Cyber Empathy

From fear to friendship: how positive language boosts cybersecurity awareness

Episode Summary

Poor communication is a major roadblock in getting people to adopt cyber-safe habits. It has also created a major disconnect between information security specialists and the people they serve. This makes empathy essential in the cybersecurity space because it’s a constant reminder that things which are quick and easy for technical specialists can be complex and unnecessary to people with a different background.

Episode Notes

Poor communication is a major roadblock in getting people to adopt cyber-safe habits. It has also created a major disconnect between information security specialists and the people they serve.

For instance, threat-filled emails with a negative or sometimes threatening tone only confuse non-IT experts who need simple explanations and psychological safety to learn. 

This makes empathy essential in the cybersecurity space because it’s a constant reminder that things which are quick and easy for technical specialists can be complex and unnecessary to people with a different background.

By revamping security training and communication, we can make people feel comfortable with digital security practices and appreciated for their continued efforts. This is the most effective way to encourage compliance with safety measures such as strong passwords and secure document handling.

Leading organizations and their leaders through this change takes a special kind of person. 

Today, we're thrilled to welcome Ceri Jones, Head of Security Awareness & Community at Lego, to the podcast! 

Ceri is a brilliant specialist who turns research from multiple fields into real-world tactics that build security-focused internal cultures. With over a decade of experience in people-focused security and awareness, Ceri is a true champion of positive security and language. She's a firm believer in fresh approaches to security awareness that “make security more approachable, conscious and considerate.”

Episode Transcription

[00:41] Andra Zaharia: Ceri, I wanted to start with a tiny excerpt from one of your articles, where you talk specifically about empathy. And I just wanted to use that as the starting point of our conversation. You wrote that we talk about the need to have empathy and security awareness in the field of security, yet we still use terms like changing behavior. But to have empathy isn't based on the idea of changing people, you have to meet people where they're at, see them and their lived experiences, and be able to put yourself in their position to be considerate of their needs. I thought that was such a perfect way to start this conversation simply because you really put the spotlight on this need to change things and to change human behavior, which is a big goal, a lofty goal in itself. So, what do you think, not necessarily awareness, but let's say acquiring cybersecurity skills is more about than changing behavior?

[01:46] Ceri Jones: To me, one of the things that I think is really important is that when people come into cybersecurity and being here for a long time, there's all of this existing language that people adopt, and nobody really questions where that really comes from or why it's said in that way, and changing behaviors is one of those things. So, you will hear the words repeated constantly, but nobody really challenges. But what do you really expect of people? Is that expectation realistic? Does it make sense to people? Is the information that you give them accessible? Is the task that you're assuming they can do actually achievable? And that's because we know that IT systems have been built over years, one on top of the other, often independent from each other as well; so when you add in the human element into that, you just think that they can suddenly do everything because you've written it down on a computer. But in actual fact, they're often the ones to fill in the gaps but we consider the fact that because we've brought in something new, that now they're doing something wrong, now we need to tell them to change. And in actual fact, it could be the process that has never worked, they've actually added a lot of extra resilience that you don't see. But you have predetermined that they need to change to you, instead of you meeting them where they're at, and understanding and learning what they actually need. And it might be tweaking a process or policy, it may be that you need to take something away or make it more streamlined, whatever it may be. But with this focal point on behavior change, it looks like everything is the person at the end of the computer's problem as if they need to just change and then everything would be perfect. 

[03:25] Ceri Jones: But the systems are not built in that way, and we know that that isn't a straightforward relationship either — it's not that linear. So what happens is then this narrative has held itself for a long time in this space — people hear it all the time, and then that spreads to those outside of security awareness and to the people in the organization themselves and then to seniors. So, there is this expectation that it is relatively linear, that you can just tell people to do something and they will just change. But we know from all of the research and from psychology that it really isn't that straightforward, it takes a lot of time, and has to be done very thoughtfully. So, that's why I came out with the piece that you read out. When we talk about empathy in this area, there's still a lot of misunderstanding about empathy isn't about solution-izing; it's just about listening to people and understanding, reflecting, and not trying to then change them or solution-ize for them; it's just allowing them space to say something and then you trying to do something about it maybe later. But in that moment, you don't have to, you don't need to change them, you don't need to do this or that. Look at the way we use language because it really predetermines what people expect and what they think can happen. And it builds really interesting and slightly weird behaviors in people then in the security professional because they won't achieve it in the ways that they expect, so the metrics become weird, and they're looking at this, they don’t have anything to say — it's just starting to make no sense whatsoever. So, always go back to what we're doing this for, who is the security really trying to help? And what is the best way to do that?

