BarCode

Human Element

May 09, 2024 Chris Glanden Episode 99

Dr. Jessica Barker is an esteemed figure in the realm of cybersecurity with a commendable history of influencing cybersecurity awareness, behavior, and culture across the globe. As the co-founder and co-CEO of Cygenta, she has made notable strides in providing face-to-face cybersecurity awareness sessions to over 50,000 individuals. With accolades such as being named one of the top 20 most influential women in cybersecurity in the UK, her expertise, especially in the human aspect of cybersecurity, is widely recognized and respected. In addition to her corporate achievements, Dr. Barker has also recently been honored with an MBE (Member of the Order of the British Empire) for services to cybersecurity, cementing her status as a leading voice and advocate in the field. 

Our discussion focuses on the human element of security breaches and the importance of cultivating a culture of cybersecurity awareness within organizations. Dr. Barker shares her journey into the world of cybersecurity and discusses the evolving landscape of cyber threats, including the use of AI by cybercriminals for social engineering and deepfake technology. We highlight the significance of leadership commitment and values congruence in cultivating a robust cybersecurity culture. We also explore the practical question of whether gamification makes security training more effective. The segment concludes with a personal touch, as Jessica shares her experience of receiving an MBE at Windsor Castle from Prince William. She then provides insights on her new book "Hacked: The Secrets Behind Cyberattacks".

TIMESTAMPS:
00:02:53 - From Civic Design to Cybersecurity: A Human-Centric Journey
00:06:21 - AI's Escalating Role in Cybercrime and Social Engineering
00:09:18 - Strategies for Enhancing Digital Critical Thinking
00:13:00 - Cultivating Successful Cybersecurity Cultures in Organizations
00:16:57 - Rethinking Security Culture and Training Effectiveness
00:20:27 - Dreamlike Investiture: Receiving an MBE from Prince William
00:22:15 - Royal Recognition for Cybersecurity Expertise
00:25:40 - Demystifying Cybersecurity Through Engaging Stories and Practical Advice
00:31:20 - Discovering Local Vegas Gems and Cybersecurity Bar Concepts

SYMLINKS
LinkedIn (personal): https://www.linkedin.com/in/jessica-barker/
Twitter (personal): https://twitter.com/drjessicabarker
Twitter (organization): https://twitter.com/CygentaHQ
Cygenta (company): https://www.cygenta.co.uk/
Hacked: The Secrets Behind Cyber Attacks (book): https://www.amazon.com/Hacked-Uncovering-Strategies-Secrets-Attacks/dp/1398613703
Las Vegas Arts District (location): https://dtlvarts.com/

DRINK INSTRUCTION
Purple Haze
2 oz Gin
1 oz Violet Liqueur
1 oz Fresh Lemon Juice
1/2 oz Honey Syrup
1 Dash Orange Bitters
Combine all ingredients in a shaker with ice. Shake well and strain into a chilled glass. Optionally, garnish with a twist of lemon peel or a sprig of lavender.

CONNECT WITH US
www.barcodesecurity.com
Become a Sponsor
Follow us on LinkedIn
Tweet us at @BarCodeSecurity
Email us at info@barcodesecurity.com

This episode has been automatically transcribed by AI; please excuse any typos or grammatical errors.

Chris: Dr. Jessica Barker is an award-winning cybersecurity expert with over a decade of experience in the human aspect of cybersecurity. She’s the co-founder and co-CEO of Cygenta, where she influences cybersecurity awareness, behavior and culture in organizations worldwide.

Chris: Jessica has delivered face-to-face cybersecurity awareness sessions to over 50,000 people and has been recognized as one of the top 20 most influential women in cybersecurity in the UK. Welcome to BarCode, Jessica.

Jessica: Thanks for having me. It’s such a pleasure to be here, for sure.

Chris: I feel like this has been a long time coming, hasn’t it? Just so. Yeah, super excited to have you here today, if you don’t mind. Tell us about your entry path into cybersecurity. And what was it about the human element that captivated you?

