Tom: Welcome and thanks for joining me today for Cyber Security Inside. Before we get started, I want to remind everyone listening to reach out to me on Twitter. I would love to hear your comments and questions about our show and now hello to my co-host and colleague Camille Morhardt. Hi Camille, how are you doing today?
Camille: I’m doing well. How are you?
Tom: You know, I have been wrestling with something for some time. I’m baffled by this dilemma that we seem to have around security, where the people who know security understand how important it is. But when you try to go out to people who maybe don’t live security day in and day out, it’s hard to get them to really, truly appreciate how important it is to change behavior.
Camille: Yeah, you’ve said. Kind of recounted, I think, um, experiences of talking with different CSOs who are trying to help the rest of the C suite understand the importance. And I think you said some of them have said, you know, the only thing that would really get us to change is if we were attacked.
Tom: Yeah. Which is crazy. It’s like buying fire insurance after your house burns down; it seems so backwards. But I think there’s an interesting topic around how can we talk about security in a way that really touches and gets them to sort of get out of just listening mode, but figuring out how do I take action as a result of what I just said, right?
Camille: Like, is there a way to jumpstart that understanding without actually experiencing the problem?
Tom: Yeah and maybe that’s, maybe it starts with storytelling and different ways– You know I only hesitate a little bit when we say the word “storytelling.” It’s like, well, you’re telling a fable or something like that; but there really is a set of techniques and so forth about how to talk about security in a way that makes it matter and makes it emotional and visceral to the listeners.
Camille: So we’re sorta talking about getting an expert in storytelling or getting people to understand or see the light, that sort of an expert in the context of security or cyber security threats?
Tom: That’s right. I think that would be a fascinating podcast. Let’s go for it.
Camille: Yeah. I would love to hear somebody talk about that.
Tom G: Our guest today is Simeon Quarrie. He’s the founder and CEO of VIVIDA focusing on helping organizations drive change through powerful vision and immersive storytelling. His personal mission is to make understanding subjects like cyber security, diversity, and inclusion, impactful and enjoyable. So welcome to the podcast Simeon.
Simeon: Thank you. Thanks for, for having me. I’m really excited to be here, particularly having listened to a number of episodes myself. So thank you.
Tom G: Oh, great. Yeah. You know, part of our mission seems like it’s very much in line with your mission in terms of talking about cyber security and making it understandable. I wonder how, how did you get started in this line of work?
Simeon: So my background is outside of cyber, outside of security. My team was a team of storytelling, ninjas that take really complex subjects, um, dull subjects may be subjects are un-engaging, or maybe they’re subjects that people feel apathetic towards cause they’ve heard the message over and over again. And we try to make those subjects interests. As I described that, that description probably links really well with cyber security.
Um, but the reason I got involved and really interested in, in cyber security was because, um, just before payday, um, it was four days before payday. Um, I went into the account to prepare to do the payroll and my account was zero. Um, uh, the bit that’s alarming there is that my account shouldn’t have been zero. It should have had some money in it because we had spent a lot of time and effort doing it.
Um, had a panic, rang up the bank and the bank said, “don’t panic at all. We’ll put the money back in there and we’ll do some type of fraud investigation.” Brilliant. I went to then pay and my account was in empty again. I said, “did you put that money back in?” They said, “Yes.” But it’s gone again and even worse is now in my overdraft. So I’ve gone to my overdraft limit and they said to me, “I’m sorry, Mr. Quarrie. Um, we’re not going to put the money back into your account. We need to investigate further.” To which I had to tell my staff that I couldn’t pay them on time. And that was a really heart-stopping moment, not pleasant.
And I realized that something had happened likely to do with cyber security whereby we had done something or someone had done something we’d been scammed and it was empty. I thought, “why on earth is a subject like this as so important not mattered to me.” Um, and that’s where I then started to dig deeper into trying to really understand it.
Tom G: That’s a great story. Um, you know, it reminds me of a, uh, we have a board of advisors that we talk to and we talked to them about all kinds of different technical topics and what features would they value and not value and so forth. And, and we’ve, we’ve shared with them in the past security related items. And, um, we showed why it was so important, uh, that newer generation products had security built into them. Whereas older ones didn’t we asked them would this change now that you’re purchasing plans and so forth? And all of them said, uh, “no, it won’t.”
