Wednesday, 10 August 2016

Smooth Sailing in the Dragon’s Den

On a beautiful morning on the Thames, aboard the HQS Wellington, our very own Jim Shields participated in an ISSA-sponsored, Dragon’s Den-style program to tout the benefits of Twist & Shout, “Restricted Intelligence,” and the challenges of information security training, without hearing the words everyone entering the Dragon’s Den fears most: “I’m out.”

It’s an event organized every year by the ISSA. Speakers are given 10 minutes to sell the judges on a big idea, with keynote speakers included throughout the day.

Jim felt confident. Armed with a solid presentation (including key video pieces) Jim felt assured of a positive outcome, even in the face of the challenges one would expect presenting on a big boat (sea sickness, capsizing, being swallowed by a whale, etc.).

Hushed with anticipation, Jim started with the sad facts surrounding information security training. In spite of increased malware and cyber attacks, traditional training methods aren’t working. Management wants visceral responses to know their employees are engaged. In order for this to work, you need to get everyone’s attention and you need relevance and appeal.

Unfortunately, when it comes to infosec, what’s relevant is not all that appealing. Further, awareness is not the same as engagement. For example, we know speeding is a crime. However, when we’re late for a meeting and there’s no one around…

We could sense from Jim’s recording everyone in the room was on the edge of their seats, literally dying to know what the solution could be.

Jim replied with a key question: So how do we get their attention? Which lead to another key question: What else gets their attention? Meaning, what are people passionate about?

For one, people are passionate about things like “Breaking Bad.” Call lines were set up to help people cope with the end to this ground breaking show. Listening to the audio, we could tell the audience was nodding, maybe even weeping. “Breaking Bad” was amazing.

Then, Jim said, “Everything I know about thermonuclear dynamics, I learned from ‘The Big Bang Theory.’”

You learn when you’re laughing because the information becomes memorable.

And bigger than these shows is the marketing surrounding it.

The solution for informing employees and getting them engaged with compliance is to create a show like “Breaking Bad” or “Big Bang Theory.” To create characters and situations viewers can relate to. To provide materials both management and employees can use to keep the conversation going long after the credits roll. And to have a few laughs.

To keep the show, now in its fourth season, relevant, “Restricted Intelligence” addresses possible threats like third-party suppliers, over-sharing on social media, physical access, phishing, whaling, ransomware, and public Wi-Fi.

The results? 25 episodes over four seasons, 150 campaigns, 35 languages, 4 million employees engaged, a major international award, and a new series, “Tuesdays with Bernie,” a light-hearted look at compliance issues surrounding bribery and corruption.

Why does it work? It’s a formula that makes information security issues relevant to employees. There are always personal consequences at the end of each episode. Protecting Generic Corporate Data can be very abstract for employees, who are left asking “What does that actually mean?” “Why do I care?” Whereas if you make the issues and the consequences personal, they’re more likely to change their behavior.

This creates a fan base of engaged employees who know the show, know the characters. Which in turn trains employees to behave like, say, the Mentalist. They notice more, they’re more aware. They become a network of sensors, reporting little things that they spot and behaviors they see. Ultimately, it’s very hard to be a “bad actor” (excuse the pun) in the middle of this culture. It’s very hard to get away with anything when you’re surrounded with concerned, engaged employees.

Needless to say, after we accidentally turned up the volume on our speakers, the audience erupted into a frenzy of accolades and applause. It was deafening. Did Jim win the Dragon’s Den? Unfortunately, the recording ended before we could find out. But we didn’t care.

We were engaged.

Thursday, 7 July 2016

One small step for Restricted Intelligence…


…One giant leap for entertainment-based awareness training.  

If I am running around the office like a 12-year-old on Red Bull, it’s because we are less than a week a way from our appearance at the UK’s National Space Centre, right here in our hometown of Leicester.  The East Midlands Chamber of Commerce is holding a cybersecurity conference and exhibition in the amazing surroundings of the rocket tower and the planetarium. We can hardly contain our excitement!  

We’ll be presenting some of our work in the 3600 HD planetarium, and I shall be speaking at 2.25pm on the best way to engage employees in a security culture, if you don’t own an actual rocket ship.  Jess & Katie will be on hand to show you new episodes of Season 4 in case you haven’t seen them yet. This is probably going to be the highlight of our year. Speaking as a 12 year old boy, that is.     

