The Human Firewall

Author: Implement Consulting Group


Description

In The Human Firewall, we talk to the leading experts in behavioral design, psychology, innovative learning methods and technology to find the key to ensure organizations' compliance and cybersecurity through their employees.
11 Episodes
In this final episode, we discuss what we have learned from the 10 conversations we had with leading experts in compliance, security and behavioral design. If you only have time for one episode, this is the one! All the golden nuggets from both seasons are mentioned here.

Our guest is Luca Dellanna, and your hosts are Lasse Frost and Jakob Danelund. This episode is about preventing bad stuff from hitting us hard – everything from pandemics to data leaks and cyberattacks – and how understanding terms like ergodicity and antifragility is crucial to do so in the chaotic and complex modern world in the 21st century. Follow Luca on LinkedIn here. Read more about Luca's work here. Luca strongly recommends everyone to read Nassim Taleb's book Antifragile. Find it here. During the episode, we refer several times to the Pyramid of Risk. Find it here. Luca talks us through a compliance case about fixing a warehouse floor. Read more about it here.

Luca's vision: That we create a world where we care a bit less about ticking compliance boxes or just imitating what other people do without understanding, and a bit more about clipping tail risks. Basically, I hope that Nassim Taleb becomes required reading material in high school. And then that we remember the basics of risk management: We are not magically exempt from risk, unless we take explicit action to protect us from it and, if it happens, keep it from destroying us.

Luca's 3 pieces of advice:

What can we do tomorrow: There are two basic tools that do not require any expertise to understand and use, and that you can teach to a very wide audience in 15 minutes: Pyramid of Risk and Pre-Mortems. Many companies do post-mortems, talking about what went wrong and what to do better next time after the fact. Pre-Mortems are the same thing, but just done before the fact. Let's say that you want to launch a new product, and before you launch it, you ask yourselves: "Let's imagine that the launch fails. What could have been the reasons for it, and what can we do about it today?" And once you come up with some answers, you ask: "If we do X / Y / Z about it, is there no way that it can fail now?" Oftentimes there is, so you simply repeat the exercise a bit, and then you get really good answers.

What can we do in 6 months: Ensure that the Pyramid of Risk and Pre-Mortems are implemented in practice. That means that the moment you explain it, you need to create an area of application and set clear targets for it in 6 months. It is crucial to select a very small area, and to be consistent in how you plan to measure and encourage performance, so that it is clear to everyone what you expect them to do and why. If you do a good job, after 6 months you can expand it to other areas.

What can we do in 5 years: It is extremely important to go back to the principles, the foundations. One mistake that some companies make is that they achieve an objective, and then they think that, because they've achieved that objective, they can stop talking about everything they did to achieve that objective. People forget, get other priorities, and then there is a decay or a decadence. I think it is extremely important that this attention to the fundamentals is sustained, even when in theory we could aim for more. I would consider the latter a nice-to-have.
Our guest today is Josefine Ehlers Davidsen from AP Pension (at the time of the interview: The Danish National Agency for IT and Learning), and your hosts are Lasse Frost and Jakob Danelund. This episode delves into how you can utilize insights from psychology to bolster your organization against cyberthreats. Follow Josefine Ehlers Davidsen on LinkedIn here. Read Josefine's article "How to build real information security in 5 steps" here. Learn more about BSides Copenhagen here.

Josefine's vision: That everybody is as excited about cybersecurity as we are. But I also know that that's not going to happen. Just as we cannot have 100 percent compliance, we are going to have to accept that only a few people will have an intense love for cybersecurity.

Josefine's 3 pieces of advice to get there:

What can we do tomorrow: Identify what's really important to you. Ask yourself or ask relevant people what they really care about in this organization, what do we need to protect.

What can we do in 6 months: Start documenting. Qualitatively and quantitatively. As you're going along in your process, it's going to help you to get more and more data-driven. Document the touchpoints you have with people. This will make it gradually easier for you to report to senior management.

What can we do in 5 years: Stay curious and keep on listening. The threat landscape is constantly evolving, employees come and go – and it is futile to check boxes. So keep your eyes and ears out.
Our guest is Mikkel Holm Sørensen from /KL.7 – part of Implement Consulting Group, and your hosts are Lasse Frost and Jakob Danelund. The episode explores how we can utilize behavioral design and data to enable more ethical behavior. Follow Mikkel on LinkedIn here. Learn more about /KL.7 here.

