Posts Tagged ‘management’

Talking Up Security

A keynote I gave to GDSCon 2017 on how security practitioners should engage with senior executives.

Strategic Security Management Challenges

I was recently asked by a consultancy firm to provide a keynote talking about the challenges I had faced as a security leader during my career and how the consultancy could start thinking about how to help people in my position. I appreciated the customer-first orientation they were adopting, which is refreshing in a world of consultancies that have a habit of leading sales engagements with why it would be both foolish and dangerous not to buy their off-the-shelf industrialised services, services designed for smaller, more focused firms with less in-house capability.

Large global enterprises share much in common but the key themes of concern for a security leader in my experience are:

  • Complexity (the old enemy of security),
  • Scale,
  • Availability of the right people, and
  • Culture.


Not so basic but definitely essential.

We keep talking about new shiny, and increasingly fragile, controls that will prevent attacks, or fiendishly clever algorithms or AI to which we can outsource all that hard or fast thinking we’re not good at, but we are all still staring down the barrel of a loaded data breach gun waiting for it to go off. The thing is, we seem to be holding that gun to our own heads, and it’s not as if we don’t realise it. All the talk of ‘basics’, ‘essentials’, ‘foundations’ points at a relatively common set of issues, usually focused on some combination of the following:

  • IT Maintenance (patching, replacing end-of-life platforms, inventories, baseline builds etc.),
  • Network security (internal segmentation),
  • Access Management (efficient joiners, movers, leavers processes, privileged user management),
  • Security Monitoring (effective visibility), and
  • Incident Response (tested plans, exercised staff).


Cyber Resilience: Part Six Recommended Reading


Here are the sources used when developing the thinking behind this blog series:


Cyber Resilience: Part Five What next?

Cyber resistance clearly requires leadership and operational intervention from specialised cyber professionals. However, Cyber Resilience requires a broader institutional response that encompasses all aspects of the business. As such, it needs to be owned by the entire executive management of an organisation.

“The Department encourages all institutions to view cyber security as an integral aspect of their overall risk management strategy, rather than solely as a subset of information technology.” Benjamin Lawsky, Superintendent of Financial Services, New York State Department of Financial Services, December 2014

