Cybility Savvy

E11-All change… In conversation with Amy Tarrant

January 19, 2022 Michala Liavaag Season 1 Episode 11
Cybility Savvy
E11-All change… In conversation with Amy Tarrant
Show Notes Transcript Chapter Markers

📝Show notes:

Michala Liavaag talks with Amy Tarrant, a Change Delivery Lead who has delivered a wide variety of business transformation and strategy initiatives in the insurance sector over the last 15 years. She is also a trustee of the Brighton Yoga Foundation. 

They discuss the ins and outs of cybersecurity in the insurance and other sectors from the perspectives of both employee and trustee. 


⭐Found this useful? Please rate and review, as it helps reaching more people 

👍You can also subscribe and share on social media

💬 Contribute to future episodes with your cyber security concerns and questions


🤝Connect with Michala and Cybility Savvy:




✍🏾Written and produced by Michala Liavaag

🎦Co-produced and edited by Ana Garner video

🎵Music by CFO Garner


⭐Found this useful? Please rate and review, as it helps reaching more people

👍You can also subscribe and share on social media

💬 Contribute to future episodes with your cyber security concerns and questions

🤝Connect with Michala and Cybility Savvy:



✍🏾Written and produced by Michala Liavaag

🎦Co-produced and edited by Ana Garner video

🎵Music by CFO Garner


Michala Liavaag: Welcome to Cybility Savvy the show that demystifies cybersecurity for not-for-profit boards and leaders

Amy Tarrant has delivered a wide variety of business transformation and strategy initiatives in the insurance sector over the last 15 years, including setting up new insurance branches and divesting under-performing business units.  

In 2017 she established the Southeast branch of the Change Management Institute, and hosts workshops and panel discussions with and for change professionals.  

Over time, Amy has become fascinated by the benefits that fusing the change skillset with a coaching toolbox has on the delivery of lasting change. 

Amy became a Trustee of the Brighton Yoga Foundation in February this year and she focusses on accessing funding for their outreach work. 

Amy is Agile, MSP and Prince2 certified and when not working she spends her time exercising and doing yoga. 

She is going to share with us her journey to becoming a Cyber Savvy Change leader and Trustee. 

Hi Amy thank you so much for joining us today

Amy Tarrant: Hello thanks for inviting me. I’m really happy to be here.

Michala: For those in our audience that don't know you please tell us a little bit about yourself

Amy: Yes, thank you for that lovely introduction. So, as you've already said, I’ve been working in the insurance industry for about 15 years across a variety of change and strategy initiatives. I came to work in the London market of insurance about 12 years ago. Currently I head up the delivery project team for an insurance company in the city of London, and when I’m not doing that, as you said, I am a trustee for a charity called the Brighton Yoga Foundation. As you rightly said, I set up the southeast branch of the Change Management Institute and as a result of that I met someone who is an executive coach. She and I discovered a mutual synergy between our two skill sets and we are actually writing a book about that, which has been picked up by a publisher called Kogan Page and is due to be published in September next year. 

M: Oh, that's really exciting. Congratulations for you both

A: Thank you 

M: For those of us that aren't actually aware and appreciate the difference, me being one of them, can you just tell us a little bit more about the difference between change management and change delivery. And also, for the CIOs out there when they hear change management they think specifically about ITIL change management in terms of managing changes to infrastructure versus change management in terms of behaviour and organizational change. So, can you just tell us a bit about the differences please? 

A: When you're delivering change within an organization, you usually have different roles and responsibilities, and typically you'll have a project manager responsible for the timely delivery of the project against the agreed timeline, the agreed budget, and the agreed scope. That's the project manager's job. A change manager takes care of the people side of change because whatever you're doing within an organization, whenever you're changing something, you're asking people to change their ways of working. It could be following a different process, it could be going to work in a different building, there's a number of different things you're asking people to do, so a change manager looks at the psychology of change and how to mitigate resistance to the change by working with people. That's not to say a project manager can't do that, but they've got enough on their plate. It's generally not a skill set that I find blended very often in one head count. People do use them interchangeably, so they'll say oh you've got a change management team, haven't you? And I’ll say no’ we have a change team, we have five project managers, and we have a change manager, so I’m constantly reminding people of the distinction. And then to your latter point, when I was recruiting for a change manager and I was advertising the role I can't tell you how many applicants I had who thought it meant release manager, ITIL, IT space and which it absolutely isn't, but it's another common way that the two roles get conflated, so thank you for allowing me that little soapbox there.

