Spinning plates: People, complexity, and constant vigilance

“Recently, after presenting at Black Hat MEA, I shared some thoughts on LinkedIn about the profound realisation I had there: the irreplaceable value of the human element.”

Last week, we asked Stephen Bennett (Global CISO at Domino’s) how he became CISO for a global B2C brand, and what’s most challenging about protecting that business. 

Today, we wanted to find out what keeps Bennett up at night – and why Black Hat MEA 2023 had such a big impact on him. 

In terms of cybersecurity, what keeps you up at night? 

“Surprisingly to some one of the main things that really keeps me awake isn't related to tech or the latest cyber threat — it's the welfare of my team. In the cybersecurity world, we're so caught up in our tools, policies, governance and compliance that it's really easy to overlook the human element, our frontline heroes. My team is the heartbeat of our cybersecurity efforts; without them, we'd be in the dark. Their welfare and wellbeing is paramount to me.

“Now, about AI and its role in cybersecurity — I get quizzed on this a lot and it feeds into the above statement. Will it replace my team? Absolutely not. I'm a fan of calling it 'Augmented Intelligence' (which I blatantly stole from someone else!) because that's what it really is: a boost, not a replacement. In fact I am using it right now to help me try and articulate the smattering of unconnected thoughts already thrown onto virtual paper into something more succinct (without losing my usual sense of humour). 

“It's here to make our lives easier, reduce stress, and maybe even make the tedious parts of the job more bearable. And yes, while it does worry me that the bad guys might use AI to up their game, it's also a powerful ally for us. We have so much data at our fingertips and have struggled to make sense of it all into something actionable. Now we have.

“Then there’s the complexity of the job.  Imagine trying to keep a lot of different plates spinning.  When they start to wobble, I need to dive in to just apply just the right momentum to keep that plate spinning. As these plates are spinning and more plates are being added I need some help and need to hand out some spinning plates to someone else, who I need to make sure is applying that very same momentum to keep things spinning. 

“Let’s take it up a notch. We really need some square plates. Those square plates are harder to spin, but well, we need square plates. I need to get them to spin as best I can. Can’t take my eyes off the other plates though! Now all the time someone is actively trying to steal my plates, or trying to knock them off balance, maybe looking for a chain reaction where the result equals a whole lot of broken plates. It's all a delicate balancing act, convincing everyone that yes, we do need to keep all these plates spinning, and yes, it's absolutely critical to our success.

“That's what keeps me up at night. It's not just about the technology or the external threats; it's about people, complexity, and the constant vigilance needed to stay one step ahead.”

How do you structure and manage security awareness initiatives within a company that has such a large number of employees?

“You like the reference to plates and momentum? Well. Our security awareness program is all about keeping the momentum going, not just ticking a box with a once-a-year, one-size-fits-all campaign. We’re constantly feeding our team with training and awareness content, tapping into our own internal social media channels to cast as wide a net as possible. 

“Our aim is to make the information as relatable as it can be, drawing parallels between safe practices at home and at work since good habits seamlessly transition between the two.

“We’re acutely aware of our diverse workforce, from teenagers in our stores to those more seasoned in life (hello). It's crucial that our messages resonate across the board. To ensure this, we’ve got some younger team members, including one leading the awareness initiative, who keep us on track by sharing what clicks with their peers and what falls flat. Their input is gold, helping us tailor our approach so it actually gets noticed and absorbed. We also in recent years have started to attend regular rallies that are focused on stores and franchise partners, having a booth with fun and engaging games that we can draw people in to educate.

“Phishing training often gets a mixed reception, but we've taken a unique tack by focusing on the reporting rate rather than just who gets caught out. This shift encourages a proactive security culture, celebrating vigilance and quick reporting which, in turn, has significantly bolstered our defences. 

“Moreover, adding a bit of friendly competition among departments has turned our phishing exercises into something of an event, sparking conversations about security at all levels, even drawing in ideas from our CEO.

“However, we acknowledge there's room for improvement, especially in engaging our store employees more effectively. The next step for us involves integrating cyber awareness more deeply into the training platforms our store staff already use, from onboarding to ongoing refreshments. Just as they learn about making a new pizza, we want cybersecurity to be part of their learning journey right from the get-go.”

Finally, why are events like Black Hat MEA valuable to you? 

“Recently, after presenting at Black Hat MEA, I shared some thoughts on LinkedIn about the profound realisation I had there: the irreplaceable value of the human element. There’s something genuinely special about face-to-face interactions that we've missed dearly, especially during the COVID times. 

“Regardless of whether you're an extrovert or introvert, we're social creatures at heart, and these events are crucial for reconnecting and building relationships.

“Black Hat MEA, in particular, has been fantastic for this. It’s not just about hearing different viewpoints but also about forming your own, making connections, and realising that even though cybersecurity can feel isolating, you're definitely not alone. Our field is incredibly tight-knit, and there’s a whole community out there ready to offer support when you reach out.

“What struck me most about BHMEA was its lack of gimmicks. It was refreshing to see vendors taking a more laid-back approach, waiting for attendees to engage with them rather than aggressively seeking attention. This made it possible to genuinely explore, engage in meaningful conversations with vendors of interest, and keep my head up without the usual barrage of sales pitches.”

Thanks to Stephen Bennett at Domino’s. Learn more from Stephen at Black Hat MEA 2024.