Archive for the ‘Security’ Category

ICI Global Cybersecurity Forum 2015 Keynote: Cyber Resilience

Yesterday I was lucky enough to be given the opportunity to deliver the keynote for the ICI Global Cybersecurity Forum in London. It was a great event with some seriously considered debates, some well run panels and lot of practitioners I hadn’t met before. I’ve decided to publish my speaking notes here, I rambled all across these notes and embellished in many places but these reflect the main body of my speech. I was especially pleased with the level of engagement after I spoke, mostly to prove I wasn’t as bad as I feared, but also it showed I had touched a nerve with many on the room.

I include my speaking notes below, these borrow heavily from a draft whitepaper I have been writing and sharing with clients and other stakeholders for their comments.

  (more…)

Competing Innovations in Cyber

I have had a series of productive discussions with a colleague over the last year about the differences in adopting new innovations between cyber attackers and cyber defenders. His interesting, and itself innovative, contention is that a key problem in cyber security is created by the differently shaped innovation adoption curves between defenders and attackers. Also that by investing in changing the shape of defenders adoption curves the nature of the competition itself will be re-shaped. (I suspect I am doing my colleague something of a disservice with my summary).

Diffusion of Innovation Curve

Diffusion of Innovation Curve


(more…)

We need to talk about IT

It has long been a truism of security practitioners that security is not an IT problem. This is an attempt to lift the gaze of the security team from technology to the wider business. A laudable and useful goal. However, IT is a security problem.
(more…)

Misinterpreted policy?

A couple of months ago I was home ill from work and frankly a little bored.

While idly reading my twitter feed I reflected on a challenge I had been facing at work; a very technology-focused, agile, team that seemed to move faster than the security team could handle. I had some time ago realised that short of a herculean hiring effort we needed a combination of automation, delegation and good engagement to achieve the security outcomes we desired.

At about the same time as addressing that challenge I had also been involved in the production of updated acceptable use policy to meet some PCI DSS requirements which had been a lightly bruising affair. The business is a startup culture where freedom and good sense are valued much more highly than rules. The noticeably positive culture of the organisation was rooted in this and as a result the managers resisted the imposition of new rules. It was also the case that the staff cried out for information and knowledge so they could make their own minds up about security, they wanted security awareness training as long as it explained why security mattered and how it worked.

The combination of a fast moving technology team, the startup culture and the positive results of just good security communications and engagement was that a written policy seemed anachronistic and almost fossilised.

I posted the following provocative, somewhat tongue in cheek, but honest question:

Questioning security policies
(more…)

Protecting Information About Networks, The Organisation and Its Systems

I recently wrote a report with a number of colleagues for the Centre for the Protection of National Infrastructure (CPNI) on the Network Reconnaissance phase of a targeted attack following initial exploitation. The report covers what is targeted, how the attackers operate and what controls help. Below is a summary infographic and below the cut is the briefing presentation I delivered and the full report.

Infographic:

(more…)

Twitter RSS