07/02/20: Marcus Beyer advises and accompanies companies in the implementation of security or BCM awareness campaigns and supports IT departments in project communication or in change and team building processes in the company.
His workshop “Lego Serious Play - Use of agile methods in security processes” is a thinking, communication and problem-solving technology for use with individuals, teams and organizations.
The central theme of Command Control 2020 is cyber resilience. What does this approach mean to you? And why should companies base their security strategies on this?
Beyer: If you look at psychology, resilience is very well defined: It is the psychological strength and ability to survive difficult life situations without any lasting adverse effects. Within the definition of cyber resilience, the “difficult life situation” can be interpreted as an attack on a company, which it and its entire work organization have to be able to tackle head on. A company needs stability—in its security culture, in corporate processes and in its security strategy and organization. In other words, it needs to be prepared and have a good plan in place for the worst case scenario. There should also be a culture of error in the company, where employees are not only encouraged to report incidents, but also have the opportunity to do so. Companies should also be in a position to draw the right conclusions from incidents so they are better prepared for the next situation. As such, a cyber-resilient company can be compared to one of those roly-poly toy figures that can be made to sway, but which always returns to its original position—sometimes quite quickly, sometimes a bit more slowly. In any case, it cannot simply be thrown off course.
In your opinion, what is the difference between cyber resilience and cybersecurity?
Beyer: I must admit I don't really like the term “cyber” in this context. I prefer to speak of resilient organizations and information security. That makes it clearer. While resilience is more about the stability of the entire organization in critical and dangerous situations, cybersecurity is more about the technical and, perhaps here and there, organizational aspects of detecting and defending against attacks.
At Command Control, you will be running a LEGO Serious Play workshop. Can you give us a brief insight into how this thinking, communication and problem-solving technology helps with cyber awareness?
Beyer: That's easy, it's all about thinking with your hands. That might sound a bit weird, but it's not. In my more than 16 years of consulting work, I have never seen a more intense, involving and creative facilitation method than LEGO Serious Play. Almost everyone enjoys playing with LEGO bricks. What is important for this method is a concrete, clear and transparent question: For example, what skills should my security team have? What form should our corporate security culture take? Or what do users expect from information security? With a question in mind, we then set about building and thinking. Metaphors and storytelling are at the forefront. What exactly do I want to express with what I have built—what do I want to explain?
The stage is a safe space for the participants. First of all, the process involves individual models, which are then combined into a group model. This establishes a creative group dynamic—without anyone being able to withdraw from the process. And through the joint explanation and discussion of the group model, a healthy consensus, acceptable to everyone, emerges in relation to the initial question. Where else can I find a situation in which everyone is not only committed to the same thing, but also has a shared understanding of the same thing?
Another advantage of this method is that the complex, elusive digital world can be translated into an analog and emotive dimension. We are surrounded by the digital every day. So there is a great need to have created something with our own hands. And LEGO Serious Play is an excellent method for mediating groups and teams.
How exactly does LEGO Serious Play help to identify obstacles in the planning of security awareness campaigns—such as distinct hierarchical thinking within the company or different levels of knowledge and approaches among employees?
Beyer: The goal of LEGO Serious Play is to create a common understanding of an issue by all parties involved. It doesn't matter whether it's an awareness and training campaign, organizational and procedural adjustments or the formation of a team—the focus is on dialog and joint creation. And especially with interdisciplinary or even intercultural teams, the combination of thinking with your hands and the accompanying, explanatory process can be incredibly helpful.
In LEGO Serious Play, each participant is reached in his or her own way. Everyone is involved. Everyone is of equal importance. Nothing is forgotten. Everything is brought to the table. Everyone explains. Everyone discusses. Language and hierarchical barriers are quickly overcome—if you leave enough room for the creative phase. The advantage of this method is that almost everyone enjoyed playing with LEGO in their childhood. The moment LEGO bricks are put on the table, most people start building with them right away. This is something you can try out at a regular meeting. I experience the exact opposite with PowerPoint presentations. In fact, most participants usually behave rather passively. This is definitely different with LEGO Serious Play. And that's what makes the method so valuable when it comes to developing a common understanding of the importance of cybersecurity.
Command Control has three main target groups: security professionals (CISOs, etc.), privacy professionals / risk managers and digital transformation leaders (C-level representatives). Is the workshop particularly relevant for one of these target groups or do you think it offers added value for all of them?
Beyer: Basically, the method thrives on the diversity of the participants. They complement each other and are able to gain an “alternative” view of a topic by identifying with the needs and requirements of others. Accordingly, the workshop is suitable for all Command Control participants.
In general, why are you looking forward to Command Control?
Beyer: The line-up of speakers is really interesting, multi-faceted, controversial and complementary—exactly what I expect from a conference. And, of course, I also find the diverse communication opportunities for a professional and, above all, personal exchange appealing. This is what such events are all about—networking, meeting colleagues, getting to know new people. At Command Control, the whole thing is paired with knowledge transfer and exciting presentations. I am therefore very pleased to be part of this year's event.