And, and then I, uh, we said, “well, do you see value in what we talked about?” “Oh, yes, it’s fantastic. You should do exactly what you’re doing.” And then I said, “well, why won’t you change your purchasing behavior?” And they said, “yeah, it’s just not a priority for the company.” And I said, “well, what would make it a priority for the company? If it’s not you, you’re not the decision maker and it’s the CEO or somebody else, what would have to happen to those people, you know, what, what needs to change?” And they said, ”it’s very simple. We have to get hacked. (Simeon laughs) As soon as we get hacked, then our behavior will change.”
And I think that that’s part of the, the frustrating part of cyber security and storytelling and so forth is that it’s hard enough to be safe, but then you have to try to convince people to change their behavior. And that is a very, very difficult challenge.
Simeon: Yeah. Do you know you hit on something that, that the, um, we use this line at VIVIDA that our aim is to. Make us subject matter. So it sticks, um, because like yourself, I’m spending a lot of time dealing with the senior leadership for larger organizations But the aim very much is to try and like work out ways of trying to make this subject stick and then make it matter. And I think that is a massive challenge. For me, I think that’s kind of where the storytelling component can start to come in as being a really useful tool, um, to help on that journey.
Camille: Hey, Simeon, could you give us an example of something maybe even not cyber security that you’ve put together, that’s kind of something you do pretty extreme immersion for storytelling.
Simeon: Sure. Um, okay, so there’s a, there’s a, there’s a couple of examples. Um, one that’s related to cyber security. That’s it’s it’s really cool. So, um, we decided to help employees within a large organization understand cyber security by looking at it from a different angle. Well, now what we did is we used the immersive technology–we use any form of storytelling. It could be video, um, animation, um, definitely interactivity and our laboratory with our labs, for VIVIDA utilize, um, immersive like virtual reality.
So what we did is we placed the employees within a recreated dark web mission control center. So imagine I could take you, you put on a headset and then all of a sudden you end up being within a large environment where you can say, Oh my goodness, I can see all the computer screens. I can see their stations. And in virtual reality, we actually start to see the criminals hacking and trying to penetrate the computer systems. And you get two minutes to. Try and understand what are the methods they’re using? what are the approaches? And that becomes really powerful because all of a sudden what you’re doing is you’re starting to create a more lived experience.
Um, Camille, and you mentioned something not related to, um, you know, necessarily security. What you can’t tell on a podcast is that I’m a, I’m a black dude. Um, and so I’m really passionate about, um, helping organizations tap into talent from diverse backgrounds. So for–it for EY actually, um, and Ernst and Young–we wanted to help the senior leadership understand what it was like to be a black person, in this case, a black, young, black man wanting to work at a large organization. And we recreated the wheel experience where you ended up being in the body of a young black man. So you look down at your hands in virtual reality and your arms are black. Your hands are black. And when the telephone rings, you actually need to pick it up and answer it and start to talk to the recruiter, then start to communicate with, with family members.
And what we’re doing is we, that’s where we start to use the power of storytelling. Now, of course, we’re going to a real, like, real levels of innovation in order to be able to help people live the story. But right now, even in things like COVID-19, without the use of headsets we’re working at, how can we use immersive storytelling, the fundamentals, in order to be able to take a subject and then make it matter.
Camille: So is this like a one off epiphany, if you can achieve a, um, an understanding once then people are kind of changed forever? Or is this the type of thing, whether it be cyber security or diversity and inclusion, where people need constant kind of reminders and constant information?
Simeon: Yeah. You know, that’s a really good question. So often when someone has an actual lived experience, you can have, what’s called a real “inciting incident.” In fact, that’s in storytelling structure and inciting incident, which changes your perspective and then changes the course of your story, right? Often what happens is, is if an individual goes through a particular trauma, as an example, they look at the world very differently. It’s why someone who’s had a trauma–let’s say they’ve walked down the street and they’ve been mugged, right? All of a sudden their perception of the world changes because they’ve had that lived experience and their risk assessment is now forever altered and their behaviors forever altered.
So it’s true that you could have a life experience that changes your outlook so fundamentally that your behaviors then change forever. I believe though, that that is very, very difficult to manufacture. The closest might be an immersive experience, but I don’t think that there is much that can be done from an educational training standpoint that has that level of leverage. So what we need to do is we can create the best inciting incident possible, which can leverage on story, but it has to be reinforced repeatedly over again. And that’s where things like nudge theory come into play because there’s not an inciting incident and there’s enough of a lever to make such a huge dramatic change. So we in essence have to. Keep driving a message home in order to create that sustained behavioral change.
Camille: So another question is you were mentioning something in conversation the other day, neurodiversity. Describe that quickly and then I’m also wondering, I’m assuming that neurodiversity would imply that you have to do training or, um, experiences differently for different people. So I’m wondering how that plays in storytelling. Like capturing multiple people at a time, but everybody is looking at it differently.
