Wired with Empathy: How Emotional Intelligence Transforms Cybersecurity Strategies

Tags: cyber resilience, cyber security challenges, emotional firewalls, emotional intelligence | May 10, 2024

As I was figuring out how to get from my hotel to the conference venue, I was struggling with Google Maps. I mean, Google has a sense of direction, but Nadja much less so. Eventually, I found my way and noticed the big construction building just beside the conference, with a line. That must be it!

I saw a tall man with a beard who looked friendly, so I joined the line with him. We started chatting, and he shared his objective for the conference: competitor analysis.

I almost went into judgment mode, even though I knew this was a common practice when attending these security conferences.

I proceeded to take my badge and leave my coat until I joined another line behind a wonderful lady. We started chatting and ended up having coffee at the conference venue, sharing our passions, our work, and what we were looking for in this conference.

That's where I felt a sense of clarity and focus, as on the morning of the conference I had written down my intentions.

Before I go to any gathering or meeting, I reflect and set an intention on what I want to achieve.

What is my outcome and how am I going to show up? 

My intention for the UK Cyber Weeks was to listen.

To actively listen, to ask questions so I could better understand how we can disrupt the cyber security awareness industry and make it less about the technology, and more about the human.

That's what today's reflections are about: my personal insights, views, and thoughts on the topics from the sessions I had the pleasure to attend. I will look at these topics through the lens of emotional intelligence.

The main topics that were of interest to my mission, and whose sessions I attended, were the digitization journey to the cloud, user experience in SaaS products, ransomware, social engineering, and Operational Technology (OT) & Information Technology (IT) security.

So let’s dive into these!


Cloud Bound: A Journey of Digitization and Discovery

When we listen to presentations on how businesses should embrace the journey onto the cloud, how they can manage the business risk, and how they can automate the security management of the cloud, the content leans heavily on the technical side. The presentations given were brilliant, with beautiful tech depictions of the interdependencies of an organizational digitization journey onto the cloud.

The stats were fascinating, both on the innovative potential of cloud use and on the risk of data breaches as third-party applications are connected and data is processed from all corners.

What I missed in these conversations is the fundamental partnership with human resources.

When we look at the employee experience, and even the customer experience, from A to Z, we look at their behavioral patterns: the patterns behind an experience that helps the company grow and sustain its business bottom line.

What are they thinking and feeling, and how do their thoughts and mindsets contribute to a better employee and customer experience?

When we place the employee and customer experience within the context of digitization towards the cloud, how are we understanding the behavioral risks that are contributing to data breaches?

Let me give a personal example, where employees were allowed to bring their own devices (BYOD) to work, and even connect personal apps to the company's cloud.

It was an open space, and people left their WhatsApp conversations out and about on a 27-inch screen for everyone to read and notice. They were using Excel sheets to manage and update data, with a simple password protection method that was available to anyone. They knew it was not the most secure way of working, but they did not have the resources, capacity, or bureaucratic freedom to embark on a safe and secure user experience.

And this is how we increase the human attack surface and then blame it on human error.

How can we make it more difficult for people to make digital mistakes by reducing the attack surface?

Leaving the human behavioral user experience out of the design, development, and updating of your digitization into the cloud is asking to be breached, successfully and simply, with one click!


The Human Touch in SaaS: Elevating User Experience

The Software as a Service (SaaS) industry is booming. In 2022, the global SaaS market reached $261.15 billion. SaaS companies are revolutionizing the customer experience, making it easier to use technology and automate our day-to-day burdens through an app. They keep innovating and pushing the boundaries of what is possible, especially now with the limitless possibilities that Generative AI brings to the table. But here is the problem:

Often, design and upgrades are driven by speed, not by security.

Security is seen as a barrier, a disabler, and as counterintuitive when it comes to user-friendly apps that deliver our services in the blink of an eye.

That's why development teams and security teams are always in a push-and-pull dynamic. Each team thinks within its own map of the world, and neither is keen on stepping outside of its map and into the other's.

When we collaborate with our functional hats, we are likely to do what's best for our functions, not what's best for the greater good. 

