CSARN Organisational Resilience Conference

I was able to attend the City Security And Risk Network (CSARN) conference on organisational resilience today. It was a very well put together one day event with speakers from a broad range of companies and backgrounds such as the Police Force as well as military and traditional consultancies.

The key focus of the day though was of course on elements of organisational resilience such as incident and crisis management, the terrorist threat, global travel planning and the associated risks (in this case played against a backdrop of maintaining operations during the Arab Spring) and of course business continuity management. The speakers were knowledgable, and approachable during breaks for further questions. Justin Crump did a cracking job of maintaining order throughout the day and ensuring the audience was engaging well with the speakers.

Halfway through the day there was a panel discussion focussed on “building and embedding effective cyber security structures”, and I was pleasantly surprised to have been asked last week to be on the panel itself. (Cue jokes for how far down the list they had to go before they got to me etc…). Also on the panel with me was Geordie Stewart (who I am also speaking with at RSA and Paul Simmonds (Co-editor, Cloud Security Alliance “Guidance” v3 Co-founder & Board of Management, Jericho Forum Former CISO, AstraZeneca). I felt it came across as a very well balanced discussion, with some very insightful and focussed questions from the audience. I had been primed that the audience was not that well versed in all things “cyber”, but that didn’t really come across which made for a very enjoyable and engaging discussion.

We covered topics such as sources of cybercrime (state sponsored, organised crime and so called chaotic actors), what our thoughts were on the biggest threats coming out of the “cyber” threat and what we could be doing better at international levels. When each asked what the single take away from the discussion, mine was a rather glib, if valid, “plan for failure”; another strong take away to my mind was “get the basics right, everything else comes second”. Again, it sounds glib and from the school of the bleeding obvious, but over complicating any challenge is so easily done.

If I had one piece of critical feedback (well, two actually) it was that towards the end the presentations seemed to move into blatant sales pitches; now I understand sponsors need to get a return on their sponsorship, but it was the wrong forum to my mind for sales pitches. Secondly, I wouldn’t do something like this again on a Friday; it felt like half the audience had left come 2 o’clock, which can’t have helped the afternoon speakers at all!

I thoroughly enjoyed myself though, have some great key takeaways specifically for my business continuity planning, and I hope have planted the seeds of being able to return again in the future as a solo speaker!

My thanks to Acumin and CSARN for giving me the opportunity to be on their panel, especially alongside two people whom I admire in the industry.

10 Rules of Risk Management… In 10 Movie Quotes

I had an absolute blast last night presenting at the Acumin RANT forum (https://www.rantforum.com) on the topic of “10 Rules of Risk Management… In 10 Movie Quotes”. The premise was simple – people don’t remember rules or dull facts, but they do remember things that emotionally touch them in some way. Each quote and movie opened up a conversation on an aspect of risk management (although the term “rule” was a little inaccurate of course). Given it was the RANT forum, and I was competing for the attention of the audience against the allure of a free bar, there was plenty of opinion and discussion flowing around the room throughout. Hopefully a few of the points I was trying to make will have stuck as a result of quotes such as “You’re gonna need a bigger boat” or “I see dead people”.

I felt the audience engaged and participated throughout with lots of very verbal agreement and disagreement throughout, and it was exciting to be right at the centre of the maelstrom. If you have never been to a RANT before just imagine one person being surrounded by a large number of people only a few feet away; with your back to the projector screen, there is no lectern to hide behind and no stage to stand on. It’s do or die, and a  #Fail never far from your thoughts!

Not everyone agreed with the points I was making of course but that just generated further conversation. I had some excellent follow up conversations with a number of people, including a great idea for my next presentation which a stated up front I might shamelessly steal – I think i got his agreement that doing so was OK! I had some very positive feedback afterwards as well for which I am very appreciative of; if you are reading this and want to provide more feedback, of both kinds, then please do. Without wishing to sound too “new age”, feedback is a gift you can give someone that will allow them to grow and improve. Without it we continue to make mistakes and miss the opportunity to learn.

