#RISK Founder Nick James in conversation with Victoria Guilloit

Transcript:

Nick James:

Hello, I’m Nick James. I’m the founder of #Risk, a series of events that starts in London in November 2022. I’m delighted to introduce another of our #Risk ambassadors, Victoria Guilloit.

Victoria Guilloit:

Thank you so much, Nick. I’m delighted to be here.

Nick James:

Victoria’s 20 years cross sector experience in information security, including investment banking, consumer goods, retail and government. Vicky, first question from me, the lines between cybersecurity, privacy, risk management and compliance that were once straight and delineated are now blurred emerging. How have you seen the risk landscape change over say the last 10 or so years?

Victoria Guilloit:

I think it’s a bit like myself surprisingly fast and not necessarily in ways I might have imagined. These disciplines were definitely a lot more siloed 10 years ago. And cyber security for example, was certainly considered as a business risk, but privacy was usually only feature in that world as a category of personal information to be protected. And then we had the application of GDPR and that was a seismic shift in the privacy and data protection landscape. And this really provided an enormous opportunity for the CSOs to contextualize risk and compliance at the sea level and secure their budgets with the threat of the data breach of course, and the significant fines there that followed. And then of course, you have the explosion of social media. Now we’ve got AI, we’ve got machine learning and the continuing an astonishing growth of cyber crime. And it always seems to be one step ahead. Apparently, it’ll soon be the world’s third largest economy after the US and China, if it isn’t already. And that means that these one siloed functions really need to work together seamlessly to protect and advance their organizations.

Nick James:

Wow, that’s a staggering stat. The third economy could be cyber crime. Yeah, scary. We’ve talked many times about this in the past, but culture. How do you create a culture of security at an organization?

Victoria Guilloit:

Goodness, it always feels like a really big unwieldy thing to start with, but I will try. And we have talked about it many times and I hope that I can provide a consistent answer this time, but hopefully with a sprinkle of something a little bit different. So a good company culture, let’s start there. It should be easy to observe because the people who work there are going to be comfortable and it’ll be a company that they’ll want to aspire to work for perhaps. And they’ll say, everything just feels right. Most of the time they’re going to enjoy going to work. And really importantly, the boss’ door will always be open or at least their ear will be open and they’ll feel confident asking questions, they’ll feel well informed from the top and from all levels about the direction of travel in the organization. And as any business leader knows, any organization, a healthy culture like that takes a considerable amount of effort and a really sustained amount of effort will be like this swan gliding along the top, furiously paddling underneath.

Victoria Guilloit:

And so developing and embedding your privacy and security culture won’t be any different. In a sense, you need to keep working on it. And most importantly, if you consider your employee, and this is really key for of me as a human being and not potential for human error, it’s a really good place to stop. Because no matter how many technical or procedural safeguards there are in place, the hackers are going to hack and the people are going to make mistakes. Your people have a job to do first and foremost. And if you want them to consider privacy and secure, any advice that you give them has to be in the context of the business purpose and their role, and any process or procedure that you are going to introduce.

Victoria Guilloit:

For example, privacy insecurity by design in systems development, that your data is classified and labeled, potential data instance and rights requests are quickly and reported. All of these things need to be super easy and efficient. It’s not about a general annual e-learning, although that is a start if there’s nothing else in place. It’s an ongoing program and it’s going to take time. It’s going to take patience, resource, sponsorship, ownership, collaboration, commitment, community, and last of all and really importantly, risk management. That was really long answer, Nick, I realized.

Nick James:

Not at all. And I guess this is a supplementary question, once you’ve done as many of those things as you possibly can, how do you then measure the effectiveness of the training, education and awareness?

Victoria Guilloit:

That’s a great question. And one, I very frequently get asked and often sort of a lot of head scratching goes on, how are we really going to do this? But essentially, even if an employee knows very little about privacy or security, but they’re confident and that’s the key in speaking up quickly, if something doesn’t look right, you’re in a pretty good place. Someone said to me a few years ago that in the post-evaluation of a data incident, if it was found that the potential incident was known about, but not reported, then your awareness, education and training program is failing. And I think that’s pretty sage advice. A lot of security people talk about incident reporting, rising after training on the topic and that’s absolutely what you should expect. And then over time it should improve as people understand what should be reported. And at the same time and more alert to protecting sensitive information and looking out for unsolicited emails.

Victoria Guilloit:

Now you’ve got data loss prevention technology and processes that help organizations understand how their employees are behaving as well. And whether their awareness, education and training need to be improved. And it’s always helpful to gauge the opinion of the employees themselves through a survey or workshop is actually one of my favorite things to do because it involves a conversation. And most of the time, we always need to remember that employees actually want to do the right thing and giving them a voice will help you understand where your processes could be difficult to navigate, or your training is confusing and you need to improve it.