M: No, that's all right. And can you just also clarify for me the difference between the change management in terms of the behavioural side and change delivery or are all the sort of PMO the change management and change manager under the whole banner of change delivery, is that thing? 

A: For me, there's a sort of generic broad-brush term whereby the project program managers the change manager. We are all under the umbrella of delivering change, we are all part of a change delivery team. The other term I use quite a lot is change practitioner, because we are all delivering change whether we're change managers, project managers, program managers, etc

M: That's really helpful, thank you. And one of the interesting things I think for our not-for-profit leaders out there is depending on the size of the organization, not all of them will actually have the luxury of a change delivery team, you know, they might be lucky to have one project manager and, as you said that skill set isn't always found in that head count, so that can quite often be why some projects fail. I’m just curious as to, for those organizations who are challenged in that way, what advice would you give them about how to effect change? Because there's a lot of digital transformation going on in the sector at the moment, but again not necessarily the funds to back that up. So, what would you say to them about the best way to enable and actually affect real change on that term?

A: Okay, so there's two or three things that I always talk about which is: first of all, never let somebody deliver change on the side of their desk. It it's either somebody's day job or it isn't, and the reason for that is the skill set is fundamentally different, so if you're asking someone to take on a project as part of their business as usual it's highly unlikely that they will have the right skill set to run with change and actually deliver a project. I have dealt with this many times in my career, so the advice I give people is: do a business case, put it in front of whoever it needs to be in front of, whether it's the CEO the CIO, that says: this is the cost of bringing in a project manager, I recognize that and I hold my hand up to that, but the benefits are these. And you can list a whole host of benefits of having a professional project manager in post. Firstly, the amount of money that you spend delivering change when it's only someone's part-time job, the opportunity cost of not letting that person do their day job, there are a number of levers you can pull when you're putting a business case together. The other thing that I’m very passionate about is the right sponsorship. So, any change that happens has to have a sponsor, there has to be somebody very senior in the business who wants it, and who cares about it. That person then becomes the driver of the bus, they communicate the vision, they support the project manager, they are cognizant of the benefits of the project, and they are effectively your ambassador. If you don't have those two things in my opinion, you probably will fail and I’m sure you've seen the statistic, something like 70 percent of change initiatives fail.

M: Yeah, that's really helpful thank you. Hopefully some people will take that on board. I realize it is challenging though from a financial point of view, but it's worth mentioning obviously that there are professional project managers out there who do volunteer their time. So, again there are different ways that organizations can take advantage of this skill set. Just sort of stepping back a bit, you've obviously been doing this for a very long time, how did you actually come into it and sort of discover that you're excited about this area?

A: Yes, I started delivering projects, or rather as a sort of junior project coordinator, just really as part of a work stream when I worked for a very large American card issuer in my mid-20s, on a very exciting project and I wanted to do more. I later on went to work for a private medical insurer and I was part of a blended strategy and change team. So, there I had the opportunity to work on strategic initiatives like looking into new market entry, pulling together proposals for the board around what should they invest in, what should they acquire, and that was very exciting and very cerebral, for want of a better word, but what I was finding is that nine reports out of ten that you write will go into someone's draw. And quite rightly companies can't invest in every single opportunity that they ask you to do research on. And for me, as a very delivery focused individual, I need to have a tangible output. So, I decided to hitch my wagon to the change delivery side of things, and I went on to pursue those roles throughout my career, and then took a senior role a couple of years ago actually leading a team of people who are doing exactly that.

M: Again, I resonate so much for that even in cybersecurity again. You write the reports, and you know they don't get read, and it's like, oh yeah, the time I spent on that I could have actually been delivering. So, I completely get that, agreed. One of the things I’m really interested about, if we just move on to cybersecurity elements bit, is it's very much in the forefront of people's minds now, because there's been so much on TV about data breaches and everything, but when did you first sort of start interacting with information security, it'd probably be called back then professional, as part of these sort of project and change initiatives?

