The human factor in the middle of a global breach.

In this episode I am joined by Andy Jones. Andy has a distinguished career in information security, both as a CISO and in his roles as a major influencer within industry stakeholders such as the Information Security Forum.

He helped steer organisations like Sainsbury's, Unilever, British Airways and Maersk along their journeys when it comes to developing a mature approach to information security. And his rich experience and practical insight made him a natural for roles at the Information Security Forum.

He’s curious about many things, not just information security, and that gives him a level of insight and an ability to communicate which marked him out amongst his peers and meant he was a regular speaker on the industry circuit. But the reason why I asked Andy to join us was his specific experience of the “human factor” within the context of one of the world’s best known cyber security attacks.

In this episode I wanted to explore whether employee awareness, behaviour and culture were influenced by the unique forces at play during a significant cyber security incident.

The motivation for taking this angle came through my research at Re-thinking the Human Factor, where I identified that our judgement and decision making is heavily influenced by the environment. So what happens when the environment within which we make decisions is no longer the corporate classroom or some CBT, and turns into a real, live event?

In this episode Andy shares insights into his own experience as the CISO at the helm of Maersk during one of the industry’s best known cyber security incidents in recent times.

I hope that you enjoy it.


Key Topics


  • How a major cyber security incident rolled out at one of the world’s shipping companies.
  • Employee awareness, behaviour and culture.
  • The powers at play during a global security incident and how they might influence awareness, behaviour and culture.
  • How cultural values influence how people respond to changes including major security incidents.
  • The difference between planning for and responding to scenarios, and how plans often fall apart when they are put into effect, even the best made plans.
  • Industry bias towards “prevention” when it comes to strategy, programmes and initiatives around the human factor.
  • Maturity of current industry thoughts around awareness, behaviour and culture.
  • Opportunities for aligning current human factor industry best practice with existing cyber security best practice.



Andy Jones has worked in cyber security for over twenty years, both as a practitioner, holding executive positions at Sainsbury's, Unilever and Maersk, and as a researcher for the Information Security Forum.

Although he has recently stepped back from a full-time role, he retains an active and passionate interest in the world of cyber security.
