“I established just under a dozen potential risks to the business that I would not have been able to do otherwise”
How do we tackle cyber in small companies? Here at the Hipster Project, our aim from the outset has been to develop a package of support to enable small companies working with software in the health sector to improve their security and privacy decision making. 18 months on, our workshop intervention has been designed, developed, trialled, and is now in full swing. So far, we have conducted the workshop with multiple companies and groups of software developers. We have been delighted with the response and feedback from participating companies and want to share some of those experiences here.
One of those companies is Spark, which is developing a data-led mental health platform. Spark aims to provide a tool for employees to use to help themselves with their mental health, whilst also providing some insight to the business – anonymously and at the aggregated level – about how mental health can be improved within the organisation. In January, we had the pleasure of working with Spark in one of our Hipster intervention workshops. I recently caught up with the company’s owner and senior data professional, Jawad Bhatti, to reflect on Spark’s experience of the Hipster workshop and to find out what insights the company is taking away from the process.
Jawad’s interest in getting involved with the Hipster project originated from his observation that a focus on security was something missing from the strategic work being done to develop Spark:
“We were very focused on the product, very focused on getting the product market-fit, establishing the user experience and user interfaces…I had little to no concept of external or even internal risks and factors which may impede the progress of Spark.”
Spark is not alone! Security features and considerations can end up being deprioritised against the need to push out new product features or functionality, particularly when trying to get a product to the market. Part of the value of Hipster comes from its effort to bring security back into focus amidst competing priorities and constrained resources – crucially – in a way that draws on objective industry data to ensure that this focus is proportionate and realistic.
The Hipster workshop involves an interactive discussion using threat scenario cards specifically developed for this purpose. By bringing together multiple people from within the same company, the workshop offers a unique environment for companies to discuss cyber threats in a collaborative way. Further, it allows teams to build a tailored risk landscape relevant to the context of their own company and product. For Jawad, the opportunity to bring different members of the Spark team together in this way to discuss potential threats proved highly valuable:
“We’ve got different backgrounds and different skills. From a design perspective the approach to Spark is different from a development perspective, and from my perspective – because I’m quite data led and probably the most commercial of the team who attended – my thought process is different as well. So, we’re all coming at it from different angles…it added value to the conversation.”
At the heart of the Hipster workshop is an innovative method for thinking about threat and risk. In providing a set of scenario cards for teams to explore within the context of their own product and systems, a key objective for us was to equip teams with a tangible approach they can take away and implement in their own practices. This approach proved influential for Spark, which, as a result of the workshop, plans to implement a monthly security review into their practices. Jawad noted Hipster’s central role in sparking this change in the company’s approach to security:
“We’ve got the foundation now that was built in the workshop. That thought process just did not exist before because we had tunnel vision on the cosmetics and functionality of the product. Sadly, security was always going to be a bit of an afterthought – but we’ve now frontloaded that and it’s now part of our thought process.”
Determining potential users and beneficiaries of our research has been an important consideration for Hipster from the outset. Through the various mechanisms of feedback we have set up, we are continuing to find out who benefits the most from this work, and where this research has the most impact. It is clear to us that start-ups are a key area where our work is poised to make a significant difference. Commenting further on how the Hipster process was useful for Spark, particularly as a start-up company, Jawad said:
“…it has been quite critical. I had no road map of, specifically, cyber security. I do have an awareness of GDPR and the protection of personal data, but [during the workshop] I established just under a dozen potential risks to the business that I would not have been able to do otherwise. If in the long run this saves Spark from going out of business, then it’s honestly a massive return on investment for those few hours.”
For us, it has been fantastic working with Spark and we are glad the company has taken away so much from their participation in the Hipster project. Jawad’s mission at Spark is a valuable and worthy endeavour, and we were impressed with the team’s forward-looking approach and the desire to ensure security was firmly included in Spark’s journey going forward. We would like to thank Jawad and the rest of the team at Spark for their commitment and involvement in Hipster and we wish the company every success! You can find out more about Spark here.
If you weren’t already convinced about why you should follow Spark’s lead and get involved with the Hipster project, a final word from Jawad on why it is worth your time:
“I highly recommend it to any start-up and even established businesses to be honest. Get involved, go through the workshop and go through those scenarios because I guarantee even if you’ve got 99% of those mapped, one scenario will crop up and you will not have thought about it. And that could be the difference between business life or death.”
You heard it here first: get involved!
- Anna Dyson