A: Only about a year ago. I became the portfolio manager for our global cyber division, so I do work very closely at the moment and have been for about a year with cyber underwriters, project managers, and other professionals within the cyber arena. It's been a very very steep learning curve. And then not three months later joined the Brighton Yoga Foundation as a board trustee, one of the first calls I joined as part of that role, was a risk management call. And, as you would expect, for any organization whatever sector you're in, cybersecurity, data protection very much top of the list when it comes to what are our key risks.

M: I have to admit, I’m a bit surprised by just how recent it is, given the length of your career in this space. Do you think that's perhaps because historically it's always been seen as IT's job, or do you think there's something else around that?

A: I think for me, because I work in the insurance sector, cyber is very much an underwriter's job. And as a project manager and a program manager you are typically attached to the project that you're attached to. So, if you get sent off to work as I did for six months in South Africa, setting up a new branch, that's what you do for the next six months. And you tend not to get involved with anything else that doesn't come into that scope. You then go and work on another project. So, then I went to work on an acquisition and integrating that company into our company. And as you rightly say, you know, IT have their checklist of things that they need to look at that didn't come into my remit. So, it really is really recent, and you're quite right, it's quite shocking

M: Yeah, and I do wonder how much that's going to change. I mean I’m hoping, you know it will, and that's obviously one of the reasons for this podcast, to try and help that. But let's take for example these sorts of mergers and acquisitions, we've had lots of data breaches where, you know, think back to Talk Talk is the big one in the UK, where it is taking on that other organization and their legacy technical debt, that has then resulted in a data breach, that that new company that's bought them is responsible for. Did that sort of stuff sort of surface in your risk registers at all or was it literally just sort of no visibility in that sort of aspect of it?

A: It was absolutely on the risk register. I hasten to say, the risk never materialized, but one of the things that I’m really cognizant of when you're acquiring another company is that the company that is being acquired typically, for want of a better expression, they tend to stop caring as they get closer and closer and closer to the transaction date. Things start to slip, so it may be that a lot of the mitigations and the controls that you put in place around cybersecurity and data protection, maybe someone leaves, they don't hand over the responsibility for it, things start to slip through the cracks. So, you absolutely, day one when you acquire that company, need to do a full checklist and health check to make sure that they are on point

M: And that point equally applies to services as well in the not-for-profit sector, in terms of there's a lot of joint working happening, service delivery for others, and taking on whatever that might be, whether it's the staff practices again applies in terms of those secure behaviours. Given that that's so relatively recently, but as you say you know it has been on the risk registers, what made cybersecurity real for you in terms of your sort of aha moment about the importance of it?

A: Yeah, I think I would have to go back to the project or the portfolio that I started working on. So that that's really you know when I realized. And I became genuinely interested in it. Then when I took on the trustee position, every other point on our risk registers is data protection. I also look after the renewal of our insurance policy and then I suppose that's a natural fit given my professional background, making sure that we are adequately protected if the worst happens through our insurance policy. Then it became real to me. That was I guess was my aha

M: Yeah, quite often people say you know it's a particular security incident or something. So, it's really interesting that for you it's actually been that proactive preparation side, in terms of the risk mitigation. And I do hope that our listeners will take that on board that if you don't have cyber insurance. There's not many who are actually doing that. And obviously with the increase in ransomware, the insurance companies are imposing more strict controls around that as well in terms of not really wanting to pay out.

A: I’d be more than happy to delve deeper into that with my insurance hat on, because I think far too many customers see cyber insurance as the prevention, whereas in fact clients have to be fully across the range of preventative measures. Plus have an insurance policy to cover the fallout if the worst happens you know in terms of the liability, any legal costs that they may need to cover. In addition to not instead of

M: Yeah, no, absolutely, you can't sort of outsource the accountability side, but can you and you do need those things in place. Stepping back a moment to your learning curve that you mentioned, you know that being quite steep, how did you approach sort of upskilling yourself around that, what sort of process did you go through?