Mikkel's vision: That data-ethics has gone from an elitist and philosophical discussion to something that companies just do. And then, of course, I would LOVE to have this poster-boy case, where a company does it right and earns a lot of money.

Mikkel's 3 pieces of advice:

What can we do tomorrow: Use behavioral design to communicate about ethical data use in a more nuanced way than just claiming that it's either extremely dangerous or harmless. Use straightforward language, concrete cases and relevant metaphors. To engage and mobilize people, we should ASAP find a more engaging word than "data-ethics" to describe what we mean.

What can we do in 6 months: Use the upcoming Danish labelling program for IT security and responsible use of data, and encourage the development of like-minded initiatives. I would like to see more consumers leaving companies that do not get this right.

What can we do in 5 years: Develop further trust in data use by simply not using data for bad things. Data will only be more potent in 5 years, and therefore it's crucial that influential companies lead the way in showing that weaponizing it is not the only way to achieve commercial success.
S2-E0 Season 2 trailer

2021-05-14, 01:51

Welcome to our second season! We have learned a lot from the first 5 episodes – and we want to share some great news with you. Tune in and find out why we are so excited about the coming season.
Our guest is Rory Sutherland, and your hosts are Lasse Frost and Jakob Danelund. This episode takes a deep dive into how you can use ideas and tools from advertising and the creative industry to make compliance great again. Follow Rory Sutherland on LinkedIn here. Learn more about Ogilvy here. Sign up for Nudgestock 2021 here.

Rory's vision: That the three areas of business – Marketing, HR, and Compliance – will be deeply psychological in accepting complexity and highly admitting to creativity. That they will escape the quantification bias and deterministic fashions – simple systems that are psychology-blind – that currently delude managers, simplify the individual into a single function leaving them highly amenable to automation (and boredom!), and prevent business instead of enabling it.

Rory's 3 pieces of advice:

What can we do tomorrow: Try to understand the internal culture and teams' needs from an anthropological and psychological level, not through an artificial mechanistic view.

What can we do in 6 months: Put an effort into rewarding brilliance far more and punishing deviance far less.

What can we do in 5 years: Acknowledge the need for subjectivity and novelty! All rules will be gamed at some point, so it's important to change them once in a while and not steer towards one goal blindly. Don't make procurement all about saving money, don't make compliance all about box-ticking, and try hiring people without a college education.
ENGLISH INTERVIEW STARTS AT 04:04

Our guest is Andra M. Popa, independent compliance consultant in the US health sector, and your hosts are Lasse Frost and Christian Lykke-Rasmussen. The episode explores how you can create better compliance by being humble, interdisciplinary, and creative. Follow Andra M. Popa on LinkedIn here. Learn more about Design + Compliance and find all relevant cases and articles here.

Andra's vision: That compliance officers do not have to be police officers, but instead focus on allowing people to be creative and help them grow in their roles.

Andra's 3 pieces of advice:

What can we do tomorrow: Make sure that the compliance officer is independent. Take a look at your organizational charts and the reality of your organization, and make sure the people in compliance roles are not reporting to anyone in operations.

What can we do in 6 months: Be visible, reachable, and apply concrete design ideas to your compliance work. Not only the compliance role, but also policies and procedures can be designed with different tools. Disseminate your information with readable fonts, maximum 2 pages, more emotional and fun, and targeted to the groups of people who should use them. And then, in the background, keep auditing and iterating, and doing field work on how people conceive and make use of your policies and procedures.

What can we do in 5 years: Development of tiny habits is key, because things can change so quickly, and we need to be ready for that change. Also, give people autonomy to make decisions for themselves in situations that do not fit into a black-and-white view of e.g. ethics.
ENGLISH INTERVIEW STARTS AT 04:30

The guest is Nick Gallo, Co-CEO and Chief Servant at ComplianceLine, and your hosts are Lasse Frost and Christian Lykke-Rasmussen. This episode is about how to make compliance a central part of a healthy company culture. Nick Gallo calls this Compliance 3.0. Follow Nick Gallo on LinkedIn here. Listen to Nick Gallo's podcast The Ethics Experts here. Learn more about ComplianceLine here.

Nick's vision: That compliance officers will be adept at bringing personal and professional empathy into the organization, so compliance can release the magic of the workforce. Light bulbs will be turned on at the top, hierarchies will be flattened to an appropriate degree, and employees will be treated more like human beings.

