October 4, 2022
SI in Conversation with.. Rob Forster, Head of Cyber Security at Milk & More. How an interest in psychology sparked a journey into security.
For our first interview, we were really excited to catch up with Rob Forster for a fascinating discussion about how psychology led to a career in security, key priorities in 2022, and top tips around phishing and security awareness.

In this series, we’ll be interviewing remarkable security leaders in varying roles across the cyber security industry. In an ever-increasingly virtual world, the personal perspective is so important, as is a community where insights and learnings can be shared. The role of a CISO is increasingly challenging, from dealing with growing expectations from executive teams to budget constraints, stress management and the constantly changing threat landscape. We have a fantastic network of innovative and progressive security leaders who want to do things better, and every month we are shining a spotlight to share with you some of their unique and personal insights, learning more about how they achieve success and overcome challenges.

Rob, we love that you’ve had such a unique career path into cyber security, one less trodden than the more conventional technical routes usually taken by CISOs and security leaders. Could you please tell our readers about this journey?  

Absolutely. Whereas many routes into security are through the technical side, my journey came about by following a human perspective. I began looking into social engineering and deception, which piqued my interest and resulted in my pivot into security.  

I have always been interested in cyber security, starting my journey at IBM as a consultant in financial services, where I worked first with security and resilience, and then moving to a European retailer where part of my focus was business continuity. I later joined an IT services company and worked with a lot of charities. This was around the time that GDPR was being introduced so a big question they were asking was ‘how do we secure our data’?  

At this stage my journey took a slight curve ball, as I decided to study my master’s in psychology, a topic that I’m incredibly interested in, and I think is so relevant as businesses revolve around people and their customers. I’m very interested in social psychology and how we behave, and for my dissertation I studied Deception, looking at how an individual’s personality can determine whether you can tell a truth from a lie (the average person can tell a truth from a lie just over 50% of the time!).

I’m now studying for my doctorate in information security as well. I think there is so much more to discover about how technology affects our behaviour.

That is a fascinating journey Rob, and we know that to be truly successful in security, the human side of the role, where you’re required to engage your team, other department heads, and communicate cyber security to leadership, is critical. Have you found this a useful skill in your current role?  

Yes, I think understanding social psychology, and in particular, deception, has helped me in building up a security culture from scratch. The cultural side of security is a massive part of the role, and as well as the technical and business skills you need in a senior role, you also need to be able to translate the needs of security and be able to come in and inspire your team and achieve buy-in.  

One piece of advice I'd give anyone trying to break into cyber security from elsewhere is to play on your current strengths and skills. Good technical IT experience lends itself well to technical security roles whereas if you have IT Service Management skills you are probably experienced in process and policy writing and holding others to account and so these skills are great in the GRC space.

So since joining Milk & More, what have been your first priorities within your role as Head of Technology, Cyber Security and Operations?

At Milk & More we deliver milk and other household products to your doorstep, and we are a sustainable led business, so for example we have one of the largest fleets of electric vehicles in the country. We’re part of a wider group of companies, but the difference is that we are an e-commerce business rather than manufacturing. My role came about as part of that desire to focus on operations and security relevant to e-commerce, for example we hold lots of customer data. We have distinct security risks and needs, and I joined the company to make sure operations were up and running, and to set up the security team from scratch.  

I would say my top priorities have been building up a security culture, as we’ve mentioned, and understanding the data landscape. It’s important to understand where that data is, how we’re processing it, and how we can improve. No one can ever be 100% secure, but we need to understand where the risks are, so I’ve been looking at our policies and analysing how we can reduce that risk.  

Looking at culture, there’s a risk that cyber security can be seen as a silo – almost like IT was 20 years ago! It can be seen as a blocker, and a team that costs a lot of money rather than being useful. It’s therefore important to communicate how security is contributing to business strategy and how it is removing risk. By framing it this way, and demonstrating value to executives, it allows you to have conversations more easily about investment.

Looking ahead then to the rest of this year and 2023, are there any trends or threats you’re noticing?  

Yes, I think cyber insurance is an area that is definitely developing, because up until now insurers haven’t really known how to approach this and it’s a new area for a lot of them. This is an offering which has so much value to a business, and it allows you to bring in skills quickly in the case of an incident, such as forensics, recovery, PR and marketing.  

I also think adapting to hybrid working, and the security issues that that brings, is a topic we should all be focusing on. Coming out of the pandemic, a lot of businesses were in a position where they had pivoted to hybrid working very quickly. Security teams had to work very hard to make sure their data was secure, and no one thought it would be for the long term. Now we’ve all realised that hybrid working will likely be the norm going forwards, we need to adapt to that. We’ll need to facilitate new policies, new ways of training employees on security risks, on developing and evolving so that we don’t reduce our security standards.  

What do you enjoy most in your role?  

I think what makes my role so interesting is that there is so much opportunity. We are established and part of a good group of businesses, and I now have the opportunity to build up my security team from scratch. I love scaling teams, and I’ve done a lot of that in the past, so I enjoy being focused on where we want to go as a business and how we are going to achieve that.

Are there any challenges that you experience day to day in security?  

I’m in the lucky position that I have a fantastic executive board behind me that support the function, but I think it’s always a challenge to join as the first security individual and build up your brand as the go-to person.  

Building up awareness and training is also more challenging, and exciting, in a business that has teams that work both in an office and also in fulfilment centres or delivering products. They don’t have the same security needs as employees who work in an office, so I can’t just roll out the same corporate training. I’ve found it a great opportunity to think about how I can introduce training that is tailored to different teams working in different environments. It’s both a challenge but an opportunity I relish. I’ve been looking at creating short 2-3 minutes videos at the moment which has been great!

And finally Rob, we know that a big concern for security leaders at the moment is phishing. Is there any advice or top tips you could give from a behavioural perspective that may help them to introduce effective policies, training, and awareness within their organisation?

This is a fascinating topic and one that you could easily dedicate a whole blog post to! Over the past few years, the discipline of Behavioural Cyber Security has emerged as a combination of behavioural science and psychology applied to cyber security awareness and mitigation activities. In terms of phishing, these attacks are getting more sophisticated all the time. One popular phishing attack purports to be from a company CEO wanting information quickly and is often phrased in a manner that implies a favour.  This plays upon a couple of areas of Psychology. One is the Truth-Default Theory, that states that we naturally want to believe what we are being told is true unless, or until, we can rationalise or explain any doubts. Another is that we simply feel good if we think we have helped someone out.  

Whilst we can run large programmes of security awareness and training, it’s often the simple things that can keep people engaged and safe. My advice is to encourage a ‘Stop and Think’ culture with employees asking themselves questions such as: Is this someone who would usually email me? Am I the person who would usually be asked for this sort of information? Regular, small items of security awareness that allow employees to feel in control can have a huge impact on adopting a healthy security culture across any organisation.

Thank you so much for your time today, Rob!    

Sign up to our newsletter to receive the latest updates