[05:09] Andra Zaharia: Thank you so much for touching on so many essential points, a tiny masterclass that you gave us just now. I think that that's so important. The part about listening and reflecting really stood out for me, especially because I did a specific course on listening last year and I discovered how bad of a listener I was, which was shocking to me, because I work in communication and I thought that I was a better listener. But it turns out, I wasn't. Obviously, there's always a lot to learn. But this part stood out for me so much because what I have seen in my experience with people and talking to them about security is that they already have the abilities, and they already have the skills that they can apply around cybersecurity concepts, behaviors, and products, and actually integrate them in a more natural way into their lives without it being forced. But most people don't realize this because it's such a foreign concept, the language is foreign; it feels very “This is not for me. This is not part of my life. This is external.” And I feel that the same kind of perception is sometimes present in cybersecurity people as well in the sense that they see employees or people that they're trying to protect or that they're tasked with protecting as bad actors, they kind of put them in the same category sometimes, they see them as external, not as part of our group, they see them as “us versus them.” And this instant barrier cannot possibly sustain an empathetic approach. So, I was wondering, what kind of specific positive language do you use or have you found to be effective in changing that perception, both the perception that people in cybersecurity have towards the people they're tasked with protecting, but also for the people we're supposed to be serving at the end of the day.

[07:09] Ceri Jones: It's something that lots of people ask is, “Well, what do you use as an alternative?” For example, I don't believe in using words like “easy” and “simple”. I don't use the words “good” or “bad” or things like “mistake” or “have you”, or “because”. In English, especially they're really, really weighted, and it can be interpreted in many different ways. But their initial word, that wording can be quite negative as an initial reaction from people. So, my question to people all the time is, “But why do we need to put it in that way?” So, when I was doing a project in my previous job, they wanted to use the word “simple” — for example, “Simple cybersecurity,” which a lot of people use. So, I had the normal kind of random soapbox issues that I normally have, and I spoke to them about it, and they understood and they got it and it was all good. But then they came back to me about a week later and said, “Well, what else do we use?” And I said, “Nothing. You don't need to replace the words.” And then people hear like, “Good cybersecurity.” But realistically, those words aren’t essential in the sentence. So, it's to be a bit more creative around. Because most organizations will have their own tone of voice, most organizations want you to speak positively. And these days, a lot of it is informally to create relationships. It’s to think about that instead of trying to often prove knowledge, which a lot of security experts do without realizing by putting really, not an overly complicated language sometimes, just terms that don't make sense and then certain statements. It’s to actually just think, “But does that make sense? And is that really what I mean?” And often having people double-check your work from outside of the space or asking a lot of people when they're reviewing it, “Can you check? Do you think this may be perceived differently?” 

[09:01] Ceri Jones: So, it's not that I use particularly different words or such, like I could just tick off that I can just give you; it's more of a sense of, “Well, it depends on the situation.” For example, if you're telling somebody about reporting phishing, I don't use the word ever really calling them victims or really saying things like “threats” or that they're vulnerable. Because when you put people in that state of feeling like they're a victim and that they're vulnerable, their decision-making and their ability to cope change because you are instantly putting them in a position of concern. So, what you need to think about is are you having that effect with the language that you're using. What will people feel? How do they feel as a result of what you're saying? And to realize that that stops people often because they feel stuck between a rock and a hard place because then often the security behavior then we're expecting that they could possibly do isn't always the most achievable. Even when you look at things like setting up two-factor authentication or multi-factor authentication, you have different words for different things, most people really struggle with it because the idea of copying and pasting a number out of an app, going back to the app on your phone to paste it in, that's a lot of extra steps and most people will struggle. So, we're not really honest about it, either. We just write it as much as possible. So, if I just write it down, it's then something everybody can do. It's just about double checking, “Will it work in this way? How will it make people feel if I write it in this way?” And just to be honest, not all people are victims, do not tell them that they're making mistakes or anything like that, just say “this is something you can do” as an alternative to reframe the content so you don't labor the point of upfront what social engineering is to terrify them, and then have the advice at the bottom where they won't ever get to or scroll to because we know from web design and usability, people don't scroll that far or reach that that much. And to just reengineer the content so it is accessible to people.

