1 00:00:00,399 --> 00:00:02,720 but hi um it's gonna be pretty tough to 2 00:00:02,720 --> 00:00:05,440 follow gabe um what i heard of gabe so 3 00:00:05,440 --> 00:00:07,040 it's pretty sick so let's have a go 4 00:00:07,040 --> 00:00:08,080 anyway 5 00:00:08,080 --> 00:00:10,719 um i'd like to start with a question 6 00:00:10,719 --> 00:00:12,480 uh but let's stop i'm not i'd like to 7 00:00:12,480 --> 00:00:14,799 ask you how many of you are completely 8 00:00:14,799 --> 00:00:17,039 up to date on your organization's 9 00:00:17,039 --> 00:00:18,720 mandatory training 10 00:00:18,720 --> 00:00:20,400 so whether that's your fire safety your 11 00:00:20,400 --> 00:00:24,240 hr your manual handling blah blah blah 12 00:00:24,240 --> 00:00:26,480 how many of you are completely up to 13 00:00:26,480 --> 00:00:30,039 date on that training 14 00:00:30,160 --> 00:00:31,599 and please put your question please put 15 00:00:31,599 --> 00:00:33,920 your answers in the chat 16 00:00:33,920 --> 00:00:35,840 so hi my name is oliver bets richards 17 00:00:35,840 --> 00:00:38,320 and you won't remember me from any 18 00:00:38,320 --> 00:00:40,800 other information security conferences 19 00:00:40,800 --> 00:00:42,960 but i'm an information security analyst 20 00:00:42,960 --> 00:00:45,760 at the university of derby 21 00:00:45,760 --> 00:00:47,520 i've dabbled in information security 22 00:00:47,520 --> 00:00:48,960 awareness training for the last couple 23 00:00:48,960 --> 00:00:50,160 of years now 24 00:00:50,160 --> 00:00:52,239 much of that experience has been virtual 25 00:00:52,239 --> 00:00:54,640 during covid times and i've done a 26 00:00:54,640 --> 00:00:56,640 couple of in-person sessions as well 27 00:00:56,640 --> 00:00:59,039 the aim of this session is to 28 00:00:59,039 --> 00:01:01,840 give some advice and some practical tips 29 00:01:01,840 --> 00:01:03,440 to help us with both of those settings 30 00:01:03,440 --> 00:01:04,799 it shouldn't really matter 
whether we're 31 00:01:04,799 --> 00:01:07,520 virtual or in person for this 32 00:01:07,520 --> 00:01:10,080 because most importantly i want you to 33 00:01:10,080 --> 00:01:11,119 join me 34 00:01:11,119 --> 00:01:13,280 in making more impactful 35 00:01:13,280 --> 00:01:16,320 interesting and resonating content 36 00:01:16,320 --> 00:01:18,479 this won't be a self-deprecating talk 37 00:01:18,479 --> 00:01:20,400 but the content is based on lessons that 38 00:01:20,400 --> 00:01:22,000 i've learned and things that i feel i 39 00:01:22,000 --> 00:01:24,400 could have done better 40 00:01:24,400 --> 00:01:26,479 and if you want to find out more about 41 00:01:26,479 --> 00:01:27,200 me 42 00:01:27,200 --> 00:01:29,200 you can find me on the socials at the 43 00:01:29,200 --> 00:01:31,600 foot of the deck i'm on twitter 44 00:01:31,600 --> 00:01:32,720 discord 45 00:01:32,720 --> 00:01:34,400 and linkedin 46 00:01:34,400 --> 00:01:36,560 all that hail nolly 47 00:01:36,560 --> 00:01:38,560 yeah 48 00:01:38,560 --> 00:01:40,320 and if you have kind things to say 49 00:01:40,320 --> 00:01:42,240 please join the conversation on twitter 50 00:01:42,240 --> 00:01:44,159 and use the hashtag beercon3 as you can 51 00:01:44,159 --> 00:01:45,360 see on the deck 52 00:01:45,360 --> 00:01:47,520 and if you have unkind things to say 53 00:01:47,520 --> 00:01:48,720 i'll still like to hear them but please 54 00:01:48,720 --> 00:01:50,560 do dm me on twitter and i'm happy to 55 00:01:50,560 --> 00:01:54,600 talk about anything in this conversation 56 00:01:55,200 --> 00:01:56,640 so you're probably wondering why we're 57 00:01:56,640 --> 00:01:58,479 even having this conversation if i'm 58 00:01:58,479 --> 00:01:59,680 saying that information security 59 00:01:59,680 --> 00:02:02,320 awareness training doesn't work 60 00:02:02,320 --> 00:02:04,079 people are still clicking on phishing 61 00:02:04,079 --> 00:02:06,240 links people are still giving away their 62 00:02:06,240 --> 
