Joining Records Management and Cyber Security Martin Fletcher Assurance and Information Management Consultant Cyber Security Summit 16 November 2017

The National Archives Provide advice to government on how to manage and transfer its information Train boards, SIROs, IAOs and end users Advocate a joined up approach to managing information and keeping it secure

Questions how good is the relationship between security experts and Information Management Professionals in your organisation? what challenges do you have engaging staff? Have you seen anything that worked well? what would you like to see from training and engagement experts to help in this area? On question three we’re asking them to think about it in the context of 1 and 2 -What can we do to help foster relationships between cyber security and Information Management Professionals? -What else can we be doing to engage staff?

Relationships Frequent communication and catch ups are key Ensure that both professions are involved in projects from an early stage Senior managers should help encourage communication © Daniel Kulinski 2008 Records management professionals were more positive about relationships than cyber professionals. Note that this may be down to organisations having less developed records management structures, meaning it was more difficult for CS experts to build relationships with them. Organisations with good relationships had frequent communication. Often sat near each other, sometimes reported to the same managers. When these managers encouraged communication that helped too. In good organisations both sets of professionals were involved in risk decisions from an early stage. They both worked closely with the SIRO to ensure that information risks were captured and where appropriate escalated. Solutions developed were more practical for end users as they were considered from more than one perspective.

Communicating with end users: Challenges Over-reliance on technical solutions to solve problems Attitude across the business that information management was “an IT problem” Size and complexity of the business Getting heard above the noise One thing that was noted in organisations that were performing less well was that professionals got too hung up on technical solutions, rather than engaging with end users. This was particularly so after physical records were digitised and they were then considered the IT team’s problem Other common concerns included The size of the business Staff working across multiple sites Getting heard against the background noise of other important things

Overcoming challenges Blended learning solutions Case studies “what does good look like” Consistent messages Senior level suport Blended learning approaches to suit staff from a range or backgrounds and across lot so of sites. Face to face Online (must be kept bite sized) Just in time approach (Posters, vlogs, webinars, cost of carelessness) Phishing campaigns. Effective, but make sure to involve HR and possibly unions from the beginning Case studies “what good and bad looks like” Lots of news stories about cyber incidents The ICO has lots of investigations about poor records management Senior managers would either attend sessions to give an intro and underline why it was important. Or they would submit videos, for example training is taking place across a lot of sites. © Atiben 2008

What can training and engagement experts do? Facilitate sharing and communication Ensure messgaes are consistent Bring our talents into play Don’t use blame language Help encourage communication between RM, CS experts, Senior Management (sometimes the RM and CS experts may not be the best people to communicate issues to seniors and secure their buy in) and end users Make sure that when RM and CS experts produce communications that they do not contradict each other. Also ensure that they are in line with company policy, if not then is the message wrong or does the policy need to be revisited. Training experts are often great at sniffing out good case studies, brininging in examples from previous classes they’ve taught. They also make a living out of ensuring that courses are interesting and learning is cemented. You can use their skills in this area. A final point I found particularly interesting was in how communications describe end users. It was mentioned that ‘too often end users are referred to as though they are a problem that needs fixing’. When we are writing our training courses, blogs posts, videos, even research articles we need to make sure that the language we use doesn’t give staff this impression. We ought to communicate in a way that advises on best practice, but also listens to staff concerns and adapts to support them in their roles. Earlier this year the NCSC produced a great video on just this subject.

Conclusions Organisations benefit when records managers and cyber security experts have good relationships Risk decisions are more thorough Learning among end users is more effective Senior management take an increased interest © CPNI