[11:12] Ceri Jones: And then, of course, to try to put it into a positive lens. Now, I will say, I have worked with many people and copywriters, and so forth. And I had a copywriter say to me recently when I'd met him and he needed to do a piece of work and I was talking to him about the things I wanted, he did tell me, “Even as a copywriter, writing to the positive is one of the most difficult things for people to do because it's really easy to be negative.” It's really easy to write into the negative because that's just what people do. But to write into the positive is actually quite a different skill set to double-check yourself. But the main thing that people need to remember is that most of the content that you're writing or most of the advice that you give as a security expert isn't advice for you, it's advice for somebody else in support of a task they need to do. So, how do you make sure that you're conscious and considerate of their needs, instead of just trying to get your point across? It's about actually—to go back to the first question—to meet them where they're at and to realize they have other things going on; they have other hopes, dreams, and jobs; they have other demands. So, fitting in is really important. And it's not to pinpoint things and to call on things; it's about building knowledge, coping strategies, and thinking about how can I support them.

[12:35] Andra Zaharia: And how to bring clarity to that. There's so much value in what you just said and the questions that you offered. I feel like questions are a great way to elevate your learning, your understanding, and your self-awareness because they don't provide set answers, just like you said, but they rather lead to exploration because I feel that that is the theme of your approach to cybersecurity, which is a constant exploration, a constant search for flexibility in both language and understanding, in mental patterns and behavior, just trying to cast a wider net into our point of view to see how we can understand more and seek more nuanced answers to our questions as well because I feel like there's always, obviously, this good versus bad theme as the main underlying theme, the main paradigm for cybersecurity in general. So, finding nuance and flexibility in that feels strange because you can put it in a box, you can put a label on it, you can make those very clear rules that you can use then to filter out the bad and then protect the good, which is what the technology part of this environment is all about. So, that idea of not trying to oversimplify things, which leads to over-promising, which leads to disappointment, which leads to this vicious circle; that is a very important part that you surfaced here. Also, in your article, you mentioned building a conscious system. Now, I wanted to ask because this is something that's difficult to propose in companies. What have you found is successful? What kind of experiences have been successful in demonstrating that this approach is, obviously, a lot more effective than just the usual checkbox awareness training?

[14:40] Ceri Jones: I don't know how many people listen to you, but if anybody's ever heard me before, I will repeat a story, so I apologize. Probably the best example is—I never expected this from the work that I've done because a lot of it is trial and error and I'm still learning—when I was doing a project around improving passwords and the way people construct passwords. I wasn't running the project, it was someone else. So they got the emails, but they had three emails, basically thanking them for they've never read such a good email around how to improve their passwords and how to do that really constructively and positively. To have somebody email the head of the area who was leading the project to thank them for an email about passwords, I have to say, I was shocked. They've had an email there, like a lot of people in organizations will get, to remind you that your password is due to expire so if you want to change it early, you can. But most people when they write those sorts of messages or emails, they don't mean to write it as a mild threat, but it's written in a way as you have to do this and you have to do it in this way, and these are the reasons because of these threats, and if you don't create a secure password, then everything is vulnerable and you know the world is over because you can't create passwords, that sort of messaging is how it generally comes across. So, what I did was I took out most of the content and flipped the email around, it's not like there was anything really wrong with a lot of it, it's just stripping out all of the random extra content with the veiled threat and so forth. That's what's written a lot in security — “If you don't do this, something bad is gonna happen.” That isn't motivating to people because they will feel that it's something — as a security department or an IT department, depending where it's coming from — “Well, shouldn't you be protecting me? I come into a workplace, and you're there to create the systems that I work within. I can't be the ultimate person.” It's not a very believable story I feel for people.

