Crisis Designer Podcast

Designing Risk Awareness Around People, Not Policy - A conversation with Janette Bonar Law

April 16, 2026 · 30 min · 4,074 words

Show notes

In this episode of the Crisis Designer Podcast, we’re joined by Janette Bonar Law, Information Security Manager for Culture & Awareness at Channel 4. Janette brings a human-centred approach to risk and resilience. Rather than focusing on policies and frameworks alone, her work is grounded in behaviour, culture, and how people actually operate inside organisations. In this conversation, we explore how to design awareness and training that people genuinely engage with, from immersive simulations and interactive formats to unexpected, creative approaches that spark curiosity and conversation.

We cover:

Why traditional compliance-driven approaches often fail
How stress and pressure shape decision-making
Designing awareness programmes people actually engage with
The role of conversation in building awareness

This episode offers a different way of thinking about resilience. If you’re designing exercises, awareness programmes, or training, it challenges you to move beyond policy and start designing for how people really think, feel, and act.

Highlighted moments

"Just because it's not part of the rules doesn't mean it's wrong. It means it's not part of the rules." (4:41)

"Stress massively ramps up the risk around human beings in relation to what they do with technology." (10:06)

"I think we overlook the power of conversation. It is the most powerful tool that we have as cybersecurity awareness professionals." (15:28)

"It's the idea of getting used to the idea of sitting with uncertainty and having to make a decision under some kind of pressure." (25:07)

Transcript

Introduction to Risk

0:00 And it's my role to show them the bigger picture so they feel the risk and are wanting to be on board with reducing risk to themselves and to the organization.

0:24 Hello, everybody. This is Belen Santaolalla from Conductor Crisis Exercise Platform. You're listening to the Crisis Designer podcast, where we share tips, thoughts, and concepts to help you create impactful crisis management exercises. So if you're involved in crisis management, reputational risk, business continuity training, information warfare, or immersive simulation, this show is for you.

Guest Introduction

0:50 Today, I'm joined by Janette Bonar Law, Information Security Manager for Culture and Awareness at Channel 4. With a background that spans cyber-esque behavior change and storytelling, Janette brings a fresh and human-centered approach to cybersecurity training. Her focus isn't just on policies or phishing stats, but on the everyday actions, emotions, and decisions that shape a truly secure organization.

1:25 She champions insight-driven thinking over blame, curiosity over compliance, and design rooted in how people actually work and not how we assume they should. Janette, welcome to the Crisis Designer podcast. How are you today? I am great, Belen. Thank you very much for having me. We're delighted to have you here. So let's get it started.

Role Importance

1:49 How would you say that your role is important in Channel 4 today? The beauty of what I do is that I deal with people and the people end of cyber security. And I'm very privileged in that the role takes me right across the business. So many of my colleagues, they work in particular areas and they've no insight really into what other teams do.

2:20 They're just really grateful and happy that the teams are doing the things that need done. Fortunately, I get to talk to everybody, so I get a real sense of the culture and the temperature of the organization with regard to risk. I'm going to call it risk rather than cyber security because it's the more user-friendly term. And because I hear all those voices, I'm able to feed those into policy and behavior change.

2:56 So, yeah, that's why I'm important. I get to tell everybody's stories and shape the future of the organization. Oh, my God. That's amazing. It's so inspirational, the way you frame it, like from that human perspective. Why would you say, like, culture and awareness are so critical in risk?

3:21 Because risk remediation only works if it's consistent and if everybody's on board. So, if I come in waving a big stick and say, you can't do that anymore, the minute I leave the room, they'll be doing it, but they'll just be doing it more secretly, which actually makes the risk worse than it was to begin with. So, that's not a good idea.

3:44 So, in terms of risk, it's important to understand why the risk has grown. So, why are people feeling the need to work in the ways that they work, that may be out of compliance or out of policy? And maybe it's the policy that's wrong. So, maybe we need to change the policy. Or maybe they just don't see the bigger picture. And it's my role to show them the bigger picture so they feel the risk and are wanting to be on board with reducing risk to themselves and to the organization.

4:20 I really like how you're approaching it from, like, the human perspective, like, what they do or what tend to do. And if it's not working and the rules are not working, maybe we have to change the rules because we need to adapt to what humans do, right? Yeah, and it might be that what they're doing is better. Just because it's not part of the rules doesn't mean it's wrong. It means it's not part of the rules. So, both sides of that equation need to be looked at.

4:52 You know, maybe our rules are just not fit for purpose and need to be revisited. I mean, every business, every business currently is struggling around what compliance in an organization ought to look like around AI usage. And we're all finding our way there. And we're being led as much by our colleagues as we are by our policies, which are, at this point, because we don't understand the impact, we're working alongside fear in terms of AI in an organization.

