Last week I had the opportunity to do both a presentation at the BCS IRMA Specialist Group as well as take part in a drastically reduced panel with Javvad Malik (and only Javvad!) at the InfoSec Europe 2013 Press conference.
Firstly I want to recount the panel for the press conference. After some last minute drop outs (one of which I was replacing anyway!) there was just Javvad and me available to do it less than 24 hours before we were due to start. In his own inimitable style he proposed a double act Parkinson style to talk about the challenges faced by a CISO in the Enterprise. I was somewhat unconvinced by this but true to his word, the whole session went extremely well and was thoroughly enjoyable. Afterwards Javvad was told by some of the journalists that the session was a great way to end the two days with the non vendor focus of the session, and the humour that Javvad and I of course used!
One of the main topics we discussed was that of the position of the CISO within the organisation and the influence that this subsequently brings. Ultimately my position is clear on this, that the CISO needs to be as high in the organisation, and as independent of vertical alignment as possible. What I mean by this is that if the CISO is on the board (or executive leadership team as appropriate) and does not report into the CFO, COO, CIO or any other C level executive there is a dramatically increased chance of security being a successfully managed activity in the enterprise. It ensures full representation of the security function at the most senior levels, free of conflicts of interest and able to vie for budget and attention on an equal footing with the rest of the business units.
I will caveat this however. If there is no security function in place or it is in its nascent stages, or the business itself is smaller, it makes absolute sense to have the security function perhaps initially reporting into the CIO; in all likelihood the staff building the team will come from IT anyway. However, as the team grows it needs to evolve its leadership and position in the organisation, perhaps moving away from the IT function, to the COO and then ultimately to the board.
This transition is something that I have never seen planned in advance, and this is probably one of the fundamental reasons why the CISO and security function is constantly under represented in the modern enterprise as it struggles to gain independence. This will always result in poor awareness and training, lack of budget and lack of true top down security adoption as they compete for ever diminishing resources from lower down in the organisation.
One fairly unique place I have seen the security function is reporting into the General Counsel/Legal function. This I have seen work well as it is the GC that is traditionally responsible for the tracking and management of risks for the enterprise, and frequently has the ear of the CEO. I rarely see a conflict of interest with the security function either. This is not common though, and is likely to only be likely in the larger organisations that have a formal role of GC.
Bottom line, if the newly appointed CISO (i.e. a senior level position for a mature security team) reports into the CIO, then in reality, security is not going to function effectively in that organisation.
And finally (although not in chronological order), the BCS. It was the final presentation of “An Anatomy of a Risk Assessment” and it was (as far as I can tell) well received. Unfortunately the weather and lack of sandwiches post the even meant there was little time to mingle afterwards, but I have since received a number of favourable comments and of course connection requests on LinkedIn which is always heartening. I did however feel I didn’t answer one of the questions at the end, about India, particularly well, and may have come across as a little disingenuous when nothing could be further from the truth. I hope my friends and colleagues from india will forgive me if they make it to the end of the video when I get hold of a copy (and post it here). As an aside I found an extremely flattering write up of the very first time I presented this in January last year. To the author at Acumin, thank you! http://acumin.wordpress.com/2012/02/
All in all, a very enjoyable and engaging kick off to 2013.
Blogging can be seen as a very inwardly focussed activity, it is all about me, me, me. I have always tried to maintain a fairly balanced online presence, keeping it professional if a little informal, striving to only blog, or tweet quality rather than quantity. On the whole this has worked for me. The downside to this though has been a slow increase in my online presence (or brand, whatever term works for you) and therefore Twitter followers and blog visits. For example one of the primary reasons for blogging this year has been to “practise” writing about my profession in a way that I don’t get in my place of work and not to gain fans and followers (although that would be a nice by product!).
That said, the automated report that WordPress sends out prompted me to consider what I have achieved over the last year and realise how positive I feel about my online presence. To put it into context here are some very quick (and totally unscientific) stats: In 2011 (when I joined Twitter) I had four blog posts in a self managed blog page, attended one conference (RSA), had less than ten followers and tweeted maybe ten times. I had publicly spoken once, for two minutes, at the Christmas RANT forum. In short, I had no idea what the community had to offer or indeed how to engage with it.
