27-29 Aug 2025

ICC, Sydney


Medibank's Security Awareness Journey: Daisy Wong on Building a Security Culture

In the latest episode of the Security Focus podcast, host John Bigelow speaks with Daisy Wong, Head of Security Awareness at Medibank, about the importance of security awareness and culture within organisations. Daisy shares her unconventional journey into the security industry and discusses strategies for translating complex security risks into actionable business insights.

An Unlikely Beginning

Daisy’s path to cyber security is far from conventional. With a background in marketing and dreams of selling lipstick at L’Oreal, she stumbled into IT as a project coordinator at IBM. Recognising the flexibility that IT offered, particularly as a wheelchair user, she embraced the field. A role in penetration testing at a major Australian bank further ignited her passion for security.

Daisy’s experiences revealed a critical gap: the ability to communicate technical vulnerabilities in a way that all business stakeholders can understand. Tasked with managing pen testers, she quickly realised that explaining “CVE scores” and technical jargon to finance and marketing teams was ineffective. This realisation sparked her mission to translate security risks into business-relevant terms.

Translating Tech to Business

Daisy emphasises the importance of using plain English and analogies to explain security risks. She advocates for storytelling and relating vulnerabilities to tangible business outcomes, such as timelines, budgets, and brand reputation. By framing security in terms of potential dollar losses or reputational damage, she makes the risks more relatable and actionable for employees at Medibank.

Daisy also draws parallels to illustrate the importance of security measures. Just as we follow rules and wear seatbelts to mitigate risks in a car or a plane, security protocols are essential for protecting organisations and their customers from cyber threats.

The Human Element

Daisy highlights the critical role of people in cyber security. While technology is essential, employees are not hired to be cyber security professionals. It’s crucial to train them with empathy and provide them with the knowledge and tools they need to protect themselves and the organisation.

Daisy champions the concept of an “always-on” security awareness campaign, drawing inspiration from global brands like McDonald’s and Coca-Cola, which continuously advertise to stay top-of-mind. She believes that security awareness should be integrated into daily routines, both at work and at home, to create a culture of security consciousness.

Nudging Towards Security

Daisy discusses behavioural decision-making techniques, such as nudge theory, to influence security outcomes. Instead of relying solely on mandates, she suggests offering employees choices that incentivise secure behaviours. By framing security measures as beneficial and providing options that cater to individual preferences, organisations can encourage adoption and create a more secure environment.

Ultimately, Daisy’s approach is about empowering employees to make informed decisions and take ownership of their security responsibilities. By fostering a culture of security awareness and providing the right message at the right time, organisations can strengthen their defences against cyber threats and protect their valuable assets.

From Before Daisy (BD) to After Daisy (AD)

Daisy’s arrival at Medibank marked a renewed focus on security awareness and culture. While she couldn’t comment directly on the cyber breach that occurred before her tenure, she emphasised the organisation’s commitment to strengthening its security posture. By embracing a people-centric approach and continuously engaging employees with relevant and relatable messaging, Medibank aims to create a more secure and resilient organisation.