Your articles

 Ken Cohen  (MBA Management 1995)

Information security and data protection can be interesting

Three years ago, whilst working as a Learning and Organisation Development specialist for a medium sized management consultancy, I was asked to design and manage the delivery of a training programme to reach several thousand employees for a large UK financial services firm, both here and offshore. 

Out of the blue? Not really. I had managed similar large-scale programmes for UK corporates in the past. Exciting? Of course!  Programmes such as these pose real challenges; no organisation and no programme is the same, so the opportunity to be creative is vast. 

Downsides? Yes, one. The subject of the training programme was information security and data protection. I yawned, as I did when I myself sat through information security and data protection training years ago. PowerPoint slides; bullet points; legal jargon; dry; dull; technical. “There are eight data principles enshrined in law...”, etc. 

The challenge was two-fold. First, could I bring to life a subject in which, mostly, people have little if any interest? Second, how could I approach this assignment in a way that would make me feel proud to be associated with it?

I needed an angle. So I trawled the internet, searching for articles published in the national and local newspapers over the previous eighteen months.  There was no shortage:
• The records of 25 million people in the UK lost by a government department;
• Hundreds of laptops with unencrypted patient information lost by NHS trusts;
• Financial services firms fined sums from £1m to over £3m for losing the personal information of hundreds of thousands of their customers;
• Top secret documents left by senior intelligence officers on commuter trains and aeroplanes only to later surface in the newsrooms of a national television channel.
There were hundreds of articles and reports. And two themes emerged.

First, individuals whose personal information was among the lost or stolen data, were at increased risk of falling victim of financial crime, and in some circumstances to identity theft and fraud.

Second, the extreme distress caused to victims, be it through having their bank accounts raided or their identities hijacked, was as great as for those whose medical records were found intact on the street.

There was clearly good reason for people to understand their responsibilities as employees for protecting personal information. So, with billions of pounds per annum spent on IT solutions, systems lockdowns, full disk and email encryption, and the like, why were firms up and down the country, from retail to pharmaceuticals, from financial services to government departments, haemorrhaging the personal information of their customers and employees? 

Then I found the connection. Two independent pieces of research conducted in the UK, (also replicated around the world), found that up to 60% of people interviewed would hand over their personal information including passwords to strangers on the street. If, in their own private lives, people place such a low premium on their personal information that they fail to protect it, why would they see the need to protect the personal information of their colleagues and customers they serve?

Suddenly, this training programme was lifted up the value chain. Its emphasis shifted to changing the personal attitudes and behaviours in order to plug the gap that IT solutions do not fill.

None of the newspaper reports I had read were about ‘stupid’ people doing ‘stupid’ things so putting their customers at risk. They were typically about ordinary people. People like me. People like you. People who, in a momentary lapse, did something out of character. Something which resulted in huge consequences for them as individuals and for all those who may subsequently have fallen victim to financial crime.

By now, it was simply a means of being creative! I developed a series of scenarios, scripted them, hired actors who played out the scenarios on film. The resulting videos, alongside supporting materials, formed the core of the training programme which was targeted at thousands of employees.

My ‘eureka’ moment led me to establish The Fifth Business Experience Ltd. This specialises in designing and delivering bespoke information security, data protection and anti-bribery and corruption training that resonates with employees, captures their imagination, challenges their existing assumptions and changes their behaviours. 

Every client and every opportunity is different. For some, it’s about creating a ‘face to face’ training programme delivered by experienced trainers.  For others, it’s about training managers to train their teams, providing everything they need in a simple and clear format so that none of the power of the training is lost through delivery by those who have never previously trained people. At other times, it’s about designing and delivering high quality e-learning programmes.

What all these approaches have in common is that they exploit the use of storytelling. Everyone likes a good story – and crime dramas are amongst the most popular of TV genres. Research shows that people learn from stories, whether told to them by a trainer or a manager, presented to them on an e-learning platform, or played out to them by actors on video. The approach enables us to firmly link actions to consequences and to lift information security from the abstract to the personal and emotional.

So what part has Cass played in all this?

Frankly, it changed me. Not perhaps in the short term, but certainly as my career grew and developed. I graduated in 1995 from the Management MBA programme, a consortium based MBA with sponsors as diverse as Sainsbury’s, Anglian Water, Norwich Union and Ford Motors. 

Sixteen years later, the words of our esteemed academic leader, Ronnie Lessem, continue to ring in my ears. He implored us not simply to ‘do’ the MBA to get a better job, to increase our promotion prospects, or to command ever rising salaries. For him, the MBA was a route to bringing about change. Not just in the organisations in which we worked, but in and across our local communities and society at large. “Be passionate about what you do, and feel it from in here,” he would say, as he patted his gut!

And now? I don’t just design and deliver learning and development programmes and bring regulatory training to life. I have a higher purpose; a vision, which, as it is played out, makes me “tremble with excitement”, to quote Ronnie again. My purpose is to change the attitudes and behaviours of those I work with. To open their eyes and become more aware of how they can better protect themselves, their customers and their businesses so that collectively, we can fight the rising tide of identity theft and financial crime. 

Client feedback tells me I make a real difference – and I am fortunate enough to do it in a way that is creative, impactful and great fun!