It was at the aforementioned RSA conference that two things happened; firstly I realised that 80% of the presentations I watched were of a quality that I felt I could reproduce. Secondly I met a few folks on the last night that in all honestly changed my perception of the industry and how I could participate in it, namely Brian Honan (@BrianHonan), Kai Roer (@kairoer), Alex Hutton (@alexhutton) and Aaron Barr (@aaronbarr) amongst others. They showed me (unknowingly) how they worked with the community, staying in touch through Twitter, communicating through blogs, articles, podcasts etc.. I have since stayed in touch with Brian and Kai, both of whom I respect greatly and would like to thank for their openness and friendliness to me back in October 2011!
Fast forward to today and my stats are a little better: 26 blogs posts, nearly 500 tweets (not all of them are rubbish either!), 111 followers, six public speaking engagements including one panel and the RSA conference itself, a video blog with the almighty Javvad Malik (@j4vv4d) and contributed to two articles (for Tripwire and (In)Secure magazine). I attended in one capacity or another nearly twenty events/conferences/forums. The best part is that these stats don’t do the experience itself any justice. I have made friends and met many people for whom I have the most deep respect for and who I genuinely like and enjoy their company. I have submitted a joint CFP for a conference with one of them, and hope to continue my relationship with Acumin and the RANT forum (@Acumin & @GemmaPats) who gave me my first big break in public speaking (thank you!). In short, 2012 has been awesome as both a learning experience and a source of fun and enjoyment as regards my chosen profession. The blog stats below are of course modest by most peoples standards, but they are interesting and encouraging to me nonetheless in the context of the above.
I tweeted over the Christmas holidays that my word for 2013 is “growth” both professionally and personally; while I hope that my 2013 “stats” will continue to “grow” more importantly I hope that my new friendships and opportunities to learn in this odd, frustrating, challenging yet ultimately rewarding industry and community continue.
And before you ask, yes, New Year, New Theme for the blog; I’ve grown out of my dark goth and emo phase and now it is time for some colour and class!
Here’s an excerpt:
The new Boeing 787 Dreamliner can carry about 250 passengers. This blog was viewed about 1,200 times in 2012. If it were a Dreamliner, it would take about 5 trips to carry that many people.
Just before Christmas I had an excellent opportunity to co present one of Javvad’s (@j4vv4d) eponymous InfoSec video blogs. In it we took a tongue in cheek look at the variety of styles of bad presentation that we have observed at various conferences and forums. I should of course stress that neither one of us claims to be keynote material with regards to our own presentation style, but we are constantly struck by how many presentations are unintelligible, difficult to follow, underprepared or any other myriad of things that dramatically reduce the impact and message a presentation is supposed to give.
The video blog (here) looks at ten different styles that we felt were the most heinous; there were a further ten left on the cutting room floor! Obviously it was a humorous view in order to best get the point across but it does underscore a serious point, namely that it is astonishing that for a so called professional industry the quality of presentations is often so low, even at events that you have to pay for. I for one expect more.
What I want to look at now though is not “what” we should be doing to improve these presentations because that has been done elsewhere (here and here); rather I will focus on the “why” because it is important to understand the reasons for improving our presentations and the positive outcomes it will have to our community.
In my opinion, it comes down to three points:
Firstly (and in reference back to the video blog), I see so many people in the audience quite simply just turning off in the face of poor presentation style (be it the slide, the verbal delivery etc). All of us attend these forums and conferences to learn from other people, observe their real world experiences and look to see how we can apply the learning into our own professional lives. And yet the first message we get is that the topic in hand is dull, or inaudible or illegible. In any kind of information security conference all topics should be interesting to one extent or another to all attendees. It is the presenters primary responsibility to make the topic interesting, grab the audiences attention and maintain it throughout.
Secondly, it is a question of value for money. This is very apparent in the situations where an event costs money to attend; I expect a certain level of professionalism, content and delivery, and in too many cases it is simply not apparent. In free events, this is less obvious for the audience (who are often getting free beer and food at the same time), but the poor presenter is letting down the sponsor and perhaps sullying their name and reputation. Of course there is also the reputational damage to the individual giving the poor presentation!
Finally, it is a matter of professionalism for the industry and community. Not only do we need to be taken seriously amongst ourselves but we must ensure we can speak convincingly within our own organisations. If we cannot put across our thoughts, analysis, reasoning, proposals and perhaps most importantly our requests for budget in a convincing and professional manner the infosec industry (and your department) will never be taken seriously.
None of us are perfect, especially when it comes to standing up in front of a demanding audience, but I strongly believe we should be asking our trusted colleagues, peers and acquaintances for feedback each and every time we present. What we get back from them may make for uncomfortable listening, but as long as the feedback is given constructively, openly, without fear of reprisal and with good intentions we will all benefit, as individuals, as organisations and as an industry.