00:02:07,759 credentials 63 00:02:07,759 --> 00:02:09,840 and verizon are still saying that most 64 00:02:09,840 --> 00:02:11,840 breaches have some form of mysterious 65 00:02:11,840 --> 00:02:13,599 human element to them 66 00:02:13,599 --> 00:02:15,760 so you might think it's about how our 67 00:02:15,760 --> 00:02:17,920 customers understand technology 68 00:02:17,920 --> 00:02:20,840 but i think it's more fundamental than 69 00:02:20,840 --> 00:02:23,520 that most people 70 00:02:23,520 --> 00:02:25,280 don't understand what we're talking 71 00:02:25,280 --> 00:02:26,640 about 72 00:02:26,640 --> 00:02:28,959 most people don't understand our 73 00:02:28,959 --> 00:02:30,959 terminology 74 00:02:30,959 --> 00:02:32,400 and here's the kicker most people 75 00:02:32,400 --> 00:02:35,360 probably don't care either 76 00:02:35,360 --> 00:02:36,959 i know that information security is 77 00:02:36,959 --> 00:02:38,959 important to you and me 78 00:02:38,959 --> 00:02:40,640 it's just otherwise why would we be here 79 00:02:40,640 --> 00:02:42,560 in the first place 80 00:02:42,560 --> 00:02:44,239 it's just a lot less important for just 81 00:02:44,239 --> 00:02:45,920 about everybody else and we need to 82 00:02:45,920 --> 00:02:48,720 empathize with those people 83 00:02:48,720 --> 00:02:50,239 because we see all the time that we're 84 00:02:50,239 --> 00:02:53,599 busy that we're overworked 85 00:02:53,599 --> 00:02:56,239 and reaching burnout but guess what 86 00:02:56,239 --> 00:03:00,000 everybody else is just as busy as we are 87 00:03:00,000 --> 00:03:02,640 and it's our job to inspire them to care 88 00:03:02,640 --> 00:03:03,519 more 89 00:03:03,519 --> 00:03:05,599 about information security as well as 90 00:03:05,599 --> 00:03:07,599 the rest of the cognitive plates that 91 00:03:07,599 --> 00:03:11,040 they're spending on the on the daily 92 00:03:11,040 --> 00:03:14,000 all hope is not lost 93 00:03:14,000 --> 00:03:16,800 i hope that this conversation 
94 00:03:16,800 --> 00:03:19,360 can give you some practical steps on to 95 00:03:19,360 --> 00:03:21,360 help you build effective information 96 00:03:21,360 --> 00:03:24,159 security awareness campaigns 97 00:03:24,159 --> 00:03:25,519 and what i want you to take away from 98 00:03:25,519 --> 00:03:28,080 this is that most people don't know 99 00:03:28,080 --> 00:03:30,480 anything about information security 100 00:03:30,480 --> 00:03:32,640 particularly most adult professionals 101 00:03:32,640 --> 00:03:34,879 and they probably care less and it's 102 00:03:34,879 --> 00:03:37,920 our job to change that 103 00:03:38,480 --> 00:03:40,239 and there's quite a lot of work to do 104 00:03:40,239 --> 00:03:41,680 before we can even get started in our 105 00:03:41,680 --> 00:03:42,799 campaign 106 00:03:42,799 --> 00:03:44,400 and most of it doesn't even involve 107 00:03:44,400 --> 00:03:46,799 information security but please stay 108 00:03:46,799 --> 00:03:48,640 with me 109 00:03:48,640 --> 00:03:50,000 planning an information security 110 00:03:50,000 --> 00:03:52,080 awareness campaign is more than about 111 00:03:52,080 --> 00:03:54,080 information security and how to 112 00:03:54,080 --> 00:03:56,640 communicate with people 113 00:03:56,640 --> 00:03:58,720 you need to have empathy with your 114 00:03:58,720 --> 00:04:00,640 colleagues and you probably heard me say 115 00:04:00,640 --> 00:04:03,040 empathy quite a lot during this talk 116 00:04:03,040 --> 00:04:04,400 so that's one of the most important 117 00:04:04,400 --> 00:04:06,959 things to me here 118 00:04:06,959 --> 00:04:08,720 your colleagues have day jobs to do that 119 00:04:08,720 --> 00:04:10,879 doesn't involve directly carrying out 120 00:04:10,879 --> 00:04:12,959 information security and then most 121 00:04:12,959 --> 00:04:15,040 likely is under resourced as we are and 122 00:04:15,040 --> 00:04:17,040 they're being asked to engage with us on 123 00:04:17,040 --> 00:04:19,918 top of all 
those things 124 00:04:19,918 --> 00:04:21,759 i can't see the chat right now but i 125 00:04:21,759 --> 00:04:24,639 know from my phone conversations at work 126 00:04:24,639 --> 00:04:26,479 with others i know that a heck of a lot 127 00:04:26,479 --> 00:04:29,280 of people are not up to date on their 128 00:04:29,280 --> 00:04:30,720 mandatory training 129 00:04:30,720 --> 00:04:33,040 so how on earth can we expect people to 130 00:04:33,040 --> 00:04:34,479 engage with us and something that's 131 00:04:34,479 --> 00:04:35,840 important to us 132 00:04:35,840 --> 00:04:37,919 when we don't engage fully with 133 00:04:37,919 --> 00:04:40,080 something that may be important to some 134 00:04:40,080 --> 00:04:43,040 somebody else 135 00:04:43,040 --> 00:04:44,880 oh crap 136 00:04:44,880 --> 00:04:48,240 i've toggled through this fight sorry 137 00:04:50,320 --> 00:04:53,680 sorry i've gone ready wrong here 138 00:04:55,680 --> 00:04:57,120 we also need to remember that it's 139 00:04:57,120 --> 00:04:59,919 horrifically difficult to do this alone 140 00:04:59,919 --> 00:05:01,520 you need to identify who you need to 141 00:05:01,520 --> 00:05:03,199 support you 142 00:05:03,199 --> 00:05:05,120 and i'm very lucky to have supportive 