Ian Anthony Baxter. PHOTO: Cybercrime Magazine.

CISO Report: Educating Nurses And Boards On Cybersecurity

Ian Anthony Baxter, CISO (UK) at Bank of Ireland helps develop good attitudes towards cybersecurity

David Braue

Melbourne, Australia – Sep. 26, 2022

The CISO Report is sponsored by KnowBe4.

Educating staff about cybersecurity is one of the many parts of a security professional’s job, but Ian Anthony Baxter has done it enough that he can tell when the message isn’t getting through — and in one memorable presentation to around 2,000 nurses, he could tell.

“I was trying to talk about security for them, but my pitch wasn’t landing very well at all,” the longtime cybersecurity consultant — who took up a role as CISO (UK) with the Bank of Ireland earlier this year — told Cybercrime Magazine.

“I remember sitting in that room, scratching my head and thinking about how I was going to make this issue alive for these people,” said Baxter, who eventually took a different tack.

“I hadn’t planned it,” he explained, “but I just said to them ‘if you care about your patients, you’d care about their data, and you’d care about their privacy.’”

“It landed with a lot of them,” he continued, “because they do care and they want to do a great job. But [the key was] finding the language that was a hook for them to say ‘yes, that makes sense to me… patient data is pretty critical stuff that you wouldn’t [want] put in the public domain.’”

Finding the right language to make cybersecurity matter can often be tough — and as Baxter knows all too well, it’s a common issue even at the highest levels of many organizations.

Baxter experienced similar issues when engaging with boards of directors that are still, on the whole, getting their heads around the idea of cybersecurity and the risks it poses for them.

That has made for some uncomfortable conversations in situations where senior executives have been given unfettered power to compromise security simply because of their seniority — such as the chairman “who didn’t like passwords, so had set his login to not require a password, then set up the network at his home to automatically log into the company network.”

“You could do a drive-by and log in as him from his driveway, and get right back into the company organization,” Baxter said, laughing as he recalled the conversation — just three years ago — in which security staff admitted “it had been set up that way because that’s the way he liked it, and no one said no to him back then.”

Learning to say no

Now managing information security at a major regulated financial institution, Baxter says his years as a consultant showed him how bad security attitudes can become when stakeholders fail to grasp the importance of security in terms that resonate with them.

And while intense pressure from industry and government regulators has forced boards to develop viable and usable cyber risk management practices, Baxter says, “there’s still a discomfort with the topic” within boards where one member is often tasked with investigating cybersecurity issues and explaining them to the rest of the board.

Those investigations have shaped the board’s relationship with the CISO, who has typically become the first point of contact for board members wanting to meet their new obligations.

“There’s a shift from avoidance several years ago, to a tacit acceptance, to a realization that they have to take it on board, to actually just seeing it as part of their job,” Baxter explained.

“It has been written to them very, very clearly that they’re accountable for this — so they have to be able to challenge me effectively and ask the right questions. And that’s just them doing their job properly.”

That doesn’t mean boards are automatically working in unison, however. One recent “casual conversation” about whether a company should pay a ransomware ransom, Baxter said, turned into a heated 15-way debate as a chorus of “yes” and “no” voices pressed their respective opinions.

Such discussions are an intrinsic part of the process of coming to grips with cybersecurity — but, Baxter said, the divergence of opinions reinforced the importance of doing so before an actual incident forced heat-of-the-moment decisions.

“You realize that if you were in the situation where you needed to make a decision, you’d be stuck real bad. We realized that we maybe want to act this out beforehand, and get to the point where we would understand if we would, when we would, when we wouldn’t — and do scenario planning so we could get some consensus within those groups ahead of time.”

Facilitating executive consensus around cyber risk management remains a key task for CISOs, who are still fleshing out their roles as cybersecurity risk rises in profile and draws in new stakeholders in new ways.

The unfillable cyber skills gap

Yet executive education is only one of the CISO’s tasks, which also include wrangling robust cybersecurity outcomes from teams whose membership keeps changing as workforce trends like the Great Resignation continue to take their toll.

With cybersecurity staff increasingly testing the waters and often moving between companies as a result, Baxter said, “recruiting is hard — and retaining is even harder.”

“We’ve trained people up internally, brought them to a great level, and then off they go because the market is very active right now,” he explained. “We’re starting to realize that we’ll never fill all those vacancies. We will never get to the end of painting that bridge.”

Younger people, he said, often seem more familiar with cybersecurity concepts and it may well be that they prove easier to train and engage over time.

Yet language has also become an issue in recruiting, with Baxter recently involved in an effort to boost the inclusion of women in the cybersecurity sector and realizing that many potentially good candidates weren’t even bothering to apply.

“We learned that the language was itself a huge barrier,” he explained. “The way you write a job ad can just turn people off immediately — so we went back and thought about how we could rewrite those ads and start to appeal to individuals sooner in the cycle, so they could see that there is a pathway from what they’re doing now into cyber, and that it could be a useful and meaningful one.”

“We’ve got resources that could move into this space, but haven’t thought of it as a career. And that’s the way we’re starting to tackle some of those pockets of opportunity.”

– David Braue is an award-winning technology writer based in Melbourne, Australia.

