Elaine Muir is known for her "uncanny instincts" – for being in-sync with people in the world of security; understanding their needs and fears - and then translating that into the right messaging and intuitively arming it with theory.
“It's all about flipping the narrative, understanding the customer and their needs, and then changing the messaging to suit.
Today, Muir is leading the charge on the educational security front at IAG, a role she clinched in 2019 that sees her using her ‘instincts’ to uplift security education across the entire organisation.
As the cyber security education and awareness manager, she’s responsible for raising security awareness through IAG and its subsidiaries, reaching more than 17,000 employees.
Indeed, she's on a mission to enrich people's lives through the power of education – one staff member at a time.
And she's no stranger to the world of security, having more roles than hot breakfasts, leading marketing teams for major security vendors and IT firms (including Mimecast, Optus, Symantec, and RSA) for more than two decades.
Given her passion for technology, deep knowledge of the security industry (and vast networks), she's recently been crowned the vice-president of the board for the AWSN (Australian Women in Security Network).
It's an extensive role that she says will see her "shape and guide AWSN to achieve its objectives in implementing programs to attract, support and help grow women in security."
Strength of Character
But life wasn't always so clear cut for Muir, who had a tough beginning and had to claw her way to success – one job role at a time.
Initially, in the world of real estate (collecting rent on a Saturday morning at the age of 16) to eventually practicing IT marketing in the world of cyber security.
“I had to leave school when I was 16. I had to go get a job. It was one of those families where life throws you a curveball. And then I put myself through night school over the next 10 years to complete my schooling, do further study, and finally I got my MBA as well,” Muir recalls.
And while her path “wasn’t linear,” as she likes to call it, she was determined and tough. “I had no idea growing up what I wanted to be. But I knew I wanted to be independent and make my own path and find something that I liked, and that’s what I did.”
Certainly, her resilience has served her well – but she’s also secretly battled ‘imposter syndrome’ – a fact she’s finally willing to reveal.
“I’ve always felt ashamed of the fact that I never felt quite good enough. It comes from my background of not finishing high school. Always that feeling I was behind because I had to try a different way to complete my education. Always that feeling of not being good enough because I didn’t go through the traditional path," she says.
“And it’s taken me until now to openly admit that because of the whole imposter syndrome. And it shouldn’t be that way because there are many successful people who’ve had similar challenges in their childhood - where their path wasn’t as linear as other people - but who are very successful.
“So, having the resilience to bounce back and the persistence and the drive to do something different – to not accept what’s handed to you – is something I’m proud of.”
Conduit between security and everyday
Muir is also proud of her long and winding career, where’s she’s mastered innumerable skills - and gained vast industry insight - while volunteering and working at the association level for organisations like the Australian Information Security Association (AISA); and in developing a “deep knowledge of customer and human behaviours and how to drive sustainable change” thanks to her varied security roles.
Today, armed with that extensive work history, she considers herself a conduit between the worlds of security and everyday actions.
“My strength lies in my ability to be a conduit between the worlds of security and everyday actions, translating the benefits of security controls to deliver clear messaging in a way that aligns with both employee and business needs and wants,” Muir explains, setting the scene.
“The majority of people are just trying to do their jobs. But if you put too much in their way, they will find ways around it. So it’s about understanding, but you also have to consider cognitive dissonance.
"People have the knowledge, and they always say they will do the right thing, but when it comes to that moment in time, their actions are very different. It’s understanding that this is, in fact, real life,” she says, explaining you need education and awareness programs that drive cultural change.
In that vein, Muir says it’s her responsibility to convey the all-powerful message of security to staff – and engage them in any way she can, from compliance-based training, to simulations on secure coding, to training and assessments, to providing security awareness through engaging content and interactive activities – and even the use of much-loved mascots to humanise the threat and the context.
“Everybody needs to adopt that cyber security is everyone’s business,” she says.
“If you look at the latest data breach report, 34 percent of all breaches are caused by human error – and phishing attacks are still the main threat vector coming into organisations.
"With all of the security technology, we still need to rely on the staff doing the right thing.”
Milestones and Metrics
Already, Muir is seeing some promising results from using both traditional and digital activities as part of her mission to uplift security education right across IAG – and bring all company stakeholders onboard.
She’s already uplifted IAG’s security education and awareness program by enhancing a number of campaigns including: the phishing simulation program; Game of Codes, which teaches secure coding to IAG’s developers via a challenging gamified platform; and a dedicated security website that breaks down security threats and controls and translates it to everyday language.
At the same time, she’s also developed metrics dashboards that foster visibility of staff members’ security behaviours; and created engaging internal communications that has gained traction in all corners of the business.
“By tapping into my marketing foundation and experience, I have been able to uplift the security education and awareness programs and take into account the different needs and ways of working for all staff,” Muir explains.
“At IAG, we have a diverse employee base, covering five generations plus diversity of culture, background, upbringing, environment, gender and age. These are important aspects that need to be considered when designing and executing important programs covering security education and awareness.”
Asked her big mission for the next 12 months? “I have big plans to finish the metrics reporting program. If you can’t measure it, then what’s the point of doing it? I’m measuring everything so we can learn, improve, and see what’s making a difference.
"When people do the right thing, they should be applauded. We already have some reward structures in place. There’s no point naming and shaming; no point in making people feel scared of security.”
Power of networks
Muir says she’s never lost her love for the security industry (the buzz she gets from the fast-paced nature of it all) – but mostly credits the people as her true source of inspiration.
“The fact it’s so fast-paced and ground-breaking is what’s so exciting. I’ve always loved being on that cutting edge of new technologies. I love how new technology can enable businesses and can enable people.
"And security is just the same. Without security, businesses can’t take on those opportunities, or can’t serve its customers, and have the trust in its customers - and the customers can’t trust the businesses,” Muir says.
“But it’s the people that I love most about the industry. These people work in a very serious career or discipline, but yet they don’t take themselves too seriously. They’re very supportive people, very friendly people, who are all trying to solve some big, really complex problems, but they’re all working together to make it happen.”
Indeed, her reputation for building exceptional teams and mentoring others is well-known throughout the security industry.
But she also praises the women who have empowered her over the years – and particularly encouraged her to jump out of her comfort zone and move from a security marketing role to an educational client-facing tech role at IAG.
“I honestly thought I’d be interview fodder,” she explains of the IAG role. “I didn’t think I’d be technical enough, but it turns out I was exactly what they needed. The marketing background was what was required to make that career change, and with that, I’ve always had a strong focus on metrics and measuring activities and looking for ways to improve. But I needed that encouragement to actually apply,” she says.
“Thankfully, I have a network of supporters, other women, who themselves have faced the same challenges, and who’ve been crucial in my career. I wouldn’t have succeeded without them. I wouldn’t have taken some of the opportunities I’ve been able to embrace, if it wasn’t for the wonderful support network of women in security.”
This story is part of a new series by iTnews called 'Insights'. New stories are released every Thursday. You can read all stories in the series here.