A: Well, I’m very lucky ain’t I? Because I work with cyber underwriters and cyber professionals. So, my advice, and this is for everything that I do, talk to people. Of course, you can lean on search engines and there's a there's a lot of information on the internet, but no there's no substitute for talking to people. So, I was very lucky, I worked very closely on a daily basis with our cyber team here. I just asked for time with people and I said, you know, with your cyber hat on, can I borrow you for an hour to talk about x y and z? And I really struck gold, because one of my colleagues as I found out, isn't just a cyber professional, he's also trustee for a charity. So that was a fantastic conversation whereby he basically walked me through. This is how I would do a cyber risk review if I were coming and sitting in front of your charity. So, I sort of did it by proxy if you like. So that was tremendously valuable

M: Just thinking again about your cyber portfolio then and working with cyber professionals, are there any tips you would have for how to work with them effectively? Because quite often what I hear is there's this barrier in terms of translation between, you know, the sort of cybersecurity side we saw the jargon and you know the sort of execs and board side so how would you sort of advise people to manage that?

A: So, I’d use my experience as a customer of cyber insurance, rather than an employee of an organization that sells cyber insurance, because for me it's about as you quite rightly say in your in your title, it's demystifying the language. My advice is:  use your broker, lean on your broker to be that translator between the underwriting jargon, if you will, and the everyday. So what does this give me? Absolutely lean on your broker.

M: Right, that's great advice. And actually, I have noticed over the past couple of years, the insurance companies are, again because I suppose they're interested in preventing as much as possible, providing quite a lot of free advisory services to organizations aren't they?

A: That's another thing that I was going to say at some point you know and seeing as you've mentioned it, I’ll definitely pick up on that. So increasingly across all lines of business, not just cyber insurers, will have a risk manager in place who will work with organizations to reduce and mitigate risk. It's easier for everybody if you stop something from happening in the first place and it's the old adage that prevention is better than cure. For a long time now there have been risk managers on the liability side who will visit public venues, restaurants, places like that, and will work with the management to say, you know, if you have your fire exit here, or if you have your fire extinguisher here, or have lights down your stairs here, you will have fewer liability events. That benefits everybody, not least the poor customer who might have fallen downstairs. So, and that's now cutting across other lines of business including cyber, where they'll go very often, they'll go on site and they'll say, right let's see what you've got in place, let's see what malware you have in place, let's see how you are handling your data, and then we'll advise you 

M: Yeah so, it's almost like a free mini audit actually isn't it?

A: Absolutely, but then they say and now we can offer you cover, because you've got the right prevention in place your policy, you know, your premium will be cheaper. We as the insurer are less likely to need to pay out it. It really is a really virtuous circle.

M: Yeah absolutely. One of the things that I found interesting when I branched out on my own, was that my insurer sent me some e-learning around cybersecurity practices and, you know, you'd like complete one module, then they send you another one on another topic. So, it's like sort of really sort of staged out. And I just though, for organizations that aren't large and don't have the luxury of their own teams, or the budget to buy this nice fancy e-learning, to have insurance companies providing something free to help upskill, I think it's actually a really positive move.

A: Yeah it's win-win isn't it?

M: Absolutely. Why don't you take us back in time then to your decision as to when you decided to become a trustee and why that was?

A: I have wanted for a few years now to take up a non-executive director role and what they refer to in the business as a NED role yeah. And I received, and I did a lot of research, I joined lots of webinars, podcasts, events in the days where you could go to events, and I had a lovely coach at the time who knew that it was one of my objectives, and her advice, which is the best advice I’ve ever been given on this topic is: go and join a not-for-profit as a trustee, because you have so much to offer them with your commercial hat, you will also learn an enormous amount from sitting on a board, and then you can go into, not instead of because I love my voluntary work, but in addition to that, then look at maybe going into private sector NED role and being able to say to them: I’ve already done a board role and here's all the things that I’ve done. And that helps you to break the cycle of when you can't join a board because you've never been on the board. Last year I started applying for NED roles and I was very very lucky because I have a contact at the Brighton chamber of commerce, and she put something on LinkedIn about a handful of charities that were looking for new trustees. The Brighton Yoga Foundation resonated with me immediately, because I think if you were going to join a not-for-profit board as a trustee, you're using up your private time, it has to be something you're genuinely interested and passionate about. So, it was the only, it was the only post I applied for. The chair who I interviewed with offered me the post the following day.

