REA Group’s CISO Craig Templeton has been in the job for just a few months. While the information security business has been largely focussed on technical skills, Templeton told his team they needed to develop a new ability; the Jedi Mind Trick. I spoke with Templeton about this and some of the challenges he sees when it comes to security and privacy.
Templeton says security has more to do with people than technology. When he started with REA Group in February this year, he told his team “The number one priority in this year is to build good relationships with the business. Your superpower is Jedi mind tricks”.
He said the expectation was that his team was already “cyber awesome” and equipped with sorting technical skills. But security is as much about psychology as anything else.
Craig Davies, the CEO of the Australian Cyber Securty Growth Network, backs this up. When I recently told him my son was planning a career in cybersecurity he told me to ensure he hit the books and study behavioural psychology as many of the technical skills we depend on now will be usurped by AI and other automated systems.
Amongst the challenges facing security is a compliance culture. Templeton says “Compliance is the lowest form of maturity. People do something because they have to do it because there’s someone beating them over the head if they don’t do it. Where the value is moving into culture”.
This is why he advocates a values-lead approach, where people follow good cybersecurity practice – he hates the term “best practice” by the way – because they want to do and they believe in it.
This is why traditional programs don’t work he said. The old model, where staff attend mandatory training each year and complete a multiple choice test after doesn’t build sustainable, positive behaviour.
“We want people to follow good practice because they believe it makes a difference. It’s about incentivising people to do the right thing when somebody isn’t watching”.
Templeton did some work with Royal Holloway Univeristy which was supported by the UK’s GCHQ through a grant into what constitutes secure behaviour. Two things need to be in place.
“The first thing is if you ask someone to do something they have to be able to achieve it themselves. It has to be an action they can do personally. The second thing is that they have to believe the thing you’re asking them to do actually makes a difference. If you’ve got those two things in place, you’re more likely to get that person adopting secure behaviour”.
One of the things Templeton rails against is “security theatre” – doing something that looks secure but doesn’t really make us any more secure. Things like having a “stupidly complex” password is an example. He said “People don’t believe in it and think it’s bullshit”.
The security industry has not done itself any favours, he said, as it often treats people like “idiots”.
One of the studies Templeton recently read pointed to giving people confidence as being important. People are more likely to act securely if they are confident their actions warri.
“We shouldn’t be trying to turn people into security experts. We should be giving them strategies they can enact themselves so when they’re outside the corporate protective zone, at home or when travelling, they know what they can do to protect themselves”.
He pointed to how we teach children to cross the road. While we might teach children to only cross when traffic lights permit it, we also implore kids to look left and right before they walk. Although the signals might say it’s safe “photons don’t stop cars”. It’s combination of technology and safe behaviour that protects users.
“Security is not a technology challenge; it’s a psychology challenge,” he said.
One of initiatives Templeton has used at REA was to create a bar during Security Awareness Week where his team would help staff members review the security of their social media profiles. He likened these to “digital tattoos”.
He then gave staff temporary tattoos as part of the session as a reminder and to add a fun element to the exercise and as a method of making a dry topic into some fun.
“It’s about how you engage with people,” he said. “It’s like ‘Think before you ink’. A digital tattoo is like a real tattoo – it can last forever”.
By appealing to people’s self interest, it’s possible to engage with them and create behavioural change that benefits them and the the business.