I headed off to Amsterdam for a one week immersive training camp to get my CCSP, which is the certified cloud security practitioner certification from ISC Squared. And I turned up to that boot camp, and I was the only woman there, apart from the woman trainer. And that was kind of a pivotal moment for me. I had to commit to doing this or else back out. And I did have a moment where I made a terrible mistake. I'm not sure I should be there. And that came from a comment, a random comment from a tech probe. There were ten guys around the table and me, all of whom had a very similar background. They were trained in engineering or computer science, and they were all system administrators or network engineers. This was their day job, and it has been for quite a while. And then there was me. And when I introduced myself and my background, one of these guys turns to me and very unkindly said, what are you doing here? And I had this sort of shrinking feeling in my soul. It was sort of my inner five year old, my imposter, all of these very negative feelings. Anne Leslie (06:51) And it all got triggered in that moment. And I was there kind of going, oh, what, what do do I do? What do I do? And I caught the eye of the person who was training. And she held my gaze a fraction of a second longer than she probably normally would have. And in that moment, I interpreted it as sort of a moment of solidarity, where she was looking at me and saying to me and willing me to stay going, rise above it, it doesn't matter, ignore it. And I had to make that choice in that moment, which was, Am I going to commit to this with the risk I might fail? Or am I going to go all in? And at least even if I fail, I won't have the regret of not having tried. And in the end, it wasn't easy. But I nailed the certification. I realised in that week that I totally had a space where I could add value in cybersecurity. It didn't matter that I wasn't like these guys. The fact that I wasn't like these guys meant that together, their profile plus mine, that's where the magic happens, right? Anne Leslie (08:03) And it was a big learning, obviously a learning experience. It was a boot camp, but a learning experience in more ways than one. I learned the domain knowledge. I learned what I needed to get through that certification. But it showed to me what Patrick Wheeler had been saying to me, which was, we need different profiles, we need not just gender diversity, like, sure, we need more women in cybersecurity, but we need diversity of thought. We need people coming into our industry who think differently. We've had different life experiences, who see the world through a different lens, because when we have only deep subject matter experts who think in the same way, who have been in some ways formatted to problem solve in the same way, we're losing out on so much potential for coming up with different ways of addressing issues and different ways of solving really wicked problems that security practitioners have. So I learnt a lot of theory that week, but I learned that I needed to have more self beliefs. And I learned that if I was going to succeed, I needed to change my self talk. So that was, like I say, a pivotal moment. Anne Leslie (09:28) I needed to stop saying to myself and about myself, you're not technical, you're always going to be an imposter, you shouldn't be. Here. I've stopped labelling myself as non technical. I say I'm not an engineer, but I am continually reminding myself that I am technical in my own way. And that's been something that I also try and share with other, particularly women, but not only who are moving into our industry. We need to stop saying we're not technical because it limits the value that we think we can add. And we need to expand our self belief and the potentiality that we accord ourselves. Because once we embrace the fact that sure, we don't know everything, but nobody does. And that's why we have teams. The magic that you have when you get people who share values and who share a commitment to an outcome, when we have the intellectual humility to say, I don't know, can you explain to me why that might be the case? Can you explain to me how that works? That's one of the things that I think we can really keep on building on in cybersecurity, because there is, like I say, a generosity of spirit, but we need to get more comfortable with embracing the humility that comes with being able to put your hands up and saying, I actually didn't understand that. Anne Leslie (10:59) Can you explain that to me? Karissa (11:00) I love that. I love your story. I love your journey. Look, yes, people are technical, but skills atrify like what I was doing historically probably couldn't really do that today. That was a long time ago. And then there's so many different domains as well. I've sat in a room of people and then someone is saying, do you know what? That guy's going out of it? And you're like, no. So it happens. It's just human nature. No one wants to be the outcast. No one wants to say, I don't know what's going on, but guarantee if you put your hand up, the next five people do as well. So totally can relate to a lot of things that you said. I really appreciate that. So one of the things I'm curious about now is because you've come from that nontraditional background, like system admin and then engineer, architect, whatever it is. I like this because you do bring a fresh perspective to the market. Now, as your mentor was saying, Patrick Wheeler, that this is exactly what we need. And he's absolutely right. That's exactly what we need because we can't have everyone with the same pedigree or else we would get the same outcome. Karissa (12:06) So completely second his thoughts on that. So I would like to sort of unpack and address