M: Excellent. And how are you finding that sort of conversation around cybersecurity as part of that governance? You mentioned it's going to be on the risk register, but is it something that you sort of probe into as a board or how does that conversation happen?

A: I’ve kind of jumped on the conversation because it's something I’m passionate about. I want the topics that I sort of take responsibility for, if you like, within the Brighton Yoga Foundation, are identifying and applying for grants by funding bodies, but also the risk management piece. So, for me, knowing that cybersecurity is top billing in terms of risk management, I’ve taken that on, and I’m running with that now. Courtesy of the mini audit that my colleague helped me to do. So, I now know the questions to ask. I’m liaising with our third party who hosts our website to cover off all of those questions around hosting, you know, website hardening, what mitigation they have in place. Because it's important to realize it's not just what you're doing, what are your third parties doing that you interface directly with? But also working with my fellow trustees, because we all work off our own laptops right? We're all volunteers, so what multi-factor authentication are you using or are you using multi-factor authentication when you log on to your email address? So, I’ve almost had to take that mini audit through and just kind of carry that on as a mini project.

M: Would it be fair to say then that you effectively are the sort of cybersecurity champion in that board?

A: That's a brilliant word actually. I’m the champion for it and I am also championing for perhaps our next trustee head count being someone who has a professional cyber lens, who can come in and really take the ball by the horns. And that would be fantastic also for me because I could learn from that person.

M: It's really interesting that you say that because one of the things I thought about they always say, use your professional skills to help the board, and so you look for those sorts of vacancies and I’ve only so far seen one in the past year, where they were specifically looking. And that might partly also be because about 90% of charity board posts aren't actually advertised anyway, so that's probably playing into it, but you know just for quite a niche thing. So, you would agree then that there is value in having that role you know sort of dedicated on there?

A: I definitely think some, in this day and age, whatever sector you're in, whatever it is you're providing, or selling, or making, absolutely you've got to have someone who owns cybersecurity, data protection, and obviously it's a benefit if they do that in their professional careers as well

M: Really interested in what you just said there because I think there's a great opportunity for trustee cybersecurity champion to actually support and mentor the cybersecurity staff within the organization. Because you know, as you've just said, you now know the questions to ask and they need support in how to distil all the technical information, translate it into business risk, and then present it in a way that's suitable and concise, and you know I’m not the best person being concise everyone who knows me knows that, but is that something again that you do much sort of coaching and sort of mentoring at all as a trustee?

A: It's not something I’ve done yet. I think the key for me is people don't know what they don't know. So, you need to provide them with information in a digestible format. But the other thing I find in my professional life as well, is that you need people to be asking questions that they don't know they need to be asking. So that's where the sort of coaching element comes in, where you can start surface questions and people then become cognizant of issues that they didn't even know about. This is something that I’m doing with my fellow trustees and I’ve only just sort of started that conversation up, but it's something that we do need to look at very quickly.

M: I’d really like to see, I think, some more formal programs for large organizations anyway, in terms of making that part of perhaps the induction for trustees and boards

A: Yeah 

M: and part of the development planning for the actual staff themselves. I do think perhaps we don't take enough advantage of, as you say, having those conversations because that's what you say, when things surface…

A: I think we're pretty good at doing that, so we have a, actually our board secretary who started at the same time as me, she actually did a small piece of work before becoming secretary. Basically, a mini audit of their website and how they use data, she made a few recommendations. So, I sort of riding a little bit on the back of all of that good work. One of the things she introduced was an actual policy, a written data protection data best practice policy. Trustees and volunteers have to sign up to that when they join.

M: It definitely sounds like you guys are falling within the “we know this is an issue and we're doing something about it” versus the many out there who haven't quite twigged yet, or have twigged but don't know how to go about it, I think is a big problem as well. Is that something you hear about much?

A: It isn't. I guess I’m very new to the trustee space. I’d love to spend more time with other trustees in other charities, to share learnings, what goes well, what doesn't go so well. I’m pretty sure that most of them would mention cybersecurity or at least data protection. Now a lot of people don't necessarily correlate data protection with cybersecurity, so they would probably use the expression data protection. A lot of the time, depending on what the charity's charitable object is, we're dealing with vulnerable people, their data therefore is vulnerable. For us we know we have PIIs, a lot of personally identifiable information. Could be medical data, data about disabilities. We provide yoga outreach to very vulnerable people, some of whom are in women's refuges and clearly there are people out there who they don't want to know where they are. So, we do have to be tremendously careful with our data.

