Industry News


12 Mar 2018

Engaging with your people to make InfoSec an enabler

Mark Nicholls

Ahead of his panel appearance at Cloud Security Expo, Nicholls discussed the best way to help your people stay secure, without creating a ‘blame’ culture.

“Users are the weakest link.” This phrase is often rolled out, and has gained serious traction when discussing cybersecurity. Nicholls, however, is not a fan. He argues that colleagues, customers and partners can actually be the strongest line of defence in the fight for information security.

At Peabody, Nicholls tries to ensure his team are always on hand to give help and support, and encourage people to speak to the team if something doesn’t feel right – even if nothing comes of it, he argues, it is better the team knows.

By combining this approach with awareness and education, and avoiding a blame culture, Nicholls believes his colleagues are empowered to become security champions, rather than being afraid of it.

Changing security culture

It is an unfortunate fact that organisations with this structure are probably the exception. Changing behaviour so that people feel more able to approach their information security team can be difficult.

Nicholls recommends starting at the top. By leading through example and changing the culture at c-level, it’s far easier to instil an enthusiasm for security throughout the organisation.

At Peabody, Nicholls notes that the CEO had previously seen information security as something purely for the IT team to worry about. After the director of finance received an email from somebody masquerading as the CEO, asking for a money transfer, did he realise the importance of security, and the role that everybody has to play.

Following that, the CEO took part in a short video for staff, where he spoke about the importance of information security. Personalising the risk in this way, Nicholls argues, is far more impactful and helps people become aware of what they need to do and need to know.

That human element is key. In Nicholls’ experience, people seem to be relatively adept and aware of security risks when doing online shopping at home, for instance. But once they enter the workplace they tend to see the personal impact to a lesser extent.

Opening up a conversation with an example helps people understand how better practices can directly affect them. Nicholls once explained to a member of HR staff that by leaving their workstation unlocked with the HR system open he could change the bank details of their payroll record so that their salary could be paid to him.

This action would have affected them very directly in the sense that they wouldn’t be able to pay their bills. That person, Nicholls says, now locks their workstation whenever they leave their desk, and encourages others to do the same.

How InfoSec has changed

Having started his information security career in academia 12 years ago, Nicholls’ career developed through traditional IT roles and into more specific security responsibilities. A chance meeting at another university led to him joining a group of security professionals based in London, who collaborated and brought new ideas together.

Discussions at this group made it clear that they were all facing the same challenges. At that time, there were very few full InfoSec teams in academia, and looking back now, Nicholls sees a similar trajectory to maturity in different industries.

What this path to maturity does cause, he argues, is a stifling of collaboration. In the commercial sector, where competition drives a lot of behaviour, this is particularly true. According to Nicholls, this approach doesn’t help the end user. Cross-sector collaboration, he says, has a long way to come.

Saying ‘yes’ – securely

By consistently saying no, and blocking requests, security teams can be seen purely as a barrier, which encourages a move towards ‘shadow IT.’

At Peabody, there is a need to share sensitive information with partners. However, because IT had not previously come up with a solution to securely share this data, they had been telling staff not to do so. That led to some people using Dropbox, which obviously the IT department can’t control.

Nicholls’ approach was to embrace the challenge and look for a solution that would not block business-critical operations. The result was a successful, award-winning solution.

The relationship between InfoSec and the rest of the business

The security team, Nicholls notes, are trusted by the rest of the business to deliver secure solutions and keep them safe. Evaluating risk is a big part of that job, and a mixture of solutions can be put in place that means the InfoSec team can be seen as an enabler rather than a blocker, while also satisfactorily keeping the business secure.

At Peabody, there is backing from the most senior staff on this point. Nicholls says his first exposure to the board was with the signoff of the overarching information security policy. At the time this happened, the chair of the board was also involved with an NHS trust that had been affected by the WannaCry attacks.

This meant they understood the risks and was familiar with the consequences of an attack. As such, Nicholls and his team gained the full support and backing of the board. This, he says, is a vital ingredient to producing an effective and secure InfoSec policy – but also one which allows them to say yes.

View all Industry News

Latest News

2019 Sponsors

Diamond Sponsor

  • Huawei Technologies

Theatre Sponsors

  • Netpoleon
  • McAfee
  • Senetas

VIP Lounge Sponsor

  • Cyfirma

Platinum Sponsors

  • Cloudfare
  • McAfee

Platinum Sponsors

  • Pacific Tech
  • Sophos

Gold Sponsors

  • Aversafe
  • Barracuda
  • BlackBerry Cylance
  • Cato Networks
  • CISCO Meraki

Gold Sponsors

  • Forcepoint
  • Forescout
  • Fortinet
  • IBM

Gold Sponsors

  • Retarus
  • Silver Peak
  • Singtel
  • Telstra
  • Zscaler

Silver Sponsors

  • Halodata
  • Tindo Group
  • Hillstone Networks
  • A10 Networks
  • 689 Cloud
  • Checkpoint
  • Nozomi Networks

Silver Sponsors

  • Alsid
  • Aqua
  • Aversafe
  • ICE71
  • Illumio
  • CyberArk

Silver Sponsors

  • Darktrace
  • Radware
  • Endpoint
  • NSFocus
  • Techfindr
  • Qulays
  • Centrify