Simeon: In essence, um, we all think. Differently from a neurological standpoint and we’ve got different leavers. And sometimes you might have those that are, we call it on the spectrum, right? So some have got, you know, you might have things like Autism, but then you can have degrees that lead up to Autism—Aspergers–degrees that can lead up to that. Often a lot of those things might be linked directly with something that’s got a negative connotation. But as we know, that when we look at many of those, who’ve made, had such massive, substantial impact on our society, they’ve often there may be a deficiency in an area, but a massive exceptional ability in another.
But I think the principle is, is regardless, that from the way our brains work, we all work slightly differently. And there may be areas of training upbringing that deal with the masses, but actually there are differences. So for example, for me growing up, um, I was labeled as at some stages of being a little bit learning difficulties, right? My writing, I remember if I was to do writing of letters on a piece of paper, my letters would take up two or three lines because I couldn’t fit within the lines, right? If you get that kind of picture. And my parents were worried. I was worried because of the way people were looking at me.
It turned out, though, that as I was learning when the teacher involved forms of interactivity and engagement, I sparked up. If the learning involved elements of story, I was like, “ah, now I get it.” And if it tapped into things that were a little bit used, more of my senses, I was fully captivated.
I thought I was the anomaly. It turns out actually there are millions and millions of people like me, probably like yourself, that actually, if you had the preference, would love to have some form of utilizing more senses–sound visuals, can we utilize touch of a component story–would that subject matter more to us? And typically the answer is yes.
Tom G: Yeah. Boy, that really resonates with me. I’m thinking back to college. I, there were kids that could like read a book and, uh, they just got it and was the opposite. But if, if the professor would draw a picture for example, and I could visualize it, I had it. You know, and I had it solidly, you know, and so for me, it was visual learning versus sort of textbook learning. But, um, so I wonder if we can, if we can try to maybe narrow into some of your, either best practices or things that you’ve learned.
So you you’ve obviously been working on cyber security with companies and how to talk about it in ways that make a difference and, and, you know, change people’s behaviors. You know, absent of, of, you know, putting a virtual headset on everybody, I wonder if you can share what you have learned, how to talk about cyber security to make it matter to people, techniques that you’ve used in the life that you could share with our listeners.
Simeon: So. Um, often I’ll end up coming back a lot of the time to try to utilize, um, story and storytelling structure. Now, when we talk about story, we don’t just mean “Once upon a time, ” right? Which is what people tend to think. Oh, that’s a story. Actually. Storytelling structure defines that you lay a bit of context, like it then also means that you start to define what’s called a protagonist, i.e. a character or a, a force that is positive that you want to root for, right? So when you think—
Tom G: … and do you use, do you use things like the company? or do you try to personalize it down to a person?
Simeon: Okay, really good question. Really good question, Tom. So actually the answer is both. So who do you want to root for? So in a lot of our interactive, online experiences that don’t use the, on, you know, the headset, what we’ll do is we’ll go right, as a business, we want to be safe and secure. Okay, that’s Protagonist 1. But we need your help as an individual, right? Protagonist 2, the main is actually you. You almost root for yourself and then maybe others involved in the experience.
So, then what you end up doing in a storytelling structure is you end up going, well, actually what’s the main objective right? In a movie, what happens is, is that there’s an end goal, right? There’s a journey you need to get from where you are and that individual that you’re watching in that movie–let’s say Lord of the Rings, right? They need to get from– climb over the mountains, fight against the obstacles, et cetera, et cetera, to take the ring across.
All stories have that big journey. In security it might be, um, a secure culture, secure behaviors, um, having a certain amount of understanding. But who’s the antagonist like who’s the opponent that’s always trying to push you back? Well, it might be yes, cybercriminals, or it might be the thing, the mistakes that you make along the way related to security.
Um, and what this framework starts to do is start to give you and provide you with a vehicle that automatically starts to make things easier to understand. When you’ve got that storytelling structure, all of a sudden you start thinking, ah, how can you add, um, additional context to that? We use imagery. We use audio. We use all these, these different components and they really start to, to make a difference.
The other thing is, is utilizing as many individual senses as possible. So just like you said, Tom, like you when you, your teacher gave you a professor showed you text or a book, it was like, “Uh!” But the moment you showed an image, you got it. How can you utilize imagery? But then can you go a step further in line with what Camille was mentioning where you actually go, actually, what can you actually embed and start to use audio or video, um, and then start to use interactivity.