Jessica: Yeah, of course. The origin story. I would never have picked myself for a career in cybersecurity. And when I was first approached for a job in cyber security, I had to go and Google, what is cyber security? It was so left field for me. And then as soon as I started reading about it, and then when I eventually took the job. It’s like never looked back before this industry. My first degree was in social and political studies.

Jessica: I then worked in urban regeneration, did a master’s and PhD in an engineering field in civic design, where I was looking at the impact of the growth of the Internet on society, on communities, on different types of cities. And then I was headhunted for cyber security. And when I first was looking into it, I was thinking, this is really technical, and how would I fit into this? And then the more I delved into it, the more I realized, of course, that the human element is a huge part of cyber security.

Jessica: And that’s what I had been approached about. My first job working with a team where they had all the technical skills and capability that they needed, but they wanted someone who could bring a different perspective, they wanted someone who could lead interviews, they wanted someone who could deliver awareness raising and who could really look at the problems we have in cybersecurity, but from our more people angle. And that then was me.

Chris: So that previous training or that previous experience that you had helped, you sort of hit the ground running, right?

Jessica: Absolutely. I was just in a meeting before talking about this. One thing that I do a lot of is lead focus groups with our people in our clients, asking for their opinions, their feelings, their experiences around cyber security to help to understand the culture of the organization in terms of security. And I’ve been running focus groups for over 20 years. It’s depressing. Maybe about 25 years, but before, before cybersecurity, it was just on different topics.

Jessica: So I feel like a lot of what I did before all of the interviews I did for my PhD, this interest that I’ve always had in people and in trying to understand what makes people tick, what drives behavior, why certain groups behave in certain ways. I feel like it was all really leading me to this career where technology and people come together.

Chris: So as an expert on the human element of security and social engineering, how do you feel AI is changing the way that bad actors approach social engineering and psychological manipulation? You know, do you feel like this is an area of growing concern?

Jessica: Absolutely. And we’re already seeing it with organizations that we work with. We’re seeing it in some of the research that’s being put out there recently in terms of how cyber criminals and state affiliated groups are using AI. There’s definitely been an increase in the last year or so, of course, of cybercriminals using AI, for example, to shape their phishing emails, to make phishing emails more persuasive, more convincing, and then, of course, we’ve seen this rise in the use of deepfake, whether voice or video.

Jessica: We’re seeing cases out there hitting the headlines. We’re also hearing about cases part of our day to day work, where there are more voice CEO fraud calls happening. We have seen these awful cases of the fake kidnapping where parents or grandparents are getting phone calls saying, your child has been kidnapped. We have them. You need to pay a ransom. And then the parent or grandparent hears what sounds very much to them, of course, like their child’s voice, but it’s an AI mimic using deepfake.

Jessica: We’re seeing a lot of those. And the criminals are either using kidnapping or they’re saying that the child is in hospital or they’re in prison. They’re in trouble one way or another. Money needs to be transferred and the voice can be heard, which makes it just so much more and so much more traumatizing to receive a call like that and then be told, this is a scam. This is actually done with technology, with AI?

Chris: We used to only fear this. We knew it was coming, but now it’s an unfortunate reality, like you said. And we’re actually seeing cases now where this is happening.

Jessica: Absolutely. For years we were saying, weren’t we, like, this is coming, this is coming. It’s going to happen. It’s going to have huge impact on social engineering. We’re really, truly seeing the start of that now. And the good news is, you know, we have known it’s been coming for a while. We are seeing AI being used in cyber defense as well. But the tricky thing is that we were already struggling with social engineering, with phishing, emails, texts, phone calls. Add AI into the mix and it’s suddenly more persuasive, more convincing, more sophisticated.

Jessica: We really need to help people develop their digital critical thinking skills. We can’t tell people to look for bad spelling and grammar and hover over the links and look at the sender’s address and all of these tactical things that we have relied on for too long, really. We need instead to take a more strategic approach.

