Dr Jessica Barker is an award-winning global leader in the human nature of cybersecurity. Together with her husband, FC, she founded Cygenta, a boutique company that advocates that the best, sustainable defence against threats needs to take into account all aspects of security risk – human, technical, and physical. Alongside her work at Cygenta, she is a best-selling author, speaker, and media commentator.
Jess is one of my favourite cybersecurity professionals, not only because of the breadth and depth of her knowledge, but also because of her kindness and empathy. It was, therefore, a great pleasure to sit down for a chat with her about how we can empower the human element of security. The interview has been edited and adapted for brevity and clarity.
What should we know about Cygenta? What is your offering?
Jess: At Cygenta we help clients with human, technical and physical cybersecurity, and sometimes all three at once. We do everything from penetration testing, which includes typical pen testing as well as smart devices and smart buildings. We also have expertise in physical security, so that comes into the smart building element, of course, but also more traditional penetration tests and assessments. And then on the human side, we help our clients with understanding their cybersecurity culture and with building more positive awareness and behaviours around cybersecurity in their organizations.
I know that your background is not in cybersecurity. Do you think that this diverse knowledge has helped you navigate the complex cybersecurity sector, and if so, how?
Jess: It absolutely helped me. When I was approached for a job in cybersecurity about 11 or 12 years ago, I had no background in it at all. In fact, the first thing I did when I was approached was Google "what is cybersecurity?"
My background is in sociology, politics, urban regeneration, and civic design. It took me a couple of years to understand, because I was surrounded by people who had a more traditional background. But then I started to realize why I had been approached for that job, and where my skills could help me and help the people I was working with.
When we think about human behaviour, we have learnt so much about that in the last 50 years, more than we have ever learnt in the history of humanity before that point. Being able to draw on those disciplines and bring them into cybersecurity is a real benefit. And it is great that in the last few years, we have seen more people coming from more human-based disciplines, like psychology, marketing, sociology, and anthropology.
Do you think we can teach people to become better and safer digital citizens, or are our biases a hurdle in this effort?
Jess: That will always be the case as it is in the physical world as well. We are always going to have to manage those elements of human nature that make it hard to have awareness. Certain elements of our ways of thinking as human beings are so hardwired into us that we are always going to have to work to overcome those. But I think we are making progress.
For example, we have helped people become so much more aware of phishing emails. Obviously, it’s still a big problem, but we know that we have helped people become so much more aware of that because cybercriminals have pivoted to using other methods and phishing campaigns that are more sophisticated. That is why we see so many more attacks happening over WhatsApp or other social media, because we have successfully raised awareness. When it comes to cybersecurity, we are in this difficult position that cybercriminals will always try to find a way around whatever defences we put in place. So, we must keep evolving.
Over the last few years we have witnessed the accelerated digitalization of every aspect of our lives. Do you think that this kind of digital transformation has created more pains or more benefits?
Jess: I think the answer is that it has created both. I have been talking about this, particularly in keynotes I’ve delivered over the last couple of years. We were in this position where we were suddenly not able to trust the physical world in the way that we had been accustomed to. So, we were suddenly questioning the air that we were breathing, the surfaces that we were touching.
At the same time, that forced us into trusting the digital world much more radically than we had before, like trusting the education of children to online platforms. Obviously, that also forced the digital transformation of organizations, especially as people were working from home.
That level of digital transformation was planned to take place over years, but organizations had to put it into effect in a matter of weeks or, for most, days. So, it opened so many opportunities. One thing that we learned at ClubCISO is the resilience of a lot of those organizations that had long-term plans for digital transformation. They could pivot so much quicker, and the security stood up really well.
But we need to see what the long-term impact of that will be. We need to see what this means for physical and digital trust moving forward.
Empowering and engaging people in cybersecurity is essential for all organisations. You have talked a lot about this and how we can do that. But we see that there are failures. What are the mistakes we are making?
Jess: A lot of the issues that we see come down to culture. We often have organizations saying they want to build a security culture. And my reply to that is you already have a security culture. You just don’t know if it’s positive or negative, or you don’t know why you have that culture. Maybe you don’t understand the security culture that you have, but every organization has a security culture. It depends on whether that culture is aligned with the wider company culture. And it depends on whether it is working for security or against security.
When we do culture assessments of organizations, we often find that there are contradictions. For example, there may have been some great awareness-raising efforts taking place, but behaviours are not changing. This goes beyond awareness; this is culture.
Does the company culture, for example, prioritize productivity over security? Or are people overwhelmed with email? We know that the more email somebody receives, the more likely they are to be a victim of phishing. It may be that technology is not embedded to support people. We may tell people to have better passwords and not to reuse them. But if there is not a password manager in place or a single sign-on hasn’t been rolled out, then this is not going to happen.
So, it is about looking at the security culture in the context of the company culture. It is about seeing how you can align the cybersecurity culture with the company culture.
If we involve families and local communities in awareness-raising activities, can we achieve better results faster? What is the role of families in raising a security culture?
Jess: When we asked the members of ClubCISO which awareness measures were having the most positive impact on their cybersecurity culture, the number one was messaging that aimed at people’s personal lives and supporting the security of their families. And this makes perfect sense especially nowadays when people are aware that their kids are online so much more, and that their parents are online so much more.
Having that messaging that helps people and is relevant to their personal lives shows the security team actively cares about their colleagues. Traditionally, security messaging has been quite negative, and security was often seen as the department of no, telling people what not to do, giving them rules.
Whereas when we can give messaging and support that is aimed at people’s families, their kids, their siblings, their parents, and their communities, then we start to build that closer relationship with our colleagues. We show our colleagues that we are not just there to tell them what not to do. We are there to enable them, not just at work, but also at home.
Can you share some simple tips for building culture at home and at work?
Jess: In the workplace, the number one is understanding what your starting point is, what your baseline is, and what kind of culture you have. Only if you understand that can you think about how you can improve it. And then you can think about how you are going to measure that improvement, and how you will know if you are taking the right steps and going in the right direction.
At home, it would be listening to your family members, and understanding why they use technology as they do. If there are workarounds in place, why are they using those workarounds? Most incidents happen because people do not understand the risks. It is because people do not understand the why behind those risks, the impact they can have and the why behind security controls. That is a key thing to communicate.
Are people getting mixed messaging about security? Look for those contradictions, and think about the ways you can support colleagues: the technology you put in place, the guidance you give them, and how you can make yourself more approachable.
Have a message that is very clear, does not blame people, encourages reporting and questions, and shows you are listening and taking feedback. For example, if you are running phishing simulations, do not name and shame or focus on people who click. Focus more on the report rate rather than the click rate.
The behaviour that you actually want from people is reporting incidents. So, focus more on that using social proof, shining a light on people who report. Pick the person who reports the quickest and reward them publicly. Humanize the security team, make yourself more approachable and reinforce the positive behaviours that you want to drive throughout the organization.
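As an added illustration of the measurement Jess recommends (this is example code written for this article, not Cygenta's or ClubCISO's tooling), the script below scores a phishing simulation on report rate rather than click rate. It runs over a constructed event log of one campaign, and its output deliberately names only reporters (for social proof), never the people who clicked, so it can be shared as-is with the wider organization. The recipient names, timings and event format are all assumptions made up for the example.

```python
from statistics import median

# Constructed sample campaign: ten recipients of one simulated phish.
# Each event is (recipient, action, seconds after delivery). Anyone with no
# event neither clicked nor reported. Names and timings are made up.
RECIPIENTS = ["ana", "ben", "cara", "dev", "eli", "fay", "gus", "hal", "ivy", "jo"]
EVENTS = [
    ("ana", "reported", 240),
    ("ben", "clicked", 600),
    ("cara", "reported", 95),
    ("dev", "clicked", 120),
    ("dev", "reported", 180),   # clicked, then reported: still the outcome we want
    ("eli", "reported", 1500),
    ("fay", "clicked", 3000),
]


def simulation_metrics(recipients, events):
    """Aggregate one simulation into report-centred metrics.

    Click rate is kept only as an aggregate number; individual clickers are
    never returned, because the guidance is not to name and shame them.
    """
    n = len(recipients)
    if n == 0:
        raise ValueError("a campaign needs at least one recipient")

    clicked = {who for who, action, _ in events if action == "clicked"}

    # Earliest report per person: a second click on "report" must not
    # double-count, and the first report is the one worth recognising.
    first_report = {}
    for who, action, seconds in events:
        if action == "reported":
            first_report[who] = min(seconds, first_report.get(who, seconds))

    times = sorted(first_report.values())
    fastest = min(first_report, key=first_report.get) if first_report else None

    return {
        "sent": n,
        "click_rate": len(clicked) / n,
        "report_rate": len(first_report) / n,
        # People who clicked but then reported: reporting still happened.
        "reported_after_click": len(clicked & first_report.keys()),
        "median_seconds_to_report": median(times) if times else None,
        "fastest_reporter": fastest,
        "reporters": sorted(first_report),   # safe to recognise publicly
    }


def recognition_message(metrics):
    """Build the positive, non-blaming summary to share with colleagues."""
    if metrics["fastest_reporter"] is None:
        return "Nobody reported this simulation yet. Here is how to report a suspicious email: ..."
    return (
        f"{metrics['report_rate']:.0%} of you reported the simulated phish. "
        f"Fastest report: {metrics['fastest_reporter']} in "
        f"{metrics['median_seconds_to_report'] and min(metrics['median_seconds_to_report'], 10**9) and metrics['fastest_reporter'] and ''}"
        f"under {int(metrics['median_seconds_to_report'])} seconds median. "
        f"Thank you to {', '.join(metrics['reporters'])}."
    )


if __name__ == "__main__":
    m = simulation_metrics(RECIPIENTS, EVENTS)
    print(m)
    print(recognition_message(m))
```

The message builder intentionally has no access to the set of clickers, which is the cheapest way to guarantee a campaign write-up never leaks who fell for it; tracking improvement is then a matter of comparing `report_rate` and `median_seconds_to_report` across campaigns.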
Thank you, Jess. And now it is time for five more personal questions to get to know Jessica behind Dr. Barker. What is your favourite book?
Jess: My favourite book, and it has remained the same for the last three decades, is “To Kill a Mockingbird”. It is my favourite book because it had such an influence on me when I first read it. I was at school, and we were asked to do a book review. I picked “To Kill a Mockingbird” and it had a huge impact on me in terms of thinking about how we treat each other in society, social justice, equality, diversity, and inclusion. It really had quite a profound impact on me, and it was the first book to really do that. That’s very much stayed with me, and I still have the same copy.
Favourite movie or TV series?
Jess: I love TV. I do like movies, but I really love good TV and there are so many programs that I could pick, but I am going to go with a funny one that I watched recently, and that’s Hacks.
Favourite food?
Jess: I love lots of different types of food. I love Italian food. In particular, I do love pineapple on pizza. I love Greek food. A beautiful Greek salad is impossible to beat. I love Thai food. But if I had to pick my last meal, I would pick fish and chips from Colman’s Fish and Chips restaurant in South Shields, which is close to where I grew up.
Favourite place for vacation?
Jess: For me, it is not so much about the destination as the journey. I love a road trip, and we try and take road trips whenever we can. Probably the best that we had was our honeymoon road trip where we spent four or five weeks driving around America. I also love road trips through Europe. There is something about that experience of being on the road, especially if it is not too planned out.
If you weren’t working in cybersecurity, then what?
Jess: That’s impossible to imagine. I think it would probably be something working closely with nature. I noticed that Andra (Zaharia) talked about working with animals. That would be a dream for me. And I hope at some point in my future, I will have enough time to volunteer with something like that.
Thank you so much, Jessica, for a wonderful and insightful interview.