Camille: So, how does this all happen? I’m taking what you’re saying and I can apply it fairly easily if I think of giving a talk, um, internal or external. But I’m having trouble figuring out how to do this over Zoom, uh, or some sort of an interactive web platform, especially when there’s multiple people on the, on the other end.
Tom G: Yeah, how to scale. And I think I have the same, same question. How do you do this across a company of thousands of employees.
Simeon: Okay, s o we’re going to cover a little bit of uncovered ground here that I’ve actually not spoken about publicly for some of it. We’ve done, we’ve done a couple of things. So most companies, you’ll be aware and they’ve got like a learning management system, right? Typically the educational courses that sit within them are very dry, but just because of how they’ve been created, right? They need to tick the box to say you’ve done them, but they might have just the normal standard text to simple clip art.
But the moment someone sits in front of that mandatory training, what happens is the body slouches back. People are bored already and they don’t want to lean in. So, what we’ve started to do is we’ve created, um, in fact, we did it with, um, in the UK we’ve got, um, the one, the most dominant commercial TV broadcasters, right. And they’ve got thousands of people across the country. We created an interactive immersive—i.e, you can actually move around, look around, click on objects and uncover puzzles, play video clips as part of that mandatory learning and training. We took something that was boring, turned it into something that was engaging and distributed it directly through that, through their platform.
So, as an example, the first mission is, is, um, use an employee on your working from home on your computer system get a mission. An individual from a business has been scammed. You’ve got a detective board of information, including their past social media activity. And you’ve got to work out how the scammer managed to scam this particular organization and this individual. And you’ve got to bring all the pieces together.
Now that’s on a one-on-one basis. So what we’ve tried to do is look at how can we use interactivity, utilize the people as they work from home and change the learning experience and individual training level. Your great point that you mentioned, or how do you do that As a, as a group?
Actually, what we were doing just before this call is our team was building out our technology and capability to start to work as a group discussion, uh, almost like an escape room, but one that is online with multiple parties. And in fact, we’re actually working with, um, uh, an, an investment bank at the moment where we’re actually, we’re, we’re doing this. What we want to do is we want to have multiple people, but like we’re doing now. Um, but utilizing our visual storytelling and the assets, bringing them together to create something that really starts to drive that narrative forward.
But if you were trying to do this yourself, I would do this. Work out as a group, what’s an inciting incident? So, for example, you could decide to as a group, you’ve got this challenge, okay? And then what you need to do in the space of half an hour is you need to be able to solve this particular problem so that this challenge is overcome. Everyone needs to work on it together. And, and just doing that starts to reframe that, that conversation.
Tom G: Yeah. I think this is interesting. You, you’re kind of the way I’m interpreting what you’re saying is, is you’re almost making it into a game or a challenge, a collective challenge that the, the team needs to work toward. And, and in doing that, you’re actually teaching them, even though it may not feel like you’re teaching them.
Simeon: Yes. Yes. So you’re, you’re, you’re a hundred percent, right. Um, you know, we talk about principles of gamification. Gamification can be “structural gamification” is one type and the other is “content style gamification.” Now we’re using both VIVIDA. So our stylization and our visuals have a form of gamification in it. But the other form of structureal, which is, could you work against a clock? Could you need to get a certain score? You know, can you utilize characters? And some of those principles can really help you to make the subject that’s really dry into something that is, um, very, very interesting.
You’ve watched the movie I’m sure and ended up feeling emotional. In some cases, some might cry, some might feel excited. Now, before you walked into that movie theater–mind were the old days, before we go into lockdown–you didn’t care for the character and you didn’t care for the cause. But because the directors of the piece that designed that movie, they designed it using storytelling, which meant that very quickly, you cared for the lead character. You cared, whether they won the battle. You cared whether they were hurt or you cared. Whether the guy got the girl or the girl got the guy. And that’s what we start to do start. So can you utilize those principles, even in security training or insecurity awareness, but utilize that in order to help people understand and care about the subject of security.
Camille: So I think I heard, um, like you’re saying, make it, make it personal if possible or personal to a company, create an, um, an instigating or inciting experience if possible–hard to manufacture, but something that triggers people to, to start to have an epiphany. Um, and then maybe more training after that. But if you can precipitate some kind of understanding, that would be good. Think about how you have neurodiversity, people learning in different ways, so you can try to incorporate visual audio as much as you can, different things. And then simulate or create a game, create a goal, create a team, create something you’re trying to achieve somehow. Is that about right?
