Gavin Holt, who I was fortunate enough to be mentor to for last years BSides London Rookie track, invited me to submit a talk for Securi-Tay3, the third annual security conference hosted by the University of Abertay and run by the Abertay Hackers Society. He is the Vice President of that society and responsible for drumming up trade for the conference. Securi-Tay has a reputation for being Scotland’s biggest security conference, and this year attracted something like 170 people putting it well on a par with many ‘professional’ conferences.
I duly did as I was told and submitted into the CFP.
The day was great; the conference was well managed and run, there were always plenty of volunteers in distinctive blue (and not black for once!) T-shirts who were friendly and willing to help. Vitally there was always a cup of tea available in the reception area, throughout the day, something so many conferences miss when you are working the hallway track rather than the advertised tracks. This is one Englishman who has traditional standards…
As expected there was a very strong technical slant to the presentations (many of them given by people called Rory it seems as well) and some of them were beyond me. In fact I tweeted the following day saying that the one downside to the conference was that I often felt like the dumbest person in the room.
I was able to present on “Throwing Shapes for Better Security Risk Management”, a wholly revamped version of a talk I did at the IT Security Forum late last year. When I first gave it I had some great feedback from Jitender Arora which I tried to address, as well as the formal feedback from the session (basically “good content but not what was promised”). Securi-Tay kindly recorded the talk which I will post shortly, although with the microphone cutting out there is only so much you can hear. Feedback afterwards was very positive, and I had some great conversations with people not just about risk management but presentation style generally.
Two other presentation also stood out for me; Ritesh Sinha and Paco Hope‘s “The Colour of Your Box: The Art and Science of Security Testing” and Rory McCune’s “Crossing the Mountains of Madness – How to Avoid Being a Security Cultist”. These will also be available at the Securi-Tay YouTube channel shortly.
This was a great conference, attended by people who truly wanted to learn and engage rather than just get out of the office for the day, and who are actively pursuing a career in the infosec industry. What did surprise me though was the number of people from the day who wanted to get more involved with risk management as a career option rather than the more technically focussed, ethical hacking option which at first glance would appear to be the defacto choice. The honesty and passion of all of the students there was very refreshing, and I thoroughly enjoyed chatting to everyone at the after party, all the way through the inevitable kebab on the way back to the hotel.
I decided to write a review of a paper submitted to wired.com on the subject of “An Approach to Risk Decision Making” by Curt Dalton. I must however declare an interest in this, in that I happen to report to Curt in my day job (he is global CISO), and that he was kind enough to share drafts with me as he wrote it for feedback. This will of course therefore be a somewhat biased review, although not too much, but I do hope if nothing else it generates conversation around topics and approaches like this. I have a huge respect for Curt, have learnt much from him over the last few years and hope to get a good score in the next performance review!
In essence, this model is designed to help an orgnaisation decide if it is financially viable to invest in security technology/controls/procedures in order to address a given risk. It is not designed to be used across an organisations risk management porogramme, but rather with those handful of risks that can’t be addressed in day to day operations and have to be escalated to senior management to be effectively resolved. With limited budget and access to that senior leadership, this approach provides support and guidance on what to ‘fix’ and what not to fix.
This scope is a key element of the model; it uses very traditional approaches to monetizing risk versus the more in vogue approach I have reviewed elsewhere in this blog. To that end it uses assigned numerical values to elements of its calculations; this is of course where ‘errors’ may creep in, but in theory an experienced risk manager familiar with their environment should be able to assess this reasonably well.
In summary, the model is as follows:
Figure 2 in the model requires an analysis of controls required to address a risk.
This does of course beg the question, how do you know you have all of the controls required and how do you know you have selected the correct numerical value? Again, the pragmatist in me suggests this is entirely possible with someone who is familiar with the environment and the organisation, but this may of course be more difficult in other situations.
Figure 3 does a similar thing with a similar level of granularity, i.e. defining in nine increments the ease of exploitation of a given risk; where I think there is potentially something missing is that this value applies to ALL of the risks listed in figure 2 rather than individually.
Obviously this would massively increase the complexity of the solution but this is a deliberate approach to ensure simplicity across the model.
These two numbers are then combined with a simple calculation of impact to etsablish a level of monetized risk. Finally, the 80/20 rule (or Pareto’s Principal) is used as a rule of thunmb to define the actual budget that should be spent to mitigate a risk. In the example given therefore a monetized risk of roughly $1.5m USD should be mitigated by spending up to $380k USD and no more. The Pareto Principal can of course be adjusted accoring to your organisations risk appetite, that is, the more risk averse the organisation the more the rule would move from 80/20 to 70/30 or 60/40 etc..
There are a lot of assumptions used in this model, not least the numerical values that may seem to be arbitrarily assigned. However, I believe this can be forgiven for the very simple reason that this is a pragmatic, transparent and easily understood approach; it can be easily transferred into an Excel spreadsheet meaning that some simple modelling can be carried out. I have said before that until the newer approach to risk management has a more easily understood and implentable approach it will not be adopted. This model does.
The other part to this model that I like is that it is not designed to be a cure all, but rather a tool to help organisations decide where to spend money. If the approach is understood then an informed decision can be made within the constraints of that model (or indeed any other model). I believe it is influenced by the ISO27005 approach to risk management which means many risk management folks will be able to grasp and adopt it more easily.
Overall, this is a model that can be adopted quickly and easily by many organisations, and implemented successfully, as long as its basis in assigning numerical values is understood, and calculations are carried out by those in a position to understand their risk profile well. I would strongly recommend you tai a look at the model yourself over at Wired Innovation Insights.
Pros – easily understand, pragmatic, focussed on one business issue, easily implemented.
Cons – relies on assigning ‘arbitrary’ numerical values, doesn’t address granularity of risk and ease of exploiutation.
This time last year I posted a WordPress summary of my blog and stated I was going to focus on “growth” for 2013. Fortunately WordPress sent the same summary as last year and so I am very pleased to say that I have achieved that, certainly in regards to posts, content and followers.
It was a hugely busy year as regards me and this growth, with just some of the highlights including;
* Establishing Host Unknown alongside Andrew Agnes and Javvad Malik, and making a start in showing that security education really doesn’t have to be dull.
* The opportunity to be a mentor to Gavin Holt for the Rookie track at BSides. Gavin is an extremely talented and intelligent InfoSec professional and I was thrilled to have been able to help him present.
* The inaugral RANT conference and being able to play a part in the day for the lovely people at Acumin.
* Presenting at RSA Europe again.
* Getting involved with The Analogies Project, curated by the very talented Bruce Hallas, in addition to being asked to be a regular contributor to the Iron Mountain Information Advantage blog.
* Winning Best Personal Security Blog at the inaugral European Security Bloggers Awards.
Combine the above (just the tip of the iceberg) with a dramatic increase in followers of the blog and of Twitter and an increase in the number of requests to present I am extremely pleased with 2013.
The word for 2014 therefore is “maintain”. Much as I would like to grow last years levels of activity it did cut into my day job quite considerably so I need to be a little more selective in my activities. That said, I have already presented at Securi-Tay3 in Dundee and have another one for the 451 Group in a few weeks. I will post something about Securi-Tay3 in a few days time when the videos have been published.
There are so many people to thank for the success of 2013, some of whom are mentioned above, but there are many others out there to whom I thank; I have very much been fortunate enough to stand on the shoulders of giants, allowing me to grow as a professional in the infosec field.
Moving forwards I have plenty of thoughts for content for this blog over the coming months so stay tuned for more details, and thank you for following me in 2013!