Posts Tagged ‘security’

Talking Up Security

A keynote I gave to GDSCon 2017 on how security practitioners should engage with senior executives.

Strategic Security Management Challenges

I was recently asked by a consultancy firm to provide a keynote talking about the challenges I had faced as a security leader during my career and how the consultancy could start thinking about how to help people in my position. I appreciated the customer-first orientation they were adopting, refreshing in a world of consultancies that have a habit of leading sales engagements with why it would be both foolish and dangerous not to buy their off-the-shelf industrialised services that were designed for smaller more focused firms with less in-house capability.

Large global enterprises share much in common but the key themes of concern for a security leader in my experience are:

  • Complexity (the old enemy of security),
  • Scale,
  • Availability of the right people and
  • Culture


The Future of Security Automation.

It is entirely possible I am about to have a flying car moment. Recently I have been asked by a variety of product vendors and security consultancies for my opinions on the future direction of security and where they should be focusing their innovation efforts. I’m honestly not sure why I get asked this, but I enjoy both the sound of my own voice and free lunches, so I’m not complaining. Here is my view on the core of how we will be delivering security in large enterprises in the near-ish future.

Not so basic but definitely essential.

We keep talking about new shiny, and increasingly fragile, controls that will prevent attacks, or fiendishly clever algorithms or AI to which we can outsource all that hard or fast thinking we’re not good at, but we are all still staring down the barrels of a loaded data breach gun waiting for it to go off. The thing is, we seem to be holding that gun to our own heads, and it’s not like we don’t realise. All the talk of ‘basics’, ‘essentials’, ‘foundations’ points at a relatively common set of issues, usually focused on some combination of the following:

  • IT Maintenance (patching, replacing end-of-life platforms, inventories, baseline builds etc),
  • Network security (internal segmentation),
  • Access Management (efficient joiners, movers, leavers processes, privileged user management),
  • Security Monitoring (effective visibility),
  • Incident Response (tested plans, exercised staff)


The security opportunity in Digital

Four years ago I discussed some of the characteristics of cyber security that made the use of the term useful. This was at a time when the use of cyber security was widely derided by practitioners of IT security and Information Security. One of the common complaints was that Cyber was just the same things we had already been doing, re-branded to seem ‘cool’. As time has moved on the practices of cyber have become clearer: the use of threat intelligence, the development of threat hunting, the increased focus on incident response, the wide deployment of behavioural analytics etc. As is often the case, early adopters knew they were solving new problems in a new way, but the articulation of meaning to the later adopters has needed a body of activity and emerging practices to clarify how cyber security overlaps with, but also differs from, the predecessor disciplines of IT and Information Security (both of which are still going strong and are still necessary).

Another buzzword appeared soon after cyber, and that was Digital. Digital is a customer-focused, technology-first approach to business that again looked just like what we were doing before in technology and business activities. Over time practices have emerged (agile development, devops, infrastructure automation, cloud, mobile, social etc) that have started defining what the early adopters really meant when they said Digital.

Digital lies in the intersection of velocity, scale and complexity.