Because let's face it, customers may prefer speed, but they value secure data processing and integrity more. Because if their personal data is hacked, guess who is accountable?


The Emotional Art of Ransomware Negotiations

This presentation was fascinating in many ways, I admit. I still can't wrap my mind around the fact that we are now explaining how to negotiate with criminals who stole your data, are after your money, and are likely to use it as a precedent.

But that's the reality we live in, and what I learned is that businesses rely heavily on insurance to cover them in case of a ransomware attack. The problem clearly highlighted during the conference is the complexity of these insurance policies and the caveats that are introduced to cover less and less.

That is only to be expected with the surge in ransomware attacks. Ransomware affected 66% of organizations in 2023, according to Sophos' "The State of Ransomware 2023" report.


I enjoyed this discussion particularly because we often tend to highlight the problem, issue a report as an academic exercise that is of no practical use to businesses, and fail to teach business leaders practical strategies to prepare for and navigate such incidents.

The discussion highlighted the different steps that unfold when ransomware is executed, and how business leaders could prepare themselves to face these steps with higher levels of preparedness.

What I missed from these discussions, though, is the emotional dimension.

Negotiating business deals worth 90 million or a billion US dollars is quite different from negotiating with criminals who have hijacked your customer, shareholder, financial, R&D, or commercial data in return for x amount of money, often in the form of cryptocurrency.

Your personal reputation, your organizational reputation, and the worst-case scenarios are all running through your mind at the same time, igniting negative emotions of fear, anxiety, and stress.

And from that place, you need to make sound decisions, coordinate response options internally and with external stakeholders, have an impact analysis ready that is somewhat close to reality, and do a long list of other things.

That's something you want to prepare business leaders for ahead of time, because it is an emotional process, not a business one.


Decoding Social Engineering: The Emotional Playbook

This discussion was mind-blowing in many ways, and one I enjoyed a lot. I will share a powerful example that was shared by the presenters and one you can watch in the video below.

Basically, they conducted an OSINT exercise. Open-Source Intelligence (OSINT) is defined as intelligence produced by collecting, evaluating, and analyzing publicly available information with the purpose of answering a specific intelligence question.

This is what scammers and criminals use to gather information and prepare, and then execute, their subsequent data breaches and ransomware attacks. In this experiment, customers would get a free coffee if they clicked on ONE link on Facebook. Which they did.

By the time they went back to grab their coffee, their entire biography was written on their coffee cup. It only took one link for the OSINT experts to find all this information.


I was shocked by how much data is out there for the grabbing, and how much it plays into both the sophistication and the massive scale-up of social engineering attacks. Over 82% of breaches are caused by "human error".

Social engineering is the tactic of manipulating, influencing, or deceiving a victim in order to gain control over a computer system, or to steal personal and financial information. It uses psychological manipulation to trick users into making security mistakes or giving away sensitive information. - Kaspersky

As I mentioned in the beginning, it is easy to brush it off as human error, and we are not going to expect people to stop sharing their data at such a scale. Even if they wanted to, and even if we put processes and technology in place to reverse this data availability, it will take years. So what can we do now, today, to help and guide people to resist the urge and impulse to respond to the emotional manipulation tactics of these criminals?

That's an emotional issue that needs an emotional dimension of education and awareness, one that speaks to people's emotions and triggers: speed, stress, anxiety, fear, belonging, trust, and more.


Bridging Worlds: The Emotional Convergence of OT and IT

When we hear about OT and IT, many may feel confused or unsure about the differences. From my own time at the NATO Communications and Information Agency, I felt a sense of nostalgia and enjoyed the presenter's brilliant depiction and explanation of the link between these two dimensions, and of how cyber threats represent a distinct challenge within each of these dimensions separately.

The presenter used the example of having a car from the 1960s that is basic in design, but fulfills all your operational requirements. It drives you from A to B in a secure way within its locus of control. That's OT, the Operational Technology allowing you to use the car in a safe and secure way to meet its purpose of existence.

Then you have the accessories that have been added over the decades. When we look at cars now, they far exceed their original purpose, and some even feel like a 5-star hotel, enhancing the user experience. The Bluetooth, the electrically heated seats, the large screen on our windshields, the sophisticated computer on our dashboard, and the list goes on. That's IT, the Information Technology aimed at improving user comfort and experience.