Chris: Yeah, you know, it’s especially dangerous for individuals not really versed in security or the effects of AI either. I mean, we often think of this containment unit of industry professionals that are already familiar with the aspects of deepfake. But how do we extend the message of impact to those outside of our industry? Is there a way to do that?

Jessica: Breaking out of our bubble and our bubbles, I think, is something that everybody struggles with to some extent. It can be really hard to reach, particularly more vulnerable groups of the population. I think we can try to think of those groups, try to think about how we frame our messaging, try to communicate these messages as widely as we can, and make sure that we are not simply scaring people, but that we’re giving people, of course, a realistic view of the threat, but at the same time, helping people understand what they can do to stay safe, because the danger is that we try and shout about this so loudly, but in a way that just scares people and actually just alienates them and doesn’t help them stay safe, but just actually puts them off even listening to what we have to say.

Jessica: So how we shape our messaging, I think, is really important. Not using too much technical jargon, translating our messages and empowering people to feel more confident with cyber security. For me, this is a big driving force behind why I try to have an impact beyond just the security community, if you like, but try to get out there on the radio, on the tv, in the media, write books, make content, just trying to get that message out as far and as wide as possible and really thinking about the different audiences and how I can frame messages so that they will be heard.

Chris: And I mean, you do a phenomenal job connecting with those both inside and outside of the industry, and you can’t assume everyone knows the concepts and you really know how to simplify it and get that point across to them, which is incredibly important.

Jessica: Thank you, Chris. So it really means a lot to me, and it’s a challenge. It’s a balance, because we want to simplify our message, but we don’t want to patronize people, and that’s a really hard balance to hit. We also have the curse of knowledge, and this is a burden that I feel like every day I’m longer in the industry, I have to fight the curse of knowledge even harder. And trying to stay in touch with actually what people do know about security, what they don’t, what they feel they know, and how that might be different, what they actually know, the kind of language that people are using, what messages are getting through, which aren’t. If they aren’t getting through. Why is that?

Jessica: It’s complicated, and I feel like it’s a work in progress for all of us. Something that I try to stay focused on because it means so much to me to try to help people who maybe don’t get advice from their workplace, maybe aren’t hearing about this from their friends or the community groups that they’re part of, just trying to get that message out because cyber security applies to basically all of us in one way or another in our lives.

Chris: So refocusing then, on the enterprise side, I’m curious, from your experience, what really works or what area do most organizations miss the mark on when they do fall short of developing a successful cyber aware culture?

Jessica: I’m going to start with the classic cyber security answer of it depends.

Chris: Okay.

Jessica: But I am going to expand, I promise. I’m not just going to leave it at that.

Chris: I expected that.

Chris: There’s definitely not a straightforward answer to this.

Jessica: Yeah, yeah. There are a bunch of common factors. One that we often discuss is, of course, leadership, championing of cybersecurity. Leadership buy in the tone from the top. And by the top, I do mean the top of the business. So not just the security leadership, but we’re talking about the executive leadership in an organization. Do they truly care about cybersecurity? Do they understand that it applies to them, that they need to practice the behaviors as well, to be a model for the rest of the organization?

Jessica: Do they provide the resources on the budget, for example, to be able to invest in security culture, often recognized as the most important factor in the security maturity of an organization, but still under resourced compared to, say, technology. So what is security? What is leadership doing to champion security? Are they instilling a no blame culture when there’s an incident? Do they want to blame and shame, or do they and the security team want to find out what went wrong than who they can blame? So this idea of a just culture is hugely important.

Jessica: Then we really have the values of the organization. And again, this is led very much from the top. But what we sometimes see is people being asked to practice certain security behaviors, but actually they are at odds with what the organization values and talks about and promotes and incentivizes. So, for example, we will have customer support teams and they maybe are told, you need to run through the security questions at the start of every call. You need to take your time, make sure that you have verified the identity of the caller.

