In The Human Firewall, we talk to the leading experts in behavioral design, psychology, innovative learning methods and technology to find the key to ensure organizations' compliance and cybersecurity through their employees.
The final episode - Making humans the strongest link
In this final episode, we discuss what we have learned from the 10 conversations we had with leading experts in compliance, security and behavioral design. If you only have time for one episode, this is the one! All the golden nuggets from both seasons are mentioned here.
S2-E5: Luca Dellanna: Chaos and complexity in risk management
Our guest is Luca Dellanna, and your hosts are Lasse Frost and Jakob Danelund.
This episode is about preventing bad stuff from hitting us hard – everything from pandemics to data leaks and cyberattacks - and how understanding terms like ergodicity and antifragility is crucial to do so in the chaotic and complex modern world in the 21st Century.
Follow Luca on LinkedIn here.
Read more about Luca’s work here.
Luca strongly recommends everyone to read Nassim Taleb’s book Antifragile. Find it here.
During the episode, we refer several times to the Pyramid of Risk. Find it here.
Luca talks us through a compliance case about fixing a warehouse floor. Read more about it here.
Luca’s vision: That we create a world where we care a bit less about ticking compliance boxes or just imitating what other people do without understanding, and a bit more about clipping tail risks. Basically, I hope that Nassim Taleb becomes required reading material in high school. And then that we remember the basics of risk management: We are not magically exempt from risk, unless we take explicit action to protect us from it and, if it happens, keep it from destroying us.
Luca’s 3 pieces of advice:
What can we do tomorrow: There are two basic tools that do not require any expertise to understand and use, and that you can teach to a very wide audience in 15 minutes: the Pyramid of Risk and Pre-Mortems. Many companies do post-mortems, talking about what went wrong and what to do better next time after the fact. Pre-Mortems are the same thing, but just done before the fact. Let’s say that you want to launch a new product, and before you launch it, you ask yourselves: “Let’s imagine that the launch fails. What could have been the reasons for it, and what can we do about it today?”. And once you come up with some answers, you ask: “If we do X / Y / Z about it, is there no way that it can fail now?” Oftentimes there is, so you simply repeat the exercise a bit, and then you get really good answers.
What can we do in 6 months: Ensure that the Pyramid of Risk and Pre-Mortems are implemented in practice. That means that the moment you explain it, you need to create an area of application and set clear targets for it in 6 months. It is crucial to select a very small area, and to be consistent in how you plan to measure and encourage performance, so that it is clear to everyone what you expect them to do and why. If you do a good job, after 6 months, then you can expand it to other areas.
What can we do in 5 years: It is extremely important to go back to the principles, the foundations. One mistake that some companies make is that they achieve an objective, and then they think that, because they’ve achieved that objective, they can stop talking about everything they did to achieve that objective. People forget, get other priorities, and then there is a decay or a decadence. I think it is extremely important that this attention to the fundamentals is sustained, even when in theory we could aim for more. I would consider the latter a nice-to-have.
S2-E4: Francesca Gino: Rebels vs. rules
Our guest today is Francesca Gino from Harvard Business School, and your hosts are Lasse Frost and Jakob Danelund.
This episode explores how we can use the hidden potential in rebels and rule-breakers to make better compliance and security – and even drive organizations forward.
Follow Francesca on LinkedIn here.
Learn more about Rebel Talent here.
Francesca’s vision: When people are not showing authenticity or stay curious in their jobs, the leaders are often to blame. People need to be truly trusted and empowered to bring their best contributions into the work that they do. I hope that 10 years from now, organizations are filled with leaders who are not afraid of being more transparent, being clear in expectations and giving more control away.
Francesca’s 3 pieces of advice:
What can we do tomorrow: Let’s have clear expectations. Let’s make sure that as part of developmental plans, there are not only performance goals spelled out, but also learning goals. Let’s make sure that we have more conversations more often with more vulnerability, even about difficult topics like not finding energy in a specific set of tasks.
What can we do in 6 months: Let’s not sit, waiting for others to change work – or how we approach it – for us. Let’s roll up our sleeves and get to action, thinking like the leader that I mentioned earlier from the air force.