Securing the two dimensions is not approached in the same way. OT is all about ensuring a solid and resilient infrastructure to reduce the risk of disruption. IT is all about providing a comfortable user experience and ensuring that cyber hygiene is at the heart of how people use technology, which helps reduce the risk.

As these two critical realms become increasingly intertwined, the complexity of managing security risks grows, demanding a more integrated approach. 

This convergence is not just a technical challenge; it's a profound opportunity to reimagine how security protocols are designed, implemented, and managed. Holistic and adaptive strategies that take into account the nuances of both operational and informational technologies are essential.

By fostering a culture of continuous learning, emotional intelligence, and resilience, organizations can empower their teams to navigate these complexities. It requires shedding our functional hats and donning our human hats, free from bias and assumptions. Instead, everyone brings their unique expertise and knowledge to the table to ensure OT and IT security by design, not as an afterthought.


Recommendations for Enhancing Emotional Intelligence in Cybersecurity

Now, you might be wondering, "What next, Nadja?" How do we begin to incorporate emotional intelligence strategies to tackle these digital challenges effectively? 

The recommendations provided below are merely the starting point, offering practical insights to guide your discussions on managing cyber risk—not merely as a technical issue, but as a cultural and performance challenge. These suggestions are not universal solutions; rather, implementing them can spark innovative thinking about safe and secure practices in an era where data breaches can either fortify or fracture your business.

The Digitization Journey to the Cloud

  • Cultivate Emotional Ownership: I advocate for a culture where individuals fully grasp and own the emotional dimensions of their digital actions. It's about empowering every team member to feel personally responsible for the security and integrity of our data ecosystems.
  • Initiate Resilience Training: Develop resilience-building programs that equip employees to manage the emotional toll of potential data breaches proactively. This approach focuses on cultivating a mindset that is as preventative as it is responsive.

User Experience in SAAS

  • Harmonize Speed with Security: Encourage development teams to empathize with the emotional aftermath of security breaches on users. This empathy should drive the integration of robust, yet swift security measures that do not impede the user experience.
  • Advocate for Secure User Design: Motivate designers to prioritize the psychological safety of users, incorporating security elements that are both intuitive and minimally invasive.

Ransomware Negotiations

  • Enhance Emotional Preparedness: Organize workshops that simulate ransomware attacks to refine leaders' abilities in emotional regulation and strategic decision-making under duress.
  • Establish Support Networks: Create organizational support networks that offer both emotional and tactical support during crises, ensuring that no leader stands alone during these trials.

Social Engineering Mitigation

  • Illuminate Emotional Manipulation: Deploy training that elucidates how social engineering targets emotional vulnerabilities, such as the innate desire to be helpful or the fear of authority, and teach strategies to counteract these manipulations.
  • Strengthen Emotional Firewalls: Assist employees in developing strong emotional boundaries to prevent rash decisions influenced by manipulative tactics, incorporating practices like mindfulness and emotional detachment.

Operational and Information Technology Convergence

  • Foster Emotional Intelligence Across Disciplines: Encourage collaborative emotional intelligence training among OT and IT teams to boost mutual understanding and enhance cross-disciplinary cooperation.
  • Design Stress-Reduction Programs: Implement targeted stress-reduction strategies in environments where OT and IT intersect, ensuring that personnel maintain clarity and efficacy under pressure.

By integrating emotional intelligence deeply into these themes, we're doing more than just protecting data; we're nurturing the psychological resilience and enhancing the effectiveness of our teams. This approach fosters a cybersecurity environment that is not only more secure but also more supportive and understanding of the human factors at play.


Join the Conversation

Your thoughts and experiences are invaluable as we navigate these complex intersections of technology and human emotion. I invite you to share your insights or ask questions in the comments below. 

Let's deepen our understanding together and explore how we can collectively enhance our emotional resilience in the digital age.

Take the Next Step Towards Resilience

Schedule a call with me today and let's begin transforming your organization's approach to cyber resilience.

Let's Connect!