John Scott

John Scott is the Lead Cyber Security Researcher for Culture AI, a comprehensive Human Risk Management platform that empowers organizations to effectively measure employee security behaviors and reduce cyber risks. He is also an instructor for the SANS LDR433: Managing Human Risk course, teaching classes all around the world on managing human risk, as well as being an international speaker on security culture change. Previously, he worked in a senior security transformation role at BT and was Head of Security Education for the Bank of England for nearly 7 years, running an internationally recognised culture change programme for the UK’s central bank. John’s key passion is the need for security to be a champion of their colleagues, rather than just being the ‘department of NO’. He hates the phrase ‘users are the weakest link’.

More About John

Being an IT trainer was not something John set out to do. Throughout his career, he found himself choosing “interesting” job roles over a more traditional career path. Around 2015 he chose a job in security awareness, specifically, and suddenly realized this was the career he’d been working towards his entire professional life without knowing it. John’s combination of communication skills, psychology, pedagogy, and persuasion, coupled with his passion for teaching others, suddenly were all very relevant to his role.

John has run cyber exercises for all levels of his organization, helping them to understand how to respond in a crisis situation. Drawing on his presentation, storytelling, and design skills to create exciting and engaging exercises that get the points across is very rewarding for John. In fact, just three months into his current role, the entire organization was creating posters to be included in the cyber security strategic plan gallery. His enthusiasm carried him past posters to in-house developed multimedia games, videos, interactive exhibits, and a 3-D model of critical systems and how information flowed among them.

John’s teaching philosophy comes from his very first instructor role - teaching Aikido, a Japanese martial art. From that he learned very quickly that there cannot be a single approach to teaching; some people learn by watching while others by doing. This belief guides John’s teaching to use as many different ways of getting his point across as possible, ensuring he’s done everything possible to help students understand. The other thing Aikido taught John is that no matter how good you are, some days, with some techniques, someone you're teaching might be better than you. John latches on to the opportunity in every class to learn from someone else by being open to it and a good listener.

When teaching, John thoroughly enjoys the conversations with the class, drawing on everyone's experiences, backgrounds, and creativity. He encourages the sharing of stories: good and bad examples of what has worked and, sometimes more importantly, what has not. Watching the lightbulb go on for a student, recognizing they are not alone in the world even if they are the only person in their organization who thinks about security awareness, is John’s biggest win. He helps students discover that security awareness is an exciting and creative career, find and engage with the larger community of practitioners around the world, and understand that they can make a real difference in their organization with some simple but effective techniques to drive behavior change.

The threats we have to educate our colleagues about change on a daily basis, but a lot of the mitigations remain the same from a behavioral point of view: practice good cyber hygiene, create strong passwords, don't fall for phishes, and so on. John believes his students’ biggest challenge is the strange balance that comes from keeping messaging fresh while reiterating and reinforcing the same behaviors over time in order to keep people engaged. He feels strongly that it’s all about the stories you tell and how people listen to them.

John holds a bachelor’s degree in Library and Information Studies from Manchester Polytechnic, a PG Certificate in Education from the University of Brighton, and a master’s in Cyber Security and Human Factors from Bournemouth University. Additionally, John is a Microsoft Office Specialist in Excel and earned the SANS Security Awareness Professional certification.

Outside of work, John loves spending his time sailing and recently passed his Yachtmaster qualification. For John, sailing is a fantastic combination of very practical and very cerebral skills. He finds trying to work out the effect of wind, tide, and steerage in the middle of a gale exhilarating.

Commonalities of Salt and Security Culture, July 2023