143 00:05:05,120 --> 00:05:06,639 colleagues around me on everything that 144 00:05:06,639 --> 00:05:08,320 i've done on information security 145 00:05:08,320 --> 00:05:10,800 awareness training you need to remember 146 00:05:10,800 --> 00:05:13,039 that your campaign is a project 147 00:05:13,039 --> 00:05:15,600 there's a start a middle and an end to 148 00:05:15,600 --> 00:05:17,759 identify your learning outcomes 149 00:05:17,759 --> 00:05:20,240 identify the narrative of your campaign 150 00:05:20,240 --> 00:05:22,560 and identify what you want your audience 151 00:05:22,560 --> 00:05:26,240 to get from your campaign 152 00:05:27,520 --> 00:05:28,720 you need to 153 00:05:28,720 --> 00:05:30,160 do a heck of a lot more planning 
than 154 00:05:30,160 --> 00:05:31,919 just our to-do lists 155 00:05:31,919 --> 00:05:34,000 you need to identify the who the what 156 00:05:34,000 --> 00:05:35,120 the what 157 00:05:35,120 --> 00:05:37,120 the why the when and the how 158 00:05:37,120 --> 00:05:39,440 of what you want to say 159 00:05:39,440 --> 00:05:41,280 and that's where a communications plan 160 00:05:41,280 --> 00:05:42,639 comes in 161 00:05:42,639 --> 00:05:45,919 we'll get more on that later 162 00:05:46,000 --> 00:05:47,759 you need to remember that you're not an 163 00:05:47,759 --> 00:05:49,120 educationalist 164 00:05:49,120 --> 00:05:50,960 and that's not an insult i'm just 165 00:05:50,960 --> 00:05:52,560 willing to bet that most people in this 166 00:05:52,560 --> 00:05:55,680 conversation aren't trained educators 167 00:05:55,680 --> 00:05:58,160 i'm not either 168 00:05:58,160 --> 00:05:59,840 you need to remember that marketing is 169 00:05:59,840 --> 00:06:01,360 important as well 170 00:06:01,360 --> 00:06:03,600 you need to get your message out there 171 00:06:03,600 --> 00:06:05,199 and i'm willing to bet that most people 172 00:06:05,199 --> 00:06:06,560 in this conversation 173 00:06:06,560 --> 00:06:09,759 aren't trained marketers either 174 00:06:09,759 --> 00:06:12,000 to document all the skills you need to 175 00:06:12,000 --> 00:06:13,520 put together your campaign and the 176 00:06:13,520 --> 00:06:16,160 people you need to support you 177 00:06:16,160 --> 00:06:17,840 the most important thing for me here is 178 00:06:17,840 --> 00:06:20,000 to empathize with your colleagues and 179 00:06:20,000 --> 00:06:21,280 try and think a bit beyond the 180 00:06:21,280 --> 00:06:25,119 boundaries of information security 181 00:06:27,039 --> 00:06:28,479 it's critical to know the skills you 182 00:06:28,479 --> 00:06:30,479 need 183 00:06:30,479 --> 00:06:31,840 it's also critical that you have some 184 00:06:31,840 --> 00:06:34,080 content 185 00:06:34,080 --> 00:06:35,680 
and this is where we you need to think 186 00:06:35,680 --> 00:06:38,960 about what's useful to your organization 187 00:06:38,960 --> 00:06:40,960 you need to identify the risks 188 00:06:40,960 --> 00:06:45,198 and challenges facing your organization 189 00:06:45,280 --> 00:06:46,720 you need to remember that every 190 00:06:46,720 --> 00:06:48,880 organization is unique 191 00:06:48,880 --> 00:06:51,520 every organization has its own people 192 00:06:51,520 --> 00:06:53,599 its imperatives its values 193 00:06:53,599 --> 00:06:56,319 its cultures its politics every single 194 00:06:56,319 --> 00:06:58,560 one is different 195 00:06:58,560 --> 00:07:00,400 so there's a little merit therefore in 196 00:07:00,400 --> 00:07:02,479 prioritizing talks about picking up usb 197 00:07:02,479 --> 00:07:04,240 sticks in the parking lot when your 198 00:07:04,240 --> 00:07:05,599 organization 199 00:07:05,599 --> 00:07:07,520 prohibits using them 200 00:07:07,520 --> 00:07:09,840 and similarly i think it's negligent to 201 00:07:09,840 --> 00:07:12,479 avoid talking about securing paper files 202 00:07:12,479 --> 00:07:14,720 if your organization gets through more 203 00:07:14,720 --> 00:07:18,639 paper than the local library 204 00:07:18,720 --> 00:07:20,479 so i need to think so you need to think 205 00:07:20,479 --> 00:07:23,280 about your audience 206 00:07:23,280 --> 00:07:24,800 i need to think about information 207 00:07:24,800 --> 00:07:26,639 security and how it affects them and 208 00:07:26,639 --> 00:07:28,639 their challenges 209 00:07:28,639 --> 00:07:30,479 and that's where your educationalists 210 00:07:30,479 --> 00:07:33,359 are your friends 211 00:07:34,080 --> 00:07:35,759 your audience might not learn the way 212 00:07:35,759 --> 00:07:37,520 you do 213 00:07:37,520 --> 00:07:39,840 so reach out to them to help guide you 214 00:07:39,840 --> 00:07:41,440 towards creating a campaign that will 215 00:07:41,440 --> 00:07:45,039 engage as many people as 