some of your observations as sort of, not a newcomer, so to speak, but someone who has looked at the industry objectively and you can sort of perhaps shed some light on what are you sort of seeing in this space. Because one of the things that you raised when we did catch up last year and it was interesting because I don't think I've ever had anyone say this, and I speak to a lot of people in this space. You mentioned that security people are focused on getting the business to understand security. But do security people get the business? Anne Leslie (12:53) Oh, yeah. When I came into security first at the beginning, I wasn't feeling super confident. And even though my confidence has grown over the past years and months. I still try to listen more than I speak. I love to talk, but I learn so much from listening to what other people say and the interactions that people have. And what I've noticed is that there is a big divide. It's almost tribal. Right. We talk about the business and we talk about security, and we talk about it as though they are disconnected tribes. And it's like never the train shall meet. And I have read so much in the press and blogs about how we need a security practitioner is how we need to educate the business. There's truth in that, right. I'm not undermining that as a point of view, but what I have noticed is that I have come across very few security professionals who are able to explain clearly and succinctly how their business, like the company that they work for, earns money in terms of what's the economic engine that drives the business. What is it that company does that customers want to buy, and how do we prioritise different critical functions in the business and the technology that underpins it in terms of, well, if that went down, what would it mean for our customers? Anne Leslie (14:49) What would it mean for the revenue stream we have, what it would mean for our financial results? Now, that's a critical question for a small to medium sized company, right up to the largest Corporation that's listed on stock exchange. Fundamentally, companies have an economic engine. They deliver something. They sell something product or service that customers buy, because without that, there really is no reason for the company to exist. And I really haven't come across that many security professionals, even at executive level, who are able to explain to you in really clear, simple terms how it is that the company earns money and what the decision criteria are for where they place their security investments. And that's one of the reasons that I actually think that the regulatory agenda that we have in Australia, in Europe, in the UK, which is focusing on financial services digital resiliency regulation is nearly always perceived as a burden. But I'm a big champion of this particular type of regulation because it forces the business to come together with it and risk and security to look at what is it that we need to do to make sure that our business causes no harm to our financial services customers? Anne Leslie (16:19) And we're able to know ourselves so well from the inside out that we can make really pragmatic decisions about what we need to protect and how we need to do it. And it's getting to a level of clarity where all of those stakeholder groups, it's like the fundamentals of the strategy that they'll teach you in business school. Right. Or in an MBA, you've got to be super clear on the articulation of your business strategy. And from that theory is that everybody is mobilised and aligned to a common set of outcomes. And the reality is that's really it sounds easy on paper, super difficult to do in Practise. But what I'm seeing is that the resiliency agenda, particularly in financial services, is forcing this to happen now. It's not going to happen overnight. But that's one of the things that I actually love about my role currently is that I get to kind of interact with such a variety of stakeholders, legal, governments and regulatory affairs, through to offering management and security teams. It's basically the whole spectrum of stakeholders involved in rolling out cloud technology that can be consumed by banks and tick all of the boxes along the way. Anne Leslie (17:44) And it's been kind of eye opening to me to see in our customers that these conversations don't happen so fluidly. And I'm loving that I'm getting to be an orchestrator of different kinds of conversations and bringing people together so that we can work together on an outcome that is shared. But how it's shared isn't always very well articulated. Karissa (18:11) So one thing I want to know is you're saying barely anyone that you've sort of spoken to knows how their company makes money. So I'm just curious, how is that the case? Like, why isn't anyone asking? I mean, we're going to get, I want to get into sort of reverse engineering that. But just to go back to behavioural line of thinking, how can people not know that? Anne Leslie (18:40) So let me qualify that, right. People broadly know. I mean, if you work for a bank, you're going to know that you have different lines of business. If you work for a software company, you're going to know that you sell software. So I'm not saying that people are so dumb that they don't know that. Absolutely not. But it's more a question of what is the most critical part of our business. And the reason that that's important is that the businesses that we're working in these days are increasingly digitalized, so they rely on technology. And it's one of the things that's a huge challenge in security is out of all of the things that we need to protect, out of all of the threats that are out there, out of all of the risks and the vulnerabilities that we have, how do we prioritise the ones