I’m always genuinely excited to find someone doing something new in the field of security awareness. This month I caught up with Sarah Janes, Managing Director at Layer 8 Ltd. Sarah started her career running security awareness at British Telecom (BT) and has delivered award-winning behavioural change programmes to FTSE 100 companies. Her team have used their background in playwriting, theatre, education and training to create a new approach to defending the security of the home and workplace, whilst aiding an organisation’s strategic development.
Why do you think a new approach to security awareness is needed?
I’d worked in the field for a long time, and struggled with the usual questions, ‘well does awareness actually change behaviour’, and ‘how do I prove the return on investment to get budget’. Then I was away from the security world for nearly two years after having a family. When I came back, the first conference I went to I heard exactly the same problems I had two years ago. Nothing had changed. People I talk to seem almost despairing that they’ll ever be able to tackle the human factor with any success. What I had seen change in the two years I’d been away was loads more ‘papers’ and ‘theories’ on the subject but nowhere was this brought together into a framework and set of tools that could be readily used and implemented. Most behavioural change programmes start with the assumption that if people know how bad it is, or what the consequences are, they will automatically change. It is in our nature as security specialists to look for weaknesses and problems that need to be fixed or strengthened. But as humans we work in a distinct way with fear. If the fear gets too big we run for the hills, or dig a hole and let someone else deal with it.
So what are you doing that’s different?
We help organisations tell their story through dramatic communications. Storytelling is a natural way for humans to learn. Stories make what we do meaningful by creating an emotional connection for shared learning. They persuade us what is important and what isn’t. A company’s security culture is a mass of stories which are shared, exchanged, and generated by the people who work for it. Stories reinforce how things are done in the organisation and where the buck stops. Through everyday conversations, people co-construct the organisations they inhabit. If the culture is a largely reactive one it will be because that’s how people currently talk about security in your organisation.
So it’s about emotionally connecting with people?
Absolutely! Drama-based approaches begin with the premise that all new behaviours begin in the imagination. Cultural shift starts with an emotional connection. We have worked extensively with Appreciative Inquiry, which is a model for analysis, decision-making and the creation of strategic change. If you want to know whether it works, just do a search for Appreciative Inquiry case studies on the Internet. The evidence speaks for itself. We’re using this theory and our experiences to create what we’re calling a ‘Layer 8 Toolkit’, which is being launched in September.
Is a background in corporate communications an advantage when trying to manage the human factor?
Absolutely, in my previous strategic communications roles I was closely aligned with the C-suite. The board had ultimate control over what communications went out across the business, and for them our objective was very clear. It was about ensuring their people had the knowledge, motivation and information to support the strategic objectives of their business. This gave me an understanding of what was on the Board’s agenda and how to get messages out across the business that are supported from the top. So when I moved into the security world I was at the advantage of being able to listen to the needs of the security team, but ensure that they were put into the context of the organisation. If there was a clear line of sight back to the business strategy then they would get coverage and support.
It’s fantastic to see security professionals such as Sarah innovating and trying new approaches. If we want to improve our efficiency and effectiveness at influencing human behaviour, then there’s really no alternative but to try new methods. This can be challenging, especially if stakeholders have a perception that security awareness is all about CBT (computer-based torture) and are wary of paying for anything else. Slowly but surely, professionals like Sarah are moving the profession forward, one mind at a time.