Welcome to Trendy Words, the podcast about words and phrases that are popular in business and marketing, but are often misleading, meaningless, or outright bullshit. We talk about these words and what we could be writing or saying instead that is more effective.
00:01.18
Andrew Monro
Welcome to Trendy Words, the podcast about the meaningless, misleading, and nonsense words we use in business marketing and what we can do about them. My name is Andrew, copywriter and part of your attack surface area.
00:13.01
Andrew Monro
And our word for this episode is human firewall from the subset of marketing in cybersecurity. I am joined today by my guest, Sara Carty. Hi, Sara.
00:25.72
Sara
Hi Andrew, how's it going?
00:27.29
Andrew Monro
It's doing all right. It's a lovely sunny day here in the UK. And yeah, it's, it's, we're recording this on a Friday, and hopefully we have a nice relaxing weekend ahead of us.
00:40.17
Sara
Let's hope, let's hope.
00:42.01
Andrew Monro
Yeah. Yeah. So what do we start off for those people that don't know who you are? You want to share a little bit about who you are and what you do?
00:53.12
Sara
Yeah, absolutely. So Sara I live in London, originally from Canada, Montreal. And yeah, basically, I've been working in tech for about 15 years, mostly in startups.
01:08.25
Sara
And I would say probably in the last five years, I've been focused primarily on cybersecurity. So I have a marketing agency that focuses on cybersecurity marketing.
01:20.88
Sara
called Unboring, which I've built with my business partner, Kelly. Shout out to Kelly. And so we basically, all of our clients, all of our focus and our backgrounds, especially are within cybersecurity, which is great for us and why we focus on it.
01:42.07
Sara
I'm also working on my doctorate in cyber diplomacy with the University of East London. So that is slightly more, I guess, a little bit different to just a straight cybersecurity focus. It looks at, I would say, the intersection between cybersecurity and geopolitics. So little bit still relevant, I would say, but slightly different.
02:06.82
Sara
And yeah, I think that's probably enough about me, to be fair.
02:12.09
Andrew Monro
Yeah. And one of the ways that I think one of the things that originally got my attention how I met Sara was that you don't usually hear a lot about marketing specifically in cybersecurity spaces.
02:27.80
Andrew Monro
And Sara is one of the few marketers that I've seen that has a speaking spot at a cyber conference that I had attended.
02:27.90
Sara
Yeah.
02:38.55
Andrew Monro
And I think, yeah, that was probably, I think, the first time that I actually saw your name in print and I thought, who are these people? This is great because, yeah, marketers don't, yeah, we don't usually have much of a platform in the very sort of technical jargony world of cyber.
02:50.90
Sara
Yeah.
02:56.15
Sara
Yeah, exactly that. I mean, I was probably just as surprised as you were, to be fair. But I think there's what I was talking about at that session, as far as I remember, was phishing for awareness. So how you can leverage marketing psychology for security engagement and security awareness and training.
03:17.30
Sara
And I think that's something that I'm quite passionate about. It's something that I tend to research quite a bit as well. There's a lot, I think there's a lot that can be done and said about it, but from my perspective, you know, it is all about engagement. It is all about getting that employee to really sort of perk up and show interest and then retain the information.
03:42.76
Sara
Marketers are fantastic at that. That's what our job is. Our job is to engage.
03:47.42
Andrew Monro
me.
03:48.25
Sara
Our job is to build brands that are memorable. And so, you know, being sort of a fleeting thought or sending a, in my experience at least, you know, sending through a two-hour security awareness training that I'm likely going to forget,
04:06.04
Sara
you know, as soon as I turn it off and finish it up isn't really effective. But what can be effective is building campaigns in the same way you would a marketing campaign.
04:18.35
Andrew Monro
Yeah, and I feel like that segues really nicely into talking about our phrase today, human firewall, because so much of, I feel like the entrenched jargon in cybersecurity marketing subtly and sometimes more overtly tries to make people feel kind of bad about their fallibility as human beings. Yeah.
04:42.55
Sara
Yeah, yeah, I totally agree with that. I think that if you take it back to what we learn in marketing psychology, especially, you know, fear will only take you so far, but blame is never going to get engagement. So I think looking at it from the perspective of how would I really leverage this or launch this campaign, I should say, you know, I think that's a better approach. I think there's a lot to be said when you, you know, when you on one side say something like the human firewall, like you said, and, you know, sort of put people in a position of somewhat, you know, responsibility.
