
Editor's Note: David Rimmer is the European security lead for Equifax. David will be talking about the importance of role modelling, Data Guardians and his love of security analogies in his lightning talk – “lessons I learned from my dog” – at the SANS European Security Awareness Summit. Below he discusses the aims of his security programme, on the theme of Population Immunity.

Population immunity (or, less flatteringly, “herd immunity”) occurs when most of the population becomes immune to a given disease, making it more difficult for the disease to take hold and spread. By preventing an outbreak, population immunity provides protection even for people who can’t be vaccinated against a disease, such as people with compromised immune systems.

Security awareness programmes must pursue their own “population immunity” outcome to reduce the likelihood and limit the impact of security incidents. The goals of an effective awareness programme should include changing the behaviour of staff not only to reduce their likelihood of falling victim to phishing, but to ensure that the group mindset of acting securely affects their colleagues and their wider community. It’s vital that our awareness programmes don’t just aim to influence colleagues with an e-learning package, a poster or an email, but with a set of co-workers who are role modelling how to work securely within their team.

One of my team’s successes is our Data Guardians scheme, in which we work with a handful of staff from each key team to ensure that we have trained, enthusiastic and engaged volunteers to report broken processes, deliver security messages in their team meetings, and tell us what’s worked well (and what hasn’t!) in our awareness programme. On top of acting as a “human firewall”, our Data Guardians are visible and friendly role models for security, ensuring that a new employee can emulate their behaviour or approach them with any questions. Our security version of population immunity therefore relies on strong engagement from the majority of staff, who default to secure working practices and exert their influence over the minority who may never be directly engaged with our message. After all, it’s unlikely that your programme is resourced to consistently deliver the right message to all staff, via the right medium, all the time.

In my SANS lightning talk, I'll (quickly) cover how you can create security role models in key areas such as operations, how you maintain that level of engagement and drive improvements in culture without a big budget, and how the same approaches have met with success in other areas of life (such as dog training!).

BIO: Currently leading the European security function for Equifax, David has held security leadership roles (focussing on culture change and security engagement) in the public and private sectors over the past 10 years. Contributing to industry programmes such as The Analogies Project, his passion is for making security transparent to the business and to employees, promoting common sense over cyber jargon.