possible 216 00:07:45,039 --> 00:07:46,720 and document this as well this 217 00:07:46,720 --> 00:07:48,319 information as well 218 00:07:48,319 --> 00:07:49,759 it's critical to have your thoughts in 219 00:07:49,759 --> 00:07:51,280 order 220 00:07:51,280 --> 00:07:53,360 and most importantly 221 00:07:53,360 --> 00:07:56,160 identify what your organization needs 222 00:07:56,160 --> 00:07:59,840 and what your audience need as well 223 00:08:00,639 --> 00:08:03,440 so we've got some great content ideas 224 00:08:03,440 --> 00:08:05,039 you might think now's the time we can 225 00:08:05,039 --> 00:08:07,039 probably start writing 226 00:08:07,039 --> 00:08:08,800 i'm really sorry to say this a little 227 00:08:08,800 --> 00:08:10,400 bit more thinking doing a bit more 228 00:08:10,400 --> 00:08:13,440 exciting work we need to do first 229 00:08:13,440 --> 00:08:15,120 you need a plan 230 00:08:15,120 --> 00:08:17,120 in a plan that's got a bit more detail 231 00:08:17,120 --> 00:08:18,560 on it than oliver plans to talk about 232 00:08:18,560 --> 00:08:20,720 phishing emails today 233 00:08:20,720 --> 00:08:22,960 you need a communications plan and 234 00:08:22,960 --> 00:08:24,800 luckily for you i'm here to tell you 235 00:08:24,800 --> 00:08:27,759 about what that is 236 00:08:27,759 --> 00:08:29,680 this is where your project managers are 237 00:08:29,680 --> 00:08:32,080 your friends as well 238 00:08:32,080 --> 00:08:33,760 what are you gonna say 239 00:08:33,760 --> 00:08:35,440 what kind of content are you gonna put 240 00:08:35,440 --> 00:08:36,240 out 241 00:08:36,240 --> 00:08:38,839 are you gonna put out presentations 242 00:08:38,839 --> 00:08:41,919 articles screen savers digital signage 243 00:08:41,919 --> 00:08:43,279 blah blah blah 244 00:08:43,279 --> 00:08:44,720 what kind of content do you want to get 245 00:08:44,720 --> 00:08:46,640 out there 246 00:08:46,640 --> 00:08:48,640 who are you going to say it to 247 00:08:48,640 --> 00:08:50,560 
where are you going to say it how are 248 00:08:50,560 --> 00:08:52,080 you going to say it when are you going 249 00:08:52,080 --> 00:08:53,360 to say it 250 00:08:53,360 --> 00:08:55,839 who is going to say it 251 00:08:55,839 --> 00:08:57,120 it doesn't necessarily have to be you 252 00:08:57,120 --> 00:08:59,839 doing all the talking 253 00:08:59,839 --> 00:09:02,640 i strongly urge you to identify all the 254 00:09:02,640 --> 00:09:04,800 communication channels you have in your 255 00:09:04,800 --> 00:09:06,720 organization and rinse every single one 256 00:09:06,720 --> 00:09:07,920 of them because we need to get our 257 00:09:07,920 --> 00:09:09,519 message out there to as many people as 258 00:09:09,519 --> 00:09:12,320 we possibly can 259 00:09:12,320 --> 00:09:13,839 and this is also where your marketing 260 00:09:13,839 --> 00:09:15,760 friends come in 261 00:09:15,760 --> 00:09:18,640 marketing is much more than about 262 00:09:18,640 --> 00:09:20,560 sales calls 263 00:09:20,560 --> 00:09:22,720 from vendors pitching us the same stuff 264 00:09:22,720 --> 00:09:25,839 over and over and over again 265 00:09:25,839 --> 00:09:27,760 marketing will probably be your biggest 266 00:09:27,760 --> 00:09:30,160 supporters 267 00:09:30,160 --> 00:09:31,519 and they need to know there's a campaign 268 00:09:31,519 --> 00:09:33,360 in the first place 269 00:09:33,360 --> 00:09:34,640 and this way you have to empathize with 270 00:09:34,640 --> 00:09:36,480 them as well because this is not their 271 00:09:36,480 --> 00:09:38,240 day job 272 00:09:38,240 --> 00:09:39,600 they've probably got heaps more 273 00:09:39,600 --> 00:09:41,440 campaigns on the go as well whether 274 00:09:41,440 --> 00:09:44,160 that's fire safety hr new new systems 275 00:09:44,160 --> 00:09:46,080 blah blah blah they've probably got lots 276 00:09:46,080 --> 00:09:48,480 of stuff on there on their plates and we 277 00:09:48,480 --> 00:09:50,000 need to work with them to land your 278 
