Cybersecurity researcher wants users to make smarter security decisions

20 Apr 2023

Image: Dr Jason Nurse

Dr Jason Nurse of CybSafe speaks to about his dual role in academia and industry, and how it has informed his understanding of cybersecurity best practices.

Click here to view the full Cybersecurity Week series.

Dr Jason Nurse is the director of science and research at CybSafe, a security human risk management platform, and an associate professor in cybersecurity at the University of Kent.

At CybSafe, Nurse leads a team of behavioural scientists and researchers responsible for ensuring that the company’s product is grounded in scientific evidence and empowers users to make smarter security decisions and build better habits.

Prior to his role at CybSafe, Nurse engaged in research into human cyber risk, security behaviours and cyber psychology at the Universities of Oxford and Warwick – with his PhD specifically focused on organisational cybersecurity.

Speaking about CybSafe’s goals, Nurse said the company is “focused on producing a platform with techniques, products, knowledge and research that helps companies support their people with the human aspect of cybersecurity”.

“This way, we are making the most important line of defence, the best line of defence.”

‘My research helped me understand the importance of people as part of the solution to cybersecurity’

What are the biggest challenges facing your sector, and how are you tackling them?

One of the most significant issues in our sector is addressing the balance between compliance and culture. Many organisations are compliance driven. By that, I mean they are primarily motivated by ticking the right boxes to cover themselves from liability.

However, while compliance certainly has an important place in the cybersecurity discussion, ticking the box to say you’ve given employees basic security and awareness training won’t protect you from increasingly frequent and complex cyberattacks.

People are busy, with a long list of priorities above their cybersecurity compliance, and we must be honest about where we are. Instead of telling people what they should know, we should focus on delivering the right content at the right time on the right platform, to drive up engagement and alter the behaviours that lead to vulnerabilities.

What set you on the road to where you are now?

I have always been interested in technology more broadly and decided to undertake an undergraduate degree in computer science and accounting. This would have set me on a nice career in accounting and specifically auditing (eg auditing tech systems). Yet, soon into my auditing journey, I realised it wasn’t for me. I wanted to do something directly in technology, and particularly in security. Simply put, security or infosec or cyber or whatever we call it in 10 years, it fascinates me.

But what set me down the path of focusing on the human aspect of cybersecurity was my postgraduate education. During my master’s, I undertook a project on cybersecurity which led to me choosing the topic of business cybersecurity for my PhD. During the early days of my PhD, I recognised that the social and people-centric side of cyber was ignored, and the technical aspects were favoured. It was then that I realised I wanted to fill that void and offer something new to the field rather than rehashing what had already been said.

‘Simply put, security or infosec or cyber or whatever we call it in 10 years, it fascinates me’

What one work skill do you wish you had?

I wish I could speed-read. More specifically, there is so much incredible research being conducted yearly, monthly and daily, but it is simply too much to properly digest and engage with.

I wish I had an increased capacity to not only digest this material effectively but also reach out to researchers and pull it through to the products that we see developing in the business world. There is a wealth of knowledge and innovation within the academic and research communities that could have impressive applications within industry, and connecting the two worlds is something the industry as a whole tends to neglect.

How do you get the best out of your team?

Everyone has a different approach when it comes to getting the most out of their team. But a few things stand out as particularly important from my experience and the way I work alongside the team.

Firstly, the most critical aspect of inspiring and motivating a team is getting them invested in their work as individuals and collectively. Therefore, if I have one piece of advice to anyone heading up a team it’s crucially important to understand your team’s motivations, passions and goals.

From there, you can jointly consider objectives, tasks and what they can bring to the table that best aligns with their passions and personal goals. Simply distributing tasks and expecting people to complete them misses the opportunity to build a strong team and one where everyone’s heading in the same direction. Motivation must simultaneously be intrinsic and extrinsic, which will ultimately only be achieved through a collaborative approach.

Beyond that, crucial characteristics of a successful team are understanding the brief, working out essential outcomes, and then planning ways to achieve those goals for the company in a way that satisfies personal objectives.

Have you noticed a diversity problem in your sector?

Across every sector, diversity is a problem. But in cybersecurity, the problem is being amplified for several reasons, one being educational inaccessibility. Across the EU, under a fifth of all cybersecurity degrees are at the undergraduate level, while 77pc are at the master’s level. As a result, we are not developing and training people at a younger age for the infosec industry; only a lucky few can afford postgraduate education.

That said, we have seen this uptick in organisations, including cybersecurity companies, prioritising diversity rather than putting diversity on the back burner. This mostly comes in the form of self-reflection about diversity. Diversity reports are becoming more common. This way, organisations can hold themselves accountable, ask themselves what the breakdown of staff is, and create an organisation that represents their values. These reports are crucial to creating an inclusive cybersecurity industry which supports those from any background, regardless of race, gender, sexuality, neurodiversity or disability. But more must be done on this front. Initiatives like diversity reports shouldn’t be seen as an option but rather a necessity, and actually, diversity is key to building a better organisation.

What’s the best piece of career advice you have ever received?

The best advice I have ever received is from an academic mentor I had while studying for my master’s degree. During my master’s, they saw my ability to take abstract academic concepts and apply them to real-life problems and encouraged me to develop those skills further by pursuing my doctorate.

The reason I am so appreciative of the nudge towards continued study is that it gave me the opportunity to hone my skills as a researcher, specifically, one focused on problems facing industry. It allowed me to gain a better understanding of security and its importance to businesses. Furthermore, it helped me see, from a scientific perspective, the importance of people as part of the solution to cybersecurity.

What are the essential tools and resources that get you through the working week?

Post-it notes for reminders, keeping track of tasks, and keeping track of passwords (just kidding!).

It’s essential to set aside time every day to concentrate on key tasks. There will always be emails and Teams/Slack messages to reply to, but on most occasions, they can wait. Leaders, like everyone else, need to give themselves the breathing space to get their heads down and crack on.

While I see the benefits, no matter how hard I try, the shared office isn’t for me. I need to block out the outside world occasionally, and my noise-cancelling headphones are instrumental in helping me do just that.

10 things you need to know direct to your inbox every weekday. Sign up for the Daily Brief, Silicon Republic’s digest of essential sci-tech news.