Archive for the ‘Management’ Category

Security Analytics Beyond Cyber

I presented at 44con 2014 on moving security analytics on from network defense and rapid response towards supporting data-driven and evidence-driven security management, my presentation is on slideshare below:

(more…)

Protecting Information About Networks, The Organisation and Its Systems

I recently wrote a report with a number of colleagues for the Centre for the Protection of National Infrastructure (CPNI) on the Network Reconnaissance phase of a targeted attack following initial exploitation. The report covers what is targeted, how the attackers operate and what controls help. Below is a summary infographic and below the cut is the briefing presentation I delivered and the full report.

Infographic:

(more…)

Follow the Money

When we talk about security with the business we need to talk about money.

I have occasionally run into colleagues whose answer to risk-based governance approaches and performance-based management approaches has been to say “Show me the money!”. I understood their desire to see security operate in the language of business but was always reticent to jump feet first into financially-driven security for a couple of reasons; firstly  I just couldn’t see how we could put a reliable value on what we did and secondly I was nervous about what that might expose. In hindsight I find myself increasingly becoming a financial fundamentalist for security.

Business is fundamentally the generation of profits to maximise the returns of investors. It is the result of one equation:

Profit = Revenue – Costs

(more…)

Cyber Exercising

Cyber Exercises are a powerful and valuable tool but it is easy to confuse what we mean.

I was a member of the Scenario Design Group for the Bank of England’s Waking Shark 2 cyber exercise this year. It was a fascinating experience, seeing how the top cyber/technology risk people at the banks view a massive cyber attack, what really concerns them as well as seeing the regulators and other government agencies engaging with industry.

Waking Shark 2 garnered a lot of headlines but little of real meat made it to the public domain. I signed up to the participants non-disclosure agreement so I won’t be  adding any details here. There will be a publicly published report from the Bank of England for that soon enough.

(more…)

Blueprint for Security in 2013

I’ve worked with a number of organisations this year that have been refreshing or redesigning part or all of their security function. It’s brought into focus for me the tension between new security practices and organisational inertia. These have all been organisations that cared greatly about security and were in no way dysfunctional. However, they have all been fighting the battle of five to ten years ago and were only now were undergoing the discovery and self-analysis to understand how to deliver on the aspirations they have in the new context of cyber security and the changed threat landscape.

It has brought home to me the need to focus on continual improvement activities, not limited to finding greater efficiency and effectiveness in what we are doing now but regularly challenging the scope of our activities to see if we need to do more or less or do different things.

(more…)

Twitter RSS