that really matter? And it's that clarity that is business driven that I see is the missing piece. It's the view that can come from it and from security has historically been we need to protect our infrastructure like a blanket layer of protection. But when you have finite resources in terms of people, when you have finite resources in terms of budget, and when you have an infrastructure that is increasingly sprawling and environments that are on premise and in cloud, your attack surface is growing potentially exponentially, but your budgets aren't. Anne Leslie (20:24) And the resourcing you have available isn't. So you can't go for blanket protection, even though that's the psychological safety net that we would love to have. We're all good. We've protected everything. We're all perfectly locked down as humans. We love that comfort, but we just can't get it. And we need to get to a point where we are comfortable with knowing that some things are uncovered potentially unprotected or not protected to the level that we would love them to be, but that we have put the right protection on the things that really matter. And not all companies, and I would say even only a fraction of companies are really clear on what their Crown jewels are really clear in terms of. If those systems, if that data became compromised or unavailable, it would signal economic ruin for the business. And security 101 When I was making my first steps into this domain, I had somebody sort of sit down and explain to me the basics, and it took a few months for me to get comfortable, to start questioning how well the basics are applied. You know, when you're new in a domain, you kind of assume that other people know better than you, and they're all doing it perfectly. Anne Leslie (21:55) But that's been one of my big takeaways from the projects that I've done. And the interactions I've had with different types of businesses is you can't protect what you don't know you have. And there are so few companies that have a really good grasp of their assets in terms of inventorying. It in terms of visibility into the different systems that they have, the different technologies that they're using, and you really can't start having a sensible, risk driven, prioritised approach to security until you are really clear on what it is you have. And then the dependencies in terms of how that technology relates to the economic engine of your business. It's sort of the stoic philosophers. There's a lot we can learn from the stoic philosophers and insecurity. You've got to know yourself. You can't start worrying too much, really, about what's going on outside and making intelligent decisions. Because if you're worrying so much about the threat landscape without first being very clear on what it is you need to protect, then it's sort of spraying resourcing and funding onto projects and initiatives and technology additions that might be relevant. But you're not doing it mindfully, because you've made the choice on the basis of what you know about yours. Karissa (23:40) It's so true. Just to reiterate, of course, if you're working for an ecommerce company, you're going to know, oh, we sell clothes online, but I guess it's going a few layers deeper. What are the mechanics of that? How does that work? What type of platform are you using that people are purchasing? What are the payment gateways? How are you getting the stock that has been dispatched from the warehouse? How's that sort of like the whole maybe sort of people don't have that granular detail of the company's mechanics. They just go, oh, well, we sell clothes online, and that's the be all end, all of it so I think perhaps asking the right questions on how all of this works, because you are right. And that's what leads me to my next question. If you don't know what you've got. And I mean, I've spoken about this on the podcast with many guests like yourself. You don't know what we've gone, how can you protect it? And you don't know how your company makes money, whether it's okay, a broad, sweeping statement, sure, we sell clothes, but I mean, going a few layers deeper than that. Karissa (24:39) So how are people what's their thoughts on how we're going to protect the organisation? Because we can't even answer very fundamental, rudimentary questions. Anne Leslie (24:52) So where I've seen positive steps happening in this direction, it's in companies that have a healthy culture and humble leaders, leaders who are willing to say we don't know currently we need to get better at this. And that admission of a gap is the first step to being able to do something smart about it. And there aren't all that many leaders who are willing to show that kind of level of vulnerability to say we need to get better and it's okay for us as a company to admit we have gaps, but staying with our gaps is not OK. We need to do something about it. So it's having a leadership message that is giving or legitimising that. It's okay to say we're not perfect because there are so many companies where people spend their days posturing making out everything is good, we're golden and really doing something that's impactful, that will move the dial on better security outcomes and will actually give more satisfaction to the people doing those roles. Because nobody wants to spend their days shuffling paper and preparing decks for meetings that lead to nowhere. I fundamentally believe that people want to feel like they're contributing to something useful. Anne Leslie (26:28) So I've had one experience with a company where we managed to with a really peer sense of direction coming from a senior leader. We started to bring together the security team, the enterprise architecture team, a design team and some other stakeholders that knew of the existence