There aren’t many things as intricate and complex as information security, but human behavior is probably one of them. At least, that’s the message Michael Hill got after spending an afternoon with independent cybersecurity consultant Dr Jessica Barker.
In today’s world, information security advisors are far from a rarity. However, one of the things that distinguishes Jessica from most of them is that instead of focusing on the technical, she specializes in the ‘human side’ of cybersecurity, advising FTSE 100 companies, central government, SMEs, the media and conference audiences both in the UK and across the globe on how human behavior directly impacts security.
The Cybersecurity Bug
Like all success stories, there needs to be a beginning, and Jessica’s started growing up in the Northeast of England with a passion for “messing around with electronics and tech as a kid.” Yet it was her fascination with human behavior that truly set her on the path to where she is now, inspiring her to study Sociology and Politics in Sheffield before working for the Northwest Development Agency looking at social inclusion. A Masters and PhD sponsorship with the University of Liverpool saw her continue her learning in the discipline of Civic Design, exploring how the changes of the internet and globalization have impacted society and institutional development.
“I was always a people watcher,” she says. “I’ve always been fascinated with why people do the things they do; what makes us different, and what makes us the same. I just found it interesting to think about how we all organize ourselves, and I think that’s still what drives my interest today.”
Captivating notions indeed, but specializing in human behavior is not something that most would necessarily consider an obvious precursor to a career in cybersecurity, so you can imagine Jessica’s surprise when, not long after completing her PhD, she was approached by a start-up cybersecurity firm in the defense industry who were looking to recruit someone just like her.
“It was completely leftfield!” she admits. “They had heard about my PhD work and could see that, although it wasn’t directly related to cybersecurity, there were themes that were relevant to what they were doing. They wanted someone who was more focused on the human side with the technical capability they needed, with my skills, outlook and background.”
Jessica explains that whilst she knew she wanted to do something a little different after her studies, the thought of a career in cybersecurity had never occurred to her, holding the all-too-common belief back then that it was a ‘technical subject’ that didn’t tie in with her specialty.
“However, like a lot of people, once I started reading around the subject, once I started meeting people and talking to people, I found it really interesting and quite quickly started to see how my background was relevant. I caught the bug I guess.”
Going it Alone
Having spent two-and-a-half years at the startup, helping them with cybersecurity assessments of organizations, working on projects at the senior level of central government and designing and delivering awareness-raising training with particular focus on the board-level, Jessica’s next step was to set up a consultancy business of her own, establishing J L Barker Ltd back in 2013, something she describes as the proudest achievement of her career (so far).
“It was always an ambition of mine to set up my own company,” she says glowingly. “I knew there were ways I could contribute to cybersecurity that would only be possible if I worked for myself and set my own direction – and the beauty of working for yourself is that you have the freedom to do that.”
Perhaps the biggest benefit of being her own boss, she adds, is that it allows her the flexibility to dedicate time to non-commercial activities that she believes in, including research, speaking at community conferences and supporting worthwhile initiatives like TeenTech and the Cyber Security Challenge.
“Working for myself means that I can be agile and work on issues I find important, and ones that my clients are particularly concerned about. I have a lot to do, and a lot I want to do. It gives a lot of freedom but with that comes a lot of responsibility, too.”
Recognizing the Importance of the Human
With several years in the industry under her belt and her four-year-old business thriving, Jessica has seen the recognition of the human factor in cybersecurity grow massively, but she argues that people still don’t really know how to deal with it.
“Companies have become far more aware that most of the attacks we see can be traced back to human behavior in one way or another, and that the human problem is fundamental,” she explains, “whether that’s accidental data loss, intentional theft of information by an insider or malicious actions of an external individual or group.”
The difficulty companies face with responding to that, she adds, is that human behavior is essentially all about individual personality and circumstance, and when you are trying to deal with that on a large scale, it gets very complicated.
“You can look at an organization like you look at society; different individuals, different groups, different motivations, different resources, different outcomes – so trying to manage all of that and getting everyone to behave in a way that you might want proves challenging.”
The key here is to avoid the temptation to over-rely on technology alone to solve all of your security problems – something that can be made more difficult when vendors claim to be selling a product that can do just that – and to set about creating the kind of culture that helps you keep on top of all the human issues that come into play.
“If people feel like their own objectives aren’t being met, then you can get behaviors you might not want. So it’s really important to set a positive culture, because how people are treated as individuals and how they feel in an organization, whether they are happy and feel rewarded and respected, has such a knock-on effect on security. That’s not something that technology can ever solve.