Silver Sponsors

  • Git Lab
  • Jetico
  • Senetas
  • Sonic Wall
  • Terrabit Networks
  • BluePIsh
  • Keyless

Silver Sponsors

  • IntSights Cyber Intelligence
  • Kanguru
  • Thales
  • Tufin
  • Uniscon GmbH
  • Senhasegura
  • OneKIY

Silver Sponsors

  • WatchGuard
  • Groundlabs
  • Jiransoft
  • Horanji
  • ViewQuest
  • Zimperium
  • Seconize

Bronze Sponsors

  • ALC
  • AnqLave
  • Utimaco
  • Axway
  • Digital Shadows
  • KeyOptions
  • Zetaris Pty Ltd

Bronze Sponsors

  • AlgoSec
  • Cyberint
  • PT Sydeco
  • AppviewX
  • Netskope
  • Business Intelligence Technologies

Bronze Sponsors

  • HackEDU
  • HaltDos
  • Cyber Intelligence House
  • Tenable
  • Noviflow
  • M2M Connectivity

Bronze Sponsors

  • Hyperg Smart Technology
  • Iconz
  • Proficio
  • SecneurX
  • NSecured
  • Nexright

Bronze Sponsors

  • Icyberwise
  • Privasec
  • Ubiq Security
  • UCWare
  • PI Exchange
  • Bitglass
  • Exclusive Networks

Bronze Sponsors

  • ITEL Learnings Systems (S) Pte Ltd
  • NTUC LearningHub
  • TransWARE
  • Plott
  • Wilson A.I Pty Ltd
  • Wiredhands
  • Audacix

2019 Partners

Knowledge Partner


News Distribution Partner

  • ACN Newswire

Associate Content Partner

  • Uptime Institute

Strategic SEO Partner

  • AdVantage

Strategic Event Partner

  • ISC2

Event Partners

  • AiSP
  • ARC Advisory
  • Asia Cloud Computing Association (ACCA)
  • Asosiasi Cloud Computing Indonesia
  • Fintech Association of Hong Kong
  • Accelerating Asia

Event Partners

  • Best Practice of eCommerce
  • BigDataX
  • CMO Council
  • La French Tech
  • ASME

Event Partners

  • Practical DevSecOps
  • Digital Advertising Association Thailand (DAAT)
  • DevOps Institute
  • Forrester
  • Singapore Chamber of E-Commerce
  • Plug And Play
  • Co Creation Lab

Event Partners

  • IASA
  • IPI Singapore
  • itSMF
  • IFMA
  • European Data Centre Association
  • GS1

Event Partners

  • KinerjaBisa
  • Logistics & Supply Chain Management Society
  • Michael Page
  • NexChange
  • SG Tech

Event Partners

  • Singapore Cyber Security Consortium (SGCSC)
  • Structure Research
  • General Assembly
  • Open Connectivity Foundation
  • Smart Asia India

Media Partners

  • APSM
  • Asia Blockchain Review
  • Asia Research News

Media Partners

  • Australian Cybersecurity Magazine
  • Australian Security Magazine
  • BizClik Media
  • European Data Centre Association

Media Partners

  • Chief IT
  • CIO Advisor APAC
  • Cross Border Magazine
  • AI Time Journal

Media Partners

  • CryptoNewsZ
  • Cyber Security ASEAN
  • Asia Content News
  • Enterprise Security Magazine

Media Partners

  • Data Storage ASEAN
  • e27
  • Fintech Finance
  • CMO Asia
  • GovTech SEA

Media Partners

  • Jumpstart Media
  • My Security Media
  • Retail CIO Outlook
  • Cybersec Asia
  • Frontier Enterprise – Jicara Media

Media Partners

  • Telecom Era
  • Supply Chain Digital
  • Techwire Asia
  • Gigabit
  • Digicon Asia

Media Partners

  • FutureIoT
  • Marketing Ops
  • Payment & Cards Network
  • Techtarget
  • FutureCIO

Official Partner Hotel

  • MBS

Media Partners

  • Wire 19
  • 计算机网络世界
  • Supply Chain Brain
  • Disruptive Tech Asean
  • FutureCFO


  • As cyber security is the hot topic at the moment, there are many exhibitors with new product showcase and conference speakers sharing their expertise, I find it very informative and insightful. My job scope covers a broad spectrum, having other shows like Big Data and IoT in one room is very convenient. Look forward to coming back next year too!
    Deputy Manager, Land Transport Authority
  • I’m interested in a couple of topics (i.e. Internet of Things, eCommerce and cloud & cyber security), so that’s why I’m here. We’ve just finished a conversation with NETSCOUT and are quite interested in their products – we will keep in touch with them to see how we can further collaborate.
    IT Manager, BSH Home Applications Pte Ltd
  • The event was good and informative. I've attended this event to browse for more products and solutions which we can use in our organisation to improve operations efficiency. I'll definitely be back next year.
    Team Lead, FMIS ICT Strategy, Lead and Innovation, Ministry of Economy and Finance
  • I attend this show with no particular focus but the speaker line up is good, the topics covered are wide as well. The speakers provide insightful content that are relevant to my job – cloud, cyber security, networks and the co-location of different shows help to save time too!
    Regional IT Governance Manager, TP ICAP