00:09:50,000 --> 00:09:52,800 message amongst the constant stream of 279 00:09:52,800 --> 00:09:54,320 information overload 280 00:09:54,320 --> 00:09:56,399 that your colleagues are experiencing 281 00:09:56,399 --> 00:09:58,720 every day 282 00:09:58,720 --> 00:10:00,399 and support them to get the word out 283 00:10:00,399 --> 00:10:02,240 there and don't expect them to do all 284 00:10:02,240 --> 00:10:04,720 the work 285 00:10:04,720 --> 00:10:07,680 and document document document 286 00:10:07,680 --> 00:10:10,000 the idea here is a working document for 287 00:10:10,000 --> 00:10:11,600 your campaign now it's all going to take 288 00:10:11,600 --> 00:10:13,519 shape 289 00:10:13,519 --> 00:10:14,800 and the key thing i want to get across 290 00:10:14,800 --> 00:10:17,680 here is the identity to rinse every 291 00:10:17,680 --> 00:10:18,560 single 292 00:10:18,560 --> 00:10:19,920 communications 293 00:10:19,920 --> 00:10:23,360 channel that you have available to you 294 00:10:26,000 --> 00:10:28,160 so we're about halfway through and this 295 00:10:28,160 --> 00:10:29,600 is my rookie talks i'll be immensely 296 00:10:29,600 --> 00:10:31,839 grateful for any feedback in the chat 297 00:10:31,839 --> 00:10:34,720 like to know what i'm doing 298 00:10:35,040 --> 00:10:36,320 i'll be very grateful for anything 299 00:10:36,320 --> 00:10:38,880 you've got to say 300 00:10:39,120 --> 00:10:40,240 and that's what halfway through i 301 00:10:40,240 --> 00:10:42,800 thought we'd have a bit of a recap 302 00:10:42,800 --> 00:10:44,320 because we've documented all the skills 303 00:10:44,320 --> 00:10:46,240 that we need and the people we need to 304 00:10:46,240 --> 00:10:48,480 support us and we've planned our content 305 00:10:48,480 --> 00:10:50,720 we've got a communications plan 306 00:10:50,720 --> 00:10:52,720 that maps how the campaign will all come 307 00:10:52,720 --> 00:10:54,160 together 308 00:10:54,160 --> 00:10:55,680 but there's a tiny bit more work to 
do 309 00:10:55,680 --> 00:10:57,680 before we can get started 310 00:10:57,680 --> 00:10:59,680 because it's one thing to have a great 311 00:10:59,680 --> 00:11:01,519 campaign lined up it's one thing to have 312 00:11:01,519 --> 00:11:03,360 a lot of great content 313 00:11:03,360 --> 00:11:05,600 but unfortunately most people in our 314 00:11:05,600 --> 00:11:06,880 organizations need some sort of 315 00:11:06,880 --> 00:11:09,040 permission to do things 316 00:11:09,040 --> 00:11:10,640 and that's where your awesome 317 00:11:10,640 --> 00:11:13,279 documentation comes in 318 00:11:13,279 --> 00:11:14,959 you need to sell this to your boss i 319 00:11:14,959 --> 00:11:16,160 mean presumably they care about 320 00:11:16,160 --> 00:11:18,000 information security so she'll be after 321 00:11:18,000 --> 00:11:19,839 a good start there 322 00:11:19,839 --> 00:11:21,440 and that needs to be sold to your boss's 323 00:11:21,440 --> 00:11:22,880 boss as well 324 00:11:22,880 --> 00:11:24,480 i mean hopefully they care about 325 00:11:24,480 --> 00:11:26,399 information security so we might even 326 00:11:26,399 --> 00:11:28,480 get a bit more traction there 327 00:11:28,480 --> 00:11:30,240 but crucially 328 00:11:30,240 --> 00:11:32,880 they can use their influence 329 00:11:32,880 --> 00:11:36,480 to get a bit higher and a lot wider 330 00:11:36,480 --> 00:11:37,920 they can help you get out into your 331 00:11:37,920 --> 00:11:40,399 department 332 00:11:41,120 --> 00:11:42,720 so in your IT department as well 333 00:11:42,720 --> 00:11:44,320 because information security awareness 334 00:11:44,320 --> 00:11:48,000 training isn't just for non-IT people 335 00:11:48,000 --> 00:11:50,160 they can also help you implement the 336 00:11:50,160 --> 00:11:52,880 most senior people outside of IT 337 00:11:52,880 --> 00:11:54,880 and engage your biggest stakeholder 338 00:11:54,880 --> 00:11:58,480 group and that's your customers 339 00:11:58,480 --> 00:11:59,920 because 
your senior leaders need to be 340 00:11:59,920 --> 00:12:01,519 engaged and talk about your campaign as 341 00:12:01,519 --> 00:12:03,040 well 342 00:12:03,040 --> 00:12:05,200 because their employees their staff 343 00:12:05,200 --> 00:12:06,959 spending time engaging with your 344 00:12:06,959 --> 00:12:09,440 training takes away from their time to 345 00:12:09,440 --> 00:12:11,600 do their day job and their managers need 346 00:12:11,600 --> 00:12:14,240 to support this 347 00:12:14,639 --> 00:12:16,560 so it's critical to get support for your 348 00:12:16,560 --> 00:12:18,720 campaign and get the most influential 349 00:12:18,720 --> 00:12:20,480 people on board 350 00:12:20,480 --> 00:12:25,000 and this is a big milestone 351 00:12:25,600 --> 00:12:27,440 so we've planned 352 00:12:27,440 --> 00:12:29,200 an awesome campaign we've got some 353 00:12:29,200 --> 00:12:31,680 awesome content lined up 354 00:12:31,680 --> 00:12:33,279 crucially we've got the buy-in to launch 355 00:12:33,279 --> 00:12:35,440 it so now it's time to put the content 356 00:12:35,440 --> 00:12:37,440 together 357 00:12:37,440 --> 00:12:38,399 please 358 00:12:38,399 --> 00:12:40,800 please please lay off the fear the 359 00:12:40,800 --> 00:12:42,480 uncertainty and the doubt because this 360 00:12:42,480 --> 00:12:45,440 is no time for fear mongering 361 00:12:45,440 --> 00:12:47,200 think about how often you've been 362 00:12:47,200 --> 00:12:49,200 motivated to get out of there 363 00:12:49,200 --> 00:12:50,720 and do your fire safety training when 364 00:12:50,720 --> 00:12:51,839 you've seen an 365 00:12:51,839 --> 00:12:54,639 incident on the news 366 00:12:55,120 --> 00:12:58,160 and empathize again with your colleagues 367 00:12:58,160 --> 00:13:00,320 you're fighting for their attention to 368 00:13:00,320 --> 00:13:02,160 think about what they care about and 369 00:13:02,160 --> 00:13:06,040 what you want from them 370 00:13:06,160 --> 00:13:07,680 most people probably care 
about data 371 00:13:07,680 --> 00:13:10,480 breaches as much as you do and i do 372 00:13:10,480 --> 00:13:13,279 about how our expenses for example are 373 00:13:13,279 --> 00:13:14,320 budgeted 374 00:13:14,320 --> 00:13:17,440 when we go to conferences 375 00:13:17,920 --> 00:13:19,519 never forget that people are giving up 376 00:13:19,519 --> 00:13:20,399 their time 377 00:13:20,399 --> 00:13:23,120 to engage with you 378 00:13:23,120 --> 00:13:26,079 so produce content that most people can 379 00:13:26,079 --> 00:13:28,320 understand 380 00:13:28,320 --> 00:13:30,480 most people most adult professionals are 381 00:13:30,480 --> 00:13:31,920 i don't think 382 00:13:31,920 --> 00:13:33,279 can give a definition or working 383 00:13:33,279 --> 00:13:34,880 definition of a phishing email let 384 00:13:34,880 --> 00:13:37,440 alone a zero day vulnerability 385 00:13:37,440 --> 00:13:40,399 and keep your content short and sweet 386 00:13:40,399 --> 00:13:43,839 brevity is your friend 387 00:13:44,720 --> 00:13:48,000 and make your content accessible 388 00:13:48,000 --> 00:13:49,680 remember that not everybody who engages 389 00:13:49,680 --> 00:13:50,880 with your content will have the same 390 00:13:50,880 --> 00:13:53,040 abilities 391 00:13:53,040 --> 00:13:54,639 so when you're doing presentations and 392 00:13:54,639 --> 00:13:56,560 articles for example make sure your 393 00:13:56,560 --> 00:13:59,040 images are descriptive alt tags or use 394 00:13:59,040 --> 00:14:00,639 closed captions where you can like i'm 395 00:14:00,639 --> 00:14:04,079 doing on this on this presentation here 396 00:14:04,079 --> 00:14:06,320 now i have the benefit and a privilege 397 00:14:06,320 --> 00:14:08,240 of a great mentor supporting me on this 398 00:14:08,240 --> 00:14:09,279 talk 399 00:14:09,279 --> 00:14:10,880 i also have the benefit and the 400 00:14:10,880 --> 00:14:12,240 privilege of an amazing colleague to 401 00:14:12,240 --> 00:14:14,480 support me 402 
00:14:14,480 --> 00:14:16,160 to get somebody to peer review your 403 00:14:16,160 --> 00:14:18,160 content because we can spend hours 404 00:14:18,160 --> 00:14:20,079 crafting the best articles the best 405 00:14:20,079 --> 00:14:21,360 presentations 406 00:14:21,360 --> 00:14:24,560 and we can miss all sorts of horrors 407 00:14:24,560 --> 00:14:26,959 and so fresh eyes will always enhance 408 00:14:26,959 --> 00:14:30,079 the quality of your work 409 00:14:30,079 --> 00:14:33,040 and most importantly empathize empathize 410 00:14:33,040 --> 00:14:35,120 empathize and make the content 411 00:14:35,120 --> 00:14:36,320 accessible 412 00:14:36,320 --> 00:14:37,680 never forget 413 00:14:37,680 --> 00:14:39,519 that people spend the time with our 414 00:14:39,519 --> 00:14:41,600 content it's time they're spending away 415 00:14:41,600 --> 00:14:44,240 from other things they can be doing and 416 00:14:44,240 --> 00:14:45,040 this 417 00:14:45,040 --> 00:14:46,639 having this in the bank is another big 418 00:14:46,639 --> 00:14:48,959 milestone because we've got our content 419 00:14:48,959 --> 00:14:51,920 and we're ready to go 420 00:14:53,440 --> 00:14:55,440 so we've got a great campaign lined up 421 00:14:55,440 --> 00:14:57,279 we've got a lot of buy-in content in the 422 00:14:57,279 --> 00:14:59,040 bank and we're ready to go 423 00:14:59,040 --> 00:15:01,120 so it's time to get the content out 424 00:15:01,120 --> 00:15:03,360 there 425 00:15:03,839 --> 00:15:06,320 now it's time to talk about your content 426 00:15:06,320 --> 00:15:07,839 now it's time to talk to your colleagues 427 00:15:07,839 --> 00:15:09,839 about your content 428 00:15:09,839 --> 00:15:11,279 it's under ask your colleagues to talk 429 00:15:11,279 --> 00:15:13,120 to their their friends about your 430 00:15:13,120 --> 00:15:14,560 content 431 00:15:14,560 --> 00:15:16,959 because people need to know that your 432 00:15:16,959 --> 00:15:19,199 message is out there 433 00:15:19,199 --> 