[16:53] Ceri Jones: So, it's not going to be the thing that motivates them. The thing that is going to motivate them is just tell them what they need to know, be really upfront about it, and just say things like this, “Look, we're changing the way the passwords need to be constructed. This will take you a little bit longer to start with, but to help you, here is some advice we would recommend. The date of this change will be here, so anytime past this date that your password comes out to be renewed, you will have to use this process. And change your password in different ways, and this is just a recommendation that you can use. We're not saying you have to, but this is our recommendation.” It probably was no more than, I would say, 10 sentences and then an example of what they needed to do. So, it was short, it wasn't something you need to scroll on or anything like that. It was really upfront to the point, really honest, and positive to allow them to see that we're sharing, we're changing something, we're being really upfront about it. You're going to need to do something to change your password if you don't meet the minimum requirement. And if you feel that you don't know what that means, this is a method that will get you through that bar. So, we're not going to try and make it awkward for you. 

[18:07] Andra Zaharia: Predictability, openness, and just treating people as partners go such a long way. I bet that security people feel great as well when they see that they're making a real change, when they have that human connection, that real human proof and emotional proof that things work and things are going in the right direction because they're also overwhelmed all the time with negative stuff, things they have to take care of, fires to put out in a constant avalanche of problems. So, having these positive moments also helps them. And I feel that that's only possible through human connection. You can't get that kind of satisfaction from a dashboard or from a report. It just can't happen this way. At the end of the day, having that ability to open yourself up to these experiences, I feel that that's so valuable and it helps you on every level, obviously, the personal one as well. So, speaking about personal stakes because the work that you do is so connected to this emotional universe that people have, are their very personal experiences that led you to choose the path that you're on now and to do things the way that you do them?

[19:23] Ceri Jones: Actually, nobody really asked that question, so it's really interesting to me. Yes, there is. I've been in the security world for around 12 years. And before that, what I used to do was web design and IT support mainly. But I used to do both of those things in the NHS. I started my career with working in the NHS and I remember a very distinct moment when I was in IT support that would bring you up to do, obviously, various things at different levels. And one of these tasks of mine at that day was to change printer cartridges, and it was on an inkjet printer years and years ago when people didn't have so many network printers. I went to the nurse's station, they had all of the ink so I just got it out of the box. And I was taking the top off the bottom to put it into the machine and one of the nurses came in, and I said to her, “Instead of you waiting for me because, realistically, it's probably going to be an hour or two before I can get to you. Instead of you waiting for me, should I just show you how to do it yourself?” Because realistically, for most people who are in IT, an inkjet printer, you basically lift the lid, the ink moves across, and you take it out, and then you just replace it. That's relatively straightforward. I mean, that can't be too much issue for lots of people. But in that moment, and like I said, this was probably 20 years ago, that nurse turned to me, and basically looked at me and said, “I have better things to do with my time, I would rather call you.” And I thought, “Sure. I mean, you're a nurse, and these people are generally ill needing your support, who am I to determine what you need to concentrate on?” And really, from that moment onwards, I've kind of had that always in the back of my head of people generally don't come to work to do things like security or generally IT, if you think about it; they've been forced to have it in their environment because they just randomly adopted computers. So, these are just facilitation items that they have to do and that they have to use.

[21:27] Ceri Jones: So, when we come in with our slightly nuanced expectation of behavior, you’re just like, “Yeah, but.” They really are just trying to do something else, and this is just a facilitation mechanism for them, whether it's a computer or phone. So, just let them do their job, why are we trying to put barriers in their way? And to accept that, not to challenge that mindset of people like nurses and so forth, and anybody really — yeah, I'm not going to argue with you. Fine, if you're gonna ring me and wait, and you're happy with that, then I'm happy with that as well. It's not my point to try and force you into doing actions or forcing you to change your behavior so I don't need to come out to see you or anything like that. And realistically, that's carried through then all of the work that I've done — like with web design, learning about how content needs to be designed for websites usability and accessibility, all of that, then that's carried through into the stuff that I do now.