What can we do in 5 years: Let’s try to make habits for behaviors that do not come so easily for us. Being curious and challenging the status quo, those are behaviors that we have in us, but that do not necessarily come out naturally. Therefore, it’s important in the long term that we continue to flex and use those muscles of agility that we have worked out a lot over the past year’s pandemic.
S2-E3 Josefine Ehlers Davidsen: Psychology and cybersecurity
Our guest today is Josefine Ehlers Davidsen from AP Pension (at the time of the interview: The Danish National Agency for IT and Learning), and your hosts are Lasse Frost and Jakob Danelund.
This episode delves into how you can utilize insights from psychology to bolster your organization against cyberthreats.
Follow Josefine Ehlers Davidsen on LinkedIn here.
Read Josefine’s article “How to build real information security in 5 steps” here.
Learn more about Bsides Copenhagen here.
Josefine’s vision: That everybody is as excited about cybersecurity as we are. But I also know that that’s not going to happen. Just as we cannot have 100 percent compliance, we are going to have to accept that only a few people will have an intense love for cybersecurity.
Josefine’s 3 pieces of advice to get there:
What can we do tomorrow: Identify what’s really important to you. Ask yourself or ask relevant people what they really care about in this organization, what do we need to protect.
What can we do in 6 months: Start documenting. Qualitatively and quantitatively. As you’re going along in your process, it’s going to help you to get more and more data-driven. Document the touchpoints you have with people. This will make it gradually easier for you to report to senior management.
What can we do in 5 years: Stay curious and keep on listening. The threat landscape is constantly evolving, employees come and go - and it is futile to check boxes. So keep your eyes and ears out.
S2-E2 Mikkel Holm Sørensen: Data, ethics, and behavior
Our guest is Mikkel Holm Sørensen from /KL.7 – part of Implement Consulting Group, and your hosts are Lasse Frost and Jakob Danelund.
The episode explores how we can utilize behavioral design and data to enable more ethical behavior.
Follow Mikkel on LinkedIn here.
Learn more about /KL.7 here.
Mikkel’s vision: That data-ethics has gone from an elitist and philosophical discussion to something that companies just do. And then, of course, I would LOVE to have this poster-boy case, where a company does it right and earns a lot of money.
Mikkel’s 3 pieces of advice:
What can we do tomorrow: Use behavioral design to communicate about ethical data use in a more nuanced way than just claiming that it’s either extremely dangerous or harmless. Use straightforward language, concrete cases and relevant metaphors. To engage and mobilize people, we should ASAP find a more engaging word than “data-ethics” to describe what we mean.
What can we do in 6 months: Use the upcoming Danish labelling program for IT security and responsible use of data and encourage the development of like-minded initiatives. I would like to see more consumers leaving companies that do not get this right.
What can we do in 5 years: Develop further trust in data-use by simply not using data for bad things. Data will only be more potent in 5 years, and therefore, it’s crucial that influential companies lead the way in showing that weaponizing it is not the only way to achieve commercial success.
S2-E1 Rory Sutherland: Can advertising make compliance great again?
Our guest is Rory Sutherland, and your hosts are Lasse Frost and Jakob Danelund.
This episode takes a deep dive into how you can use ideas and tools from advertising and the creative industry to make compliance great again.
Follow Rory Sutherland on LinkedIn here.
Learn more about Ogilvy here.
Sign up for Nudgestock 2021 here.
Rory’s vision: That the three areas of business – Marketing, HR, and Compliance – will be deeply psychological in accepting complexity and highly admitting to creativity. That they will escape the quantification bias and deterministic fashions – simple systems that are psychology-blind – that currently delude managers, simplify the individual into a single function leaving them highly amenable to automation (and boredom!), and prevent business instead of enabling it.
Rory’s 3 pieces of advice:
What can we do tomorrow: Try to understand the internal culture and teams’ needs on an anthropological and psychological level, not through an artificial mechanistic view.
What can we do in 6 months: Put an effort into rewarding brilliance far more and punishing deviance far less.
What can we do in 5 years: Acknowledge the need for subjectivity and novelty! All rules will be gamed at some point, so it’s important to change them once in a while and not steer towards one goal blindly. Don’t make procurement all about saving money, don’t make compliance all about box-ticking, and try hiring people without a college education.