of each other but didn't interact with each other that often. And we brought them into a kind of a design thinking session where it was being facilitated, sort of creating a safe space where we really wanted people to articulate what it is that they are currently hopeful and fearful about. What is it that they are doing? Seeing, thinking, feeling, and then aggregating that into a picture of right, all of you have a piece of the puzzle. How can we bring that together? And the outcome of that was a sort of a targeted task force where the enterprise architects, who are already working on mapping out business processes, started working then with the security architects and with some of the business stakeholders trying to build out not a two dimensional, but a three dimensional view of what does the enterprise look like in terms of business processes, what are the most important processes and data sources that that business has? Anne Leslie (28:08) And then putting a mapping of prioritised security controls so that you have this view of this is what the business looks like in terms of processes. This is where we think we need to put our security bets in terms of the technology systems and the security controls. And it was messy to start with, but it began to get more and more robust and clearer as the discussion progressed. And it's a question of really bringing together those people who have complementary skill sets. So that the lens with which we're looking at the issue is a whole of enterprise one. It's not just the security team doing their thing, it's not just the enterprise architects mapping out something in a silo. We need to bring them together. And it's that crossfunctional crossdisciplinary collaboration that's often missing. But what often blows my mind is when we get into these workshop settings, why do we not do this? More people try it on it. And it's just that I don't actually have a really good explanation. I only have anecdotal insight. It's just nobody thought of it before. And it's not like I'm not coming up with anything that is not accessible to other people and claiming to have a genius idea. Anne Leslie (29:37) But I am often surprised at how hesitant we seem to be collectively to kind of instigate conversations with people that we don't talk to that often. It can often just be a case of somebody who isn't used to talking to another person starting to do that. And there's so much merit, so much goodness that can come from having conversations across organisational lines. That's one of my big learnings in my career is you just never know what opportunities are going to come from having conversations. Karissa (30:14) One of the things that's coming up for me in my mind as just speaking there, Anne, is do you think that people are just more focused on security and like, doing security? I mean, I've spoken to from the United States who is very early on in the podcast, and he really spoke about, yes, independent silos. And he's like, we're not just here to just practise security, we're here to actually support the business. But do you think people perhaps lose sight of that and they're sort of just rocking up to work every day? They're in a security team, they're there to do threat monitoring or whatever it is. Do you think that they lose sight of that overall the business and then they see, I don't know, a truck that goes to the warehouse, that picks up the clothing, that then deploys the clothes, like whatever it is. Do you think that people are too focused because they can't see sort of too far ahead and therefore they're not having conversations with people because they don't feel like they need to? Anne Leslie (31:13) I do think people get too focused. And I do think security practitioners have a tendency to see the world through a narrow lens sometimes, but I don't want to say that and sound as though I'm judging because I say that absolutely without judgement. What I think happens is that there can be a sense of relentless pressure, insecurity and a sense of futility that can creep in because there's so much bad news. There's another threat actor, there's another campaign, and it can get very easily overwhelming. And the sense of trying to catch up, being on a hamster wheel of we're never doing enough, we're never going fast enough. And often the perception of feeling misunderstood. A lot of security practitioners that I talk to kind of go. Yet people just don't get what we do, we're trying so hard and yet we're always being told it's not good enough, it's not enough we missed. We only get attention when something goes terribly wrong, otherwise nobody even knows we exist. So there is that kind of feeling of not being appreciated in spite of the monumental efforts that are put in. And it can be very easy to get sucked into a rabbit hole of just looking at complex detail and not having the opportunity. Anne Leslie (32:50) Sometimes I think this comes back down to leadership not having that reiterated message, a benevolent message coming from leadership about what is it that we are all trying to do together and articulating how security fits into that and creating the context for crossfunctional collaboration. That's a leadership thing, right? Security can't fix that on their own. They can do things, but it's not just an issue for security to fix that's. How does the organisation function as a whole? Are we clearly articulating to all of our people and all of our business what it is that we're about, what it is that matters to us? And that I think is something that comes back down to good leadership, clear strategy, articulated around shared objectives and attainable relevant, meaningful goals that resonate with people. Security professionals, well, all people again, fundamental belief