Competing Innovations in Cyber

I have had a series of productive discussions with a colleague over the last year about the differences in adopting new innovations between cyber attackers and cyber defenders. His interesting, and itself innovative, contention is that a key problem in cyber security is created by the differently shaped innovation adoption curves between defenders and attackers, and that by investing in changing the shape of defenders' adoption curves the nature of the competition itself will be reshaped. (I suspect I am doing my colleague something of a disservice with my summary.)

Diffusion of Innovation Curve


Pitfalls of Cyber Data

I jointly presented with Ernest Li at 44con Cyber Security on April 28th 2015 discussing how we use public cyber data and some of the problems we have run into. My presentation is on slideshare below:

We need to talk about IT

It has long been a truism of security practitioners that security is not an IT problem. This is an attempt to lift the gaze of the security team from technology to the wider business. A laudable and useful goal. However, IT is a security problem.

Misinterpreted policy?

A couple of months ago I was home ill from work and frankly a little bored.

While idly reading my Twitter feed I reflected on a challenge I had been facing at work: a very technology-focused, agile team that seemed to move faster than the security team could handle. I had some time ago realised that, short of a herculean hiring effort, we needed a combination of automation, delegation and good engagement to achieve the security outcomes we desired.

At about the same time as addressing that challenge I had also been involved in the production of an updated acceptable use policy to meet some PCI DSS requirements, which had been a lightly bruising affair. The business is a startup culture where freedom and good sense are valued much more highly than rules. The noticeably positive culture of the organisation was rooted in this and as a result the managers resisted the imposition of new rules. It was also the case that the staff cried out for information and knowledge so they could make their own minds up about security; they wanted security awareness training as long as it explained why security mattered and how it worked.

The combination of a fast-moving technology team, the startup culture and the positive results of just good security communications and engagement was that a written policy seemed anachronistic and almost fossilised.

I posted the following provocative, somewhat tongue-in-cheek, but honest question:

Questioning security policies

Security Analytics Beyond Cyber

I presented at 44con 2014 on moving security analytics on from network defense and rapid response towards supporting data-driven and evidence-driven security management. My presentation is on slideshare below:
