In 2018, as followers of Formula One (F1) will know, the fastest racing cars in the world got a controversial redesign. A new device was added to the cars: a curved bar, or Halo, designed to protect the drivers’ heads in the event of a crash. The proposal was made back in 2016 and was universally condemned by the Drivers Association—Romain Grosjean (F1 driver and, at the time, Grand Prix Drivers Association Director) said, “Personally, I think it was a sad day for Formula One when it was announced and I am still against it.” Despite this rejection, safety concerns overrode objections, and the Halo was made mandatory from the 2018 season.
Why am I telling you this? It’s not just because at the British Grand Prix this weekend the Halo yet again saved three lives (most dramatically Zhou Guanyu, whose car flipped, hurtled upside down across the gravel pit before leaping over the tyre barrier to rest on its side).
According to the latest 2022 Verizon Data Breach Investigations Report (DBIR), 82% of breaches involve a human element. These elements include the use of stolen credentials, phishing, misuse, or simply user error. These employees—the human element—are our racing drivers.
Like racing drivers, employees want to move fast, and they sometimes seem to charge headlong into risks in their quest to satisfy their ambitions and those of the business. As businesses grow and aim to “go-to-market” more quickly and efficiently with new products and digital services, this speed needs to be enabled but with security controls providing protective “guardrails” for the employee.
Since its introduction across open-wheeled sports car races, the Halo has been proven to save drivers from serious injury and even fatalities. 2022’s Championship contender Charles Leclerc walked away from a nasty crash in his first F1 season in 2018, after a car landed on his Halo (not his head). Images of seven-time World Champion Sir Lewis Hamilton parked up with rival Max Verstappen’s car on top of him, millimetres from his helmet, are still regularly shown in TV coverage of the sport. However, perhaps the most ironic example of its success was when it saved Romain Grosjean’s life in Bahrain—the car was sliced in two through a barrier, with flames churning around the vehicle, yet Grosjean escaped with only minor injuries. Grosjean has changed his stance on the Halo, now saying it saved his life and “it was the greatest thing brought to F1.”
It is clear: putting in a device “around the driver” that focused on protecting the driver—allowing them to take the necessary risks to get ahead—was beneficial to the teams, the sport, and the fans.
And as with racing drivers, again, so too with employees.
IT and security teams need to ensure that security is an enabler of speed and growth for their organisation as it embraces digital and cloud. We need to let employees drive fast, while also keeping them safe from both traditional and new threats and risks.
Much as in F1, an effective response is to create a “Halo effect” around every employee. The first step is to use a pop-up warning, or just-in-time education, whenever an employee makes a decision that introduces a risk. It may initially seem that this would be annoying to the employee; however, with the correct implementation, the notification and coaching are only applied when a series of high risks are identified, minimising disruption.
Next, the same “Halo effect” can also be used to highlight and promote good behaviour and not just focus on the bad. At Netskope, we commend employees who take responsibility, take action, and report suspicious behaviour when they see it. Our products and services are built on ensuring organisations can safely and securely use the web and cloud regardless of the many risks that are observed. Not only do we heavily use our own product, we also run a “Catch of the Day” campaign that allows employees to be rewarded for spotting suspicious phishing emails or attempts to gain credentials. In this way we ensure our people and processes are as mature as our technical controls.
The “Halo effect” is about leaving a good impression and rewarding positive behaviour. I often say, if every person in an organisation gives a minimum of one minute a day to think about security, I get the equivalent of two new full-time “virtual” security staff for every 1,000 employees in the organisation. It’s a statistic that makes people stop and think.
Once an employee has seen the benefits of the Halo approach, they become better informed about the risk that relates to their activity and can make a more informed decision about whether to proceed. As with Romain Grosjean, who immediately dismissed the Halo in F1, the safety and security control now becomes an essential component to protect the employee, and when the benefits and rewards are clearly seen, it could just be the greatest thing brought to your security strategy.