5:30 So, if our colleagues who are more educated in some ways about AI have found a better way of doing things, then, yeah, let's adopt that and put some rails around it so that we can do the thing and be safe at the same time. Good. Good. I've been investigating a little bit about you. I know that you're like, it sounds terrible, but it's not, don't worry.

6:02 I know that you're sort of like a renegade voice that we've been talking about this earlier. And I know that you have like an artistic background. That's right. Yeah, I'm a painter. Aha, good.

Artistic Background

6:15 Do you think that that artistic perspective has shaped your approach to resilience or to awareness?

6:23 So, there's two answers to that question, really. One is I don't see being a painter as being at odds in any way with cybersecurity. The way that I paint is quite technical. So, I have to understand all of the pigments, all of the binders for the pigments, how the pigments interact with each other. You know, this is starting to sound a bit like a network, right? So, you have to understand what your tech stack looks like.

6:55 And that's the same for painting as well. If you're going to make a painting that's going to last hundreds of years, you can't just slap anything on there because two years down the road, it might be peeling off. So, I do see painting, particularly the way that I do it, not for everybody, it's not for everybody, as quite technical. And so, that sort of process-driven analysis of interoperability between systems or pigments, it's a similar mindset.

7:39 And in addition, you know that thing where you might have some kind of thorny problem on your mind that you don't really know how to solve and you've been chipping away at it all week and getting nowhere with any kind of solution, I think we've all been there.

7:58 And then, maybe you go to bed one night and you wake up in the morning and you think, Christ, I know exactly how to fix the problem, right? It just came to me overnight. I have a similar thing when I'm painting. So, I'll go into the studio, something will be on my mind about work because work's always on my mind. I struggle to shut it off. It's just how I'm wired. So, I'll go into the studio and I'll start painting, doing that very technical thing, you know, the hundreds of layers to make up a painting and all of that.

8:32 And it's so immersive, it makes my brain function in a different kind of way.

8:39 And it means that the bit of my brain that is now not focused on painting is free to process all the things that got backed up around this problem that I was thinking about. So, quite often, I'll come out of the studio and I've done the painting, but as I walk out the door, I'll know what to do about the thing that was bothering me. So, I see them as completely complementary.

9:09 That's fantastic. Like, how to process what's going on from a different mindset. Yeah. Thinking about or focused or immersing in your process helps you see problems differently. And find a new avenue to approach those. Your brain can trick you into thinking on railway lines, like railway tracks. Yeah. So, instead of getting anywhere closer to solving a problem, you're just rerunning the same track over the time.

9:40 And you can't see what's to either side. And we're all subject to that. It's just the way we're wired. Yeah.

Risk and Culture

9:49 Definitely. And in one of those painting sessions or in the office, when you're just thinking about situations, if you think of the bigger picture, what behaviors or risks are most on your radar right now? So, currently, my biggest concern is around stress in the workplace because stress massively ramps up the risk around human beings in relation to what they do with technology.

10:25 And also around human beings in terms of burnout. You can only be stressed for so long without it taking a horrible toll on your body. And maybe you go off work sick. You know, you're out for six months. It takes three months to get you back up to speed. And then maybe that was too quick. So, you have to go off work again. So, that's awful for any human being to have to experience. And it's also really bad business to be treating some of our most valuable assets and repositories of knowledge in that way and allowing them to be downtimed like that.

11:11 So, I see that as one of the major risks, and it's in my strategy for this year to address burnout. We're working on getting a company-wide stress app installed as part of a standard build for our computers so that our colleagues have access to support in the form of binaural beats or colors or guided meditation right there on their desktop.

11:41 So, they can get little micro-breaks to reset their brains as the days go on.

11:53 That's so different from that concept of risk being like there's a threat and you have to be alert and that alert is generating stress. And it's quite the opposite. It's the stress is the origin of risk itself, right? Very interesting. There will always be risk. We can't have a threat. There's always a threat. We can't control that environment. All we can control is our response to that threat. And part of that is technical. Part of it is having process and policy and procedure to manage our response to threat.

12:29 But a huge part of it is making sure we are fit for purpose as humans to regulate our own behaviors through stressful periods. Got it. And what do you think a strong awareness program should always include?

12:49 Let me think. Well, I'm thinking about my own awareness program over the coming month, which includes petting llamas at the Horniman Museum. Craft workshops, where we make Insta, well, it's led by an Instagram influencer. And we're going to make jewelry lanyard charms that represent phishing at Halloween and Channel 4.

13:21 And we're going to be talking about phishing because we're about to change the way that we do phishing. And we've got lots and lots of video, right, because we're Channel 4. And what we do is telly. So the people I work with, they're telly literate. So that's how they best take in information. So we've got a whole series of cyber drama set to drop called the Cyber Police.

