John Hield’s hard work and drive for perfection have meant that today he is the go-to person for compliance and information security within Veolia UK and Ireland. John is part of both the UK & Ireland Information Security & Compliance Leadership team and the Veolia Global CSec team. He has achieved this by acting as a trailblazer and visionary globally, both internally with his colleagues around the world, and externally when he presents and engages with contemporaries at industry events.
John hails from Staffordshire in the West Midlands of the UK. He started out in the ceramic manufacturing sector working in the quality and process control department; after that he moved to a technology company where he first delved into the world of IT by working with the IT Infrastructure Library (ITIL), IT Service Management (ITSM) and the ISO 20000 certification, and started taking an interest in cyber security. He has always been motivated by a drive towards perfection, focusing on reducing variation and eliminating errors so that his organisation runs at a high standard and is able to comply with industry regulations. John stayed in IT throughout the 1990s and early 2000s, specialising in quality management and business improvement, until 2006 when he joined Veolia UK and Ireland as an IT Quality Manager.
Veolia is the global leader in optimised resource management and has 163,000 employees worldwide. The company designs and provides water, waste and energy management solutions that contribute to the sustainable development of communities and industries. As an IT Quality Manager, John focused on improving IT processes so that they could adhere to a multitude of compliance standards. With time, John found himself more involved with information security as compliance and infosec intertwined, and in 2010 he was promoted to Infosecurity and Compliance Manager. John found that the steps the business needed to take to comply with regulations and the steps it needed to take to protect against data breaches were often very similar.
John is known as a cyber security and compliance mentor for all within Veolia UK and Ireland. For example, a large part of the business is run by independent contractors, with whom John works personally to ensure that they understand relevant regulations and are working in a safe and compliant way. He is also on Veolia’s UK & Ireland Risk committee and is a member of the Global Cybersecurity Team, and works in unison with his counterparts from around the world to maintain Veolia’s reputation as a leader in cyber security and compliance. John has spoken as an industry leader at several external events in the last year, ranging from the Gartner Security and Risk Management Summit to Whitehall Media’s Enterprise Cyber-Security event. This is alongside regular speaking engagements that John holds internally on data protection, social media safety, social engineering and other relevant information security and compliance topics.
John emerged as a true pioneer in his field when he proactively took interest in the GDPR in mid-2016, months before many UK organisations would have even been aware of its existence. He became an intrinsic part of a working group within Veolia that was planning for GDPR compliance; John stepped forward as the Project Manager for GDPR, working hand in hand with the Head of the Legal Team. This led naturally to John being assigned the position of Data Protection Officer (DPO) for Veolia UK and Ireland – a perfect fit for John, as the GDPR defines a DPO as “a cornerstone” of “accountability”. A large part of this role is ensuring that Veolia’s end users receive cyber security awareness and training.
John’s team have trialled many different cyber security training and awareness methods. Amongst other things they trialled email-based education – sending employees infographics and statistics; uploading blogs onto a shared intranet; and uploading information onto Google Communities. Unfortunately, end users didn’t really engage with these methods, with emails going unopened and blogs being ignored. This meant that John’s team couldn’t truly demonstrate that they were training their employees, and were therefore non-compliant with regulations that required cyber security training, like the GDPR. John then changed tack by giving one-hour presentations to staff at different sites, but many did not have suitable locations where he could train everyone at once. He then set up smaller, interactive sessions, where he trained six to eight people at a time. This was incredibly effective, but with 5,500 IT users across 400-plus sites in the UK and Ireland, and a team of around three people, it was not logistically viable.
So, John started looking into cyber security training software. He demoed solutions from two leading brands by asking people from the HR, Finance and IT teams to try out the different types of training and give him their feedback. Overwhelmingly, the trial users preferred Wombat Security Technologies’ solution because Wombat’s interactive, step-by-step modules were more engaging than the other company’s video-based modules, which end users found overly technical and hard to engage with at their desk.
John started implementing Wombat’s solution in May and June 2017. He began his first campaign by sending an introductory email to everyone inviting them to complete mandatory “security essentials” training, as well as letting them know that they could try out other optional training modules. In the first week, 1,200 modules were completed, drawn from both the compulsory and the voluntary module sets. John gave the company three months to complete the compulsory training, and with just a polite monthly reminder, 80% of users completed the training. He was pleased that the department leads acted as stakeholders during the campaign, with many asking for a list of names of those who hadn’t completed training so that they could personally incentivise them to do so.
Apart from the resounding success of the compulsory campaign, John was really impressed with how many end users completed voluntary training – from June to December, 4,120 voluntary modules were completed. 100 staff members even did every module available! Mobile device cyber security was a particularly popular voluntary topic.
John ran a mock phishing attack on his users in March during Veolia’s internal cyber and physical Security Week – 700 people out of the 5,300 email addresses targeted clicked on a link within the email. Because this number was already relatively low, John decided to challenge his users during the next mock phishing test in November/December 2017. He used an attachment-based simulation and more corporate-looking emails – this saw more people falling for the test who hadn’t before. So, having identified the problem, John has applied an instant solution by planning the next mandatory education module to be “avoiding dangerous attachments”.
The ROI of the training has been immense, with the equivalent of 250 entire days of training being delivered from June until October 2017 – an impressive number considering that the modules only take around 15 minutes to complete. The money saved by using this type of training is going straight into the budget for next year, and one of John’s first steps as DPO will be to run a compulsory campaign educating users with Wombat’s GDPR training modules – although he has noticed that a lot of people are already voluntarily doing this module.
John presented Veolia UK and Ireland’s cyber security training campaign to his contemporaries at a global security summit in France in the summer of 2017 and they were blown away – with John at the helm, the rest of the organisation looks set to roll out this high level of cyber security training and awareness globally. The way that John has tackled cyber security training and awareness head on within his organisation, acting as a trailblazer globally, has demonstrated that he is truly an influential cyber security leader – he will no doubt continue to influence and inspire in his role as DPO within Veolia when the GDPR comes into force in May 2018.