Taking Care of Business

I remember back in early 1996 arriving home from work and telling the future ex Mrs Langford that was going to be very busy “for the next two to three months”. There was a project going on that I decided I was going to get involved in (outside of my normal IT Manager day job) and that it was going to be good for my career. In modern parlance, I had decided to “lean in”.

Those busy two to three months ended for me on the 10th September 2017. I had pushed myself professionally as hard as I could, burnt the candle at both ends, worked long hours, was only off work sick when I euphemistically “called in dead”, accrued millions of air miles, and was ostensibly successful in my career. Without wishing to dwell here on the events of that fateful night/morning in September 2017, I had reached the end of the line; all of that work and effort had ultimately netted my severe anxiety and stress, diabetes, alcoholism, and a desire to make it all stop very violently.

All of which brings us neatly to right now. I am currently off work sick. I’m very likely to head back tomorrow 9even though I am not 100%, but boredom is a keen medicine sometimes), but I have had the best part of five working days of, plus a weekend in between. I had been feeling under the weather for about a week or so beforehand, but at about midday on my first day off I decided to just switch off my computer and go to bed, and there I more or less stayed for the best part of a week. I had tested positive for COVID, but a few days later that was now negative and I still felt like a bag of rusty spanners had taken residence in my lungs, and my energy levels were depleting like a Death Star tractor beam. Looks like I worked through a second bout of COVID and then got taken down by another virus; but those are details for me and my GP and work HR I guess.

But “SO WHAT?!” I hear you cry? Well, throughout these last few days of being off I made a conscious effort to disconnect from work as much as possible and focus on my recovery. I learnt my lesson those few years back, and realised I needed to get myself back to fitness, despite the many pressing deadlines and meetings I was missing, and the importance of the work I was doing. I focussed on myself and my health as I knew I don’t want to go back too early and jeopardise not only my health but my work performance.

And you know what? Despite everything I had experience before and told myself, I still felt guilty about taking the time out.

This shouldn’t come as a surprise to anybody, anywhere though, not least the information security industry. A few weeks ago, my good friend and all round good chap Sarb Sembhi, who along with Peter Olivier and Paul Simms authored a paper on Mental Health in Cyber Security, and of which I was asked to peer review. I will leave you to read the paper yourself, but the figures in there are both unsurprising as well as making for uncomfortable reading regarding anxiety, depression, anger, alcoholism etc..

I was asked by a client over dinner recently “what keeps you up at night?”. Obviously they were fishing for gossip/insight into the state of our joint business, but I told them that basically nothing does because after my life changing experience back in 2017, I refuse to get stressed or anxious over work matters because it simply isn’t worth it, especially as I am not CISO for something that may save/take lives. And yet here I am feeling guilty about taking maybe another day off sick, and deciding to go back even though I am still not breathing right and feeling fatigued. Surely I should know better?!

To be clear, we are (normally) compensated well and a have privileged positions at work to get the job done properly; we have responsibilities to our colleagues and to the clients and markets we support to do the right job and put the effort in, and frankly most of us even enjoy our jobs. But I can absolutely guarantee you that none of that is worth anxiety, depression, anger, diabetes, alcoholism and suicidal tendencies if that pressure to perform is maintained indefinitely.

Taking care of business ultimately means taking care of yourself first.

I am going to be at InfoSecurity Europe in a few weeks time on stage with the Sarb and Peter, authors of the above mentioned Mental Health in Cyber Security paper.

Links to other interesting stuff on the web (affiliate links)

What Exactly is the Cyber Scheme?

Solving today’s Security Challenges With Device Centric SSE

Sneaky Tricks In Enterprise Pricing

You, Me, and Dystopia

We all remember the Ocean’s 11 styles of antics that criminals can emulate to gain access to IoT devices and, subsequently, the enterprise network on which they are hosted. It may have been an isolated incident, but it underscores that ANY vulnerability can be exploited.

The question of “why should we be bothered now?” begs to be answered, given that these risks have been around for a long time. But, interestingly, the 2020 COVID lockdown (and subsequent ones) and the impacts it had on the supply chain may help us to answer this question with surprising clarity.

Do you remember how difficult it was to get hold of toilet paper, pasta and hand gel in March of 2020? Panic buying meant that the supply chain struggled to meet demand; combined with the “just in time” supply models employed by most manufacturers and retailers, stocks were diminished quickly with no replenishment in sight. So far, so what, right?

According to the UK’s Office for National Statistics, there are well over 8,000 small to medium sized food suppliers in the UK (probably exacerbated by the gig economy as well). How many companies of this size do you know of that have a robust cybersecurity programme in place?

