Interview: Jo Wise
How Jo Wise ended up as managing director of The Security Company is not exactly a traditional tale. But then the business itself is not exactly traditional either. Its headquarters is a converted barn in the middle of the Cambridgeshire countryside. The founder of The Security Company, ex-RAF officer Martin Smith, lives next door. London it ain't.
Wise was feeling at a loose end after taking time off to look after her children. "My little boy went to a nursery in the next village, where I found this sign on the door saying bookkeeping and administrative help wanted, apply within. So I did, because it was only a few hours a week and fitted in with the nursery, and for a few weeks I just tickled around in Martin's office," she recalls.
When Smith found out that Wise was a qualified chartered company secretary he proposed that the two plus Paul Cook (who also lives nearby) set up the business on a proper footing and establish The Security Company. That was in 1999.
Since then her role has developed considerably from simply being a director. She is now actively involved in the consultancy and selling the main offering, the i-wareness software. As its name suggests, this is designed to assist businesses with implementing security awareness programmes.
"We soon found that there was a need in the awareness sector. My background and skills are ideally suited to this work as it's so much more about communication and softer skills," she says.
You can probably count the number of women in positions of influence in information security on two hands, but Wise believes they have something different to offer. "You shouldn't say men can't do communication, intuition and people skills, but I think women have more of those skills," she argues.
"We're looking, almost exclusively, for people with communications skills, who understand internal communications, how to break down barriers and get the attention of employees. We really do find that, mostly, it's women working in those fields and there's got to be a reason for that," Wise warms to her theme. "They tend to be able to cut through the politics a little bit better. Men get embroiled in the who's biggest and best and strongest thing. There are things that some of the girls are better at than the boys."
Many would agree - in fact most of the men in information security would welcome more female input. So how does she go about convincing clients of the need for better-managed, more sophisticated security awareness? And, apart from the alpha male, what other challenges has she faced?
"If you can't win those hearts and minds and talk to people about why you're doing what you're doing and what help you need, it doesn't work with awareness; you need everyone on board," she says.
"It may be very simple, obvious stuff, but for some of the security managers I've spoken to it's been like a revelation. It's when they feel you can help them get through to people, that's when you build the respect," she says.
Wise explains that when they go into a business, they do all the usual stuff that "the big three would do", but they put a greater emphasis on employee involvement and communication.
"We always go straight to the communications department to find out how they get messages into the organisation, what they think their employees respond to. And then we talk to the employees, via a survey, to see if that's going to work," she says.
Wise has also seen a change in the type of business her firm is servicing these days. In the early days it was banks, the financials and, as she puts it: "the big ones, at that". "We're increasingly being asked to help that next level down, smaller insurance companies; the lesser investment banks, it's widening out now," she says.
Recently there have been noises coming from some vendors that awareness is nice but, in the long term, pointless. People will always do stupid things; you need technology to stop them.
Not surprisingly, Wise disagrees: "I think people do stupid things because they haven't been told what to do. They don't understand why it's important. Or, perhaps, they're disgruntled employees, who don't feel that they're being treated as part of a team. But all the time you don't try to address it, it builds," she insists.
She compares the situation to health and safety 20 years ago, when everyone just paid lip service. Now, she says, you've got a critical mass of people who do understand, who do want to follow the rules. "It took many, many years for that to happen, and it's got to be a constant message flow; it's got to be consistent and it's got to be drip-fed. And it's not a one-shot. You can't say: I've trained everybody in January; I don't have to do anything till next year. But, once you've got people to that point where they're all working together to help you, there's no way it can be a waste of time.
"And the few that are left, the 20 per cent who are, probably, not giving it the credence it should, suddenly get told: don't leave your laptop there," she adds.
It all sounds great on paper, but it must be tricky to put into practice. After all, employees, as we all know, are the weakest link. What sort of person do businesses need to employ to get the message across - not a technologist I imagine? "No, they'd be a people person," she replies. "Someone people feel they can approach and talk to if they've got a concern, possibly about a colleague, possibly about something they see everyone doing and they think, we really shouldn't be doing that.
"And it's got to have something in it for the individual, as well. Your messages are not just: we want you to do this because it's good for us. They've got to be: it's good for you; or you should be interested in this because if you learn how to travel safely on business, you'll actually be travelling safely when you're out with your family. And, if you understand the risks to work technology, then you'll also appreciate risks to home technology. There are so many parallels you can use to appeal to people and get their attention."
Wise explains the secret of making an awareness programme engaging. It's got to be personal. It's also, she says, got to be "exciting". Although she admits that this is difficult - given the constraints of corporate branding guidelines and communication restrictions.
"What you do is really look at the organisation, see what channels are available, what people are actually doing in their day-to-day work and where they come upon moments when you can touch them," she says.
"If people have to get a card issued to get in and out of buildings, that's your opportunity; you're in touch with them at that point. And, instead of just giving them the card, you give them something with it, something they'll like, not just a piece of paper saying look after this securely. It varies from one organisation to another, but it's got to mean something to them, that, hopefully, they'll keep with them or have on their desk," she continues.
Wise suggests "a little card-holder", which may have been the first thing she thought of, but then again, why not? After all, people are often persuaded by the smallest positive gestures coming from their employers.
However, it works both ways and employers need to be careful about the kind of goodies they shower upon faithful staff - and management need awareness too. Wise relates a story to make her point.
"One company told me that every year, because they're nice employers and it makes the staff like them, they give them a new BlackBerry. And because they're really kind, they don't ask for the old one back; they allow employees to pass them on to their family or sell them on eBay, but they give them absolutely no guidance on how to make sure that all their confidential company information and their address books and calendars are deleted.
"But if you've got people who care about security and have been made to understand it, then when you give them a new piece of technology at some point you get to that critical mass where they'll start saying: 'how do I make sure I use this securely?'" Wise words indeed.
From the June 2008 issue of SCMagazine UK