05:25.99
Sara
But then on the other side, you say, well, humans are the weakest link. You can't have it both ways. You know, there has to be some sort of empowerment built into the way that you train people so that not only do they think about security in terms of what they're doing in the workplace, but they think about security in terms of how can I keep my kids secure online? How can I be secure when I'm doing my banking? How can I, there's so many other facets. And I think that we almost approach it in a way where it's completely separate. And we focus on these things where, you know, we send the phishing simulation or we, and it just, it has this, you know, uh,
06:09.19
Sara
it feels very much like you're trying to trick people and people don't enjoy that a lot of the time. So I think from, at least from a marketing perspective, it's not how I would build a campaign.
06:15.67
Andrew Monro
Hmm. Hmm.
06:22.15
Sara
And also I have to say, and I've said this in my sessions in the past, and I've said this in the session that you watched, actually, you know, if I build a marketing campaign and it's not effective, don't then just blame people.
06:38.24
Sara
the audience, right? I have to look internally and think, how did I, you know, what did I do here to not get them engaged or not get their attention? Or, you know, how can I optimize or change or pivot or whatever it might be?
06:51.49
Sara
But in security, that happens all the time, you know, oh, it's the people, oh, you know, they're not, they're not taking it in, they're not learning well enough, they're not, you know, they're not taking training seriously. And you think,
07:02.50
Sara
I personally don't take training seriously unless I'm engaged, you know, unless there's an interest for me outside of just, you know, it meets this policy or the tick box.
07:13.02
Andrew Monro
And I think that that's an issue throughout cybersecurity is that
07:19.73
Andrew Monro
regardless it often seems of the efforts of the people actually working inside of your cyber department, that it's often communicated and made to feel like cyber and the whole practice of just safely being online at work is a burden and it is time and it's time consuming and it is viewed persistently as a cost center.
07:37.93
Sara
Yeah.
07:43.01
Andrew Monro
I mean, and I, to a degree, I kind of get that because your security is not generally where your business makes revenue.
07:51.75
Sara
Exactly.
07:52.27
Andrew Monro
But at the same time, just making people feel, making it feel like a burden all of the time. I don't see how that helps the case in any way.
08:02.90
Sara
Yeah, exactly. And I think I feel for... anyone in the security awareness space or doing any sort of training in security, because a lot of the time they don't get that sort of buy-in. They don't get the opportunity to really say, well, let's look at how we can build out this campaign or let's look at how, because they don't have that sense of autonomy, I feel. And this is just from speaking to, you know, the people that I know in those spaces, in those careers.
08:31.61
Sara
And it can feel like, you know, they're kind of like a, like I said, a tick box exercise, let's just get it done. Let's just get it out of the way, we need to get it, you know, we need to find something that will work.
08:39.85
Andrew Monro
Mm-hmm.
08:44.56
Sara
And, you know, who cares if they retain the information. But then if you think about, you know, almost any other type of training, you really, you really do prioritize, like, if you think about learning and development departments in larger companies and corporations, you know, you really do have to think about the metrics around retention of information and how it's applied within the company and, you know, because that's how it's measured.
09:10.29
Sara
So I think it, you know, I hate to just blame any one person. I think it's, you know, there's a bigger systematic issue at play here because it's not prioritized.
09:24.41
Sara
Engagement isn't prioritized. It's just looked at as like, you know, kind of a tick the box, like I said, and it doesn't empower anybody.
09:34.30
Andrew Monro
Yeah. And I feel like a lot of it ends up being treated a little bit like insurance. Like you're taught all of this stuff, but you're told it's like, hopefully you'll never have to use it. And that you can just, yeah, quietly just sort of, oh, we have to do this in the background.
09:44.32
Sara
Yeah.
09:47.41
Andrew Monro
We have to get our cyber-ish, was it Cyber Essentials Plus certification.
09:52.18
Sara
Yeah, yeah.
09:52.38
Andrew Monro
But once that's done, hopefully we never have to think about it until there's an attack. And then suddenly it's, oh, wow, well, maybe we should have checked to make sure that people actually learned something in that security session that we make them take every year.
10:00.15
Sara
Yeah.
10:08.63
Sara
Yeah, and I understand. I mean, I get the rhetoric around people being, you know, the weakest link or, you know, whatever you might call it, because, you know, phishing and social engineering breaches are still incredibly high up in comparison to a lot of other types of threat vectors. So it makes sense that that would be something that you would talk about and sort of prioritize, position it that way.
10:34.93
Andrew Monro
Yep. Yep.