that all people want to contribute to something useful. I think that in security we sometimes have the tendency to get sucked up into busy work, which is I've been on projects, for example, where we got totally consumed by log onboarding into a sock. Right. And I'm not saying that that's necessarily an easy thing, but it's really easy to get sucked into details about log formats and are things available and how can you automate that and sometimes get distracted from the outcome of what? Anne Leslie (34:47) Hang on, remind me what it is we're ultimately trying to achieve here, because we can get distracted by the implementation details and forget the points. The initial thing that we're trying to achieve without any criticism or judgement of security professionals, because the efforts that are mobilised are, as I said, monumental. It is always wise to sometimes lift the head and say is what I'm doing here really useful, out of all of the things that I could be doing, is this the thing that is allowing me to add the most value? Might there be a better way? Should I be focusing on something else? That's always useful? And it's not just in security, I mean, that's in any role and just in life in general, sometimes lift the head and go, is this really what I should be focusing on? And it's the difference between going through the motions of doing something and doing something that matters, something that's impactful something that really makes a difference. Karissa (35:57) For example, I mean, I've spoken to people, CFO's and people in all parts of the business that said, I don't really get the security guide. I just don't really get him. He starts talking about the staff or her, and they feel maybe that again, the security people are going very detailed on things which I can relate to. Do you think that perhaps so if I put it like this finance guy talking to a security guy and then finance guy is like, I don't really get what security guys talking about. And then maybe he's a bit dismissive, because sometimes we don't understand things, we dismiss them. And do you think that it's not intentional, but maybe the security guy is just too detailed. The finance guy, I don't get it. So I'm just going to dismiss the guy. And then I guess it sort of then starts to breed this unhealthy culture. And that's why sometimes security people get a bad rap with the police. You're stopping a project. We've heard all these things. So you think there's a bit of that in there? Because again, it's quite easy to do that. I mean, I've been in meetings and I'm in security and I was like, I don't even get what that guy is going on about. Karissa (37:04) So I can relate to that. And I mean, if you're very removed, like a finance guy, he's going to have really no idea what this guy's going on about it. Perhaps he just sort of dismissed it and says, well, that's busy work, because he doesn't necessarily understand the tangible benefits of that perceived busy work. Anne Leslie (37:22) Absolutely. Breakdowns in conversation happen all the time, and there is a single reason for that. A lot of it comes down to individuals emotional intelligence and selfawareness. Again, I'm talking about Patrick Wheeler a lot, but he and I have so many great conversations about this. His big bugbear. One of his big bugbears in security is that we still refer to emotional intelligence and soft skills. And he said, I hate that term soft skills, because it gives the impression that they are a nice fuzzy wrap around. This is the currency of our domain. These soft skills in terms of being able to put yourself in the shoes of somebody else, being able to set aside your disbelief and try to entertain the idea that maybe you haven't seen everything to be able to practise empathy, to be able to really look at the world through a lens and a map that isn't your own. And we haven't got enough people who are able to do that. So again, it's not sort of judging the finance people are judging the security professionals, but the ability to be able to broach a dialogue with people who don't have the same subject matter expertise as you and to get to a point where they're not defensive and where they're willing to listen and where they actually share what's really going on in their mind. Anne Leslie (39:20) We need more people like that. And that's kind of the space that I've managed to find that I can add value in, because I'm not a deep subject matter expert on architecture, for example. I'm not a deep subject matter expert on any particular security domain. But I know enough to be welcomed into the conversation. And I know enough about finance because my background is in business. I went to business school, and I've been counting for quite a long time. And I have enough broad expertise to be able to be the translator for those different types of stakeholder groups and to try and get them to break down their walls of defensiveness so that I can try and elevate the conversation. I've got a really good example of having a conversation that almost went to the wall before Christmas, where in the group that I was in, we had sort of a hostile customer stakeholder who is trying to defend something that they've been pushing for quite a long time, and a colleague who has a quirky interpersonal manner but massive domain expertise. And it was just a personality clash. The two just didn't get on. Anne Leslie (40:50) But I knew they needed to speak to each other because one of them had a problem. And I knew my colleague had the solution, but they just weren't hearing each other. And we had some fractious meetings. We had almost a refusal on the part of the customers. I don't want to deal with that guy anymore. And I had to sort of take the kid glove and smooth things over. But that was