Simeon: Yes. You summarized that really well. And actually, do you know another thing you can do as well as the business? Get other people involved in creating the materials, right? Get their viewpoints, get their insights. I actually feel that the part of the reason why we sometimes struggle to solve this big issue of cyber security–in terms of making the subject matter to people–is because we often are seeing things as an industry from the same vantage point.
If we take people who have got different backgrounds, different skill sets and get them looking at this, we then by definition, get different perspectives and different angles of attack. And that’s what we need is we need to have those different angles of attack. Because the reality is, is, is that often the security industry, um, from past generations has probably attracted the same types of individuals and people.
Whether you think about physical security, having moved from physical to digital, whether you think about those that maybe come from, um, the military and then move into that digital domain or whether you think about the, the equivalent of the “kiddy hacker” that decides to move into the industry and go through the route of ethical penetration testing, what happens is you start to potentially get people who’ve got the same type of mindset.
Is there an opportunity here to actually start to open out that scope so that we get a totally different vantage point on the problem and then start to get a more rounded out, um, approach to the story and then also the solution.
Tom G: We do like to have a little fun on this podcast and talk about fun facts or things that you think the listeners might find interesting or engaging. It could have something to do with security or it could have most of the time it has nothing to do with security.
Simeon: Um, I guess I think one of the things I think becomes really interesting, um, now is because every one starting to work from home, um, uh, in a lot of cases and you’re stuck within the four walls, um, I think it becomes interesting and really exciting to, you know, I’ve been really starting to play around in virtual reality more, but this ability to now start to escape and find yourself in totally different worlds. Whether you’d be fishing on a boat, but in virtual reality, right?
How many of us have got these different things that we used to want? We wanted to do, but we no longer able to do. I’ve been to some crazy places recently, right? Even in lockdown. I have been in buildings I’ve never actually really been in. I have, um, fought and battled against, uh, enemies in, in, in other worlds. I’ve played snooker, but done so in virtual reality. So I’ve been enjoying myself even in lockdown. Yeah. Um, but in more of the, the, the virtual world.
Many of us are struggling to stay sane because we’re stuck in the same four walls. Actually, this could be a really cool opportunity just to provide yourself a little bit of escapism outside of work, switch off work, have some fun.
Tom G: That’s great. That’s great. And, and the, the experiences are so immersive. Like you, your brain does get tricked into the fact that you’re not actually there, but yeah, it’s incredible. So yeah, that’s, that’s a great one. Camille, how about you?
Camille: Looking up, uh, risks around cyber security and, um, critical infrastructure, I was wondering, you know, really what is our biggest threat to energy and power. Uh, and I have learned that it is none other than the squirrel. So, um, a Former Deputy Director of the NSA said, “frankly, the number one threat experience to date by us electrical grid is squirrels.”
Simeon: I’m Googling. As we speak to find some–
Camille: there’s no fact checking allowed on the interesting facts (laughs)
Simeon: (laughs) OK, my hands have moved away from the keyboard.
Tom G: Yeah, that’s okay. It may not be hands have moved away. It may not actually be correct, but it’s entertaining. Uh, so I stumbled on something this weekend. So, uh, for people who know me, they know that I am absolutely passionate about fishing.
And so I was online looking at fishing stuff and, and, um, there was a shirt and it had some sort of interesting quote, on the front and on the side, it had a picture of an American flag. But the picture was, was reversed. And it turns out, uh, on the U.S, uh, soldier outfit, whatever you call it, the product called it an outfit. But you know what? I’m talking about a uniform. There you go. The uniform, uh, their patch is also what I would consider, uh, backwards and, um, and it, and it dates back–it’s actually on purpose–it dates back to the standard bearers, uh, battles where they would hold a flag and he’d have somebody who’s great honor position to hold the flag into battle.
And if you envision a pole holding a flag and going into battle, the flag will be facing the other direction, if you’re going into battle. Right? So if you’re walking towards battle, you’d have the flag facing actually the way that they put the patch on, on your arm. And so it signals or signifies that the American soldier is always going into battle as opposed to retreating.
So I found that very interesting and kind of a cool story and, and, uh, uh, some powerful imagery.
Simeon: I love that.
Tom: Yeah. Well, Simeon, thank you so much for spending the time with us. I think, you know, we have a shared mission on how we talk about security and making security matter to folks. And, um, I found your stories fascinating. So thank you for the time and I wish you the best of luck cause we have the shared mission.
Simeon: Thank you. It’s really great to be a listener. That’s turned into a participant. So I really appreciate that. Thank you.