Archive for the ‘Other’ Category

Misinterpreted policy?

A couple of months ago I was home ill from work and frankly a little bored.

While idly reading my twitter feed I reflected on a challenge I had been facing at work: a very technology-focused, agile team that seemed to move faster than the security team could handle. I had some time ago realised that, short of a herculean hiring effort, we needed a combination of automation, delegation and good engagement to achieve the security outcomes we desired.

At about the same time as addressing that challenge I had also been involved in the production of an updated acceptable use policy to meet some PCI DSS requirements, which had been a lightly bruising affair. The business is a startup culture where freedom and good sense are valued much more highly than rules. The noticeably positive culture of the organisation was rooted in this and as a result the managers resisted the imposition of new rules. It was also the case that the staff cried out for information and knowledge so they could make their own minds up about security; they wanted security awareness training as long as it explained why security mattered and how it worked.

The combination of a fast moving technology team, the startup culture and the positive results of just good security communications and engagement meant that a written policy seemed anachronistic and almost fossilised.

I posted the following provocative, somewhat tongue in cheek, but honest question:

Questioning security policies

ORGCon 2012

I attended the Open Rights Group Conference (ORGCon) this year.

We are at a weird moment where the Internet and the associated digital technologies it has spawned and supported are wreaking changes to the social, cultural and economic environment that don’t easily fit the current models of law and governance. Cory Doctorow makes this point more completely and more eloquently here (Lockdown: The coming war on general purpose computing).

As a result we are seeing law and regulation that is driven much more by lobby groups than by politicians. The politicians that understand these changes are few and far between, and are all the more notable for it irrespective of their party allegiance (for example Tom Watson and Francis Maude). I am heartened by the ORG as they represent the other side of the coin from the industry lobby groups.

44con and Uncon

It’s been a busy week again.

I helped out a few weeks ago on the panel choosing speakers for the Infosec track for 44con and subsequently got roped in / volunteered to run that track during the days of the con. A week before 44con happened one of the speakers failed to get a visa and I volunteered to fill the gap and spoke on ‘Intelligence-Led Cybersecurity’. It was an interesting process working out what I could talk about, how I could squeeze it into a 45 minute slot (with questions) and then convincing my employers to let me talk publicly.

Cyber Cyber Cyber

The industrialisation of cyberwar and cyberespionage using techniques developed in the last decade of massive expansion in cybercrime has presented a serious challenge to the security industry.

The myriad breaches, whether at the lulz end of the scale or at the national security end of the scale, have highlighted the fact that while we as an industry may have been doing the component parts of information security for a long time, we haven’t done it very well.