00:15:20,880 because you need to get your material in 434 00:15:20,880 --> 00:15:24,160 front of as many eyes as you can 435 00:15:24,160 --> 00:15:26,160 so get yourself out there and present 436 00:15:26,160 --> 00:15:29,120 present present 437 00:15:29,279 --> 00:15:30,800 people need to hear about information 438 00:15:30,800 --> 00:15:32,800 security in a way that resonates with 439 00:15:32,800 --> 00:15:35,040 them and the way in which they can make 440 00:15:35,040 --> 00:15:36,399 more informed 441 00:15:36,399 --> 00:15:38,160 and more secure decisions about their 442 00:15:38,160 --> 00:15:40,320 personal their personal lives online and 443 00:15:40,320 --> 00:15:43,199 also when they're at work 444 00:15:43,279 --> 00:15:46,240 and you are the key to that 445 00:15:46,240 --> 00:15:47,519 because you are the ones that are 446 00:15:47,519 --> 00:15:49,120 empowering people to make positive 447 00:15:49,120 --> 00:15:50,560 changes to our collective security 448 00:15:50,560 --> 00:15:52,959 postures 449 00:15:52,959 --> 00:15:54,959 and the key from here is to get that 450 00:15:54,959 --> 00:15:57,360 content out there as far and wide as 451 00:15:57,360 --> 00:15:59,600 possible 452 00:15:59,600 --> 00:16:01,759 because we have to make that change we 453 00:16:01,759 --> 00:16:04,880 have to affect that change 454 00:16:06,000 --> 00:16:07,519 and now that's a heck of a lot of work 455 00:16:07,519 --> 00:16:09,199 going out the way and now it's time to 456 00:16:09,199 --> 00:16:10,480 celebrate because this is a huge 457 00:16:10,480 --> 00:16:12,720 milestone we've done a lot of work with 458 00:16:12,720 --> 00:16:14,240 our colleagues and hopefully we've made 459 00:16:14,240 --> 00:16:15,680 a massive impact 460 00:16:15,680 --> 00:16:17,519 so it's really time to give ourselves a 461 00:16:17,519 --> 00:16:18,880 bit of a pat on the back and celebrate a 462 00:16:18,880 --> 00:16:22,120 little bit 463 00:16:23,199 --> 00:16:25,920 so the 
contents out there 464 00:16:25,920 --> 00:16:27,519 the article has been read the 465 00:16:27,519 --> 00:16:30,000 presentations have been watched 466 00:16:30,000 --> 00:16:31,680 and it feels amazing to share knowledge 467 00:16:31,680 --> 00:16:32,800 doesn't it 468 00:16:32,800 --> 00:16:36,079 but there's only one thing we have to do 469 00:16:36,079 --> 00:16:37,519 it's one thing knowing we've put out 470 00:16:37,519 --> 00:16:40,079 some awesome content but we also need to 471 00:16:40,079 --> 00:16:41,680 know that we're not howling into the 472 00:16:41,680 --> 00:16:43,199 void 473 00:16:43,199 --> 00:16:44,880 you need to know if your audience has 474 00:16:44,880 --> 00:16:46,720 learned anything and you need to know if 475 00:16:46,720 --> 00:16:49,199 your campaign has made an impact 476 00:16:49,199 --> 00:16:50,399 you need to know if it's worth doing in 477 00:16:50,399 --> 00:16:52,160 the first place really 478 00:16:52,160 --> 00:16:54,320 and there are some handy and quite easy 479 00:16:54,320 --> 00:16:57,279 ways we can do this 480 00:16:57,279 --> 00:16:58,959 you can invite comments on your articles 481 00:16:58,959 --> 00:17:00,079 for example 482 00:17:00,079 --> 00:17:01,680 we can encourage people to give feedback 483 00:17:01,680 --> 00:17:03,360 during the presentations 484 00:17:03,360 --> 00:17:05,119 or encourage them to fill out evaluation 485 00:17:05,119 --> 00:17:06,959 forms after them 486 00:17:06,959 --> 00:17:09,679 i've even done quizzes during sessions 487 00:17:09,679 --> 00:17:11,520 just to get a bit of a gauge with how 488 00:17:11,520 --> 00:17:14,079 our messages are getting across 489 00:17:14,079 --> 00:17:16,079 and talk to people i think that's one of 490 00:17:16,079 --> 00:17:17,599 the most important things here to talk 491 00:17:17,599 --> 00:17:18,559 to people 492 00:17:18,559 --> 00:17:22,240 invite all the feedback you can get 493 00:17:22,240 --> 00:17:24,000 it's critical that we get every bit of 
