We are very happy to announce that Governance and Compliance leader, Amy Rose will speak at PrivSec Global, this month.

Amy Rose

Amy Rose is the Head of Governance and Compliance at the NHS Confederation.

Streaming live November 29 and 30, PrivSec Global unites experts from both Privacy and Security, providing a forum where professionals across both fields can listen, learn and debate the central role that Privacy, Security and GRC play in business today.

Amy has more than 20 years’ experience working in the not-for-profit sector, largely operating in Governance Risk and Compliance (GRC), but also within marketing, communications and fundraising. She is currently Head of Governance and Compliance at NHS Confederation.

Amy appears exclusively at PrivSec Global to discuss the role that employees must play in corporate security culture.

Below, Amy answers questions on her professional journey and the themes of her PrivSec Global session.

  • Human-Centric Security Culture - Day 1, Wednesday 29th November, 12:30 - 13:15pm GMT


PrivSec Global

Could you briefly outline your career pathway so far?

My career to date has always been in the not-for-profit sector, mainly charities and membership organisations in the health and environmental sectors.  

Over a decade of that has been working in GRC, but I’ve also had substantial successful stints in marketing, communication and income generation. I’m currently working at the NHS Confederation, a membership organisation that brings together, supports and speaks for the whole healthcare system in England, Wales and Northern Ireland.

What does it mean to build a human-centric security culture?

Security systems and policies have their limitations, and unless you’ve taken the time to properly consider, engage, and empower your staff, you won’t make much progress in enhancing security.

Staff members are a crucial line of defence. To me, this approach involves placing a strong emphasis on building and reinforcing relationships with staff throughout the organisation. It’s about understanding how people work, what their needs are, and ensuring that security policies take these factors into account and reflect the realities of what is happening in the organisation. if you don’t, someone always ignores policy or finds a work-around and the policy becomes pointless. 

So, it’s about really engaging staff and helping them to play their pivotal role in security – working together in partnership adult-to-adult rather than security feeling like something being imposed. 

Therefore, relationships are key, building that trust that enables open discussions and highlighting security risks or threats without fear or blame – after all, we’re all human!  

Building those relationships also helps to gauge different teams’ behaviours and approaches to security risks so you know how to adapt your style and approach. It also enables those ongoing discussions around security, keeping it front of mind and building common values.

What are the primary hurdles companies face as they bid to build a human-centric security culture?

I find the biggest hurdle is time; staff are busy, and listening to anyone talk about risks or policies can be a real distraction for them on what they really want to get on and do. It can seem bureaucratic, and any training can become an exercise in “how quickly can I get through this?”, rather than “what can I learn?”.  

So, the important thing is to make it real and meaningful and build those relationships – after all, it’s harder to ignore a colleague you respect. It’s important to think where the person is ‘at’ and adapt to them: what’s relevant, what’s going to make a positive impact (even if it’s something that’s light-hearted and fun), what are the stories that might trigger the right response?

You need to constantly be raising awareness in new and interesting ways. It’s also about how you react when someone makes an error – making sure they’re properly supported – as a lot of staff would be devastated if they caused a security issue. And the more supportive your approach, the more likely staff are to alert you to things.

Don’t miss Amy Rose debating these issues in depth in the PrivSec Global panel debate: Human-Centric Security Culture.

Traditionally, building a security culture is based on strict industry certifications, policies, laws, and regulations. Security professionals are taught that employees in the organisation are the most significant risks and to “manage those risks.”

But what does it take to integrate human centricity into your security culture? Tune in to this exclusive PrivSec Global panel debate to find out!

Also on the panel:

  • Igor Gutierrez, Information Security Officer & DPO, B. GROB do Brasil S.A.
  • Adam Low, CTO, Zivver
  • Federico Iaschi, Head of Cyber Security Resilience and Observability, Virgin Media O2
  • Miriam Mwonge, Information Management; Data Privacy Operations, East African Breweries


  • Session: Human-Centric Security Culture
  • Time: 12:30 – 13:15pm GMT
  • Date: Day 1, Wednesday 29 November 2023

Click here to book your place at PrivSec Global today

Discover more at PrivSec Global

As regulation gets stricter – and data and tech become more crucial – it’s increasingly clear that the skills required in each of these areas are not only connected, but inseparable.

Exclusively at PrivSec Global on 29 & 30 November 2023, industry leaders, academics and subject-matter experts unite to explore these skills and the central role they play within privacy, security and GRC.

Click here to register

PrivSec Global