Nick's 3 pieces of advice:

What can we do tomorrow: Change your mindset. Be aware that, if you and your organization think you're a call center, you continue to be a call center.

What can we do in 6 months: Build your skills as a compliance officer. Not in terms of rules and regulations, but in how you can get people to do what you want them to do. Read a book on influence, start tuning in to sales pitches, and see what strings of influence folks pull, and see how you can better translate what your initiatives are into the core piece of professional empathy: Why should this person care about complying with this or that rule.

What can we do in 5 years: Start building relationships between Compliance, HR, Finance, and Strategy.
ENGLISH INTERVIEW STARTS AT 05:45

The guest is Rob Alvarez from Professor Game, and your hosts are Lasse Frost and Christian Lykke-Rasmussen. This episode is about how to make training and education more fun, engaging, and effective by adding elements from games (i.e. gamification). Follow Rob Alvarez on LinkedIn here. Listen to the podcast Professor Game here.

Rob's vision: That gamification would be better understood and more broadly implemented. We can improve a lot, but there is a dark side to it. The better you understand it, the better you can exploit it. Therefore, in my dream scenario, ethical considerations are top of mind.

Rob's 3 pieces of advice:

What can we do tomorrow: Read a bit about this – take a look at stuff about gamification. Watch the talks from Gamification Europe 2018-2020.

What can we do in 6 months: Take a course and take it seriously. The Game Thinking framework by Amy Jo Kim, for example. Try them out and start implementing one of those approaches in your own life or organization.

What can we do in 5 years: It's about the ethics! Think about the consequences of your actions, also a bit down the lane. Facebook or Instagram did not start out with an ambition of creating digital addiction – they wanted to make the world a better place, connecting people, but it had some serious downsides to it.
ONLY DANISH INTERVIEW

Today's guest is Laura Lynggaard Nielsen from Alexandra Instituttet, and your hosts are Lasse Frost and Christian Lykke-Rasmussen. The episode is about how an anthropological approach can be used to build a bridge between experts and non-experts in order to create better security in Internet of Things (IoT) solutions. Follow Laura Lynggaard Nielsen on LinkedIn here. Read an interview with Laura Lynggaard Nielsen about IoT security here. Learn more about Alexandra Instituttet here.

Laura's vision: That all small and medium-sized businesses in Denmark take an active and informed stance on their security, and put it on the strategic agenda.

Laura's 3 pieces of advice:

What can we do tomorrow: IoT is a hybrid technology, where the knowledge and competence you need are highly fragmented and spread across the organization. Often nobody has a full overview of the whole system. So find the right people and get them into a room, so they can talk to each other and work out what your needs are. That is a good first step.

What can we do in 6 months: Start gathering input. Either by going on some courses yourselves, or by bringing in an external party who can help look around and point out where you need to raise the baseline, and how that can be done.

What can we do in 5 years: Establish governance of security, so you make sure the input becomes embedded in your processes, annual cycle and governance model. That way, security can evolve along with the product and with the threat landscape.
ENGLISH INTERVIEW STARTS AT 06:36

The guest is Christian Hunt from Human Risk, and your hosts are Lasse Frost and Christian Lykke-Rasmussen. This episode is about why compliance has such a bad reputation, and how we can change that with simple tools from behavioral design. Find our LinkedIn community here. Listen to Christian Hunt's podcast Human Risk here. Learn more about Human Risk here.

Christian Hunt's vision: That one day, kids grow up genuinely wanting to become a compliance officer. Because, at the moment, nobody does. The brand is horrible. I would love it if we could make it more compelling. And I think it is crucial to position compliance closer to its natural place at the center of strategic considerations in all organizations.

Christian Hunt's 3 pieces of advice:

What can we do tomorrow: Think about every single interaction you have with your target audience (e-mails you send out, policies you create, training you put on, posters etc.). One bad (i.e. boring, patronizing, unhelpful) communication touch point can undermine your entire programme.

What can we do in 6 months: Start developing a behavioral-design skillset. Understand the psychology of non-compliance – especially when you, on the surface of it, think it doesn't make any sense at all – by consulting behavioral-design techniques, ideas, and frameworks (there are loads!), and start experimenting strategically.

What can we do in 5 years: Fundamentally rebrand compliance. Turn it into a space where people appreciate what compliance is there to do. Right now, it is viewed as a necessary evil – they tolerate us in meetings. But rebranding compliance would make them want us there, not least in strategic meetings.