[22:24] Andra Zaharia: That is a very, very powerful example and something that I feel people get disconnected from, especially people who work in cybersecurity simply because they reach a level of technical skill and the familiarity bias just kicks in and takes over, and they feel like the world runs on technology, which is true, but not for technology's sake, just like you mentioned, it runs because we need it for something else. And security is the very same thing; we need to feel safe and to be able to do things for different goals and objectives. Something that you mentioned led me to think about cognitive load and the way that people are coping these days with the past years that have made us all a lot more tired with a lot of things going on with the simple overwhelm that we feel on our mental capacity. And I've seen this across jobs, not just in our area, but across the world in general. How have you seen things change in the way that people react to, again, new information, information that comes at them, not that they have asked for or sought? How have you seen things change in this sense?

[23:42] Ceri Jones: Obviously, there's been a lot going on, but the world we live in as well is changing with regard to how we interact with things like social media and so forth. So, with the small grabs of information with things like if a TikTok video is three minutes, I'm sure most people think, “Do I really want to watch three minutes?” So, people have this expectation of very digestible content these days because they're always bombarded with information. That has been heightened with things like the pandemic, taken a lot of mental loads. Because if you look at some of the messaging that came out of governments across the world, it was always things like, “Be aware.” And you’re just like, “But that doesn't mean anything.” But when you look at security messages, they are the same thing: “Beware.” I can't be aware all the time, that is mentally exhausting. And if I'm constantly being aware of everything, how am I getting anything done? We live in a world that is based on the concept of trust, so we expect certain things to happen in certain ways and we're not always constantly aware to the nth degree. So, of course, there's something in the background. But realistically, we trust the environment that we're working within. We trust that certain things will happen in certain ways. So, when you're constantly telling people to be aware because things like security or the pandemic is around, this actually becomes a really heavy burden for people because be aware of what? At what time? What do you mean? What am I going to do about it? Where am I going to go? What are the alternatives? How do I cope? And it always comes back to this, how do I cope? And then how do I trust that I am being aware enough? Am I doing enough? So, people get into this whole spiral of thought. There's a lot of research that shows that people then step away from the entire thing and disengage. 
And once people have started to disengage, it's actually almost impossible to reengage them because why would they want to try again? Because you've left them feeling in such a way that it's distressing. And once they felt that distressing element, why would they know that that's going to come? And most of our decisions are run by emotion, so why would they put themselves through that again? We have to be really cautious of this stuff that we're putting out. 

[26:10] Ceri Jones: Some of the work that I was doing, like running phishing and stuff. I don't know if this was because of the world that we were in or people would just set up phishing. To be fair, I can't make that judgment call. All I know is that if you look at phishing as an example, we do phishing simulations all the time in the security awareness world. In security, there's an expectation that somehow phishing does something useful. But until you've been at the other end of it and you're running campaigns, and you get emails shouting at you, in capitals, in an email, in an organization, which is not regular behavior, do you understand how distressed and stressed and just bad and shame that they feel and victimized that they actually do feel to write to you in capitals about the fact that they had a phishing simulation sent to them? And the phishing emails were about the fact that it was unfair that they were sending them at this time of day. And the thing I want to point out, though, is all of the people that complained, didn't click, they hadn't done what we consider bad behavior, even though clicking on our link is relatively normal and not bad in any way, realistically. But it created such a reaction that that's how they then responded. And most people [27:32 inaudible] you've done nothing wrong, but they still reacted like that. And it was that because that it was during a pandemic [27:39 inaudible] overdoing it. But the one thing I do think about phishing, for example, is that it's probably one of the most consistent pieces of training most people have across all organizations because phishing training has been around for so much longer than most other things. And other training comes around in different ways, but phishing training is always there to trick people and force people to feel a particular way. So, that becomes an embedded reaction to something that looks relatively benign. But you're getting these phishing emails once a month or once a quarter. And then when you click, you're then sent another one relatively soon afterward.