Nick James:

That’s a great answer. What we’ve seen over the last two something years is digital transformation accelerating at a pace that we just didn’t expect because of the pandemic. How do you think cyber security he should fit into transformation programs?

Victoria Guilloit:

Yeah, that’s a really good question as well. And you know, from what I observed at the time during the pandemic, cyber security were really leading from the front and they still are in these initiatives. They used to be trailing at the back a bit saying, well, how are we going to prove to the business that we are in an enabler and how are we going to try and get bolted on to that transformation or any other technology project and not cost too much time or money. But now, I think the question from businesses is more wherever are we working, is our data actually safe. Because there’s much more recognition now that data is traveling away from the office and into our homes and anywhere else, now that we can work in a more flexible and hybrid way. That people, whether they’re consumers or customers, clients of an organization expect their data to be protected. And businesses are really starting to recognize that. So it won’t be an afterthought anymore, or an expensive bolt on solution. It’s going to be a driver in itself and an accelerator for business change.

Nick James:

And that leads us, I think, quite nicely onto to my next question, which is around trust, which you had sort of alluded to in that answer. Because organizations now prioritize trust in the digital world that we all live in and a robust governance risk and compliance framework is a critical component to building and maintaining trust. But how important is it to have a diverse team in this mix?

Victoria Guilloit:

Yeah, that’s a really great question. So I’m just, I’m going to tackle this from a particular angle that I’ve experienced myself and I’ve seen so much change in and I’m really passionate about. And I think this is why diversity and strength and skills is really important. So I’m going to hark back to the days in security when anyone who wasn’t a techie was a user and I was actually referred to as the token awareness lady. I didn’t really do much. I just sat on the side and I didn’t really know anything about security. But times have really changed and the value and importance of a role who is able to translate and effectively communicate governance risk and compliance security and privacy jargon into the language of the business and they can understand it and they can behave accordingly and minimize risk is now recognized as crucial to the effectiveness of the program of GRC, the management of risk and the attainment of compliance. So there’s been a seismic shift there really just in that particular area. So it’s crucial that we have diverse roles.

Nick James:

Vicky, thank you for that. How do we continue to shift the culture for businesses to keep up with changing regulations, legislations, and threats, particularly as we return to the office or maybe continue in a hybrid work from home environment?

Victoria Guilloit:

A couple of points here. So due to culture, culture doesn’t sit still. So we need to keep up with it, but it can feel quite overwhelming. And I think this is the point in the conversation where I can turn to promote what privacy culture and other specialists services actually do. I often see teams within business is creaking at the seams, trying to do everything themselves. And this is the point at which they start to break. And a threat actually then potentially becomes a disaster. For companies to really keep up with what’s going on, they need to become really effective at understanding and owning their business risks. In doing so, they are going to really recognize where, and when most importantly, they need specialist help to keep up with legislative changes. Such as targeted training, for example. Where you’ve got a particular privacy law in a particular region or country coming into effect, that’s actually going to potentially a change what your people need to do and what they need to know. Now flexible working means that managers really need to find ways to keep their teams together, to continually promote confidence.

Victoria Guilloit:

As I mentioned earlier and trust, and this means making the person working into a bit more, the in person working, sorry, into a bit more of an event when you are actually coming together. So that there’s a bit of socialization so that the people in the team are talking together that potentially don’t always talk together and ensuring there are regular online catchups and one-to-ones with the manager as well. Because a remote worker who isn’t really feeling part of the team might also lack the confidence in speaking up. So for example, if they do spot a strange email, machines behaving in a strange way, they might not feel confident to speak up to anyone or the line manager, and then that could lead to a potential data incident or anything else really. That’s just one example of a lack of confidence in an employee.

Nick James:

Brilliant. I love that. It’s all about socializing and communication really. And I mean, that’s what builds great teams and builds great cultures within great teams. My final question is one that I’m asking a lot of people and it’s from a business angle as opposed to a personal angle, but what keeps you up at night?

Victoria Guilloit:

Oh, cracky many things. But as you say, it’s really hard not to bring the personal into this. Is there such a blur now isn’t there, between work personal life? I think nowadays, I try not to think too far into the future because you know, in any way, the future’s not promised. And I just hope I’m doing the right thing today for myself and for the team and I’m doing the best that I can to make a success of it. I mean, I think I do probably worry that I will fall behind, which is where the communication with the team, especially the ones that are coming up behind us is so important because they’re the ones that know really what’s coming up and they really excite me. So I hope what I’m bringing is useful and will make a difference to the business and to our clients. And hopefully, what I do and some of what I say will inspire everyone that’s coming up behind me.

Nick James:

Brilliant. Thank you so much, Vicky. And well, I think that the one thing that we should take away on that is that we probably need to catch up in person soon and do some socializing and communicating.