Can you tell us a bit about your winning Real IT Awards (RITA) 2016 entry for the 'Innovation in Security Awareness' category and how it came about?
We control critical infrastructure at Tullow Oil so we had identified security as an issue. I was in constant touch with the ‘Head of Information Risk and Security’; Spencer Summons, and through our conversations, we became aware of the unique challenges we were both experiencing. These were largely around adoption of security, best practices amongst staff and the different reactions we were having across different cultures in our various holdings in Africa, South America and Asia. We decided that for security, or a compliance issue that is global you need people to behave in a certain way and this made us think about how culture played into this, as it seemed the issues we were having, although we didn’t understand them, were predictable. We began discussing how the issue of culture both at the organisational level, but then at the nation level impacts susceptibility to phishing, but also the ability for a programme to affect a change. That was really the impetus of it, and over the years we began to look at literature within the social sciences, applying theories of human behaviour to a lot of the security awareness initiatives that Spencer was rolling out. We could then measure the ability that those culturally tailored programmes were having to move the needle.
What was your main role?
I’m a trained anthropologist, so I was responsible for putting into practice the theory and thought process behind the initiative, looking at how national culture and its characteristics could relate to organisational culture and tie into cyber security. That said, it all happened in collaboration with Spencer, we spent a ton of time talking about it, and it wouldn’t have gone anywhere without the excellent and comprehensive security set up he had developed. The elements that made it interesting for the submission were the things we collaborated on together, but this was only possible because of the work he had done over the last five years to build up the core capability.
What challenges did you face alongside the cultural aspects?
The behavioural elements of trying to get an individual to do something different can be very challenging. Without an imminent threat, there isn’t a sense of personal fear about cyber security, meaning trying to elicit a response in someone to change a password because it’s ‘not as strong as it could be’ is difficult. Not only do they not perceive that immediate danger of threat, but also once they do change it, they don’t really notice a benefit either. It is becoming slightly easier as people become more aware and unfortunately, as more people get their information breached, but by and large there’s still that sense of people staying in their own bubble, looking at these measures as extra work.
What do you feel are the main benefits of winning a Real IT Award?
I think the validation we got from winning was incredible, and I think that’s part in parcel of the value of The Corporate IT Forum in general. You can put yourself into context; is what you’re doing crazy? Is what you’re doing two steps behind, or a little bit ahead? The ability to submit something and have it come back, having been peer reviewed, with people saying “wow this is really cool stuff”, firstly makes you feel great, but it is also a reward for bravery. What we were doing wasn’t normal and wasn’t tried or tested, so it gives us a bit more latitude internally to go experiment and to be more innovative in the future. It provided us with a very tangible justification that what we’re doing makes sense. I think that enables you to continue to garner the resources and political latitude to carry on trying new things.
Are you planning to enter the Awards again this year?
Unfortunately, we don’t have any projects at the moment that we felt were legitimately unique or different. Every time we get nominated it provides us with more validation, so we will submit again but just not this year.
What advice would you give to those submitting this year?
The narration is important, you need to find someone who will write the application well. Try and figure out what the beginning, the middle and the end of the story is and understand that the narration and the anecdotes that you can hang of that narration are really important to tell the whole picture.