The Lost CISO who?

And why am I being spammed with Twitter and LinkedIn about him all the time at the moment?

I came up with the concept of The Lost CISO when I was working late in the office one night. I decided to start writing and doing something about it straight away, and even created the banner and took my own picture for it sitting at my desk. I also pulled the graphics together there and then, not in Photoshop but Apple Pages (I was an executive at the time and to my shame do not know how to use Photoshop). It still came out alright, I think, though.


The idea was to create short informational videos, 2-3 minutes long, almost like a high energy presentation, in front of a green screen onto which I could then superimpose relevant imagery etc. It was a good concept, I thought, and within my technical skills with a camera and Final Cut Pro X. Or so I thought. I could also put all of my other InfoSec videos under the same brand, tying it up into a neat piece of branding. The films would be aimed at people who are simply keen to learn, and no more. Not all of it will be groundbreaking stuff, but it will be researched, experienced, or just advice that flies in the face of common knowledge. The basics, Plus, I suppose.

I created a test and shared it with some friends who gave me some honest feedback on quality, imagery etc. I then did a first episode (bearing in mind each one took me about 7 days of intermittent working to edit), shared it again, and excitedly held my breath.

“Do not release this… it will do your personal brand more damage than good…”

Ouch.

Back to the drawing board; except I didn’t, life and work got in the way. Until twelve months went by, and I decided to just get this done properly once and for all. So I invested in some quality lighting, foley and a decent green screen, and even hired someone to do the filming and editing for me, and got to work. Of course, now that I run my own business, I wasn’t able to prepare the topics as well as I wanted. To be honest, I pretty much flew through the filming so I could get onto the next job in my increasingly long To-Do list, but the quality, and to be honest, the creative talent I hired shines through far more than before.

As always, my success (such as it is) is tied to the talent of others. A lesson for everyone there, I think…

What’s the infosec lesson here? None really, although perhaps at a stretch I could say that just because my original idea failed didn’t mean it was a bad one, and I just needed the right resources. I don’t know, parallels to infosec education and awareness training maybe.

I hope you enjoy the series, and please do comment on them, let me know what you think and also if you would like a particular topic covered.



Keeping It Supremely Simple, the NASA way

Any regular reader (hello to both of you) will know that I also follow an ex-NASA engineer/manager by the name of Wayne Hale. Having been in NASA for much of his adult life and being involved across the board, he brings a fascinating view of the complexities of space travel and, just as interestingly, of risk.

His recent post is about damage to the Space Shuttle’s foam insulation on the external fuel tank (the big orange thing), and the steps NASA went through to return the shuttle to active service after it was found that loose foam was what had damaged the heat shield of Columbia, resulting in its destruction. His insight into the machinations of NASA, the undue influence of Politics as well as politics, and that ultimately everything comes down to a risk based approach make his writing compelling and above all educational. This is writ large in the hugely complex world of space travel, something I would hazard a guess virtually all of us are not involved in!

It was when I read the following paragraph that my jaw dropped a little as I realised that even in NASA many decisions are based on a very simple presentation of risk, something I am a vehement supporter of:

NASA uses a matrix to plot the risks involved in any activity.  Five squares by five squares; rating risk probability from low to high and consequence from negligible to catastrophic.  The risk of foam coming off part of the External Tank and causing another catastrophe was in the top right-hand box:  5×5:  Probable and Catastrophic.  That square is colored red for a reason.

What? The hugely complex world of NASA is governed by a five by five matrix like this?

Isn’t this a hugely simplistic approach that just sweeps over the complexities and nuances of an immensely complex environment where lives are at stake and careers and reputations constantly on the line? Then the following sentence made absolute sense, and underscored the reason why risk is so often poorly understood and managed:

But the analysts did more than just present the results; they discussed the methodology used in the analysis.

It seems simple and obvious, but the infosec industry very regularly talks about how simple models like a traffic light approach to risk just don’t reflect the environment we operate in, and that we have to look at things in a far more complex way to ensure the nuance and complexity of our world is better understood. “Look at the actuarial sciences” they will say. I can say now I don’t subscribe to this.

The key difference with NASA, though, is that the decision makers understand how the scores are derived and then discuss that methodology, so the interpretation of that traffic light colour is far better understood. In his blog Wayne talks of how the risk was actually talked down based upon the shared knowledge of the room and a careful consideration of the environment in which the risks were presented. In fact the risk as it was initially presented was de-escalated and a decision to go ahead was made.

Imagine if that process hadn’t happened; decisions may have been made based on poor assumptions and poor understanding of the facts, the outcome of which had the potential to be catastrophic.