Gemma (from Acumin) and I tried something new this time as well, filming the presentation with two cameras. It will take me a few days to splice the footage together, but as soon as it is done I will have it posted here. I know some of those who attended were interested in both reviewing and sharing the footage, as well as the slides; these are below, as well as a slideshow of the deck. I use Keynote  for my presentations, so the PowerPoint conversion is never a true representation. If in doubt, use the PDF. Someone mentioned last night that they may want to link to the content here too. I have no objections to this, just credit me and don’t muck about with the content!

My thanks to Acumin for hosting the evening, and thank you to all of you who took part, especially the very lucky prize winners! (If you wanted a pen but didn’t get one let me know and I will do my best to send one to you).

This slideshow requires JavaScript.

Files for download:

PDF – 10 Rules of Risk Management

PPT – 10 Rules of Risk Management

Keynote – 10 Rules of Risk Management (native)

Movie from the evening – Coming Soon

May I Ask YOU A Question Or Two…?

The iPhone5 launch is very exciting for many people, and I have to admit myself included. Whatever your opinion of that particular can of worms, one thing is for sure, and that is many people will be parting with a lot of money in the next week or two in order to get hold of the latest piece of geek chic.

When there is a likelihood of a money changing hands, scammers and criminals will never be far behind.

I took a phone call (from a UK 0845 number) on my mobile phone on Saturday from someone claiming to be from O2, with an offer to get the new iPhone5 on the day of release without having to queue for hours at my local O2 store. They would even honour the lower retail store price compared to the order online price; on my tariff that meant £70 for the handset rather than £100 because I was a good customer (which I am). What an offer!

Without thinking, I confirmed the first line of my address… and then thought “Oh crap, shouldn’t have done that”; I got a bit carried away. They had called me, not the other way around, I really had no idea who they were!

Cast your mind back a few years ago, and there was a semi legal scam whereby people would take calls from “a representative from <insert mobile provider here>”. They would entice the individual with early upgrades and a new phone, get the verbal agreement, and then shift the contract to a new, third party provider. The downside was that this provider had many hidden charges and an average £25 bill would become £125 overnight partnered with a legally binding contract. This was soon clamped down upon, but this example starting to ring through my mind!

It was at this point that I had verbally agreed that I wanted the new iPhone delivered to my door on a new and cheaper contract this coming Friday… Oh dear God, Have I just committed professional suicide here?!

I turned on my professional brain, and then asked the person at the end if she really was from O2, and obviously she replied “yes!”. So I asked her if she would mind if I asked her a few security questions “of course not, I would do the same!”. i logged onto my O2 account and asked her for my account number, last bill amount and how long I had been a customer. She had all of the information to hand, I was happy, and I am now looking forward to a new phone on Friday (either that or this blog will be closed down on Saturday!).

It did occur to me however that I felt a little awkward asking these questions. How many other people in a similar position, offered an enticing deal would do the same thing? And how often would someone be ripped off as a result. We receive phone calls all the time from our service providers, and very often just asking for innocent information or making sure you are happy with their current deal, but sometimes the first question they ask is a “security” question to confirm you are the correct person. This normal procedure is easily hijacked by social engineers who could over the course of a few months gather a vast amount of information just from phoning you and asking you outright!

Has anybody else experienced this kind of thing? Have you missed some great deals because you missed the opportunity to grab it because you were too suspicious or have you thrown caution to wind only to regret it later, if only for a short period of time? How cautious do we need to be in these circumstances?

One thing I learnt however is that in the middle of a conversation, it is very easy to forget who called who; remembering that if you answer the call you haven’t confirmed their identity and therefore need to ask some security questions of your own is probably  the best way of keeping you out of trouble!

Where is Outlook for iPad?