[28:17] Ceri Jones: You think to yourself, actually, there is going to be some psychological damage to that person because, to go back to what you were saying before, this depiction often of phishing in the workplace is that if you click on anything, then you're doomed, and you're not great, and that's bad. That's what they remember, and that's the place that they go to even when you're trying to be positive. That's a really hard hill to climb, and to reframe, and to get across to people because it's such a natural place for people to go in the security world with their own language. They may know that that isn't how they should say it, but such a natural place to fall out of people's mouths in a certain way. The phraseology that exists within security that is just kind of blindly accepted, then it kind of just gets embedded both in the security professional’s expectation and then also the person at the end of the computer in your workplace's expectation of their behavior. So they then end up feeling shame, and then they probably disengage, and they're really not paying attention because they just think, “Why would I bother? Because you're just going to tell me I'm doing something wrong.” And of course, then it does create people in a moment of stress, when there is added extra stress, to react. And I have definitely got emails like that. And then what most people forget as well is, as a person who runs those things, it's really draining to have people shout at you and complain to you about a thing that you're being forced to do often because people expect you to be doing it because it's written into compliance, it's written into regulation that you have to do this sort of training, and you know that it's not the best thing, yet you have to do it. And it's not the best either for those who have to perform the action and actually send these things out.

[29:58] Andra Zaharia: That's a very compassionate perspective, and thank you for offering that because I don't think that many people think about this, I don't think that they have time or they allow themselves the space to think about these things. Although cybersecurity is still a young field compared to many others, we're at a point where these things, these cliches, and these stereotypes are becoming embedded and enforced constantly through the use of language and through certain tactics, even in legislation, and again, in compliance regulations, just like you mentioned. I personally feel like there's still time and there's a wave of change that's coming to the industry, which I'm absolutely thrilled to be able to see, to witness, and hopefully to be part of. And what I wanted to ask in the sense is that, is there still a chance to change these things before they become rock-solid patterns that become unbreakable?

[30:58] Ceri Jones: Absolutely, I definitely do. And I think when you look at Twitter these days, there is starting to become a larger body of conversation around things like phishing, passwords, and so forth, and more professionals are willing to put their voice to it and basically say, “Look, this isn't working and we need to be more upfront about it.” But one of the things that I think is really interesting in this space for me, and I think we don't really discuss it much, is how people learn what they learn and where they get that information from. I am not the only one, there are people who have the same concerns that you shared, that they may not say it quite in the same way as me but they are on the same page. So, why does it have this long-lasting effect? Why do people still say the things that they say? And as you say, things about the change, but the question is where do they get it from? For me, a lot of it comes from it. And not in my previous job, but the one before that, one of my colleagues went to do a training course, and she ended up correcting the trainer because he kept referring to people as the weakest link. If it wasn't for her in that room, and this has always been on my mind, and this is probably about five years ago now. If it wasn't for her in the room to try and change that conversation -- These were all new people to the security world, and they were there to do some fundamentals and to go through some of the learnings. If she wasn't there, they would have just left that training with that thought process. So, what is happening in the professional training that people go through where this sort of language is getting embedded first? Because a lot of people these days go through that before they get into the security world because the expectation of some sort of certification has got higher recently definitely in the last five years. 
So, they're unlikely to just come upon a job like you used to and meet randoms, and more likely to have gone through some sort of training first before they get into the profession. And that's a general question, I don't know the answer. But is the fact that some of this training, although it’s not been updated but they just say what they say because that's the way that they’re training, they've always done it that way, and that then gets embedded in those people. 

[33:12] Ceri Jones: And the organization, even though it's set up in a particular way, when you first start in a job, to say something back and to challenge is a lot of mental stress. So most people just go with it because it's what they said in their training, this is what the organization says so I will continue. And it's only once they get to a level of maturity that they realize, actually, perhaps that's not the best, but that's quite a long way away, so can't we try and do something we think about it more in where things begin? Because there are people who can have better conversations, and they understand, and they're trying to do the things that they do and influence the people around them in the ways that they try. But I think there's still a gap that exists because how do people learn what they learn? And where does that attitude come from? Because a lot of the stuff you'll read these days on LinkedIn from governments and so forth is a lot more positive and a lot more engaging, and yet people can still be quite negative. Where is that disconnect happening? Because the conversations are changing. And you see that with — to go back to passwords as an example just for ease — the way that passwords are talked about and not changing them all the time, that does happen, but it does take time. But human behavior is how does it start? Because why do people come in so negatively about it? Where do they learn that from? I always think of it like that. But I definitely do think things are changing. Just very realistic that anything takes time and there is patience to it, but not to get frustrated at it, and to be really consistent is really important and not to give in to the language just because everybody else is seeing it. Just being able to stand on your own two feet and stand very still and say what you say does take a level of robustness — don't get me wrong, my colleagues have said that to me before. 
But personally, I think it's worth it just because I do believe in the things that I say and the way that I say them because it's been developed over the years. And I've spoken to hundreds and worked with extremely good academics in this space that have helped me see things differently, and that’s really impacted how I speak. So I try to live through the stuff that I've learned and actually practice it. But that is a lot of reflection on my part as well, and that is a lot of work, so I wouldn't expect everybody to do it. But I definitely see that being filtered through more and more people are saying it and so forth. And I think it's just then a matter of time if I'm honest.