The key point I am making is that a simple approach to complex problems can be taken, and that ironically it can be harder to make it happen. Everyone around the table will need to understand how the measures are derived, be educated on the implications, and be in a position to discuss the results in a collaborative way. Presenting an over-complex, hard to read but “accurate” picture of risks will waste everyone’s time.

And if they don’t have time now, how will they be able to read Wayne’s blog?



Price versus Value; Why it is Important in Information Security

Running my own business now means I have to work out how much I am going to charge for my services, and if the market (or client) is going to be willing to pay me that price. It makes for an interesting internal dialogue, especially as I have always been told to not sell myself short or underestimate the skills I have and the value they bring to a client.

I recently lost out on some work because the client decided to go with somebody established rather than a new company like me. To be fair to them they had paid me well for five days consultancy to help them work out what they wanted, and they were very pleased with what was delivered so I honestly thought they would choose me. Hubris at its best I suppose.

I suspect that by going with a larger, established company they may well be paying less than I quoted for (it was assistance with ISO27001 certification by the way). The established company would have a larger range of resources, some certainly more junior than me and the people I was going to subcontract with, a tried and tested approach they have used hundreds of times before, and larger resources to back them up throughout the process. The client will certainly become compliant and obtain the certification.

Now, I am not going to denigrate the work this competitor does, but I imagine they would be very task oriented, focussed on getting the certification for their client, and ensuring they come back year after year for more support. Then they will be onto the next job and doing the same thing again in short order. I have been a part of this process myself in my old consulting days.

So what value would someone like me bring then, especially if the end goal is the same, i.e. certification? Put simply, I strongly believe in the differing cultures of one company to the next, and the fact that what is left at the end of the certification needs to be reflective of that culture and able to be adopted for the long term. That means policies, procedures, communications and the overarching ethos of the programme must be in harmony with the client’s vision and goals. That is very hard to do with a boilerplate approach. I guess it comes down to “the personal touch” as well as a somewhat selfless approach in ensuring the client is educated enough in the process along the way that they could actually go through it again with significantly less of your support.

Is it the most immediately profitable approach? Of course not, but it is how you build “sticky” relationships with potential clients by ensuring they see you are there for their benefit and not yours. With a bit of luck this will mean more opportunities with them in the future or recommendations to other potential clients.

There are certainly no hard feelings between me and the client I mentioned at the beginning, they are lovely, honest and transparent people who I enjoyed working with and who paid me a fair price for my time in the analysis phase, and I really do wish them the best of luck in their certification with their new vendor.

I just hope they call me when they realise what they could have had. <Disengage hubris mode>


Waving, Not Drowning

I have just stepped off the stage at the Pulse Conferences CISO 360 Congress in Rome having presented on “The True Cost of Security, A Personal Story”, recounting my experience of poor mental health. I wrote about my life-threatening experiences in my blog post, Drowning not Waving, published a few months ago, and those of you with good memories will recall those events also took place in Rome in September 2017.

I haven’t been back to Rome since then until now to do this talk, and so I am doing so with significant apprehension and unease. It’s an odd feeling, and one I haven’t experienced since my breakdown, but it is one that I will work through and will ultimately do me good. I also have to thank the incorrigible Clive Room of Pulse Conferences for giving me the opportunity to do this talk to a significant audience, and in Rome also. Personal stories are always so much more powerful, and if people in the audience either get the help they need, recognise others in their lives who need the help they need or even just understand that it is a perfectly normal thing to go through, then it will be worth it.

It is also the last time I will be publicly talking about this topic.

I have been approached many times since my original post by people thanking me, empathising with me or generally being extremely supportive as my post had a personal impact on them in some way. In short, the response has astounded me. However, I don’t want to be known as “the mental health guy”; the point of my story is that I recovered, got better, moved on and actually came out a better person. The point of my story was that it was a transitory period of my life and not one (for me) that I have to keep going back to in order to maintain my recovery. The point of my story was to let others know that they are not alone.

Does this mean that I don’t care about this topic any more? Obviously not, and I will always be happy to engage with people about it, and help and support them if needed. I am always going to be “available”, if that is the word, to anyone who feels I may be able to help them.

It does mean that this will be the last time I blog about it, present or appear on a panel on the subject or make any kind of public appearances or endorsements on the topic. Some of you may think this is a bit odd, or maybe even callous and cold, and I understand that. However, this is what is the right thing to do for me in my pursuit of happiness, continued engagement with the InfoSec community and growth of my own business.

To be absolutely clear though, if you want to talk/DM/email with me about this topic then please do. If you feel the need to talk about your own struggles, or think I can help, then reach out, and I will make myself available to you as best I can. Depression and alcohol dependence is an empty and lonely place to be, and if a kind word and a smile from me will help you then don’t hesitate. You should also speak to a mental health professional as well of course, as you would have to be very unwell to think I am your best route to happiness!

