Hi-5 brings together InfoSec leaders for peer-to-peer sharing via five short questions and insights.
Ceri Jones has studied and worked in security for a little over 10 years and been in her current role with RBS for just over 9 months.
What is the biggest challenge security leaders face today and how are you looking to tackle it?
There are many amazing security awareness leaders out there if you know where to find them. They are challenged with how to push boundaries, be creative in the workplace, and engage employees to truly get involved with security programs.
To tackle this, I would remind security professionals how important it is to create relationships with people so they know security is an area to support them. Security awareness doesn’t need to be formal; there are no rules. It’s about how to get people to pay attention, take on a message and then, if needed, make it actionable without overloading them.
In your view, how important are security awareness programs, and what’s a CISO’s main role in making them effective?
Security awareness programs suffer from the fact that a lot of security messages are basically the same at their core. So it can suffer from looking like common sense and indecision of knowing what is the ‘best’ thing to do at that moment. Most people bring a pragmatic approach to security, mixing and matching their behaviours to the demands in front of them. This can be interpreted as people not understanding or not being aware, but in reality security messaging and language can be confusing and lack consistency. People can’t do all things at once, which means prioritising behaviours to focus on, and being realistic in our expectations. It’s the role of a security program to create clear, consistent messaging that goes further than common sense, and shows employees what’s expected of them.
What’s the one thing you’ll never tell an employee who’s made a security error, and how would you suggest handling the situation instead?
I would never tell someone they did something wrong. Life and work are complex, they’re nuanced and, as any security professional really knows, the real answer to security is often: ‘it depends’. So it’s about being realistic and looking at the processes to see if they are fit for purpose, and if they’re keeping up with the pace of change. Instead of telling someone they did something wrong, it’s about being open to learning from those who are interacting with the processes and policies, and building a collective understanding of how to improve as a whole.
When it comes to recruitment – what approach do you take to attract and keep the best talent, and what would be your best tip for a new hire?
Security needs people who are intrigued by difficult problems, willing to adapt and evolve. For me personally, I look for people who can reflect and challenge themselves with “Is that the best way? Could we do something different?”
I believe in mentoring people to have that confidence. Security is all about balance between the needs of the business, and how that marries up with security. My best tip: ask to join meetings so you can listen to your peers and seniors discussing topics. It’s the best way to learn, so don’t be afraid to ask!
Finally (just for fun): if you could have dinner with any renowned figure (dead or alive), who would you choose and why?
Alexandria Ocasio-Cortez. The more I see of her, the more I admire her passion and her vision. A lot of life is believing in yourself and having confidence you can have a voice and you are allowed to speak up, to take opportunities and actively look for them.
I think she shows that anyone can try and hope, but to move forward you have to continue to learn and reflect, and coupled with some luck you can achieve great things.
The Royal Bank of Scotland was established in 1724, and nowadays operates 700 branches, mainly in Scotland. RBS provides a full range of banking and insurance services to personal, business, and commercial customers.