The American businessman and philanthropist Warren Buffett once said, “I don’t know that much about cyber, but I do think that’s the number one problem with mankind.” If that is the case, why are so many people put off by cybersecurity? In my experience it’s a belief that it’s too complicated, it costs too much money or it’s something that they do not need to worry about. Unfortunately, when people have those beliefs, it can be very difficult to get them to change their mind.
If you work in IT, then you understand the importance of cybersecurity. The same can be said for those who have experienced a breach, and it’s a safe bet that they wish they hadn’t been put off security in the first place. However, these are not the people who still need to be convinced. It’s the sole traders and the micro and small business owners with no IT experience at all who need to take steps to secure their business.
So how do we get them onboard?
I’m showing my age here but when I first started working at Grampian Police in 1998, we did use computers, but not for everything. There was still a lot of paperwork flying about between departments. I would hazard a guess that no one knew what cybersecurity was. That was the case for me for the first 10 years I worked there.
It wasn’t until I became a Counter Terrorism Security Advisor (CTSA) that I started to learn more about cybersecurity. The role of a CTSA is to provide protective and counter terrorism security advice to all businesses, both public and private. I found myself engaging with a whole host of organisations from energy firms and laboratories to shopping centres and companies that provide vital functions to the running of the UK.
However, as important as physical security is, I realised that the expensive CCTV system could be taken out by a phishing email and some malware, and you could bypass the security gate by having someone pick up a random USB stick, walk past security and plug it into a networked computer.
It was clear that cybersecurity had to be considered as part of a holistic approach to security. But what did I know about cybersecurity? I didn’t have a degree in IT, computer science, or ethical hacking. That was when I learned that being cyber secure was about more than just processes and technology.
My last job within Police Scotland was with the Cybercrime Prevention Unit where I worked with businesses, public sector organisations, charities and schools delivering cybercrime security information. I travelled thousands of miles across Scotland speaking to as many people as I could, and my main objective was to influence the behaviour of both individuals and businesses to improve their resilience in tackling the threat of cybercrime. I even won the Police Scotland Police Staff Member of the Year award.
On a mission to educate
When I joined Converged Communications Solutions in the summer of 2020 the company were on their own mission to educate. You could argue they took a risk when they employed me as Chief Security Officer because I don’t fit the typical profile. So why did they?
When I saw the then CEO of the National Cyber Security Centre, Ciaran Martin, speak at the Scottish Police College in November 2018, he said that businesses need to stop seeing cybersecurity as “techie” and “geeky” and he is right. But for businesses to not see it as such, we need to employ people who can demonstrate this, and that comes from embracing people from all sorts of backgrounds and experiences. I guess that is where I fitted the bill.
So back to that question I posed earlier. How do we get the sole trader, micro or SME business onside? As technology continues to seep into all areas of business, the scope of the cybersecurity industry has grown exponentially, and the result is a need for greater transferrable skills. Clearly there are many roles that require a technical capability, but as important is the ability to communicate clearly, listen, problem solve, resolve conflict, and never underestimate the importance of a positive attitude.
Taking the technical out of cybersecurity
My job is not to seek out the people who understand and embrace cybersecurity, but to find the person who hasn’t yet started on their cyber journey. The people who are still, for whatever reason, put off. The way to do that is not to baffle them with technical terms and overly complex, superfluous details, but to explain in a simple way that cybersecurity does matter to them and that it doesn’t have to be complicated or expensive.
My career took many different paths, and despite not having the “traditional” background for someone in my role, I have been welcomed into the industry. I want to tell others that anyone can work in cybersecurity. The majority of people I speak to day-to-day are not interested in the technical aspects of cybersecurity. In fact, many of them have found themselves in a similar situation to me, where cybersecurity, data protection or cyber training responsibilities have been added to their job spec. And as cybersecurity is everyone’s responsibility, this is no bad thing.
I want to educate, change misperceptions and break down barriers so that organisations can be more cyber confident but also to encourage more diverse people into the industry.