The Lost CISO who?

And why am I being spammed with Twitter and LinkedIn about him all the time at the moment?

I came up with the concept of The Lost CISO when I was working late in the office one night. I decided to start writing and doing something about it straight away, and even created the banner and took my own picture for it sat at my desk. I also pulled the graphics together there and then, not in Photoshop, but Apple Pages (I was an executive at the time and to my shame do not know how to use Photoshop). It still came out alright I think, though.

The idea was to create short informational videos, 2-3 minutes long, almost like a high energy presentation, in front of a green screen onto which I could then superimpose relevant imagery etc. It was a good concept, I thought, and within my technical skills with a camera and Final Cut Pro X. Or so I thought. I could also put all of my other InfoSec videos under the same brand, tying it up into a neat piece of branding. The films would be aimed at people who are simply keen to learn, and no more. Not all of it will be groundbreaking stuff, but it will be researched, experienced or just advice that flies in the face of common knowledge. The basics, Plus, I suppose.

I created a test and shared it with some friends who gave me some honest feedback on quality, imagery etc. I then did a first episode (bearing in mind each one took me about 7 days of intermittent working to edit), shared it again, and excitedly held my breath.

“Do not release this… it will do your personal brand more damage than good…”

Ouch.

Back to the drawing board; except I didn’t, life and work got in the way. Until twelve months went by, and I decided to just get this done properly once and for all. So I invested in some quality lighting, foley and a decent green screen, and even hired someone to do the filming and editing for me, and got to work. Of course, now I run my own business, I wasn’t able to prepare the topics as well as I wanted. To be honest, I pretty much flew through the filming so I could get onto the next job in my increasingly long To-Do list, but the quality, and to be honest, the creative talent I hired shines through far more than before.

As always, my success (such as it is) is tied to the talent of others. A lesson for everyone there, I think…

What’s the infosec lesson here? None really, although perhaps at a stretch I could say that just because my original idea failed didn’t mean it was a bad one, and I just needed the right resources. I don’t know, parallels to infosec education and awareness training maybe.

I hope you enjoy the series, and please do comment on them, let me know what you think and also if you would like a particular topic covered.


Keeping It Supremely Simple, the NASA way

Any regular reader (hello to both of you) will know that I also follow an ex NASA engineer/manager by the name of Wayne Hale. Having been in NASA for much of his adult life and being involved across the board he brings a fascinating view of the complexities of space travel, and just as interestingly, to risk.

His recent post is about damage to the Space Shuttle’s foam insulation on the external fuel tank (the big orange thing), and the steps NASA went through to return the shuttle to active service after it was found that loose foam was what had damaged the heat shield of Columbia resulting in its destruction. His insight into the machinations of NASA, the undue influence of Politics as well as politics, and that ultimately everything comes down to a risk based approach make his writing compelling and above all educational. This is writ large in the hugely complex world of space travel, something I would hazard a guess virtually all of us are not involved in!

It was when I read the following paragraph that my jaw dropped a little as I realised that even in NASA many decisions are based on a very simple presentation of risk, something I am a vehement supporter of:

NASA uses a matrix to plot the risks involved in any activity.  Five squares by five squares; rating risk probability from low to high and consequence from negligible to catastrophic.  The risk of foam coming off part of the External Tank and causing another catastrophe was in the top right-hand box:  5×5:  Probable and Catastrophic.  That square is colored red for a reason.

What? The hugely complex world of NASA is governed by a five by five matrix like this?

Isn’t this a hugely simplistic approach that just sweeps over the complexities and nuances of an immensely complex environment where lives are at stake and careers and reputations constantly on the line? Then the following sentence made absolute sense, and underscored the reason why risk is so often poorly understood and managed:

But the analysts did more than just present the results; they discussed the methodology used in the analysis.

It seems simple and obvious, but the infosec industry very regularly talks about how simple models like a traffic light approach to risk just don’t reflect the environment we operate in, and we have to look at things in a far more complex way to ensure the nuance and complexity of our world is better understood. “Look at the actuarial sciences” they will say. I can say now I don’t subscribe to this.

The key difference with NASA though is that when the decision makers understand how the scores are derived, and then discuss that methodology, the interpretation of that traffic light colour is more greatly understood. In his blog Wayne talks of how the risk was actually talked down based upon the shared knowledge of the room and a careful consideration of the environment in which the risks were presented. In fact the risk as it was initially presented was actually de-escalated and a decision to go ahead was made.

