Government Keynote: Creating a Workforce Culture of Vigilance and Continuity for a Hybrid Working Future
Philip Wagner
Director of Cyber Security,
National Disability Insurance Agency (NDIA)
A new way to look at cyber vigilance
Cyber security is about ensuring the protection of both hardware and software, which means physically protecting them against threats, but in many ways a secure cyber environment also depends on having the right kind of attitude. At least that is the view of Philip Wagner, the Director of Cyber Security at the National Disability Insurance Agency (NDIA). He says that the NDIA is a “very unique organisation that exists nowhere else in the world.” It is predicted that the NDIA will spend “$120 billion over the next four years on about 600,000 of our most vulnerable Australians to give them a better quality of life.”
The problem though, especially from a cyber security perspective, is that the organisation has already been set up, so “we are building the house while we’re living in it.” This is especially challenging because, as a result of COVID-19, “we’ve compressed seven years of technological investment into two.” The pandemic has meant that “the concept of work has changed forever,” whilst the impact has been “profound on all of us, individually, collectively and organisationally.” Yet at the end of the day, people and organisations are mostly concerned with what all the chaos and confusion means for them. The “culture of vigilance” needs to be personalised.
Though it might seem basic, one of the ways to personalise vigilance is to put it into the context of “fundamental human needs.” According to Tony Robbins, the American life coach and speaker, there are “six human needs: certainty, variety or uncertainty, the need for significance, the ability to grow and evolve, connection – especially human connection as exposed by COVID-19 – and the desire to contribute.” All of these “shape human behaviour.” The thing people forget though is that they shape everyone’s behaviours, “including those of our opponents.” So the only way to drive any kind of change, including a culture of cyber vigilance, is through “leadership. It has to be driven from the top. And it has to involve everyone.” Without individual and collective involvement there can be no commitment. One of the ways of including everyone is to craft messages for different audiences. At the NDIA this is part of their DNA because “we have to craft messages for those who are hard of hearing and for those who are visually impaired.” In other organisations too, the messages have to resonate with the different cohorts.
These messages need to be not only customised but also direct and specific. “You need to tell your people how you want them to respond to cyber incidents and what you want them to do.” For instance, it is very important to lock PCs when they are not being used, but this behaviour needs to be modelled by the leaders and done by everyone. “Only through leadership can we build trust, and it is trust that underpins everything.” The pandemic has shown that “through no fault of our own,” trust in many institutions has been strained. The way to get it back, and the way to build it up in the first place, is to go back to “cyber first principles.”
Building and creating the appropriate tools
To start with, every new process and culture needs to be reinforced by context. A federal agency like the NDIA is a different environment to a local or state agency. This is important to take into account at the outset. The next thing is to create a plan. “What are the key principles we want to live by in terms of security? How do we want to be protected and what do we want to detect?” Once this is resolved, “write it out as a policy document.”
“Too many times I’ve seen situations where people say something must be done, so they go out and do something to plug a hole rather than fix a problem. It should be that a plan, a policy and a process must be developed first, and then you go out and get the tools to support your process and your policy, not the other way around.”
Philip Wagner, Director of Cyber Security, National Disability Insurance Agency (NDIA)
As a result of the tools not fitting the situation, “too many times the individuals don’t use them, but who could blame them?” The way to get people to use the tools is to involve them in creating them, and then to “review, revise, test and adjust.” Getting people involved in creating the tools helps them to use them but also helps them to “be part of the discussions and the conversations.” It also makes the tools “readable and understandable” because without others involved, IT tools and processes often involve “jargon and specific words that few others understand.”
When creating a new culture and a new way of doing things, there are “two incredibly important parts.” The first is to try to make the point using “visual storytelling.” In other words, “tell a story that is relevant and relatable,” and one where people can see themselves being part of it. For instance, elderly and other vulnerable people are often more susceptible than others to online scams. In fact, they are often specifically targeted because they are vulnerable and don’t know better. “At the NDIA we see this a lot. We see our most vulnerable Australians being taken advantage of,” and sometimes there is little that can be done to stop it, especially after the scammers have broken through. But maybe “through storytelling we can better tell people what to look out for. We can connect to them and make it relevant and relatable directly to them.”
The second thing is that once the story has been developed, it needs to be articulated – “told, shown and reviewed.” It needs to be published widely within the organisation and people need to feel that they are part of the process. “Tell them why you want them involved,” and adjust the story and the processes as circumstances change.