The prevalence of the “Bring Your Own Device” (BYOD) concept as an acceptable, if little rushed, approach to empowering employees at work has resulted in many different types of devices being used in the workplace now. Arguably, these are split into two camps, Android & iOS (I don’t believe Windows Mobile has made many inroads into the enterprise… yet… watch this space as their new devices come off the production line).

The prevalence of Exchange Servers in the enterprise is also arguable, but in my own experience it is the number one mail server around, and with it of course comes Outlook. On the whole, I love Outlook; it has a few quirks (especially on the Mac) but by bringing together my email, calendar, contacts and notes into a tightly integrated package, which in turn integrates with my enterprise email/messaging/scheduling platform means it is probably the number one application I use.

Why then has Microsoft not capitalised on these two facts and marketed Outlook for mobile devices with the promise of integration, functionality and security? There are apps on the various app stores that claim to offer Outlook style experiences, but the feedback on these speaks for itself.

I can’t say I would care much for Word, Excel & Powerpoint on my tablet that much, I tend not to edit or annotate these documents on these devices much anyway. But Outlook would change how I interact with work over my iPad, but only if they implement it properly!

Given one of the core tenets of Outlook is to integrate email, contacts, calendar and notes from the enterprise, I strongly believe it should NOT integrate with the same apps on the device. By this I mean its database should be entirely separate, and ideally, encrypted to retain a certain degree of security. Because of this separate installation, the application itself can handle all of the ActiveSync profiling (e.g. encryption, password protection, password retries, remote wipe and the such like) that on existing devices causes an infinite amount of pain. Having had personal experience of rolling out a one size fits all ActiveSync profile to thousands of of BYOD devices with different hardware and firmware because they are by definition “personal” devices, I know too well of the amount of noise, frustration and lost hours this brings to the end user.

Of course, this kind of application, sold on the app stores for £10GBP/$15USD, could also be purchased by the individual owner and expensed (or not, see your expense policy) and is the one, and only, barrier the enterprise puts up to mobile BYOD adoption. Have the latest Outlook for iOS? Then gorge yourself on your work email to your hearts content! The enterprise has full control over the data, including rules of what can be forwarded, printed etc because it does not integrate with the devices native apps, and if the employee leaves or is fired, then ZAP! on the next connection and authentication the data is gone.

This approach may put companies like Good out of business, or may even drive them to greater innovation (where do you think I got the idea for the above anyway?!), but my experience of bolting on third party products onto Exchange has never been “good” anyway.

In my limited experience I know there must be some pretty major road blocks to this, otherwise why haven’t they done it already? If you are more educated in this area than me then please do comment and let me know your perspective. in the meantime, I shall dream of my iPad/Outlook nirvana and the increased amount of sleep I will get overnight not worrying about all that data flying around on peoples personal devices.

RSA Europe 2012

I am very excited to be going to RSA Europe this year, and not only that I am thrilled be taking part in a debate.  The topic of the debate is “Should you train your employees on security awareness?” on Tuesday October 9th at 13:10hrs. It takes place with five other folks in the information security field;

  • Christian Toon, European Head of Information Risk,Iron Mountain Europe;
  • Javvad Malik, Senior Security Analyst, 451 Research;
  • Rowenna Fielding, Information Security Manager, Alzheimer’s Society;
  • Kai Roer, Senior partner, The Roer Group;
  • Geordie Stewart, Principle Consultant, Risk Intelligence.

I am partnered with Geordie and Rowenna against security awareness training. I could well have argued either side of the debate, but I seem to be constantly disappointed even in cases where common sense should prevail and that is what swayed me in the end. Either way, it should be informative and above all fun, especially given those that are involved.

The official synopsis is as follows:

Training your staff in security awareness is an accepted and often mandated requirement of compliance in any organisation. Its effectiveness however has been increasingly questioned and its limitations highlighted. The Acumin Risk and Network Threat (RANT) community brings together six thought leaders from across Europe to debate the conflicting and opposing views of this challenging topic.