10:35.33
Sara
But then you can't have, again, both sides because if you're not prioritizing the training and you don't care as much about getting the actual engagement rather than just getting it done,
10:47.59
Sara
You know, it's the same as me putting out a campaign and saying, I just need to get something out. I just need to get something out and not really thinking about what it looks like, what it feels like, you know, which emotions am I trying to hit?
10:53.49
Andrew Monro
Yep.
10:59.71
Sara
What is the color, like, you know, what types of colors am I taking into consideration? All of these things are very either emotional or psychological. And so, you know, if you think about that ahead of time, then you're likely to have something that's more successful, whereas a lot of the time, it's just get it out.
11:18.34
Sara
Just get that training out. Let's get it done. And then we're done for the year. And you'll get what you put into it a lot of the time.
11:25.73
Andrew Monro
Yeah.
11:26.46
Sara
Mm-hmm.
11:27.06
Andrew Monro
And I feel like that attitude is carried over from other areas of marketing where the stakes aren't necessarily as high. But when you take that in cyber, where the outcome and results of attack are really meaningful and can potentially financially cripple a business, then that you really do need to be able to go the extra mile in spite of the fact that the
11:41.66
Sara
Yeah.
11:52.25
Andrew Monro
payoff that you're getting from that is much more difficult to see.
11:58.01
Sara
Yeah, yeah, absolutely. I mean, and especially in the, you know, thinking about how we consume things these days, you know, it's not like it was 10 years, five years ago, even, you know, we're, we're on social media, that doesn't really require engagement, you know, we flip, think about TikTok, right, you just flip through it, you know, you might give it a little like if you're really inclined to, but a lot of the time, you know, it takes about two seconds to get the interest or not.
12:30.05
Andrew Monro
Mm-hmm.
12:30.27
Sara
And so when you put someone into the position where they have to then watch, you know, a two hour video or one hour video, and it isn't an interesting topic for them, and they're not really getting much out of it, they feel, then of course they're going to, you know, they'll pay it. I know companies and I won't name any, but I know of companies where their teams have just kind of, you know, ChatGPT, what's the answer to this? Give me it, I'm going to put it into the quiz and then I'm fine and good to go as part of their security training. And I think, you know, that obviously you're not going to remember anything from that. You're just trying to get it done.
13:06.83
Sara
The same way we did when we were in school and we would take exams and we had classes that we didn't enjoy and we memorized what we needed to do to get it done, but we didn't retain that information.
*BREAK*
00:01.29
Andrew Monro
So Sara, what can people, businesses do to get away from the ick of the human firewall? And then one of the things that you touched on was the issue of so much of the way that cybersecurity is sold and presented involves a passive consumption of information, which as you see is, like, not proving to be very good for engagement.
00:26.17
Sara
Yeah, yeah. I think, I mean, I think it's like the, I think the way that we consume media these days has changed drastically, like I said. And so you kind of have to meet people where they are, but then you also have to make it somewhat engaging and interesting and, you know, relevant to them outside of just a policy that you're trying to meet or, you know, tick box, like I said.
00:54.23
Sara
One way I've seen this done quite brilliantly is there's someone I follow who is in the security awareness space and he does presentations to sort of corporate companies. So quite, quite large.
01:08.60
Sara
And what he'll do during his presentation is he'll throw in a few slides. And of course, it's not a security awareness tool. So it's slightly different, but it's still relevant and can be implemented into technology as well. But what he'll do is he'll throw in a few slides where he talks specifically about keeping people's children safe online.
01:31.05
Sara
And the reason he does this is because he knows that probably about I would say he's said about 65, 70% of the people in the room that he's speaking to have children.
01:42.63
Sara
So even if they're not paying attention up to that point, when they hear about how to keep their children safe online, they perk up. And then he'll merge some of the information that he's trying to get across to them to sort of retain with some of that information, those takeaways that they will care about, about keeping their children safe online. So it is a lot about developing content that makes the difference that matters.
02:06.80
Sara
If you're just doing it and, you know, I want to create a product and then you have, you know, I don't know, cartoons that look like they're from the 1990s or, well, actually I won't say 90s because nostalgia is back, but 2005, let's say, or, you know, sort of workflows within the tool that just don't make sense or don't give you anything.
02:29.93
Sara
For me, personally, I would do things like choose your own adventure or something that is a little bit more, I guess, representative of the role or the department that they're in. Or there's so many different ways. And I think this is what we do in marketing, right? We come up with campaigns.
02:48.63
Sara
We look at who our ideal customer profile is. We try to, you know, put together lists of things that there may be some interest in. And we do a lot of research before we actually build something that we want people to engage with.