Jessica: But then they may also be told productivity is really important. You are measured on how many calls you get through. Getting through more calls means you’re doing your job better, that’s your target. And you will be rewarded for getting through more calls or punished for getting through less. Just an example of where people can be told to practice secure behaviors. But actually incentives and ways of working will undermine those security practices.

Jessica: And people, of course, will go with what is truly valued by the organization. So making sure that security is truly valued is really crucial. And then of course we have cultures about a lot more than awareness raising, but awareness raising, how it’s practiced, whether people are provided with awareness raising resources that are relevant, that they can relate to, that supports them, that they don’t find too boring, you know, rather than that kind of click through training once a year, people just kind of click through it, try and like game the training, put in whatever answers and then cross their fingers that they don’t have to suffer through it again.

Jessica: So these are all factors that can influence a culture and that reflect the culture and tell us a lot about security culture in an organization.

Chris: Yeah, I completely agree with that. And you mentioned the training aspect. When you have training that becomes just a click through training just to pass a compliance check. Often that doesn’t resonate with users.

Jessica: Yeah, and people will sometimes have clients come to us and say, you know, people aren’t practicing the behaviors that we want, we don’t know why. And one of the first things we will, we will look at is the training resources and, or we’ll ask them, well, what’s your training like? And they’ll even say themselves, oh, it’s really boring. Everybody hates it, I hate it. Nobody wants to do it. People see it as a nuisance, like, well, there may be a correlating factor here between having training that you all know is terrible and then people not practicing the behaviors that you want or even knowing what those behaviors are.

Chris: How do you feel about gamification? I know it seems to work for some and not for others. Do you see that approach slowing down or do you see it as still being an effective measure?

Jessica: It was certainly a buzzword kind of, or a trend, I should say probably a few years ago, where it came along and it was kind of like the new kid in class and everyone felt drawn to it and like, okay, gamification, that’s our answer. And then, as you say, you get split responses. And I’m not surprised because then people would start to question or find that it wasn’t as effective as they were being promised, or maybe even that it was backfiring in some cases and that people didn’t like it.

Jessica: And that’s because, like so many other things, like phishing simulations, another very controversial topic. But it’s a tool and it all depends on how it is used. It all depends on the expectations around it and it depends on the wider culture that it’s being sort of brought into. So if you’re a video games company and you have great awareness raising material already, say, and an element of gamification is brought in and it’s fun and people are being rewarded when they do well, but they’re not being punished if they don’t do well. You know, it’s being used in a positive way and you have that kind of culture anyway, of kind of friendly competitiveness, then it’s going to fit much better than, say, if it’s brought into a more traditional organization and the training is bad and gamification is being kind of seen as the panacea that will solve it all without any other changes, and then it’s used as a punishment and kind of who’s performing badly, let’s pick on them, then it’s going to make things worse.

Jessica: So it depends on that wider context and it depends on the motives, the expectations and the implementation.

Chris: I want to switch lanes for a second and say congratulations on receiving your MBE investiture at Windsor Castle in February for your contributions to cybersecurity. That’s quite an achievement. Talk to me about that experience.

Jessica: Yeah, it still feels like it was a dream and I suppose it always will. I was awarded the MBE, which is part of the royal Honors system in the UK, so awarded by King Charles, for services to cyber security. And I found out that I was receiving that award last year. And then you are invited to an investiture where they pin the actual medal on you. So I had that ceremony in February 2024, and it was Prince William, so I went to Windsor Castle. Windsor Castle dates back to the days of William the Conqueror, so it’s got some history. It’s a pretty awe inspiring place to visit.

Jessica: And then it’s beautiful. There’s incredible artifacts and armor and lots of just incredibly beautiful things in the castle and there’s string orchestras playing everywhere. And then you walk through, into this room where you kind of shepherded through, until ultimately you’re getting to Prince William and you have to walk a certain amount of steps and then you either curtsy or bow, and then you walk another certain amount of steps and then suddenly you’re face to face with Prince William and he pins the medal on me and asks me some questions about cyber security. We have a nice chat and then he shook my hand and said, you know, thank you.

