Meet the expert: Amy Rose to speak at PrivSec Global

Streaming live November 29 and 30, PrivSec Global unites experts from both Privacy and Security, providing a forum where professionals across both fields can listen, learn and debate the central role that Privacy, Security and GRC play in business today.

Amy has more than 20 years’ experience working in the not-for-profit sector, largely operating in Governance Risk and Compliance (GRC), but also within marketing, communications and fundraising. She is currently Head of Governance and Compliance at NHS Confederation.

Amy appears exclusively at PrivSec Global to discuss the role that employees must play in corporate security culture.

Below, Amy answers questions on her professional journey and the themes of her PrivSec Global session.

Could you briefly outline your career pathway so far?

My career to date has always been in the not-for-profit sector, mainly charities and membership organisations in the health and environmental sectors.  

Over a decade of that has been working in GRC, but I’ve also had substantial successful stints in marketing, communication and income generation. I’m currently working at the NHS Confederation, a membership organisation that brings together, supports and speaks for the whole healthcare system in England, Wales and Northern Ireland.

What does it mean to build a human-centric security culture?

Security systems and policies have their limitations, and unless you’ve taken the time to properly consider, engage, and empower your staff, you won’t make much progress in enhancing security.

Staff members are a crucial line of defence. To me, this approach involves placing a strong emphasis on building and reinforcing relationships with staff throughout the organisation. It’s about understanding how people work, what their needs are, and ensuring that security policies take these factors into account and reflect the realities of what is happening in the organisation. if you don’t, someone always ignores policy or finds a work-around and the policy becomes pointless. 

So, it’s about really engaging staff and helping them to play their pivotal role in security – working together in partnership adult-to-adult rather than security feeling like something being imposed. 

Therefore, relationships are key, building that trust that enables open discussions and highlighting security risks or threats without fear or blame – after all, we’re all human!  

Building those relationships also helps to gauge different teams’ behaviours and approaches to security risks so you know how to adapt your style and approach. It also enables those ongoing discussions around security, keeping it front of mind and building common values.

What are the primary hurdles companies face as they bid to build a human-centric security culture?

I find the biggest hurdle is time; staff are busy, and listening to anyone talk about risks or policies can be a real distraction for them on what they really want to get on and do. It can seem bureaucratic, and any training can become an exercise in “how quickly can I get through this?”, rather than “what can I learn?”.  

So, the important thing is to make it real and meaningful and build those relationships – after all, it’s harder to ignore a colleague you respect. It’s important to think where the person is ‘at’ and adapt to them: what’s relevant, what’s going to make a positive impact (even if it’s something that’s light-hearted and fun), what are the stories that might trigger the right response?

You need to constantly be raising awareness in new and interesting ways. It’s also about how you react when someone makes an error – making sure they’re properly supported – as a lot of staff would be devastated if they caused a security issue. And the more supportive your approach, the more likely staff are to alert you to things.