M: I think that's a really great example that you've mentioned there, because there have been incidents related to that in local government, I can think of straight off. I don't think everyone realizes that sometimes this stuff can result in physical harm, whether it's physical harm to a patient or as you say a vulnerable person. Picking up again on another aspect of the volunteering that you do, you mentioned at the start that you also founded the southeast chapter of the Change Management Institute. Could you tell us a little bit more about sort of how that sits with your sort of volunteer, giving back to the profession?

A: Yeah. So, I actually joined the institute in 2017 to get out of my bubble. For me, as a project and program manager I thought: will I get the most benefit from joining my professional body for project managers, or would I get more benefit from joining a professional body of people who are different to me, and who can teach me and show me the other side to that coin? And equally what can I offer them? Very often I am the only project and program manager in in the room. I’m just a believer in sort of taking stuff out of your echo chamber. So, I joined them, and about six months later I said “hang on a minute you don't have a southeast branch. You've got a London branch, but that doesn't speak to all of these people dotted around the south coast, you know Kent and Surrey, who there are lots of organizations there with big change cohorts. We could be tapping into, we could be offering them a service”. I mentioned that to the UK chair and she said, well, go and set it up then! So, me and my big mouth then had to like go and set it up.

M: It's always this way

A: It's always this way, but you know I’m that kind of person, I’ll just be like oh yeah yeah, I’ll do that. And we'll get an event going, and we built up and we ended up with about 15 people coming along to our events before COVID hit, which is a lot of people, I’m going to say, in Brighton.

M: One of the really big challenges for us as cybersecurity professionals leading change programs is the behavioral change. You know there's a sort of link with neuroscience and looking at the behavioral change, game theory all of that sort of stuff, and I’m just thinking now in terms of what you're saying about, where do you get the value from, in terms of professional associations. I’m now thinking actually I, as a cybersecurity professionals should be joining the Change Management Institute, and learning from that side of things, because I’m sure there's a lot there. And also, I’m thinking like marketing as well, there's an awful lot we can learn about nudging behaviours. We're all about change culture aren't we, to deliver the ultimate objective of the business. Perhaps there's an opportunity that we can sort of all work a bit more closely. I’ll have a think about that one.

A: I think you've hit a very, very important nail on the head there and it's something that has struck me in the last 12 months, possibly because of COVID or maybe I would have got there anyway which is: change is everywhere. Change is not the preserve and the purview and the problem of the change team. It's everybody's problem. It's not going anywhere, and we are now going to be in a continuous cycle of change. So, we need to get better at it, at a cultural organizational level. In order to do that we need to accept that change itself is changing and what are the macro indicators of that, and I think COVID is a fantastic example but not the only example. The environment is changing, the climate is changing, social justice is evolving thankfully not before time, and there are a ton of movements, young people have fundamentally different values from my experience, and they are demanding better behaviours from corporates in terms of less meat, less animal testing. Everything is changing around us, and we all need to work together and just get on that page

M: Yeah, really good points, agree with all of that yes. I’m not quite sure exactly how we do that, because I’ve found, not all organizations, some are really good at it I have to say, I’ve had some really good experiences, but then some tend to work in silos and be a bit sort of protectionist. Do you think there's a role for leaders of boards to try and sort of help and pick that, but you know, how could you demonstrate that would you say in terms of board behaviour?

A: Silos are a big challenge and certain industries are more siloed than others. As a change professional, I’ve sat under lots of different board structures. So sometimes change goes into IT, sometimes it goes into operations, sometimes it goes into a strategy shop, sometimes it goes straight into the CEO. There are lots of different flavours and personally I don't believe anything is wrong or right, because it's about the leadership at the top, how we talk about change, how leaders formulate and share the vision across the organization, the mantras, the slogans, and keeping that communication going. That's what's going to deliver change ultimately

M: Well completely hundred percent agree with everything you just said, but also as you're speaking, I’m just mentally substituting the word cybersecurity. Again, it's so aligned, it's just all exactly what we're all trying to do. You mentioned change is changing itself. I was having a look the other day at the Change Management Institute competency framework, and I found it interesting that there seemed to be a gap around anything around information risk, cybersecurity, whether it's privacy data protection. Because data is, after people in my view, the life and blood of an organization, I did just think: is that perhaps a gap, now that you've sort of gone in this steep learning curve this past year with cyber, do you see a place for that in that competency framework at all?