my role in that situation. My role wasn't to be the subject matter expert. My role was to break down the communication barriers so that the person with the problem would interact with the person who had the solution and that they could actually hear each other. And I did have to keep steering my colleagues, saying, totally hear you where you're going on that point. But let's come back to this and that's. I think one of the things again, it's the value of teams, right? Not everybody has to be the subject matter expert or technical expert. There's real value to be had from having people in teams who can orchestrate the conversation, who can get people to communicate a little bit differently. Anne Leslie (42:10) And in the example you've shared, right? Where there's the breakdown in communication between finance and with the security team, you kind of need a mediator, right? You need the mediator who or facilitator who shows that there is actually more that ties them together than separates them. And it's finding that common ground. There could be disagreements about budgeting, there could be disagreements about what needs to be prioritised. But if there's a kind of a level setting at the beginning and an agreement and a commitment to an outcome. And that was the thing that when I was trying to get that conversation going with my colleague and the customer stakeholder, I had said, listen, can we agree if we agree on nothing else, can we agree that this is an outcome that we all want to achieve? And there was a sort of a moment of silence and they went, well, yeah, of course. I said, great, now we know. Now we know that we have something that we all agree on. We have a shared objective. Now what we need to do is figure out how we get to it. And that's a much better conversation. Anne Leslie (43:25) There's a commitment, there's something that ties us together. And I think that's what we need when we're trying to the different functions of our companies and the business is, let's articulate, let's make it explicit that there is something that we all agree on. There is something that binds us together, something that motivates us and resonates with us. And once we have that foundation, then we can start building on how do we get to a consensus view about how to achieve it. But when there's a disagreement, as long as we can always come back to that baseline of we're committed to achieving this somehow, then there's always a way to find a path forward. But that conversation about the commitment to a shared objective has to happen. Karissa (44:19) Do you think just fundamentally people just don't care about security? Like perhaps they're hearing what they're saying, they just don't care. And I say this because I think it's with any part of any business. So I don't know, HR like, keep your details up to constantly update your address and your name. If you get married, your last name, all of that. Now that's a very sort of low level example. But there's always HR, people emailing and saying, you've got to do this, you've got to do that, you've got to do your training and you're on boarding. And people do sort of glaze their eyes over because they know they have to do it, but fundamentally they just don't care. So do you think that people just don't care? Perhaps. Anne Leslie (45:01) I think there is definitely an element of that. But I'll qualify that statement by saying, I don't think it's malicious, right. It's not that they're not caring because they have some sort of evil intense. It's more that it doesn't seem relevant to them. They don't seem to understand that it affects them until something bad happens. And again, I think that's just a cognitive bias of our human nature. Karissa (45:28) You don't do it every day. Anne Leslie (45:30) Exactly right. I mean, we all know in our lives that we should hydrate properly, right? We should exercise, we should eat well, we should get seven to 8 hours sleep, and yet we don't do all of those things. We know it. There are some fundamental principles of staying healthy and yet we don't apply them, even though how to do it is available. There's lots of tutorials, there's lots of guidance, and I think it's the same sort of behavioural trait in relation to security. There is lots of good guidance out there in terms of what you should be doing in terms of security and cyber hygiene, but for the same reason that we don't take enough exercise. Well, we don't apply those principles of good cybersecurity hygiene until something bad happens. And I always say this, it's the same when people have a health incident, it's afterwards that they start taking their health seriously. And it's after there's been a breach that sometimes it's a sustained effort, sometimes it's just kind of a flash in the pan kneejerk reaction. Oh, we need to do better, but it tends to be only after they feel the pain of a data compromise, a breach, some sort of attack, that's when it captures people's attention. Anne Leslie (46:57) And I don't think that it's anything other than people. We're overloaded with a sense of responsibility. So many things that we need to get to and it doesn't feel pleasurable. We're not drawn to it because it's going to make us feel good and we don't perceive the danger, I think, until it actually hits us. Karissa (47:19) Yeah, it's so true. People got enough on their plate and it's like they're not being KPI on how good security is, right? They're like, hey, I'm just a HR person, so my job is to on board people. So maybe there's a little bit of transferring of the responsibility. It's not with them. So therefore it's not directly my problem, perhaps like, yes, I can contribute to it, but at the end of the day, I'm not getting KPI, I'm not going to get performance managed, I'm not going