PeepSec, the world’s first free, online summit on the people, culture and social aspects of cyber security, took place between Monday the 11th and Friday the 15th of June.
22 expert speakers offered actionable and practical advice on the most pressing issues facing the security industry today. Hundreds of cyber security professionals and enthusiasts joined us, but for those who couldn’t make it, here’s what you missed on the first three days.
(By the way, you can now get immediate access to all 22 PeepSec talks by simply registering for free here.)
Ben Brabyn, head of the world’s most connected tech community, Level39, kicked PeepSec off with an interesting series of thought-provoking and to-the-point opinions. In a chat with Oz Alashe, Ben covered the importance of the human aspect of cyber security and building a culture of security, amongst other things.
Of particular note were Ben’s views on what makes so many people indifferent to security and, by extension, how to make security more compelling.
Because so often the person whose conduct causes the problem doesn’t immediately see feedback, many people don’t take cyber security seriously. Anything you can do to close that feedback loop clearly has a huge contribution to make.
Ben Brabyn, Head of Level39
Chartered Psychologist and Associate Fellow of the British Psychological Society Dr Emma Williams followed Ben, with an expansive discussion largely born from her academic research. Unlike many in the field, Dr Williams’ research revolves around the influence of context on security practices. According to Dr Williams, our external environments have a hand in our behaviours – and the right environments can heighten our resilience.
National Security Advisor Janet Williams was third to speak on day one of PeepSec. Perhaps unsurprisingly, Janet focused her discussion on the security of nation states, explaining that it is now largely dependent on the security of UK businesses and organisations.
We can’t think, “It’ll just hit our own business.” An attack could have a knock-on effect on the whole of the national infrastructure. That’s why the investment in our staff is important. They could have a massive implication.
Janet Williams, National Security Advisor
MD of Priviness Sandy Gilchrist closed day one with candid advice on data privacy. As the managing director of a consultancy that specialises in helping organisations comply with the General Data Protection Regulation, Sandy’s simple and succinct views stripped reams of regulation all the way back to the European Convention on Human Rights, first drafted in 1950.
According to the convention, we all have the right to a private life. Sandy explained that, over the last 68 years, the convention seems to have been overlooked by certain organisations, but by developing privacy policies with that simple fact in mind, salvation is possible and probable.
We don’t actually need legislation to say to people what they can do. If you can change the culture of an organisation to make people think about how they’d like their data to be used, it makes a huge difference.
Sandy Gilchrist, MD of Priviness
PeepSec day two opened with an interview with author, academic and public speaker Professor Adam Joinson. Professor Joinson again offered advice on security from a different slant: this time centring the conversation on systems design.
It’s easy to blame users for poor security practices, believes Professor Joinson, but should we also be thinking about those designing insecure systems in the first place?
Professor Joinson argues convincingly that those designing systems are in a unique position to have a disproportionately positive effect on cyber resilience – and yet, frequently, their impact is harmful.
If you drive a car and the brakes don’t work, that’s not your responsibility. And yet, at the moment, the people who are bearing the cost of insecure systems are the end users or organisations.
Professor Adam Joinson
The Metropolitan Police’s Andrew Gould followed Professor Joinson and discussed the public value of good cyber security. Andrew is on a mission to increase engagement in cyber security for societal wellbeing, and discussed several interesting and novel ways of doing so.
Domain name registrar Nominet UK’s Cath Goulding then followed Andrew. In her interview with Oz Alashe, Cath talked through creating a culture of cyber security by getting the board engaged, before moving on to the dangers of selling-in security through fear.
You’ve got to start at the top. You’ve got to get leaders engaged. I’d love to see better metrics in the space. CFOs have numbers to show how well or how badly an organisation is doing. It’d be really good for the security profession to do the same.
Cath Goulding, Head of IT Security, Nominet UK
Dr Ioannis Agrafiotis of the University of Oxford ended day two, passionately arguing for greater collaboration amongst the security industry.
Dr Agrafiotis claimed our connected world has given us an opportunity that’s potentially too great to pass up and, if we could all admit we all have security issues, we may be better positioned to tackle them.
The Bank of England’s John Scott began PeepSec day three with a considered talk on people being our greatest defence. As with other talks, John offered novel advice on getting people engaged with security – this time by using nudge theory. Interestingly, John talked through a risk-based approach to cyber security, in which each security risk is considered. Some risks are worth taking, John admits, but at the moment too many of us are taking risks without thinking.
KPMG’s Caroline Rivett followed John, with a well-rounded talk that touched on everything from the security industry’s sub-optimal communication to achieving the ever-elusive culture of security so many CISOs desire. Caroline tied her discussion together by showing how the two were interrelated, offering a valuable lesson to all those in security.
Danielle Kingsbury, Founder and President of CyberSecPsych, was next on the bill. Alongside its focus on psychology, Danielle’s talk was characterised by how we might be able to help more people learn and develop cyber security skills, and where we may currently be going wrong.
We each have a particular way of analysing information and being able to address those different learning styles is going to be essential for us to address the cyber issue.
Danielle Kingsbury, Founder and President of CyberSecPsych
Day three came to a close with an energetic talk from Mark Milton, Founder and CEO of Amberlight. After warning against an over-reliance on awareness training, Mark turned to a common problem: security is often seen as an added frustration. His answer was to make security a benefit by using it to optimise business processes.
Mark discussed the value of security policies that help people achieve their goals – and how such policies can be developed.
Often, security teams aim to secure a business process assumed to be already optimised. Frequently, it’s not. If you involve users in the conversation, you can look at optimising process and making sure secure behaviours are the default.
Mark Milton, Founder & CEO of Amberlight
If you didn’t get a chance to attend PeepSec you can get immediate access to all 22 PeepSec talks by registering for free here.