[35:47] Andra Zaharia: That is a beautiful way in which you spoke about alignment and personal goals and how things fall into place but not on their own well but because you've worked on them so much. And the point that you made about maturity, especially emotional maturity, is something that's very, very visible across the board with people who are generous, giving, and who make such a disproportionate impact, even if they don't realize it in a moment but this travels farther than they realize in terms of how it stays with people. Because just like you mentioned and just like you talked about, all of these negative impressions that we leave in people, the positive ones also will stay with you so much. I remember going to a cybersecurity conference in 2017 when I was relatively new to the field and seeing Jayson E Street speak. He was so enthusiastic, so generous, so connected to the people in the room, it was electrifying. And I remember going up to him and saying thank you. And even after all these years, I feel like that was an inflection moment, that was when I realized that this field has so much opportunity for people who want to contribute with their whole person, with their whole being, for people who want to develop and grow as people through the concepts and the work that they do. I feel like this is an incredible, very rich space in which to do this. And the way that you talked about things is a testament to that and proof of that. And the work that you bring is extremely inspiring, although I feel like this word is not enough to really explain the profound impact that you have on me and on the people around you. And I'm so grateful that I got to talk to you and to bring that out to other listeners in perhaps areas that haven't benefited from your presence yet.

[37:51] Ceri Jones: I don't know about that. But I think you are really correct, one of the things that I enjoy about the space is that there are people who are so able to connect to one another. And we often hear that security professionals can't, they don't understand people, and what have you. Yeah, okay, there are people that can't, but there are awesome people who really can, and there are people that really do and inspire others. And it's just really looking around and finding those faces, and finding those people, and finding your network where you can learn and you can express yourself and then grow together. And I think that's something that a lot of people with most things, you don't randomly just know everything all at once. And I think a lot of people in security just suddenly think that because they come into a security world that often gives them the title almost immediately when they meet anybody, they probably don't give it to themselves, but a lot of people give it to them of being an expert. And they will have this then self-doubt and what have you. But in actual fact, realistically, like anything else, this is a journey that takes time and development, and it takes reflection and relearning, and double-checking. By creating that network, and as you say, with those people that you can reach out to, you won't always get obviously if people are busy and out of reach, those sorts of people all the time, but there will be others who are similar. And using that network so you don't feel alone or that you can just express yourself to continually have those conversations and have that dialogue with each other. 

[39:24] Ceri Jones: So, like I said, I don't randomly think the things that I think just off the top of my head; I've spent years reading research, having some of the best conversations of my life both with professionals and academics. I've had the real privilege of time because it used to be my job to do research. The way my time was to think about how to think about this space and how to then influence people in the space of the things that I've learned. But to do that then with a team of people, with a team of academics, and to do that in a very collaborative space to learn then also how do you translate that to people so others can make sense of it? And to not hold on to knowledge as if it's some power trip. I don't need my knowledge just for the sake of having it in my own brain. I have, like I said, the privilege of learning. So, to me, it's always about how you give it back to people so they can take it and do what they want with it — I can't predetermine what that will be. But at least they've had a different experience, they've looked and may have come across a different perception. And it allows them just to think a bit more broadly of the space that they're in. And then they can explore that world if they want to, and just be open to that. But like I said, I really have had a lot of privilege and the jobs I've had, where that's what has happened. And that's why I want to give back to people.

[40:46] Andra Zaharia: This episode has been a gift. And I feel like I've been given a gift that is something that I deeply treasure and then want to give to others as well. So, thank you, Ceri, so much for everything. This has been absolutely wonderful.

[41:02] Ceri Jones: Thank you for your time, and thanks for inviting me, I have to say. It's been really enjoyable.