We’re all about the human factor, and this means that we’re interested in the humans in our industry, and their story. So in continuing our theme of putting cyber security professionals in the hot seat, this week we’re shining a light on cyber entrepreneur David Shipley.
David Shipley is an award-winning entrepreneur and head of the pack at Beauceron Security, and is this week’s sponsor of the Re-thinking the Human Factor Podcast. We were thrilled to dive into great discussion with David Shipley on the podcast which you can find out more about here.
Tell us a bit about you, Beauceron Security and what you do?
At Beauceron Security we’re helping empower individuals by putting them in control of the technology they use every day. We provide the right information, at the right time to help individuals, leaders and organisations make better cyber risk decisions. We’re doing what smart watches have done for exercise and applying the concept to cybersecurity awareness.
Our cloud-based platform gives employees a powerful personal cyber-risk coach empowering them to improve their cybersecurity practices and behaviours. We serve clients in North America and Europe in every vertical – from banking to government, from manufacturing to IT and health care. They’re working with us because of the powerful combination of insightful analytics, turnkey automation and behaviour change development and sustainment.
Our platform combines concepts such as phishing, security awareness and risk scores to create a powerful experience that uses data to drive better decision making throughout an organisation.
How did you get into doing this?
I’ve been a Canadian Army soldier, a newspaper reporter, a digital marketer for a university and most recently an accidental cybersecurity professional. I went down the rabbit hole of cybersecurity on Mother’s Day 2012. That’s when my employer, the University of New Brunswick, was hacked via SQL injection by hacktivist group called Team Digi7al, who was on a tear hacking public institutions across North America. I became aware of the breach early that Sunday morning and helped alert the IT team and helped the CIO work through incident response using my military and journalism experience.
The CIO then recruited me from the marketing department at the university to build out its cybersecurity practice. For five years, I built the incident response, security monitoring, threat intelligence and security awareness functions at the university.
I was initially focused on finding a technology solution to cybersecurity. UNB was the birthplace of the QRadar SEIM and the start-up Q1Labs that built it. Q1 was later acquired by IBM for reportedly more than $600 million in 2011, one of Canada’s top cybersecurity firm exits.
For the first two years of my role I tried to build a technological silver bullet, a digital immune system that would detect cyber threats and automatically respond. But I constantly ran into the practical realities of cybersecurity – technology’s limitations and most importantly, budget and time limitations. As we hit that wall, I discovered the huge untapped human potential for cybersecurity.
What’s the big idea behind what you do at Beauceron Security?
We turn people from the passive victims of cyber crime into the active defenders, or as we like to say, from the sheep to the sheepdogs. We called that the sheep dog effect. That’s why our company and our technology is named after a sheepdog from northern France, the noble Beauceron (well, that and Sheepdog Security was already taken as a name).
To enable the sheepdog effect, we had to overcome two biggest current problem in traditional computer-based security awareness and phishing. The first is that people don’t see the connection between their knowledge, attitudes and behaviours and their personal and organisational cyber risk. The second is they don’t know if what they do matters.
That’s why we pioneered an easy to understand personal cyber risk score. The personal risk score is an individual’s cyber risk coach. It tells them if they’re headed in the right or the wrong direction and gives an opportunity to improve by correcting risky behaviours or filling in knowledge gaps. The risk score applies some of the key concepts of gamification by incentivising good security behaviours through our revolutionary approach to status and recognition-based rewards which clearly contribute to improved scores.
Ultimately, we’re trying to bring balance back to cybersecurity. When you dive into the original meaning and intent behind the word cyber, you find it is related to three key concepts: people, control and technology. For the past 30 years we’ve continuously tried (and failed) to use technology to solve this problem or worst to put technology in control of people. If we’re going to have a better future in cybersecurity, it has to be about putting people in control of technology.
What are some of the key challenges facing the security industry today?
Getting the attention of chief information security officers beyond check-the-box compliance. Many struggle to show the value of the insights that can be gained from security awareness and behaviour change to helping improve business processes, security tools and how the organisation detects and reacts to incidents to CISO’s focused on technology solutions. This struggle is clearly reflected in fact that security awareness spending represents a paltry 1.5 cents of every security dollar spent globally.
To change that story, as an industry, we need to provide better tools that generate more meaningful metrics that can help demonstrate and sustain individual behaviour change while generating valuable, proactive active or left of breach insights organisations can use to genuinely reduce cyber risk. We need to find and enable CISOs who want to engage and empower every individual in their organisation.
What big changes do you see happening in the industry over the next 3 years?
We have the opportunity to exceed the compliance stage of cybersecurity awareness and enter the data driven decision making or metrics stage. We have to move beyond training completion rates or phishing completion rates to find better indicators of success and better leading indicators of cyber risk. For example, we’ve helped hundreds of organisations gain deeper insights into people, process and culture (as well as technology) based risk through our platform.
We’re also pushing the state of the art by exploring the emotional side of social engineering, new approaches to celebrating positive behaviours and by providing new incentives and reinforcement models for individuals to learn from their mistakes.
What drew to want to sponsor the Re-thinking the Human Factor podcast?
The key for us to advance the state of the art in cybersecurity awareness for us all to share ideas with each other and continue to improve and iterate. We wanted to support this fantastic initiative and contribute some of our thoughts and ideas. We’re excited for the chance to get feedback from our peers and hopefully we can help a few folks along the way.
What’s been your favourite episode and why?
Season 1, Episode 9 with Dan Ariely. I loved Predictably Irrational as a book and thoroughly enjoyed the conversation between Dan and Bruce and the focus on understanding the root causes for why people make decisions and how we can use that knowledge to provide not just better awareness, which is good, but better processes and tools as well, which is fantastic.
What one thing do you want the RHF listeners to take away about your service?
When we first started Beauceron, our goals were to reduce the burden of building and executing the digital components of a cybersecurity awareness program. Our goal was to reduce the burden by 70%, freeing time up from tactical, repetitive tasks such as reviewing spreadsheets by leveraging automation while also creating a more engaging experience for the individuals we’re trying to help. That time then could be spent planning better strategies, engaging stakeholders through other means including in-person.
Over the past two years we’ve brought forward massive innovations that have helped many firms thanks to our partners in the financial sector. We’d love to work with even more passionate security awareness professionals to continue to iterate on what we’ve built so far.
We’re looking to work with people who want to move beyond compliance, who are driven to excel and to take the best ideas from marketing, behaviour economics, psychology and more so we can take ideas like re-thinking the human factor and turn them into reality.
Listen to the podcast
You can listen to Bruce and David in conversation right here.
Find out more