This puts them at a significant disadvantage when it comes to recognising a cyber-attack and defending against it. Given the fish tank scenario from my last blog, it is no stretch of the imagination to see circumstances whereby chilled and perishable goods are sabotaged and destroyed, either in situ or in transit. Remote monitoring is rapidly becoming the norm and will reduce costs and effort, something any small business would jump at. So protecting these environments, the sensors, and the control devices from the get-go becomes critical.

The incentives to disrupt and destroy the supply chains are sometimes manifest, but only occasionally. Terrorism, both domestic and international, will always try and attack a nation’s weakest point. But there are other threats to consider as well.

The (fairly) recent global lockdowns and various actions carried out by governments worldwide have changed the business and planetary ecosystem, and not always for the better. Without commenting on the politics of the situations themselves, activism has been on the rise globally, with people taking to the streets to defend their particular viewpoints and air their grievances.

The hacker group, Anonymous, are the epitome of so-called “hacktivism”, using their collective skills to disrupt and expose governments and corporations. Their particular flavour of activism involves attacking their targets and exploiting their weaknesses for political and social leverage. So again, it doesn’t take a leap of the imagination to see these current troubling times being a catalyst for more hacktivism, attacking vulnerable supply chains through their reliance on IoT technology.

The positive impact of technology always needs to be balanced against the sociological and cultural impractical it may have, as well as the environment in which it operates. With the commoditisation of security testing capabilities and offensive technological tools, the ability to attack and exploit weaknesses in the supply chain becomes open to the general populace. If that populace suffers a more significant division of wealth and disenfranchisement, the risk of the supply chain being attacked is greater.

Ocean’s 11 suddenly becomes The Hunger Games; the implications of an insecure supply chain vulnerable to attack can have severe consequences for what we consider to be our ‘normal’ lives. So taking precautions now to protect our society’s lifelines must be imperative.

Links to other interesting stuff on the web (affiliate links)

Introducing Cyber Advisor

BSidesAustin 2023: CyberSecurity In The Texas Tech Capital

Understanding ‘Lone Wolf’ Attacks Dissecting and Modeling 2022’s Most Powerful Cyber Attacks

Beer, PowerPoint and Politics

Gone are the days when being a CISO (or even just ‘the security guy/gal’) was about actual information security or IT security. Even the term IT Security is outdated now and emphasises a one-dimensional view of what security is really about. However, I digress…

The Information Security element of CISO is correct, but for various reasons, the CISO’s role is very different from what it was a decade ago. The role then required a strong technologist who understood the firewalls, their rules, the cryptographic controls and even how to code hotfixes on the fly. This isn’t surprising given the role almost wholly came from an IT background; after all, back in the day, mere lip service was paid to the human element, and the legal considerations were considered simply “someone else’s job”.

I was often asked what my job as a CISO entailed, and because I didn’t initially understand what I had actually got myself in for when I took on my first CISO job I used to jokingly say;

PowerPoint and politics

Me. Back Then.

The odd thing is that this response is not far from the truth. My role became significantly less about my understanding of specific niches of information security knowledge and more about putting across to the business what this information security lot was all about and how it helped the company stay competitive, out of trouble or even just in business. The more I was doing this, the more I was embroiled in the day-to-day machinations of how a business works and the inescapable conclusion I came to was this; even if information security is seen as essential to the business, it is still just one voice of many that are trying to influence, cajole and be heard.

Moreover, this is where the politics come in, unfortunately. It is human nature and the way of businesses around the world. Politics is everywhere, and any CISO who doesn’t see and at least understand what is going on is, at best, going to be ignored and, at worst, eaten alive.

Which brings me to my second quote from me (well, it makes attribution a whole lot easier, doesn’t it?);

The purpose of a CISO is not to make the company more secure per se, but rather to help it sell more beer/widgets, increase shareholder value (as appropriate), and let the business make risky decisions more easily… through the judicious use of security

Me, Just now. Again.

The CISO should not be concerned with the name on the front of the firewall or the specifics of the latest penetration test. Instead, they should focus on how best to align their security services to the business and ensure security isn’t just a cost centre but a capability that allows teams and the company to run faster, more efficiently, and with less risk.

That doesn’t take technical knowledge; that takes strategic and business knowledge.

Links to other interesting stuff on the web (affiliate links)

Shift Gears: How to Leverage Data-Centric Security Controls in AWS

Changes to the OWASP API Security Top Ten 2019 to 2023

Cybersecurity as an Operational Effort