Imagine if that process hadn’t happened; decisions may have been made based on poor assumptions and poor understanding of the facts, the outcome of which had the potential to be catastrophic.

The key point I am making is that a simple approach to complex problems can be taken, and that ironically it can be harder to make it happen. Everyone around the table will need to understand how the measures are derived, educated on the implications, and in a position to discuss the results in a collaborative way. Presenting an over complex, hard to read but “accurate” picture of risks will waste everyone’s time.

And if they don’t have time now, how will they be able to read Wayne’s blog?


Drowning, Not Waving…

Last week I attended The European Information Security Summit 2019 and spoke on the closing keynote panel at the end of the second day. The topic was “Unacceptable personal pressure: How senior Cyber Security Executives safeguard their own mental health, and those of their teams”, and as a panel we were surprisingly open about our experiences. Afterwards a number of people spoke to us about how pleased they were that we had been open and honest about a subject that is so often swept under the carpet as too difficult to deal with or just plain embarrassing. I have also seen the LinkedIn articles written since get a huge amount of traction with every comment a positive and supportive one.

I briefly told my story last week, and so have decided to elaborate a little more to a larger audience here. This is not meant to be virtue signalling, or jumping on the bandwagon, but rather a message to everyone out there who has suffered in silence and felt they were the only one with these feelings. These are the “highlights”, and some parts of the story are just between me and, well, me, but I am sure this will paint the correct picture.

My last role was challenging to say the least; as a newly minted CISO I was tasked with building a security team from the ground up (again) in a large global organisation that was as politically charged as it was not interested in security. We did well, growing to over 60 people at last count before I left, and were considered a high performing team who collaborated and never said no. People enjoyed working with us and we took on more and more work and constantly delivered.

The cost though was an intense environment where my main role was PowerPoint and politics, and constant air support for the team. Combine a tough travel schedule and the global, always on element, I never truly switched off. That said, one of my mottos was “Work Hard, Play Hard” so evenings with teams, internal clients and their customers in different countries were long, hilarious and helped us bond even closer to perform even better. Frankly it was exhausting and my sleep suffered.

So I did what every self respecting professional does, and started to self medicate with alcohol. It was, for the most part, free from British Airways and Hilton, or on expenses (see above). It wasn’t a problem as I had a good tolerance, was a happy (maybe even hilarious) drunk, and while stupid things were done, it only brought us closer and made us more effective as a team.

And it wasn’t a problem for a number of years… until it suddenly was.

2017 was a very difficult year for me. In that year I drank almost every single day to excess as a result. I would get up in the morning and carry on working until the end of the day and I would start again. I wasn’t an alcoholic as I didn’t need to drink 24 x 7, so that was OK. I also managed to spend thousands of my own money on nights out with friends and team mates, pushing myself seriously into debt. My anxiety, stress and depression were getting worse, but I was able to medicate for that myself, so no problem.

Then came Rome. I will save you, dear reader, from the gory details, suffice to say that at 5am on a Monday morning at the end of September I found myself at the top of a building incoherent with emotion, raging at the universe, and willing myself to jump off. I had lost my third phone that year from the night’s entertainment, had driven myself further into debt and I just couldn’t do it anymore.

Thankfully, an ambulance turned up, I was talked down, hospitalised for a few hours and then discharged. With no phone, in a foreign country, no idea of where my hotel was or where I even was, I managed (in a complete blur) to get back to the hotel, call my wife, get to the airport and get home only to spend the next four weeks in the care of the NHS and my family, and off work.

The irony of my situation wasn’t lost on me; here I was, a successful, well paid, C-Level Executive, ostensibly well known and regarded in the industry, and I am clinically depressed and suicidal. Therefore to say I was scared, lonely and emotional would be an understatement, and I decided to make some changes in my life.

