Building a Positive Cybersecurity Culture from the Inside Out: ScottishPower's Journey

Aug 15, 2024
hackajob Staff

Curious about how ScottishPower is fostering a positive cybersecurity culture from within? Meet Michael, the Cyber Culture & Skills Lead who plays a pivotal role in this transformation. 

In this blog, Michael pulls back the curtain on everything - from his own journey into tech to the strategic implementation of cybersecurity culture at ScottishPower, and his vision for a future where every team member is a custodian of cyber safety. 

And if you're wondering how you can transition into cybersecurity roles, Michael provides valuable insights on the transferable skills that matter.

Let's delve in!

Tell us a bit more about yourself, your journey into tech, and how you ended up in your current role at ScottishPower.

I've always had a thing for technology. I mean, it started way back in the era of cassette tape players before DVDs were commonplace. 

My real break into tech came when I was working in the finance industry. I was helping customers manage their banking and found myself drawn to roles in governance and risk management. Mainly because, like customer service, these roles were all about helping people. This time, though, it was about helping payment teams keep track of key indicators and risks, and helping leaders make informed decisions. 

I really enjoyed those roles, and they led me down a path that included building relationships with colleagues and ensuring business controls and processes were working as they should. Then, in 2015, I found myself drawn to a different kind of role, one in Information Security. I was intrigued by the whole 'good versus bad' aspect of it, and because I could use my governance and reporting skills in a new way. 

So, I've done a bit of everything in governance, risk and assurance, plus a few other things that have let me dabble in cyber training and awareness activities. I've seen a huge shift in companies, and even top executives, recognizing the need to manage both the human and technical aspects of cyber security. 

And that's how I ended up where I am today, as a Cyber Skills and Culture Lead at ScottishPower. It's a role that I'm really passionate about because I get to develop our cyber skills framework and continue to improve our awareness, behavior and culture programmes by empowering colleagues to remain secure, all while continuing to serve our customers and keep the UK's electricity flowing. 

Building a positive cybersecurity culture is a focus of your current role. Why is this important and what strategies have you found most effective for influencing behaviors? 

When it comes to cybersecurity, there's a starting point, but there's no finish line. It's an ongoing process that involves continually educating our colleagues on secure behaviours, which benefits everyone at all levels of the organisation. As cyber threats evolve, so do our practices. It's a way of life, not a one-and-done project. Culture programmes can have a strategy wrapped around them, but it's actually very much something that evolves around how colleagues perceive security and decision-making on a daily basis, by teams across all parts of an organisation.

Now, imagine a team without a positive cybersecurity culture. Who's going to know which behaviours to follow? Who's going to take the initiative to implement secure tools and develop our capabilities? Without proper guidance, corners might be cut, and risks could be overlooked. To me, a strong cybersecurity culture is a cornerstone for any business. It starts from the top, with buy-in from executives and leaders, and resonates throughout the entire organization. 

One effective strategy I've found is to make sure that our messages regularly answer the question: 'What's In It For Me (WIIFM)?' Whether it's daily practices in our job roles or elements of our personal lives, we need to ensure our messages resonate. Everyone's time is precious, so we aim to keep it relevant and engaging. 

Our cybersecurity team is here to help and support, especially our colleagues who might need a bit more guidance. We keep our meetings, updates, and content as simple and jargon-free as possible. We never forget that everyone's level of technical knowledge varies, and we all have our job roles to fulfill. Lastly, we value feedback from our colleagues and key stakeholders—it's incredibly helpful for improving our campaigns. 

You discussed the importance of leadership buy-in and feedback from stakeholders. How have you gained executive support and what types of feedback have been most helpful for shaping your programs?

Having support from the top, like the CEO and senior leaders, isn't just a nice-to-have; it's absolutely crucial. At ScottishPower, they really get why they need to back our cybersecurity programmes, and that's a massive boost.

We've been talking with the key stakeholders and leaders, making sure they understand how cybersecurity impacts us all. We've shown them how aligning our security initiatives with business goals and investing in cybersecurity aren't just compliance tick-boxes, they actually strengthen our resilience. 

We make sure to keep them in the loop with regular updates about our goals, our roadmap, and any challenges we're facing. We're constantly looking to build on our efforts to improve our cyber skills programmes and keep evolving our awareness and behaviour initiatives. 

I'm a big believer in an open-door policy and making sure everyone knows who they're dealing with. The more we engage and get feedback from everyone, regardless of their role, the more we can help the company and refine our programmes. Whether it's someone demonstrating secure behaviour or reporting something that didn't seem quite right and prevented a security event, all these stories show the value and progress of our cultural programmes and initiatives. 

How do you work to tailor cybersecurity training to different user groups based on their potential risks? Can you provide some examples?

The way I see it, everyone in a company has a role to play in keeping it safe. It doesn't matter if you're in Procurement or Customer Service or Cyber Security - everyone can do something every day to enhance security. This could be as simple as reporting phishing emails, not sharing passwords, or locking your devices when not in use. 

Now, while everyone should be aware, some roles might need more detailed information. For instance, senior management might need to understand threats like social engineering from a different, strategic standpoint. In other words, the approach to training or awareness should sometimes be adapted to suit the audience.

And that leads me to the idea of supporting different groups within the company. Some roles, like executive assistants, privileged access users, developers, and even new entrants to the company might be considered 'high risk groups'. These roles, along with colleagues in Information Technology, Operational Technology, and cyber roles, should be prioritized when tailoring awareness programs and training. Your own company sector and size will most likely determine different priorities.

While we need to provide formal training and certifications, we should also consider what skill sets we should be looking for across certain cyber roles or roles closely facing off to cyber threats and risks. From analyst level to senior management, the knowledge levels will differ and grow. So tailoring skills and pathways to different user groups can only benefit the overall levels within the company and ongoing culture to mitigate the many different forms of cyber risks.

In your view, what are some of the non-technical career paths into cybersecurity roles like governance, risk management or training? What transferable skills are valuable in these areas? 

You might think that cybersecurity is a tough field to crack, and it's true that some roles, like penetration testers, forensics experts, and security operations team members need particular education, training, and experience. 

However, there's room for people with all kinds of backgrounds in cybersecurity. I mean, look at me! I started off in banking risk and governance, and from there, I stepped into a cyber risk and reporting role. Sure, the topic was different, but if you have confidence in your own abilities and the support of a great team, there's a ton of potential for you in this field. 

You might be surprised by the kinds of backgrounds that can transfer into cybersecurity. People with experience in audit and compliance, for example, could find a good fit in cyber governance, risk, and assurance teams. If you've been working in a tech role and know your company's architecture inside and out, you might be well-suited for a cyber consultancy role, helping to plan and maintain secure developments. 

Every company is different and will have different opportunities, but when the timing's right and you've got the right team around you, there's no reason why individuals from other roles can't transition into cybersecurity. We've got people from teaching, psychology, communication, and marketing backgrounds, and they're all doing great work. Not all roles will be a fit for folks from 'non-technical' backgrounds, but there are definitely opportunities out there. 

Want to join ScottishPower?

If you'd like to join the team at ScottishPower, create a profile on the hackajob platform, where they're currently hiring for a variety of roles, and follow what they are up to on their hackajob profile.