“We’ve got an education piece there to help people understand the human dimensions, but there’s not that many people with the human background and human skills in the industry, it has always been more tech focused, so it’s just taking a while to really change that.”
Feel the Fear and Do It Anyway
A self-confessed workaholic, Jessica is the first to admit that her job takes up a lot of her time. However, when she does have some precious downtime, she strives to spend it doing things that not only test her, but allow her to absorb her energy into learning something new.
“I’ve always enjoyed learning things that are different to what I’m working on, so over the years I’ve had singing lessons, guitar lessons, ballroom dancing lessons, fencing lessons – I even did a circus course recently with a bit of trapeze. I’m not good at singing, or playing the guitar, and I’m not great at fencing, but I’ve always liked to challenge myself and I find that’s a really good way to unwind!”
Simple pastimes perhaps, but I see an interesting dynamic here that very much relates to the cybersecurity industry, especially when you take into consideration a recent piece of social media research that Jessica carried out on ‘imposter syndrome’.
“Imposter syndrome is this idea that people may be externally very successful, but internally feel a bit like a fraud,” she explains, “and I think it’s something that is very common.”
In such a complex, diverse and ever-evolving industry as information security, it’s simply not possible to know and understand everything all of the time, and as Jessica discovered, it can be easy for high-level security professionals to regard themselves as ‘imposters’; feeling out of their depth, confused and, in some cases, unable to cope with the challenges they face. Concerned that they would be ridiculed for admitting so, they opt instead to shy away from opportunities to face new tests and push themselves out of their comfort zone, missing out on valuable learning and development as a result.
“I’ve spoken to friends in this industry myself who have told me they feel this, and these are people who are really successful. I’ve also heard from people that don’t submit to speak at conferences for that reason, or avoid going for promotions or applying for better jobs.
“For some people it can become an overwhelming feeling, and they find it very hard to accept what they do know and where their talents do lie, and that not everyone else is perfect. So for some people this imposter syndrome can become a real issue.”
Nonetheless, the fact is that none of us are born experts. It’s not feasible to grow without driving yourself to face new hurdles, and sometimes that means taking a risk.
“I think pushing yourself out of your comfort zone is really the only way to truly challenge those feelings of imposter syndrome. Often it’s the riskiest things in life – not in terms of cybersecurity!” she laughs, “but the riskiest things in life that can pay off the most.”
What a Year!
Last year was certainly a busy one for Jessica. Aside from her day-to-day consultancy work, she also had her hands full attending and speaking at countless events and conferences; setting up The Risk Avengers − a new team consultancy made up of cybersecurity specialists sharing their expertise in the battle against cybercrime and data loss − leading an information security assessment of a chain of European hotels and designing and delivering social engineering awareness-raising training for an international financial institution.
It was also the year that her public profile skyrocketed, thanks in part to a series of media appearances on both live TV and radio where she shared her thoughts on some of the biggest security topics of the year, including discussing the Yahoo breach on Channel 4, the UK Cyber Security Strategy on ITV and iCloud account compromise on Sky News. “I think I've spoken on every major news show about cybersecurity now!” she adds with a smile.
However, a new year is upon us, and so I wanted to know what’s on the horizon for Jessica as she heads towards the future.
“I’ve never been one to massively plan ahead as to what I want to do [next],” she says honestly. “I’ve always been driven by asking myself ‘Am I enjoying my work? Am I challenged by it? Am I learning new things?’, but a huge thing for me is reaching out to people and driving awareness and changing behaviors. One thing I know I am good at is translating technical things in a way that people who are not technical can understand and not feel intimidated by, so I hope that going forwards I can just keep building on that.”
With such a clear passion for her work and an ever-growing understanding of the industry, I’m sure she will!
Timeline:
2001: Graduated from the University of Sheffield with a degree in Social and Political Studies, before working for the Northwest Development Agency looking at social inclusion.
2010: Completed a Master’s and PhD in Civic Design (Engineering) with the University of Liverpool.
2011: Landed her first role in information security as principal consultant at a cybersecurity consultancy specializing in the defense industry.
2013: Set up her own consultancy company, working on projects for large, international companies as well as SMEs.
2016: Led an information security assessment of a chain of European hotels, designed and delivered social engineering awareness-raising training for an international financial institution and spoke at a raft of security events.