Wednesday, 6 July 2016

Looking Forwards and Back: A Peek at Series 4 of “Restricted Intelligence”

On June 7, we launched series 4 of "Restricted Intelligence". Since four seasons is an impressive achievement for any production - especially one only available online and via subscription - we decided to throw ourselves a little launch party. For better or worse (better at the time, worse the next morning), things got a little rowdy. So please pardon us if we whisper through this breakdown of the new series with our hands grasping our heads. We -- and our fans -- make the most of the rare opportunities we’re allowed to socialize. But series 4 is well worth celebrating and here’s why. Series 4 finds the “RI” team tackling some new territory. In particular, ransomware and a few of its many dreadful varieties. In one episode, we find Lionel has been hit with “individual ransomware.” We won’t spoil the episode, but we will say Lionel reacts in a way a lot of people might with the simple exception that we can laugh at Lionel here.

In this episode, hackers don’t just take control of the network, they leave ransomware in their wake. Unfortunately, just like in real life, hackers target organizations like hospitals who will pay the ransom because it’s urgent. So instead of investigating or finding ways of circumventing the attack, the quickest thing they can do is just to pay the ransom. And the hackers, of course, know this. If they pitch the ransom at a certain price, the hospitals just pay it. Viewers get to learn new ways to avoid such the drama of these attacks without being the victim. But it’s our pleasure. We don’t mind taking one for the team.

This is also the first season where a member of our American cast appears in the UK. Ian gets to enjoy standing out like an American (no offense to our American friends) while he develops a sweet geek romance with one of the app developers. Love is in the air, like the fake Wi-Fi networks Ian’s episode addresses.

Speaking of characters, series 4 sees the return of Ellie from series 1, when she was the only person who knew how social media worked. Ellie has put that social media expertise to good use and has become the VP of Social Media. She’s also developed a superpower that allows her to know who you are, what you’re thinking -- even who you voted for. I guess we have Facebook to thank for that.

We’ll stop before we give away too much, but know we’re already thinking about series 5. Our community always does a great job of supplying us with new areas of interest as soon as they come to mind. For example, we’ve had requests for an episode based on a call center in India. And seeing as though we’ve never been to India, maybe we’ll go.

You know, for research.

Wednesday, 15 June 2016

And the winner for best user awareness campaign is...

I have been to over 10 events this year alone - from Infosec, to smaller regional meetings of other information security related professional “bodies”. The names might change (although there’s the inevitable overlap of familiar faces) but the one issue that comes up again and again, in presentations, in conversations and online, is the PEOPLE issue. It’s always a top bullet point no matter how lofty or technically explicit the presentation might be. People are the way in, the weakness, the unreliable, unpredictable factor that renders the most sophisticated technical protection useless.

And yet - the recent SC awards haven’t even got a category that comes close to serving this burgeoning sub-industry. It defies logic.

The investment in experts in behavioural change (for which I shall use the euphemism “Marketers”, for that is what they are) is a tiny fraction of the total expenditure on security measures. It’s the fat ginger kid in a schoolyard of alpha males. There’s training - but this is simply a repackaging of facts designed to tick a compliance box, as we all know. Even those who claim to “engage” users are often just bolting on cartoons to an otherwise patronising or overly simple message.

To get true engagement, take note of at what people like to do / watch / eat / experience and just do that. Ask yourself, “what would get my attention? What would make ME see sense?"

Until the institutions take awareness as seriously as they take Data Loss Prevention Solutions (or whatever), we will always be standing at the peripheral of the cool kids group. Because we don’t have a box, or a policy, or any “software as a service”. We just have personality, and communications skills. Something that will engage those who are creating the weaknesses.

Next time you notice this kind of absence (in the trade press, or the awards circuit) - ask why.

It just might start a change.
Jim Shields

Tuesday, 7 June 2016

Your Attention, Please

It’s 9:00 am on a Monday morning. There are about a million other places you’d rather being than a training session, but here you are. The Training Program Specialist gets up, fumbles with his laptop, searches desperately on the cluttered desktop for the PowerPoint, finds it double clicks and… Still loading. Lots of images. Hold on. Almost… There it is!

A title slide, five different fonts (just to make sure you notice), some swooshy graphics in the background (you see this, right?), and a clipart drawing you’ve seen in a million other places of a successful team moving forward into a paradigm of a new tomorrow.

Some opening remarks, the agenda, and then you’re into the meat of the session. Yes, the Training Program Specialist speaks in a monotone. Yes, you might have laughed at his opening joke if you could hear him, but you’re finally going. Things seem to be moving along and he’s covered a number of slides and you’re positive the session is half over until you check your watch and-- FOUR MINUTES!?!?!?!?!

