Managing Insider Risk

A short presentation I gave to the July 2015 NED Forum on using the ‘Critical Pathway to Insider Risk’ to Manage Insider Risk. This was a very conversational event so the slides are even more terse than usual. I’ve removed a slide on my employers proprietary technology in this area. This was a small gathering but a vocal and interactive one.

For more background on the Critical Pathway to Insider Risk I recommend the following paper [PDF].

ICI Global Cybersecurity Forum 2015 Keynote: Cyber Resilience

Yesterday I was lucky enough to be given the opportunity to deliver the keynote for the ICI Global Cybersecurity Forum in London. It was a great event with some seriously considered debates, some well run panels and lot of practitioners I hadn’t met before. I’ve decided to publish my speaking notes here, I rambled all across these notes and embellished in many places but these reflect the main body of my speech. I was especially pleased with the level of engagement after I spoke, mostly to prove I wasn’t as bad as I feared, but also it showed I had touched a nerve with many on the room.

I include my speaking notes below, these borrow heavily from a draft whitepaper I have been writing and sharing with clients and other stakeholders for their comments.

  Read the rest of this entry »

20 questions on cyber-supply chain risk management

I recently wrote an article for Banking Technology that has been generally well received, I’ve decided to include it here on the blog for future reference. I’ve enjoyed working with Banking Technology and thoroughly recommend the editor David Bannister who has clearly been around the block enough times and has a wealth of experience in the field.

Managing cyber supply chain risk is an unsolved problem that has increasingly drawn my attention as I discover new risks and new failures of risk management in this area. The OECD found that 73% of services traded in OECD countries are ‘intermediate’ services or services that are intermediate inputs into a final service or product that is consumed. That statistic lies behind some of my concerns regarding aggregation and correlation of risk within and between different sector supply chains that are not immediately obvious.

This also highlights the complexity of supply chains in the modern economy. I believe that supply chain cyber security in the age of industrialised and targeted cyber-attacks is a wicked problem [PDF] and that many of our current approaches to manage these risks do not address the nature of the underlying risks and instead focus on a fairly superficial view of the technological controls operated by ‘key’ suppliers. There are more innovative approaches being developed such as Red teaming suppliers or actively monitoring supplier cyber hygiene but I am not seeing these regularly being built into coherent cyber supply chain risk management strategies yet. I hope the high level article below goes some way to encouraging this.

The original text is presented below and was published here.
Read the rest of this entry »

Competing Innovations in Cyber

I have had a series of productive discussions with a colleague over the last year about the differences in adopting new innovations between cyber attackers and cyber defenders. His interesting, and itself innovative, contention is that a key problem in cyber security is created by the differently shaped innovation adoption curves between defenders and attackers. Also that by investing in changing the shape of defenders adoption curves the nature of the competition itself will be re-shaped. (I suspect I am doing my colleague something of a disservice with my summary).

Diffusion of Innovation Curve

Diffusion of Innovation Curve

Read the rest of this entry »

Pitfalls of Cyber Data

I jointly presented with Ernest Li at 44con Cyber Security on April 28th 2015 discussing how we use public cyber data and some of the problems we have run into. My presentation is on slideshare below:

Twitter RSS