The Human Firewall Implement Consulting Group

In this final episode, we discuss what we have learned from the 10 conversations we had with leading experts in compliance, security and behavioral design. If you only have time for one episode, this is the one! All the golden nuggets from both seasons are mentioned here.

Our guest is Luca Dellanna, and your hosts are Lasse Frost and Jakob Danelund. 
 
This episode is about preventing bad stuff from hitting us hard – everything from pandemics to data leaks and cyberattacks - and how understanding terms like ergodicity and antifragility is crucial to do so in the chaotic and complex modern world in the 21st Century. 
 
Follow Luca on LinkedIn here. 
 
Read more about Luca’s work here. 
 
Luca strongly recommends everyone to read Nassim Taleb’s book Antifragile. Find it here. 
 
During the episode, we refer several times to the Pyramid of Risk. Find it here. 
 
Luca talk us through a compliance case about fixing a warehouse floor. Read more about it here. 
 
Luca’s vision: That we create a world where we care a bit less about ticking compliance boxes or just imitating what other people do without understanding, and a bit more about clipping tail risks. Basically, I hope that Nasim Taleb becomes required reading material in high school. And then that we remember basics of risk management: We are not magically exempt from risk, unless we take explicit action to protect us from it and, if it happens, keep it from destroying us. 
 
Luca’s 3 advice: 
What can we do tomorrow: There are two basic tools that do not require any expertise to understand and use, and that you can teach to a very wide audience in 15 minutes: Pyramid of Risk and Pre-Mortems. Many companies do post-mortems in talking about what went wrong and what to do better next time after the fact. Pre-Mortems are the same thing, but just done before the fact. Let’s say that you want to launch a new product, and before you launch it, you ask yourselves: “Let’s imagine that the launch fails. What could have been the reasons for it, and what can we do about it today?”.  And once you come up with some answers, you ask: “If we do X / Y / Z about it, is there no way that it can fail now?” Oftentimes there is, so you simply repeat the exercise a bit, and then you get really good answers. What can we do in 6 months: Ensure that the Pyramid of Risk and Pre-Mortems are implemented in practice. That means that the moment you explain it, you need to create an area of application and set clear targets for it in 6 months. It is crucial to select a very small area, and to be consistent in how you plan to measure and encourage performance, so that it is clear to everyone what you expect them to do and why. If you do a good job, after 6 months, then you can expand it to other areas. What can we do in 5 years: It is extremely important to go back to the principals, the foundations. One mistake that some companies do is that they achieve an objective, and then they think that, because they’ve achieved that objective, they can stop talking about everything they did to achieve that objective. People forget, get other priorities, and then there is a decay or a decadence. I think it is extremely important that this attention to the fundamentals is sustained, even when in theory we could aim for more. I would consider the latter a nice-to-have. 

Our guest today is Josefine Ehlers Davidsen from AP Pension (at the time of the interview: The Danish National Agency for IT and Learning), and your hosts are Lasse Frost and Jakob Danelund. 
This episode delves into how you can utilize insights from psychology to bolster your organization against cyberthreats. 
Follow Josefine Ehlers Davidsen on LinkedIN here. 
Read Josefine’s article “How to build real information security in 5 steps” here. 
Learn more about Bsides Copenhagen here. 
 
Josefine’s vision: 
That everybody is as excited about cybersecurity as we are. But I also know that that’s not going to happen. Just as we cannot have 100 percent compliance, we are going to have to accept that only a few people will have an intense love for cybersecurity. 
 
Josefine’s 3 advice to get there: 
What can we do tomorrow: Identify what’s really important to you. Ask yourself or ask relevant people what they really care about in this organization, what do we need to protect.  What can we do in 6 months: Start documenting. Qualitatively and quantitively. As you’re going along in your process, it’s going to help you to get more and more data-driven. Document the touchpoints you have with people. This will make it gradually easier for you to report to senior management. What can we do in 5 years: Stay curious and keep on listening. The threat landscape is constantly evolving, employees come and go - and it is futile to check boxes. So keep your eyes and ears out. 

Our guest is Mikkel Holm Sørensen from /KL.7 – part of Implement Consulting Group, and your hosts are Lasse Frost and Jakob Danelund. 
 
The episode explores how we can utilize behavioral design and data to enable more ethical behavior. 
 
Follow Mikkel on LinkedIn here. 
Learn more about /KL.7 here. 
 
Mikkel’s vision: That data-ethics has gone from a elitist and philosophical discussion to something that companies just do. And then, of course, I would LOVE to have this posterboy case, where a company does it right and earns a lot of money. 
 
Mikkel’s 3 advice: 
What can we do tomorrow: Use behavioral design to communicate about ethical data use in a more nuanced way than just claiming that it’s either extremely dangerous or harmless. Use straight-forward language, concrete cases and relevant metaphors. To engage and mobilize people, we should ASAP find a more engaging word than “data-ethics” to describe what we mean. What can we do in 6 months: Use the upcoming Danish labelling program for IT security and responsible use of data and encourage the development of like-minded initiatives.  I would like to see more consumers leaving companies that does not get this right. What can we do in 5 years: Developing further trust in data-use by simply not using data for bad things. Data will only be more potent in 5 years, and therefore, it’s crucial that influential companies lead the way in showing that weaponizing it is not the only way to achieve commercial success. 

Our guest is Rory Sutherland, and your hosts are Lasse Frost and Jakob Danelund. 
 
This episode takes a deep dive into how you can use ideas and tools from advertising and the creative industry to make compliance great again. 
 
Follow Rory Sutherland on LinkedIn here. 
Learn more about Oligvy here. 
Sign up for Nudgestock 2021 here. 
 
Rory’s vision: 
That the three areas of business – Marketing, HR, and Compliance – will be deeply psychological in accepting complexity and highly admitting to creativity. That they will escape the quantification bias and deterministic fashions – simple systems that are psychology-blind – that currently deludes managers, simplifies the individual into a single function leaving them highly amenable to automation (and boredom!), and prevents business instead of enabling it. 
 
Rory’s 3 advice: 
What can we do tomorrow: Try to understand the internal culture and teams needs from an anthropological and psychological level, not through an artificial mechanistic view. What can we do in 6 months: Put an effort into rewarding brilliance far more and punish deviance far less. What can we do in 5 years: Acknowledge the need for subjectivity and novelty! All rules will be gamed at some point, so it’s important to change them once in a while and not steer towards one goal blindly. Don’t make procurement all about saving money, don’t make compliance all about box-ticking, and try hiring people without a college education. 

Welcome to our second season! We have learned a lot from the first 5 episodes – and we want to share some great news with you. Tune in and find out why we are so excited about the coming season.