The Q & A
Tell us about yourself:
"I’m a resident in the UK – in the city of Ely, just outside of Cambridge. I’m married to Diane and we have two grown-up daughters, Philippa and Lauren and a grandson, George. I have been an IT specialist for over 40 years, working in various roles including IT Audit, systems development and project management. I became interested in the concept of information technology and its role in achieving competitive advantage. With the support of my current employer I was able to analyse the results of many strategic IT investments and approaches in many different types of organisations, resulting in the publication of my first book, 'Infopreneurs – the hidden people behind strategic information systems'. I discovered that although technology is an enabler, people drive everything with their ideas and commitment. Regardless of what area of IT you look at – including information security – it’s people that make it work. These principles have guided me throughout my time as an independent risk & resilience consultant and led me to focus on the subject of security education design: working with many organisations to establish what works, why it works and how best to make it into a process and deploy it. Why security education? – because our users are the most commonly exploited attack vector and we can (and should) make a significant improvement in the way we educate and develop our people to manage cyber threats in their workplace."
What brought you to teaching on Cybrary:
"What brought me to Cybrary: two things; the opportunity to share and the opportunity to learn. By creating a video course with Cybrary, I have been able to share my approach and principles with infosec practitioners using a medium and delivery approach that suits them. Although my course, 'Creating effective User Awareness Training' will eventually become a book, working with Cybrary has given me an opportunity to provide the material in to support different learning modalities and potentially reach and receive feedback from a much wider audience than I could possibly expect from a specialised book on the same subject. It also gave me the opportunity to gain some experience of producing a training video whilst having the support and guidance of the Cybrary staffers. Having been through the experience of writing a book, I know the benefit of having a great editor to advise on style and structure. An editor helps with the development of a book not by being a subject matter specialist, but by understanding how to write to be understood. I felt that developing a training video would be a similar process – and I was right. Having the necessary subject matter expertise is not enough – you need to have the skill to communicate it effectively."
Tell us a little bit about your course:
"'Creating effective User Awareness Training' is based on educational principles that result in learning and skills retention. As I mentioned earlier, I think both end-users and information security professionals need a better approach than what is currently out there in the market place at the moment. There are just too many approaches to creating awareness that are either not fit for purpose or just plain sneaky in their approach. 'Creating effective User Awareness Training' is based on two key principles:
- Creating real skill – threat recognition skill – within our whole organisation. We don’t build real skills by making people take tests after we have lectured them nor by conducting clandestine tests to fool them. Skill is created by support and practice.
- Helping information security become coaches rather than lecturers (physical or virtual). A coach has a personal relationship with those they are trying to develop. They may set challenging targets but they are focused on facilitating everyone to achieve those targets using a process of support, guidance and positive feedback.
So 'Creating effective User Awareness Training' is focused on the design, development, and deployment of security education that meets your risk management objectives."
Your Experience in Cyber Security:
"I hold an HNC in computer science from the University of East London and was awarded the CISA (Certified Information Systems Auditor) accreditation in 1995. I’ve been both “poacher and gamekeeper” holding posts as a programmer, business analyst, project manager, Head of IT Security and Head of IT Risk Assurance for a number of Fortune 500 and FTSE 100 companies. I’ve written books and articles on many different aspects of IT risk assurance, organisational resilience and IT risk management. I became an independent consultant in 2007 and have specialised in the areas of IT resilience, continuity planning, cyber security incident management and cyber security awareness programs."
Interests in Cyber Security:
"I like breaking new ground – whether it’s applying technology to business problems or addressing risks relating to the use of information technology. I like breaking new ground, challenges and what makes things “tick”. In IT I’m drawn to three areas:
- Understanding the root causes of risks and threats and developing frameworks to address them
- Identifying areas of best practices within IT Risk Management
- Understanding what makes a “best practice” the best way of doing something (it brings out the auditor in me!!)"