03:01.80
Sara
And I think that needs to be consistent. And so with these kinds of security awareness tools, the same rules apply. You know, media is consumed the same across the board.
03:13.35
Sara
Whether you're in your office or not, you're still scrolling TikTok the same way or you're still on LinkedIn the same way. So that needs to be implemented in the same way.
03:23.94
Andrew Monro
And really working on building and communicating these things with a real sensitivity to this is the way that people behave. This is the way that people consume content rather than the more corporate authoritarian of, you need to comply with this.
03:39.36
Sara
Yeah, exactly. Yeah.
03:42.37
Andrew Monro
Yeah.
03:42.47
Sara
You're telling people that they just need to do it because is no longer, I don't know if that was ever effective. It might've been, but it is not, it is not going to be effective in this day and age people, you know, it's a different, it's a different life now, right?
03:57.82
Sara
We've, we've been online, we've, we've got social media, we've got, you know, there's so many things that have changed so drastically over the course of the last 10 years. Yeah.
04:07.97
Andrew Monro
And so much of it as well, I feel, is also it's become a lot more nonlinear, whereas we've come a long way from being able to get from idea to result in a sort of a more or less linear process pattern, especially when it comes to doing corporate work.
04:25.43
Andrew Monro
And now it's, you don't really know always at all where you're going to get the result. And it may come linearly. It may not. Especially when we talk about the way that marketing works, which is often incredibly non-linear is the, we are often, despite, I feel like the talk about always being constantly data-driven, a lot of what we end up doing are really just like,
04:36.45
Sara
Yeah.
04:50.12
Andrew Monro
what we safe gambles on what we are believing the tendency of human behavior to be.
04:57.06
Sara
Yeah. Yeah. And I think that that's, you know, the correlation between a great marketer and someone who understands both marketing and human psychology, you know, that there's, there's, in my, in my opinion, you know, great marketers are probably also yeah or not also, but could be the probably the greatest of cyber criminals, to be fair, hackers in general, because there's so much overlap between the two.
05:23.23
Andrew Monro
Yeah.
05:27.71
Andrew Monro
Yeah. So when you're giving, say, you have to go and give these kinds of workshops to your clients and in front of other businesses, what do you hope that your audience, like, understands going into that?
05:47.88
Sara
I think it's more of the, I guess there are a few things. There are a few, I would say, there are a few things that marketers will use when they're building campaigns that can be incredibly useful for, um, for building security awareness.
06:04.29
Sara
And I guess by that same token for, you know, are being used by cyber criminals. So why not leverage what we're seeing happening for good, you know, why not build that into products that we're using to train people, rather than shying away from it, let's leverage things like social proof, let's leverage things like the curiosity gap and a sense of urgency. It's to say, you know, when we see an email come through inbox, and we say, oh, you know, it says sale, there's only three days left, you know, to get this two for one deal of something that you really enjoy.
06:39.49
Sara
you know, it's, it's doing its job, it's giving you that sense of urgency. And you see that a lot, sort of with social engineering, they leverage all of the same tools as marketing does, for the most part, you know, better than some marketers do.
06:54.21
Sara
But I think it's understanding that that can also be leveraged for training purposes. So making sure that you are educating people about the fact that, you know, there are these terms like social proof or urgency or whatever it might be that are being used in marketing.
07:10.22
Sara
And then they're more knowledgeable about it, not only for criminal activity, but, you know, they can have a better sense of themselves when they see an email come through that says, you know, sale ends in three days.
07:22.57
Sara
and going, oh, that's the curiosity. Oh, that's the urgency. Oh, that's the curiosity gap, whatever it is.
07:26.66
Andrew Monro
No.
07:27.98
Sara
Or, you know, they give you a little bit of a peek of something and then, you know, try to draw you in. That's all, those are all marketing tactics. And so they're being leveraged in many different ways.
07:37.24
Andrew Monro
No.
07:40.18
Sara
They're just not being leveraged in the best way for training purposes.
07:45.22
Andrew Monro
And I feel like one thing to really underline is like, it's nothing that we are doing. We have all these fancy names for it in terms of social engineering and social proof.
07:52.63
Sara
No.
07:57.05
Andrew Monro
And like in marketing, we love, like half the reason this podcast exists is we have a deep abiding love of putting funny labels on things.
08:04.92
Sara
Yeah.
08:05.17
Andrew Monro
What we're really talking about are human behaviors that have been around since the pyramids were being built.
08:05.98
Sara
Yeah.
