Information Security award entry from Wombat Security Technologies

John Hield’s hard work and drive for perfection have meant that today he is the go-to person for compliance and infosecurity within Veolia UK and Ireland. John is part of both the UK & Ireland Information Security & Compliance Leadership team and the Veolia Global CSec team. He has achieved this by acting as a trailblazer and visionary globally, both internally with his colleagues around the world, and externally when he presents and engages with contemporaries at industry events.

John hails from Staffordshire in the West Midlands of the UK. He started out in the ceramic manufacturing sector working in the quality and process control department; after that he moved to a technology company where he first delved into the world of IT by working with IT Infrastructure Library (ITIL), IT Service Management (ITSM) and the ISO 20000 certification, and started taking an interest in cyber security. He has always been motivated by a drive towards perfection, focusing on reducing variation and eliminating errors so that his organisation runs at a high standard and is able to comply with industry regulations. John stayed in IT throughout the 1990s and early 2000s, specialising in quality management and business improvement, until 2006 when he joined Veolia UK and Ireland as an IT Quality Manager.

Veolia is the global leader in optimised resource management and has 163,000 employees worldwide. The company designs and provides water, waste and energy management solutions that contribute to the sustainable development of communities and industries. As an IT Quality Manager, John focused on improving IT processes so that they could adhere to a multitude of compliance standards. With time, John found himself more involved with information security as compliance and infosec intertwined, and in 2010 he was promoted to Infosecurity and Compliance Manager. John found that the steps that the business needed to take to comply with regulations, and the steps it needed to take to protect against data breaches were often very similar.

John is known as a cyber security and compliance mentor for all within Veolia UK and Ireland. For example, a large part of the business is run by independent contractors who John works with personally to ensure that they understand relevant regulations and are working in a safe and compliant way. He is also on Veolia’s UK & Ireland Risk committee and is a member of the Global Cybersecurity Team, and works in unison with his counterparts from around the world to maintain Veolia’s reputation as a leader in cyber security and compliance. John has spoken as an industry leader at several external events in the last year, ranging from the Gartner Security and Risk Management Summit to Whitehall Media’s Enterprise Cyber-Security event. This is alongside regular speaking engagements that John holds internally on data protection, social media safety, social engineering and other relevant infosecurity and compliance topics.

John emerged as a true pioneer in his field when he proactively took an interest in the GDPR in mid-2016, months before many UK organisations would have even been aware of its existence. He became an intrinsic part of a working group within Veolia that was planning for GDPR compliance; John stepped forward as the Project Manager for GDPR, working hand in hand with the Head of the Legal Team. This led naturally to John being assigned the position of Data Protection Officer (DPO) for Veolia UK and Ireland – this was a perfect fit for John, as the GDPR defines a DPO as “a cornerstone” of “accountability”. A large part of this role is ensuring that Veolia’s end users receive cyber security awareness and training.

John’s team have trialled many different cyber security training and awareness methods. Amongst other things they trialled email-based education – sending employees infographics and statistics; uploading blogs onto a shared intranet; and uploading information onto Google Communities. Unfortunately end users didn’t really engage with these methods, with emails going unopened and blogs being ignored. This meant that John’s team couldn’t truly demonstrate that they were training their employees, and were therefore non-compliant with regulations that required cyber security training, like the GDPR. John then changed tack by giving one-hour presentations to staff at different sites, but many did not have suitable locations where he could train everyone at once. He then set up smaller, interactive sessions, where he trained six to eight people at once. This was incredibly effective but with 5,500 IT users across 400 plus sites in the UK and Ireland, and a team of around three people, it was not logistically viable.

So, John started looking into cyber security training software. He demoed solutions from two leading brands by asking people from HR, Finance and IT teams to try out the different types of training and give him their feedback. Overwhelmingly, the trial users preferred Wombat Security Technologies’ solution because Wombat’s interactive, step-by-step modules were more engaging than the other company’s video-based modules, which end users found overly technical and hard to engage with at their desk.

John started implementing Wombat’s solution in May and June, 2017. He began his first campaign by sending an introductory email to everyone inviting them to complete mandatory “security essentials” training, as well as letting them know that they could try out other optional training modules. In the first week, 1,200 modules were completed, belonging to both the compulsory and voluntary module set. John gave the company three months to complete the compulsory training, and with just a polite monthly reminder, 80% of users completed the training. He was pleased the department leads acted as stakeholders during the campaign, with many asking for a list of names of those who hadn’t completed training so that they could personally incentivise them to do so.

Apart from the resounding success of the compulsory campaign, John was really impressed with how many end users completed voluntary training – from June to December 4,120 voluntary modules were completed. 100 staff members even did every module available! Mobile device cyber security was a particularly popular voluntary topic.

John ran a mock phishing attack on his users in March during Veolia’s internal cyber and physical Security Week – 700 people out of 5,300 email addresses targeted clicked on a link within the email. Because this number was already relatively low, John decided to challenge his users during the next mock phishing test in November/December 2017. He used an attachment-based simulation and more corporate-looking emails – this saw more people falling for the test who hadn’t before. So, having identified the problem, John has applied an instant solution by planning the next mandatory education model to be “avoiding dangerous attachments”.

The ROI of the training has been immense, with the equivalent of 250 entire days of training being delivered from June until October, 2017 – an impressive number considering that the modules only take around 15 minutes to complete. The money saved by using this type of training is going straight into the budget for next year, and one of John’s first steps as DPO will be to run a compulsory campaign educating users with Wombat’s GDPR training modules – although he has noticed that a lot of people are already voluntarily doing this module.

John presented Veolia UK and Ireland’s cyber security training campaign to his contemporaries at a global security summit in France in the summer of 2017 and they were blown away – with John at the helm, the rest of the organisation looks set to roll out this high level of cyber security training and awareness globally. The way that John has tackled cyber security training and awareness head-on within his organisation, acting as a trailblazer globally, has demonstrated that he is truly an influential cyber security leader – he will no doubt continue to influence and inspire in his role as DPO within Veolia when the GDPR comes into play in May, 2018.