494 00:17:24,000 --> 00:17:25,919 it so we know we're not howling into the 495 00:17:25,919 --> 00:17:28,880 void and we're making a positive impact 496 00:17:28,880 --> 00:17:31,440 on all of our collective security 497 00:17:31,440 --> 00:17:33,840 postures 498 00:17:35,200 --> 00:17:37,200 so what are the key things i want you to 499 00:17:37,200 --> 00:17:38,400 take away from this conversation that 500 00:17:38,400 --> 00:17:39,760 we're having right now 501 00:17:39,760 --> 00:17:41,280 i'm going to read these all from 502 00:17:41,280 --> 00:17:44,160 clockwise from the top left 503 00:17:44,160 --> 00:17:46,000 and that's what most people don't know 504 00:17:46,000 --> 00:17:48,160 anything about information security and 505 00:17:48,160 --> 00:17:50,000 probably care even less 506 00:17:50,000 --> 00:17:51,679 and that that's not designed to be an 507 00:17:51,679 --> 00:17:52,799 insult 508 00:17:52,799 --> 00:17:55,039 it just in my experience most adult 509 00:17:55,039 --> 00:17:57,280 professionals don't and it's our job to 510 00:17:57,280 --> 00:17:58,840 change 511 00:17:58,840 --> 00:18:01,280 that we need to empathize with our 512 00:18:01,280 --> 00:18:02,720 colleagues and think beyond the 513 00:18:02,720 --> 00:18:05,919 boundaries of information security 514 00:18:05,919 --> 00:18:07,679 and the language that we use and the 515 00:18:07,679 --> 00:18:10,320 approaches that we take 516 00:18:10,320 --> 00:18:12,400 you to identify what your organization 517 00:18:12,400 --> 00:18:13,280 needs 518 00:18:13,280 --> 00:18:15,919 and what your audience needs from you 519 00:18:15,919 --> 00:18:17,679 and to use all the channels that you 520 00:18:17,679 --> 00:18:19,919 have available 521 00:18:19,919 --> 00:18:21,919 it's critical to get support for your 522 00:18:21,919 --> 00:18:23,120 campaign 523 00:18:23,120 --> 00:18:24,559 from as far 524 00:18:24,559 --> 00:18:29,160 and as high and as wide as possible 525 00:18:33,360 --> 
00:18:34,400 because we are the ones that are 526 00:18:34,400 --> 00:18:35,840 empowering people to make positive 527 00:18:35,840 --> 00:18:37,280 changes to our collective security 528 00:18:37,280 --> 00:18:39,679 postures 529 00:18:39,679 --> 00:18:42,880 and get feedback any way you can 530 00:18:42,880 --> 00:18:44,240 it's important to know you're not 531 00:18:44,240 --> 00:18:46,080 howling into the void and making a 532 00:18:46,080 --> 00:18:48,879 positive impact 533 00:18:49,280 --> 00:18:51,360 and that's been my lessons learned for 534 00:18:51,360 --> 00:18:52,960 this conversation so thank you for 535 00:18:52,960 --> 00:18:55,200 listening i hope you have got something 536 00:18:55,200 --> 00:18:57,280 from the conversation we've had 537 00:18:57,280 --> 00:18:59,360 um i'd like to give some thank yous out 538 00:18:59,360 --> 00:19:01,120 and i'd like to thank stu coulson for 539 00:19:01,120 --> 00:19:02,880 mentoring me through this experience and 540 00:19:02,880 --> 00:19:05,760 giving me so many things to learn 541 00:19:05,760 --> 00:19:07,520 i'm very grateful for all the time he's 542 00:19:07,520 --> 00:19:09,520 given me and make sure you watch his 543 00:19:09,520 --> 00:19:11,440 talk at five o'clock 544 00:19:11,440 --> 00:19:12,880 i want to thank the beer farmers for 545 00:19:12,880 --> 00:19:14,320 putting on this amazing conference and 546 00:19:14,320 --> 00:19:15,919 accepting my presentation in the first 547 00:19:15,919 --> 00:19:17,280 place 548 00:19:17,280 --> 00:19:19,280 i also want to thank ed tucker and tracy 549 00:19:19,280 --> 00:19:20,960 good for all the insights they've shared 550 00:19:20,960 --> 00:19:22,320 with me as i've been developing this 551 00:19:22,320 --> 00:19:24,320 talk 552 00:19:24,320 --> 00:19:26,640 i want to thank my colleague rayna davey 553 00:19:26,640 --> 00:19:28,640 for supporting me to deliver 554 00:19:28,640 --> 00:19:30,000 every bit of information security 555 00:19:30,000 --> 
00:19:32,480 awareness content i've done 556 00:19:32,480 --> 00:19:33,600 and 557 00:19:33,600 --> 00:19:36,000 i want to thank my wife for her 558 00:19:36,000 --> 00:19:37,840 encouragement and supporting me and 559 00:19:37,840 --> 00:19:39,600 support for me during this experience i 560 00:19:39,600 --> 00:19:40,640 wouldn't be able to do that without her 561 00:19:40,640 --> 00:19:41,760 either 562 00:19:41,760 --> 00:19:44,320 and most importantly i want to thank you 563 00:19:44,320 --> 00:19:46,240 all for giving me your time it's been a 564 00:19:46,240 --> 00:19:47,760 pleasure talking to you 565 00:19:47,760 --> 00:19:49,840 and it's um and i hope that you've got 566 00:19:49,840 --> 00:19:52,240 something from it 567 00:19:52,240 --> 00:19:54,080 so make sure you stick around to hear 568 00:19:54,080 --> 00:19:56,240 drew jones and he's going to help us 569 00:19:56,240 --> 00:19:58,559 master blind sql injections i'm sure 570 00:19:58,559 --> 00:20:02,200 that'll be great as well