A quick calculation reveals that, at this rate, the entire training program will take 10,000 years to complete. Give or take. Albert Einstein once said when you’re sitting on an open flame a minute feels like an hour and when you’re talking to someone you’re attracted to an hour feels like a minute. That’s relativity.

So, going back to our training session, how would you change things so you no longer feel like you’re sitting on an open flame, but talking to that special someone instead?

This is the question we ask ourselves (though phrased a little differently) whenever we begin a new program or draft a new episode or even write a new scene. What about this is going to win our audience’s attention, defeating such temptations as watches, daydreams, phones, or opportunities to doodle?

Our work has captured the attentions (and the hearts and the souls) of audiences around the world. But not simply because we present our work in a sitcom format. The fact that our audiences are watching a “sitcom” is just a novelty and novelties always wear off quickly. Just ask anyone who owns one of those barking dog Christmas albums.

In order to capture your audience’s attention, we rely on three key ingredients:
  1. Familiar people 
  2. Familiar environment 
  3. Something in return for the audience’s time
Let’s break these down a little further, shall we?

We’ve learned audiences will focus on a show when they recognize the characters involved. They know the “by the book” accountant, the over-zealous sales rep, the timid intern (who also seems to have the best ideas). And they want to see what happens to these recognizable characters as they tackle the challenges in a familiar environment.

The familiar environment means more than seeing, say, a cubicle that looks exactly the one they’re working in. It’s also the situation. The 11th hour fight to submit a proposal on time, the unexpected visit from a client, the training session that never ends. Finally, we give the viewer something in exchange for viewing. But instead of, say, a keychain or pat on the back, we like to give a nugget of wisdom, teaching them to fish rather than giving them a fish.

This is the thing that brings all of the pieces together, so when they’ve finished watching an episode, they think “Now I know when I’m working with that colleague, in that situation, I can avoid that problem by using this shiny new nugget of wisdom.”

Yes, there will always be situations where something will beat our best efforts for the audience’s attention. But we know we’ve got a much better chance of earning their attention (and they have a much better chance of actually learning something) if we give them familiar characters, familiar situations, and something they can use.

Now, turn off your phone or close your laptop and turn your attention back to the training program. You only have several thousands years left.

Monday, 6 June 2016

Seize (Parental) Control!

A recent article in SC Magazine reported UK adults are clueless when it comes to finding advice about how to protect themselves online. Clueless.
Over two thirds (67 percent) of respondents say that they are fairly concerned about the risks of identity fraud when using online services, and 21 percent are very concerned. Only a third (33 percent) were able to identify Cifas' purpose as an organisation. Less than a quarter of men (19 percent) and women (23 percent) said they stopped using an online service due to the concern of their data possibly being at risk of identity fraud.
There are other equally alarming statistics, which you can find here.

And if the adults don’t know how to protect themselves, how can they possibly be expected to protect the kids?

Which is why, starting in June, Restricted Intelligence will premier the Parental Control films* (working title!), a series of videos to encourage parents to take more of an interest in what their kids are doing online and teach them simple ways to make safe online platforms for kids.

Oh. Did we mention they're free?

Over the course of three episodes, we’ll take the proven formula used in “Restricted Intelligence” (along with a few of the show’s actors) to create a show viewers will find entertaining, educational, and share-able.

And if that weren’t enough, the shows two main stars deliver unparalleled performances, according to our Creative Director, who through sheer coincidence happens to be their dad.

Stay tuned. The Parental Control films will be available here beginning in early June.

Friday, 3 June 2016

Twist and Shout Now Have A Podcast

Really? A podcast? You may ask. Hasn’t the Second Wave of the Podcast already happened? Well, yes. You would be right about that, however… We’re never ones to rush into something until we’re absolutely sure we (and the rest of the world) are ready.

Funny, though. It’s taken us, who love to talk at length about anything and everything, so long to get our own podcast. But here we are. And we’re ready.

So, from the platform that brought you Serial and The Nerdist and Stuff You Should Know, Twist and Shout Media are proud to present, the Twist and Shout Media Podcast.

We’re still working on the title.

In this, the inaugural episode, we discuss whether comedy is a risk in B2B Marketing; we talk about the three things you need before you should start a video project; a new, free offering from Twist and Shout; and an old friend returns to “Restricted Intelligence”.

Listen in to our initial offering. Or, better yet, subscribe and listen to them all.


Subscribe via iTunes
Listen online via Soundcloud