08:13.01
Andrew Monro
We've just studied them a lot more and we've defined them in such a way that we can talk about them as discrete things.
08:15.89
Sara
Mm-hmm.
08:21.66
Andrew Monro
But really, these are all things that every single human being experiences probably on a day-to-day basis. They just don't have a name for it.
08:31.03
Sara
Yeah, absolutely. I mean, we all get those emails that, you know, are trying to sell us something. We all get those emails that say, you know, your password might expire or, you know, they're one and the same, really.
08:45.17
Sara
I think it's just a matter of leveraging those types of frameworks for, you know, training purposes more so, so that people are aware of it because we're aware of it. We're marketers. We know, we leverage it. We, sort of, use it in and out on a day to day basis, but it's not apparent to everyone.
09:03.26
Sara
Of course it wouldn't be, you know, we're leveraging it for our campaign. So we know about them.
09:07.70
Andrew Monro
Yeah, well, nobody ever talks about being like when a friend introduces you to another friend, you don't immediately think, oh, that's social proof right there. That's just not something that we think about when we are dealing with people in person.
09:17.60
Sara
Yeah.
09:21.35
Andrew Monro
It's only something that we start thinking of in that way when suddenly we're doing that in this impersonal space of digital marketing.
09:21.43
Sara
Yeah.
09:29.89
Sara
Yeah, absolutely. And that's exactly it. I mean, you, as a marketer, your brain thinks in terms of these processes and these frameworks and all of that. But if we start to decentralize that a little bit, if we start to share that knowledge, it helps people beyond just security awareness. It helps people to understand a little bit more about human behavior, but also about things like their buying habits or, you know, prompts that might affect them more, or, you know, there's all of these things that are quite interesting that could be great to share.
10:03.30
Andrew Monro
So if you were speaking to a business person and you were looking for like, where could they start looking in their own business for clues and evidence that this is happening, where would you suggest that they look first?
10:15.15
Sara
I mean, I think it depends on where the interest is. So if they're looking for anything from,
10:25.72
Sara
just like a people-understanding-people perspective. Um, there's some really good books. I have them right in front of me actually, funny enough. Uh, but there are really some great books about understanding human behavior. So there's one called Sizing People Up by Robin Dreeke, former FBI, and I won't give it away, but very, very useful. But there's People Hacker by Jenny Radcliffe. She's very well known in cybersecurity, so I don't think I have to share too much more about that.
10:54.96
Sara
One that I really, really liked and I think taught me quite a bit was The Psychology of Spies and Spying by Adrian Furnham and John Taylor.
11:08.33
Sara
And that was really interesting because it kind of brings both sides of, I would say probably the side of obviously, you know, security, not maybe cybersecurity, but security and breaches and things like that, but then also the human element.
11:23.03
Sara
So understanding how people would manipulate people, how they would interact with people, how they, so I think it gives a lot more than just, you know, this is what happened and this is, this is like the historical aspect.
11:38.34
Andrew Monro
All right. And I'll make a note of putting those titles into the show notes as your recommendations later on.
11:44.94
Sara
Thanks.
11:46.14
Andrew Monro
Cool. So Sara, if anybody wished to get to know you better or wanted to reach out to you, how did they find you?
11:54.37
Sara
You can find me on LinkedIn. I'm on LinkedIn probably more than I should probably share. So definitely find me on LinkedIn. You can find me on my website, unboring.digital.
12:07.28
Sara
I'm going to be at ICE coming up in September, at the end of September, the International Cyber Expo. I do try to go to most of the cybersecurity events, at least in London, because I'm local.
12:20.75
Sara
So you can find me probably at any of those. And yeah, feel free to connect with me on LinkedIn. Feel free to engage. I mean, I'm always excited to talk to people about these topics, especially because I think, you know, marketing psychology within cybersecurity is such an interesting topic, but also so relevant and useful.
12:42.20
Sara
If you have that digital marketing background, especially, I find it just fascinating.
12:47.86
Andrew Monro
Cool. Well, thank you very much, Sara. And thank you for listening. If you enjoyed this episode, I would really appreciate a like or a comment to let me know what you liked about it. If you're interested in leaving any more direct feedback, you can find me on LinkedIn at A.G. Monro.
13:06.76
Andrew Monro
You can also send me an email at Andrew at Andrew Monroe dot com. And like Sara, I do also plan to be at the International Cybersecurity Expo in London at the end of September.
13:19.67
Andrew Monro
If you're there, I look forward to meeting you. All right, then. I'll see you in the next episode. Bye.