Jessica: We’re very grateful for the work that everybody does in cyber security and thank you for your contribution.

Jessica: And then do another little bow and off you go.

Chris: That is so cool.

Jessica: Really cool. And to have my husband there and my parents, it was a really incredible experience. I feel very, very privileged and very honored that I got to experience that. Yeah.

Chris: Yeah. That’s amazing. Can you share what he had said to you? Do you feel like he was versed in security to some degree?

Jessica: Yeah, I was very impressed. And I can check, because he didn’t tell me his passwords, you know, or.

Chris: I was going to ask you about the security there. I’m sure you did some testing on.

Jessica: Site, you know, have a little look around and you think. But, yeah, he asked me really astute questions and I was impressed because there were 30 of us receiving our honors that day.

Jessica: And I was the only one for cyber security. There was huge diversity in what people receive and are recognized with in terms of the royal honors. So there’s people who are recognized for their charity work, for their military service, for, you know, business, for sport, and I was the only person for cyber security. So he clearly didn’t. You know, he obviously is. When you go into the room, they announce your name. So they said Doctor Jessica Barker for services to cybersecurity.

Jessica: So he knows. He hears that. But I didn’t feel like he had a script or he had a pre prepared set of questions for every single person that was there that day. So, obviously, being a royal, they are well versed in how to speak to all sorts of different people. And he asked me what it was like working in cybersecurity. He asked me how challenging it is to keep up with the pace of change and with the huge changes in technology.

Jessica: He asked how challenging it is for, you know, attribution and to identify who is behind cyberattacks. And then clearly showed that he understood the challenges in terms of jurisdiction. He asked about kind of the growing need for people in cybersecurity. So he asked really well informed questions, intelligent questions. We had a great conversation and I feel like, I’m sure that’s the case with everybody in all these different walks of life, different areas of contribution on that day and other days.

Jessica: It’s just incredible to be able to speak to and ask and be interested in all these different fields.

Jessica: And then the papers showed that he went from the investiture and then that evening was at an event with Tom Cruise. So, you know, his day started on a high, pinning the medal on me. And then he just, you know, just had to hang around with Tom Cruise. Oh, how terrible.

Chris: How terrible. Now, was it the real Tom Cruise or was it deepfake Tom Cruise?

Jessica: That’s the question, right?

Chris: That is the question. I also want to mention that you recently published a book titled Hacked: The Secrets Behind Cyberattacks. Do you mind speaking to what inspired you to write that book and also what readers can expect from it?

Jessica: I find with the work I do raising awareness in all sorts of different organizations, that stories are so impactful. People hear about cyber security now more than ever. It hits the headlines, like, on pretty much a daily basis, and yet I think people still feel a bit removed from it until, unfortunately, the worst happens and they experience something, you know, they’re scammed or somebody they know has an experience.

Jessica: So what I really wanted to do was peel back some of those layers of what people might be hearing in the headlines they might see in a movie and really bring it to life by running through the different threats in cyber insecurity and help people understand what that actually means for them. So, telling lots of stories, I did lots of interviews with all sorts of people who could share their experiences in cybersecurity investigation in, you know, being advocates for victims, ex fraudsters, people who could really help give even more depth to the book and bring this subject to life for people in a way that is accessible, is jargon free, and also is empowering.

Jessica: So every chapter is a different threat. Every chapter involves lots of stories, lots of information, but ends with real practical takeaways that people can apply to help themselves, their family, their business, their community, stay safe. So it’s hopefully opening people’s eyes, helping people understand the reality of cybercrime, but then equipping them with the information that they need to go on and be more secure.

Chris: Yeah, I have my copy. I cannot wait to read it. Where are you pointing people to pick that up? Is it just through Amazon or do you have a preferred distributor that you use?