to get fired. It still is on those guys sitting across from us, really that it's somebody. Anne Leslie (47:49) Else'S problem and that somebody else is taking care of it. It's something that I think about a lot. I mean, I haven't got a set up, a perfect solution to this other than awareness. One of the things that I was looking at, I did some work in public sector healthcare and I was looking at some of the parallels between how health care professionals try to drive better health outcomes for populations. And there are models, actually, and it's really interesting to kind of look at how the health care sector tries to drive awareness and education so that incrementally people begin to take ownership of it. And I think there is definite merit in trying to look at how that type of Behavioural change gets propagated because it works in health care. Right. They have some really interesting case studies around educating communities so that they go from being totally clueless to resisting change to embracing the idea. Well, maybe. Okay, I'll give you a little bit of my brain space on that, to really taking ownership and changing their behaviours. And I think that's what we need to do. But it's psychology, right? I mean, when I was looking at how they do this, there are demonstrated proven ways of achieving it, but it's all about influencing behaviour, it's all about nudging. Anne Leslie (49:29) And I think as a domain in security, we could learn a lot and be a lot more impactful if we lent a little bit more on or lean differently lent on the insights from Behavioural economics, behavioural Sciences, in terms of how can we better understand human behaviour and how can we nudge people and collectively, then individuals and collective groups towards better behaviours for better outcomes. I think it's something that the insight and the expertise and the research exists, it would benefit our industry massively, I think, if we borrowed from it. Karissa (50:14) No, I love that. I love that example. And look, everyone's going to say securities, everyone's responsibility. Yes, that's absolutely true. But it still goes back to the psychology of the human of. Well, it's not on my KPIs, therefore I am not tasked to care about it. I mean, it's the same thing. If you're in the street and there's rubbish or litter on the ground, it's everyone's responsibility to pick it up. So we have a better, healthy Earth and you have litter everywhere. There's a side of respect for our own land, people still will pass it. So again, it comes back to, well, they're not tasked to do it. They're not forced to do it. So that it's not going to do it. Anne Leslie (50:50) Absolutely. There's a gentleman called Charlie Munger who works with billionaire investor Warren Buffett, and he comes out with sort of pithy pieces of wisdom. But there's one that I read and it stayed with me, which is if you're not thinking about incentives, you're not thinking. And I think that's something that we would really benefit from applying more insecurity. We need to think about how can we incentivize people to embrace the behaviours and embrace the mindset that we need to get to better security outcomes? It's not just going to happen organically. We need to put in place the incentives and the context and the conditions for people to start behaving differently and stop blaming people for when things go wrong. We're in such an industry for pointing fingers and for chastising and for victim. Blaming is terrible, really. Karissa (51:53) It is a big vendor in the media at the moment, which I'm not going to name. People are just being awful towards them. It's really unnecessary. And it's not again, generating that camaraderie. And it's like, what if that was you rolls reversed, you're in their shoes. You want everyone pointing at you and talking about you. It's just not the way to go about things. I think people think they're trying to help us again, how they are going about it. Anne Leslie (52:17) Absolutely. It's terrible to see that. But I like seeing on social media the people calling that out and saying, don't do it, don't go there, be better. It could have happened to any one of us. Don't be the person who points the finger. But absolutely, it's something that's still rife. My reading of that is that it is a symptom of people feeling vulnerable. I think that is often what happens when there is that kind of behaviour and something bad happens and they point the finger and the name and shame. It's a way of deflecting from the vulnerability that you might yourself be feeling. And I think what we need to do is build up a feeling within people individually and then more collectively of let's take away the anxiety. We're in a tough industry. There's threats coming at companies and individuals from every which way. But again, what I've actually done since Coban and the lockdown is I really tuned out a lot of media noise and I choose very carefully what I listen to and what I read. And I've gone back to sort of some timeless writings, not because I'm trying to be pompous and, you know, pseudo intellectual, but because I find comfort in things that have been written hundreds, thousands of years ago and sort of things like Epictitus, Markus Irradius about, it's empowering. Anne Leslie (54:04) You can always choose your response, can't choose what's going on around you, but you can choose your response. And I think that's a message that we really need to vehicle more in our industry, which is we can't stop threat actors being bad actors, but we can choose how we respond and we can feel more empowered. That disruption will happen, but it's not going to be catastrophic. We're going to need to build up more resiliency. And it's technical resiliency, it's operational resiliency. It's