13:56 This is all over Cybersecurity Awareness Month.

14:01 And we're about to launch an on-demand training platform where you can search for what you want to know about, in addition to any sort of mandatory training that I, in my wisdom, will assign.

14:18 But that sounds like a super engaging program. I mean, how do you do it so it feels like, oh, I want to do all this?

14:30 You know that thing I said right at the beginning about going around and talking to people? It's all about going around and talking to people. So I do house calls. I go into my colleagues' regular team meetings and drop in and say hi and, you know, give them a bit of an update on what's current. And then they can raise anything that's bothering them with me. Back in the day when doctors used to do house calls, that was the kind of thing I was thinking of.

15:01 So, yeah, it's about connections, really.

15:09 And then the engagement grows organically. So if you talk to one person and they go off and talk to two people and those people go off and talk to two more people, it takes a while. I've been in post now 12 months and I've seen the engagement grow over that time just through conversation. And I think we overlook the power of conversation. It is the most powerful tool that we have as cybersecurity awareness professionals. You are right.

15:39 What a good point. And do you, you were mentioning like some mandatory training, some optional training. What does the training look like? Do you do realistic exercises? What type of training do you do? All right. So we have, what do we have? We've got so many layers of training. So on the way in, so anybody joining the business gets the lightest, well, lightest weight InfoSec induction training ever.

16:10 We have six two-minute videos and that covers, you know, just the basics. It's to get you through the door, really. And then once you are part of the business and you become enrolled in our security school and there are core modules in there, which are actually another drama series, another video drama series. That's the core modules. And then throughout the year, I think it's about five minutes a month, we have little drips of training on topics that are going around on like an itinerary.

16:51 And we back those up with articles online and like little talks that we do here and there to the teams. So there's that level of training. We also have targeted training for particular groups. So we recently took the technology leadership team to the National Archives in Kew. And we commissioned an interactive drama to take place there where we staged.

17:22 They didn't know this was going to happen, which was hysterical. They thought they were coming for me to drone on about a PowerPoint or something. So we started the meeting as if that's what it was going to be. And then suddenly there was a disruption on screen to the meeting. The video we were playing didn't play anymore. And then a thing popped up saying this is a ransomware attack. You are now in organization X. You have two hours to resolve the situation and a bunch of actors were involved in it and they played different characters from the business, feeding information to the leadership team.

18:03 And they had to make a decision at the end. Do we pay the ransom or don't we pay the ransom? And there were so many brilliant conversations had. Both during the playing of the game and as a follow up to that about, right, so if this had really happened to our organization, how ready are we? You know, what does our readiness look like? And it was just perfect. And getting them away from work and into a different environment allowed them the headspace to think about that, which was absolutely brilliant.

18:41 And the National Archives at the time had on an MI5 exhibition, which was just amazing. So that made for the best lunch excursion ever.

18:54 Well done. And when you're preparing something of this sort, like this type of event of exercise, how do you choose which scenario to design? So, obviously, we have threat intel around, like any organization, we have threat intel around what's specific to our business. We know what our scheduling is going to look like and what might provoke a response from various quarters and when.

19:26 So, we kind of tie it into that, to what our particular threat landscape looks like. I mean, it's a problem. It's ransomware. It's on everybody's threat landscape, isn't it? Yeah. And it's escalating and they're just getting better at what they do. So, we all need to be prepared for that. So, that was a no-brainer, low-hanging fruit one for me. Of course. And when you're designing a scenario, do you have any type of best practices?

20:00 How do you approach the scenario design? So, I work with a third party to design those scenarios and they are supplied with our policies. So, everything that happens is within our policy response. And then, it's a very long process to get the script just right. So, we had lots of brainstorming and, oh, wouldn't that be a good story?

20:31 And, no, I don't think we should do that because people would be very upset. And then, we settled on the story. We settled on the cast. We had a run-through to make sure it all works. So, it was just like a proper theatre production, except it was in the National Archives and it had a very limited audience.

20:57 Nice. And in those kind of cases, do you facilitate those exercises somehow? Or is that something that is facilitated by someone else or there is no facilitation? So, I would not guide the story part of it. I'd let the actors run the story that we'd agreed. Let the TLT respond in a very organic way. But what I would and did do is to maybe shape the conversation afterwards just by asking questions.

21:36 So, something simple like, how confident are we that we are ready for this scenario in Channel 4? And then, they're all brilliant. So, they talk about it freely and there's, you know, lots of discussion about, oh, maybe we need to do this a little bit better. Or, I thought we had this, but it turns out we don't. And it was just such a great conversation. And for them to have the opportunity of the space and time to have that conversation was the most important part for me.