Jessica: Anywhere you buy books, I am delighted for anybody to pick up a copy wherever they buy books, whether that’s Amazon or elsewhere, whether it’s digital or physical. I’m really excited for the book to get out there and for people to read it and let me know what they think. When you write a book, it’s really a labor of love, I think, unless you’re the kind of Stephen King type level, which probably still is, but when you’re running a company and you’re doing lots of other stuff, writing a book is something that you have to be pretty dedicated to.

Jessica: So I’m excited for it to go from this project that I was working on to actually being in people’s hands and then hopefully helping people and helping people to understand cyber security a bit more and bring it to life and also be an interesting. Read that, then equips people with information that they can use to enjoy the Internet and worry less about the threat.

Chris: So I know this is your second book. So with that and then the awesome awareness content that you’re consistently distributing online, I’m just curious, how do you stay sharp with industry content? Do you read? Do you listen to podcasts? You know, what’s your poison?

Jessica: Yeah, obviously. Barcode, top of the list. I do listen to podcasts, and I’m so excited to be on this podcast, which I really enjoy listening to. I listen to a lot of podcasts, and not just in security, but I also enjoy listening to podcasts about business and about psychology and about different fields where we can take inspiration in cyber security. I do enjoy reading and listening to books. And then, of course, I think, like many of us, I get a lot of information from social media and find that our network, you know, people sharing resources, reports, statistics, experiences on social media can be another really great place.

Jessica: But I think. I think you have to, or it’s definitely beneficial to enjoy learning and to want to know more to work in cybersecurity. I think if I didn’t enjoy learning, I would find cyber security a much more challenging field to be in because this field is so broad and so deep. There’s always so much to learn.

Chris: Yeah, absolutely. So I mentioned that you co founded Cygenta. Tell me more about your services there.

Jessica: So at Cygenta, we work with clients around the world to help them in different areas of cyber security, from pen testing to physical security assessments, to the work I lead, delivering cybersecurity culture assessments and awareness raising. So we really help our clients with areas of cybersecurity they can be struggling with, that have such an impact on how they manage risk.

Chris: Perfect.

Chris: And what’s the website?

Jessica: Cygentasecurity.com.

Chris: So I know you’re based in Vegas now, so I have to ask you, do you guys hit the strip often when you guys go out, or do you prefer to stay locally? And if so, give me a good Vegas venue that’s sort of undiscovered for people that visit Vegas.

Jessica: Good question. We do occasionally go to the strip, and it’s weird when we do because we’re like, oh, yeah, this is here. Forgot about this. Because it’s so different to the rest of. Well, the world, but it’s so different to the rest of Vegas. So Vegas is kind of split into different neighborhoods. So depending on which neighborhood you’re in, there’s different bars, restaurants, and there’ll be a different kind of vibe.

Jessica: So there’s an arts district in Vegas that has a lot of very cool places not too far from the strip. Great restaurants and bars and public art and exhibitions and, you know, thrift stores and cool things happening there. But every. Every neighborhood has its own cool places. Maybe I should do a. Like, a list before black hat and Defcon of, like, this is some. Some places you should maybe check out off the strip.

Chris: You should absolutely do that.

Chris: I just heard Last call here. You got time for one more?

Jessica: Always.

Chris: If you decided to open a cybersecurity themed bar, what would the name be, and what would your signature drink be called?

Jessica: Okay, so given what we’ve spoken about in terms of the importance of awareness, behavior, and culture, I think I’m gonna have to call it the culture club.

Chris: Yes.

Jessica: Right?

Chris: We know what’s playing in there.

Jessica: Exactly. Exactly. I mean, I may. I’m worried about copyright and things, so we’ll see how that works out. And I think my signature cocktail, I’m gonna call it Hex on the breach.

Chris: Hex on the breach.

Jessica: Yeah. And it’s gonna be. I think it’s gonna be rum based.

Chris: I love that there is some thought that went into that. And I love it. I love it. All right, Jessica. Well, thank you so much for joining me today. This was great catching up with you. And I’ll see you in Vegas soon.

Jessica: Sounds good. Thank you so much.

Chris: Take care.