human resiliency, so that we get to a point where when the disruption happens, we don't just recover from it, we learn from it, and we become another author of borrowing a term here from NASA. The author of his name is escaping Me, Antifragile. I'm going to have to find the reference for us, but it's a wonderful concept, which is we can't control the world around us, but we can control how we turn up in it, and we control how we respond to external events so that when something happens that is detrimental, adverse circumstances, we can not just resist it, we can emerge from it stronger than we went into it. Anne Leslie (55:27) And I love that concept. It's this notion of antifragility. It's the world is going to keep on turning things are going to keep on happening. Some of them are good, some of them are bad, but a conviction and a belief that we will rise again in spite of the adversity. And I think that's something that we need to instil in security, which is this a positive belief that it's not futile, it's worth fighting for, it's worth the effort. Sometimes it's disheartening, sometimes it's exhausting, but a belief that it's worth striving for and that we can emerge from any adverse situation more resilient and more Antifragile. Karissa (56:18) I love that. I love that. So just lastly, one of the things I'd love to just quickly ask you now is the incentives. Do you have any ideas that perhaps people listening think that, oh, that's a good idea they can implement right away? I agree with you. Dangling that carriage is always a really good idea to get people to do something. So, yeah. Do you have any examples you can share? Anne Leslie (56:38) Well, I have an example again, call out to Patrick Wheeler, my cybersecurity hero. He's a lovely story of something that he did in the company that he works for where there was an attack. And the reason he and the wider security team became aware of it is because somebody in the business alerted them to it, because she had clicked on a link, she'd been fished. But instead of hiding it, she immediately went to the cybersecurity team and said, Listen, I know I shouldn't have, but I have. This is what's happened. And it turned out to be a very sophisticated nation state actor that was behind that. And what Patrick actually did once they'd successfully resolved that issue, was he publicly created an award, which is the Jenny Award, in the name of this young woman who had had the courage to admit that she'd done something that she knew she wasn't meant to do by accident. And Patrick shared that with his wider business and security community as an example of we were able to get to a good outcome for our company because we worked together and they've actually sort of instigated that now as a recurrent award where they call out and champion and celebrate good behaviour, that protects the business. Anne Leslie (58:28) And it's just one example. It's not going to solve the whole incentives issue, but what it does is create a feelgood factor where there wasn't one. It creates a feeling of community, it creates a feeling of, there's a point of doing this. People love to be celebrated publicly. And the fact that it took the shame away from there's a lot of shame sometimes in some companies. I think some people have even been fired for having been fished. So it was a way of changing the paradigm of how we look at the relationship between the business and security. And even when what could be perceived as absolutely the wrong behaviour don't click on what are potentially malicious links, they flipped it so that something positive came out of it. And that award now, which is calling out and celebrating the behaviours that are protecting the business seems to be something that has it's one step. Like I say, it doesn't resolve everything but it's one step that allows future steps to be taken to bridge the otherwise big divide between people on the front line and people in the business and people working in security so that they start feeling that there is something that ties them together and they share a positive experience. Anne Leslie (01:00:06) It was a nice feeling when that Jenny award was shared. People felt good and that's what I think we need more of. We need to put in place cultures where we celebrate the little wins. We don't often we highlight the catastrophes. We focus on the disasters. There needs to be a reason every day to celebrate something and it's just a long ritual, right so that people can feel good and that they can feel good together. It's the only way really of replenishing the energy and finding the resourcefulness to keep on going. Karissa (01:00:45) I love that. That's awesome. I totally agree. We do need to share things a little bit more upbeat. And we shouldn't make people feel bad because they made a mistake. Because we all make mistakes. And even security people make mistakes. Anne Leslie (01:01:00) Everybody makes mistakes. Karissa (01:01:02) Absolutely. So Anne, I really do appreciate your time today. I've definitely loved having this conversation. I think it's definitely been different to have the guests that I've had on simply because you do come from a very different background. So again, I really do appreciate you and can't wait to get you back on the show. Anne Leslie (01:01:22) It was an absolute blast. I loved having this conversation with you and thank you so much for sharing your platform with me. Karissa (01:01:28) Thanks for tuning in. We hope that you found today's episode useful and you took away a few key points. Don't forget to subscribe to our podcast to get our latest episodes. If you'd like to find out how KBI can help grow your side of business then please head over to KBI.Digital. * This is an auto-generated transcription.