22:16 Do you capture that learning somehow or how do you go forward with those conversations held after the event? So, it's immediately after the event, right? So, people, as it's going forward, the conversation, people are making notes about their own action points and questions they want to follow up. And that's absolutely the best outcome for it. We wouldn't record the session itself because there's all sorts of GDPR stuff going on there that we don't want to get tangled up with.

22:52 Although, I would have loved to have recorded it, frankly. It's so tempting to whip out my iPhone, but there you go. I didn't. I didn't record it.

23:04 But, again, it's coming back to the idea of conversation. And it's the same thing when I was in the offices, your offices, earlier this week with our post-production team. And we were designing our first ever awareness training scenario with Conductor that we'll have to carry a, there may be nudity warning on the front of it. But it was, whilst it is so brilliant that as a result of everybody coming into the offices, we will have this scenario which they can play, which the entire business can play and understand better what their role is.

23:44 So we're all getting to know each other better. The real learning for that team was in all the conversations leading up to that meeting, where they got to say, you know, what if, what if this went wrong? Like, how, what would have had to have happened to, for the bad thing to happen? And what, and what would we do in response? So it was such a powerful conversation.

24:15 And my little heart beat faster when I saw flow charts coming out about possible outcomes and, you know, systems and what the vulnerabilities were on the systems. It was so well thought through, probably because they're engineers, right? They, but they were great. And they took it all in great spirit. And I think we're going to have a great outcome from that once Conductor's finished off the scenario for us.

24:45 Wow, fantastic. So apart from nudity, are there any other ingredients that you think are important for an exercise? Yeah. I mean, it almost doesn't matter what the scenario is from my point of view. Other people will have different opinions, I'm sure. For me, when you're doing the simulation, it's the idea of getting used to the idea of sitting with uncertainty and having to make a decision under some kind of pressure.

25:22 Obviously, sitting in front of a computer screen, playing a game doesn't ramp up the pressure in the same way as a countdown on a ransomware event. However, people do get very immersed in it. And if you can have just that tiny feeling of having to make decisions about important things with suboptimal information and a little bit of pressure,

25:52 we kind of get a taster of what that would be like in real life. And having sat with it once, we remember when we get into the real life situation and it ramps up. So, yeah. Got it. And can you share a little bit about the most complex exercise or challenging training or event that you had to put together?

26:23 Oh, but they're also complex and challenging. I don't know, the one coming up at the Horniman is quite, so we've got the Horniman Museum event in November where we've rented their learning space and their petting zoo. And it has been, because it's so out of channel to use somewhere like that for training, it's the really boring things that make it really complicated.

27:00 Things like getting them set up as a supplier and our terms of business are we pay 45 days after invoice. But obviously, if you're booking a venue, they want payment before they let you in. And similarly, with the catering, all the risk assessments around llamas are quite challenging.

27:24 But they also have this marvellous, absolutely marvellous aquarium there that I've got my eye on for future phishing training. I think it would make a great venue to do phishing training. So I'm working on some kind of digital treasure hunt that's based in the aquarium.

27:47 I haven't quite got to the end of what this looks like yet. This is just the kind of thing that bothers me as I'm trying to go to sleep at night.

27:55 I'm thinking about the best way to present a QR code so it doesn't look like a threat. I love that's what keeps you up at night. Yeah, it does. Yeah, don't worry about anything else. Fantastic.

Final Advice

28:12 Okay, well, to wrap up, this is the last question I always like to ask the guests. What advice would you give a younger version of yourself starting out in this field? Try not to worry about the technical side of things too much. You do have to have a basic understanding of technology just so you can go off and have the conversations with people who are really good at that stuff. But to work in cyber security, you don't have to have hacker-grade Linux skills.

28:48 It's not necessary. And the biggest part of any system is the people who use it, and that's where the most threat lies. So both to and from the humans. So if you can make an impact and change behavior on the human part of the system, that's massive. So, you know, get out there. Look at behavioral science. Understand psychology. What makes people tick.

29:21 The power of getting people to behave as you would like them to behave. Become a social engineer. That's basically what my job is. I'm a social engineer, but for good, a white hat one.

29:36 I like that a lot. What a beautiful way to finish up that concept of human at the center of how behavior is the most important and the weakest link and how we should all be not worrying about technical stuff, but the social aspect of everything. I think that it will make us happier to be focusing more on the human aspect of things. Happy, focused people who understand the why of what they're doing are an asset.

30:11 Exactly, exactly. Well, Janette, thank you very much for being here in the show. It's been a pleasure to have this relaxed conversation about these things that I think matter a lot these days. Thank you for sharing your knowledge, and I wish you the best with your program. It's been my pleasure. Thank you, Belen. Thank you, Belen.
