Meet PICCASO Privacy Awards Winner, Mike Fortune

The Best Educator Award goes to a professor, lecturer or teacher who leads by example to inspire and motivate the next generation of privacy professionals.

An industry subject-matter expert in security and data behaviours, Mike is Senior Manager Data Behaviours and Culture at BT Group. He is also a leading specialist in cyber information security, data compliance culture, and is recognised as one of the foremost trainers and educators within his industry.

We spoke with Mike for reaction to his win and for his views as an industry expert.

Could you briefly outline your career pathway to date?

After spending 25 years with BT Group, I began my journey as an engineer, gradually making my way up the management hierarchy. 

I was selected to work in the people sector, specifically in change transformation, which sparked my interest in psychology. For the past two decades, I’ve focused on behavioural change, and subsequently became a consultant for the company in that capacity. Later, I moved into security with a focus on social engineering and became the head of the security behaviours team.

For a long time, I developed phishing programmes. Our own capability of phishing and various training aspects on social engineering made me an expert on social engineering across the industry and the company.

Two years ago, I transitioned into data and quickly realised that data and security are interrelated. In most cases, cybercriminals target data, and so I’ve become responsible for all data behaviours and culture across the organisation. My task is to raise awareness, ignite interest, encourage change, and make data come to life.

It has been an interesting career path, and my strong background in security still keeps me involved with it. Due to my expertise, I am often called upon as an industry expert, and I can now demonstrate this in different ways, which has been extremely interesting for me. 

Over the past two years, since I began working with data and privacy, I have learned a great deal. I have come to realise the importance of understanding life through a data lens, and it’s an area of life that I find fascinating.

What does winning Best Educator Award at the PICCASO Privacy Awards mean to you?

It was just “Wow!” Winning the award was such a great achievement for me, and it all started with a vision I had a long time ago. As a psychologist, my world revolves around various areas of the subject, such as cyber psychology, psychology of influence, and others, but one thing has always been clear to me – people are the key to success in anything we do.

This vision led me to look at things through a different lens, particularly in areas like security, compliance, privacy, and data. I noticed that most people see them as a guard dog, waiting to bite them when they do something wrong. The result is that people avoid these areas, dealing with them only when necessary and then moving on as quickly as possible.

However, in today’s world, we live in a connected, technical world where data security and privacy are life skills. That’s why I believe the culture needs to change from a guard dog to a guide dog. Data guardians need to be a presence that people want to walk with, seeing them as an advantage rather than a threat.

To make this a reality, we took an approach that recognised that every human is different and unique. We needed to make security, data privacy, and compliance personal and real for people. Our goal was to make people intrinsically motivated to learn and engage in these areas as part of their life skills and switch on peoples’ data and security human firewall.

We realised that we couldn’t just push these things onto people and expect them to comply. Instead, we had to bring it into the life of the individual, making everything we did personal and real, to hit home. This approach challenged us, but it was worth it.

Winning the award meant an awful lot to me because it showed that we were doing it the right way. It was a validation of our approach and a testament to the hard work and dedication of the team. We proved that when we treat every human as unique, bring the learning to them in a personal and real way, we can make data privacy and security a part of everyone’s life skills.

What challenges do you see on the data protection horizon for your sector, and for industries across the board?

One of the major areas of focus in the field of data and cybersecurity is AI. We need to gain a deeper understanding of the privacy implications associated with the use of AI. This is a critical area that we must address. However, we must not forget that the majority of data breaches are a result of human behaviour. 

The advancements in technology have been remarkable, and we are doing an excellent job of defending our systems against attacks. But we can’t ignore the fact that human error is still a significant problem. In fact, 95% of data and security breaches occur due to human error, and this is not likely to change anytime soon. Therefore, it is imperative that we focus on addressing this issue.

We need to put more emphasis on social engineering, fraud, and insider threats. The challenge for us is to find ways to combat and deal with these issues effectively; cybercriminals are becoming increasingly sophisticated in their tactics, and we need to be vigilant in our efforts to protect ourselves.

Our people are still falling victim to basic non-compliance behaviours, which can lead to significant risks for our organisations. Therefore, we must ensure that we are providing our employees with the training and resources they need to make better decisions and avoid costly mistakes. We must also encourage a culture of data and security awareness, where everyone takes responsibility for protecting the organisation’s sensitive data.

While AI is a critical area of focus for us, we must not lose sight of the importance of addressing human behaviour in cybersecurity. Our people and their actions are the two primary challenges that we must tackle to protect our organisations against cyber threats.

What do organisations need to prioritise within their data protection and privacy strategies in order to meet these challenges?

I have come to realise that there is a danger in becoming too focused on technology. While technology is important and necessary to the success of any organisation, it can also lead us to overlook the importance of our people.

Of course, there are times when we need to be focused on technology to some extent. But we should not allow this focus to blind us to the value of our people. For me, the key is to really focus on our people and to help them understand the importance of compliance. We need to find ways to engage them in the process and make them part of it. This is not something that can be accomplished by doing one bit of training once a year. Instead, we need to constantly work to switch on the data and security human firewall that exists within all of us.

To do this, we need to ensure that our people have the knowledge and awareness that they need. But in today’s fast-paced world, this is not enough. Knowledge and awareness are like a river that never stops flowing, and we need to keep up with the changes that are taking place. We need to constantly update our knowledge and awareness, and we need to ensure that our people have access to the information that they need.

Then we need to find ways to bring this information to life in a way that resonates with them. We need to make compliance and security a part of their lives, something that they see as a life skill that they want and need to know more about.

When we are successful in doing this, we will have created teams that are internally and strategically motivated. These teams will be pulling for compliance data and security, rather than being pushed to do so. They will be hungry for more information and eager to learn, and this is what will ultimately lead to success.

As business communities, are we getting better at data protection and privacy?

Yes, I think we are getting better at data protection and privacy. It’s becoming increasingly important in people’s lives and I see more and more individuals realising its significance. It can be a mundane subject and I understand why people may have pushed it away in the past, but we’re now making it more interesting and approachable.

For me, the key is simplifying the language used in discussions about data and privacy. My focus is on making people more data competent. I want to help individuals understand what it means to be data competent in any role they may have. We often focus on bespoke roles, but I believe every person should have a level of data competence and understand what they need to do, not just for the business, but for themselves as well.

Being data competent means being data driven and data interested. It’s about understanding the endgame for data and the journey it takes to get there. I’ve pondered this question myself, and I’ve come to the realisation that data is more than just a security cog in the wheel. It’s on a journey to get the ultimate value. As we strive to get the ultimate value from data, all the CoCs (codes of conduct) help us deliver that value. 

It doesn’t matter what role you play or who you are, everyone can be a defender or an agent of data. This is why we’ve created a narrative in our company to drive the importance of data competency right across the business. It’s about every one of us playing a part.

Whether you’re an engineer, a data scientist, or anything in between, we all have a role to play in making data more valuable. We need to switch people on so they can understand how to contribute to the ultimate value of data. As a company, we’re pushing this narrative massively to make sure everyone understands how important it is to play their part in making data valuable.

About Piccaso

The PICCASO Privacy Awards Europe recognise the people making an outstanding contribution to this

dynamic and fast-growing sector—from the professionals ensuring their companies meet increasingly complex legal demands to the academics and engineers pushing privacy thought leadership and innovative protections forward.

Find out more.