A: I think it's very hard to make sure the competency framework retains its soft skill focus rather than being in any way thematic or led by topics. I suspect that's why the framework is built how it is. For me it's a very healthy framework, because it does, irrespective of your industry sector, your background, it gives you that full 360 holistic change toolkit

M: That's an interesting point there, because on the information security frameworks, competency frameworks, it is very topic-led. And the most recent iteration of the Institute of Information Security skills framework, they have expanded out the area around those soft skills. Maybe there's an opportunity for us to sort of learn from that side again and look at that. Something to park for later. Anyway, is there anything else you'd like to sort of comment on in terms of you know the work you've done sort of giving back as a trustee?

A: I think what I would say is: being a trustee is a fantastic opportunity to volunteer. A lot of people say, oh I want to do some voluntary work I haven't got time. Well, if you're time poor, and you're already in a role where you're trying to work your way up the ladder, the trustee is the perfect balance, because you're volunteering and it gives you experience that then enriches your corporate life. I think it's the perfect synergy that you can genuinely add value to the charity that you're volunteering for, and you can genuinely give back. For example, this time last year I had no concept of risk management, risk controls. Now I talk freely about it in the office, because I have that experience from my trustee role. So that's my big soundbite: don't be afraid to volunteer, do it as a trustee.

M: So that's really great, thank you so much for all of that. As we sort of bring it to a close, just a little off the wall question for you. If you could have dinner with any three people dead or alive, who would they be and why?

A: I love this question. I’m a big fan of my food, so this this question really resonates with me. So, my three people, dead or alive, I start off with Ayrton Senna, who was 34 when he died and he was my huge hero. I’m a massive F1 fan and he was my absolute hero. I love the drive and ambition of people like that. Second of all, I’d have my husband because I don't get to see him enough and I would really like to sit down and have dinner with him, without our dog sitting there asking for food. And thirdly, I would have a cricketer. Probably an Australian cricketer, to keep my husband happy because he's Australian, and I’ll probably have to have Donald Bradman, so that we could tease him about his 99.99 test average. My one caveat to all of the above is that we don't share food. My pet peeve, and everyone who knows me knows this, and I hate sharing food, so as long as it's okay all three of them can come.

M: So, you've already given us lots of wonderful advice so far in this conversation today, is there sort of one piece of advice that you'd like to give to the leaders who are listening out there, that are worried about cybersecurity?

A: Just generally in life I have a theory: don't run away from stuff that you're worried about, run towards it. My one caveat to that is spiders, never run towards spiders. Get involved, don't pretend it's not happening, it's absolutely happening. Talk to people, take advice, you might have to pay for the advice, that's fine. It's by far the cheaper and less frightening alternative. Go towards the threat, arm yourself with tools and information

M: That's brilliant thank you. So, if people want to get some more wonderful tips from you, where might they find you online?

A: Yes, come and talk to me, I love meeting new people and talking to new people. LinkedIn, I’m Amy Tarrant on LinkedIn, and I’m not on any other social media, I’m afraid, so that is your best bet.

M: That's brilliant, thank you so much, I’ve really enjoyed our conversation today, there's so much more I’m sure we could go down as well.

A: Me too. I’ve loved it. Thank you for inviting me

M: You're most welcome


About Amy
Change management vs change delivery
Effecting real change
Journey to Change delivery
Cybersecurity journey
Cybersecurity and risk management
Importance of Cybersecurity
Cyber insurance
Upskilling cybersecurity knowledge
Working with cyber professionals
Insurance companies’ role
Becoming a trustee
Cybersecurity in the board
Championing cybersecurity in the board
Data protection
Volunteering for the Change Management Institute
out of the echo chamber
Competence frameworks
Being a trustee is an opportunity
Dinner guests
Run towards cybsersecurity