Thank you to everyone who has shown support, love, compassion, empathy and friendship since reading my story, you know who you are, and I send it all back times three thousand.


RSA 2019, and women finally had to queue for the toilets…

If the streets of San Francisco are becoming more cluttered as the homeless problem gets worse year after year, the conference itself seemed to take a clear shift towards a more friendly and inclusive event.

The redesign of the conference wasn’t just limited to the Moscone Centre itself. To be sure, the revised layout meant even more vendors could be squeezed in (where do they all come from?!), and we could find ourselves utterly lost on the expo floor as it was no longer clear if we were in the North or South hall, or what direction we had to walk in for the West hall when we finally emerged, blinking into the weak Californian sun.

This redesign, if it can be called that, came across to me in two distinct ways, both of which are areas that are close to me. Sure, the talks were good, the Keynotes interesting (if occasionally sponsored), and the overall organisation was excellent. But the two areas I thought that stood out were diversity and wellness.

Of course, the more cynical of us will say that it was just a move that RSA made to keep the haters quiet and the ticket sales up, but it really did feel like a corner had been turned here. That is not to say they did it first, as there are thousands of events around the world that are supporting diversity and wellness, but to see it done at this scale is what made it stand out. RSA is undeniably a commercial conference, and many parts of the infosec echo chamber deride it for being so, but it is also a litmus test of how the industry as a whole is performing.


Therefore, seeing the demise of the all-male panel (or “manel” as I heard it described), seeing broadly balanced panels, and a larger number of talks fronted by women is the direction that the community has been pushing for years. It takes effort to redress a balance like this, but when it is reflected in a high-profile show like this the benefits are greatly increased. As a direct result of this, my unscientific method of just using my eyes showed me there was a greater number of women attending as well. (I think I even saw a queue for the ladies’ toilets at one point as well – now if that isn’t scientific proof I don’t know what is.) This greater balance is better for all of us in this industry, however you look at it.

As for wellness, I counted at least three sessions on the impact of infosec on mental health, including one keynote. I was informed just today that a straw poll found that 14% of CISOs found the stress of the job “unbearable and unsustainable”, and the associated decline in mental health a very real cause for concern. Our toxic mixture of being measured on failure and the requirement for us to “keep secrets” 24×7 means none of this is reported or addressed, and people are suffering. Seeing this addressed by senior and well known people in the field in an open forum can only mean good things and result in better health overall.

Let’s be clear, diversity and wellness are still in the early stages of being addressed, but being addressed they are, and if more shows and conferences like RSA can continue to push the agenda, then the information security industry will become a friendlier place.

Let’s not forget (Wil) Wheaton’s Law, which applies to all of us here, and is a mantra to live your personal as well as your professional life by:

“Don’t be a Dick”.

I was also involved in some media coverage, mainly because of the very fine folks at ITSP Magazine. I helped with a daily wrap up report and an end of show report as well. You will not I hope, dear reader, have missed the quite excellent T-shirts I happen to be sporting…

Thursday’s update was so good, we even did it twice; if you ever get to meet Sean you can ask him why…

Selena, Marco and Sean did a fantastic job summarising every day, as well as carrying out a slew of other interviews and updates. Please do check out their magazine and subscribe, I promise you won’t be disappointed.

I also did an interview with Matthew Schwartz of ISMG, under their Bank Info Security brand. It focussed on wellness and mental health, and has yet to be published (if at all). This was an interesting choice for me as I do not wish to become the poster boy for this topic, but given the wholly positive response I have received from people who are not only affected by the issues I raised but now feel “safe” to talk about them, it is hard not to talk more about it. I have no doubt I will be talking more on this, so I guess I will have to hone the message more to not just get the point across but also avoid being placed in this niche myself.

Hopefully that interview will surface as Matthew is a wonderful interviewer and friend, and he helped tell the story in a very compelling and sensitive way.

Finally, I had the opportunity to knock around RSA with my old mucker Javvad. We absolutely did not plan any filming, and I absolutely did not help him script his film, or even hang around hoping to be filmed. But as luck would have it I happened to be in the right place at the right time to be interviewed.

In it I opine about the huge amounts of negativity aimed at vendors during RSA, even hearing some commentators refer to it as a “vendor wank-fest”, which is both disingenuous and frankly a somewhat disturbing image to conjure up. I will leave you to watch Javvad’s thoughtful film on the topic of vendors; suffice to say that without them we wouldn’t have half of the community we have now.

And then the week was over in a flash. Diversity, wellness, toilets, faulty microphones, vendors and filming, all wrapped up in a blog post, films and a bunch of fun memories.

<edit> Typos