Two of those changes are of direct relevance here;

  1. I stopped drinking alcohol. I was classed as a Non-Dependent Alcoholic and as a result was tasked with cutting down my intake dramatically. I decided to stop entirely, a choice I would have considered unthinkable, even laughable, just a few months before. I haven’t drunk alcohol since, not because I can’t allow myself to, but because it simply isn’t an important part of my life now.
  2. I decided to be more open about my mental health issues with not only my family, but my friends and work colleagues, and address them proactively. I was not going to be defined by this event and lifestyle change, and I also wasn’t going to be held to ransom, mistakenly or maliciously, by the events I have just disclosed above. I have yet to discover anyone who I confided in who was at the very least supportive, if not understanding, be they family, friends and especially my team.

There is of course a damn good reason why I am sharing this with you. What follows are my takeaways for everyone who read the above and felt it resonated with them even just a little.

  1. Alcohol is a bad way to treat yourself for anything longer than a few days. Talk to a doctor or therapist sooner rather than later and save yourself a life threatening event to wake you up.
  2. There is no stigma in sharing your mental health struggles. I am constantly amazed at the overwhelmingly positive response from everyone I talk to about my personal experiences. If your friends and colleagues are not supportive of you, perhaps you should question why you are in the state of mental decline in the first place.
  3. If you work for a good company, and/or have a good team, your time out of the office will be dealt with and accommodated for allowing you to recover. When you come back, you will do so with more energy and vigour than most other members of the team. If you are not being supported, see point 2.
  4. If a member of your team is struggling, you don’t actually have to do much to help. Communicating to them that they should take whatever time they need to address their issues, and not asking questions is all that is needed. If your team can’t take up the slack, then how are they going to cope during an incident anyway?
  5. Be supportive if you can; it is difficult, but even small gestures like gifts of tea and chocolate (you know who you are…) or staying in touch over instant messenger to make sure someone is OK is also a great way to show your support. Humour helps too.

I’m going to close this with a call to action. This isn’t some virtue signalling programme that I will front up on Twitter and Facebook, but rather a call for everyone to include mental health topics in their team meetings, their management reports and metrics, as well as face to face meetings. The financial losses to our industry are probably staggering because of mental health issues, so we should be tracking and probing on it in our organisations as much as gender or racial diversity.

I want to reiterate, again, that if you are feeling it, someone else is feeling it too. Now you know what I have been through, I hope it means you now have someone you can reach out to as well, or have the courage to seek help and support when before you didn’t.

As for me, I have never been better these last 18 months or so. I sleep better, I work better, I manage stress better, and I am pretty sure my jokes are better too. Therefore, I leave you with this unattributed quote:

I wouldn’t recommend suicide, it’s bloody dangerous. I nearly killed myself…

Note: I am going to be at the RSA conference in San Francisco in a couple of weeks’ time, as well as at a variety of other conferences over the coming months. Please do say hello and let me know your thoughts on this topic. Should it be as mainstream as I suggest, or should we just stick with the stiff upper lip approach? Can and should we be doing something else?

The Art of the Presentation (Part 2 of 3)

You’ve created your presentation, now you need to practise. Or as the great Yogi Berra put it:

In theory there is no difference between theory and practise. In practise, there is.

Almost certainly in the early days of your presenting you will need to practise a considerable amount. There are two main reasons for this; firstly you will be presenting your own unique content for the first time in an open forum like a conference, which means you will need to be absolutely sure of what it is you are going to say to ensure you don’t come across as someone who is less knowledgeable than you are. Secondly, you will almost always be nervous. How quickly you overcome your nerves will vary greatly from person to person and a variety of other factors. For me it took just over two years before my nerves stopped kicking in to the point where they were visible.

The key to coming across confidently is to know what you are going to say right from your first sentence, all the way through to your last sentence. You also need to ensure that you don’t learn every single word of the talk parrot fashion. Unless you have a gift for remembering dialogue (in which case you will sound like you are simply reading your verbiage), you will have to employ a few tricks to get around this…

The Opening

Firstly, practise your very first sentence, and make it snappy and to the point, and impactful at the same time if you can. Don’t drone on about how happy you are to be here, what your name is, thank you all for coming, I hope you like my talk, how you can’t believe you are stood in front of such a talented crowd at this amazing conference etc. I recall practising in front of a good friend, and before I had got halfway through my introductory sentence he bellowed:

BORRRRRIIIIING! YAWN 

His point was that people aren’t there to hear your platitudes, they are there to get their money’s worth and listen to what you have got to say, so just get on with it. Additionally, if people want to know more about you personally they will either read your bio in the conference agenda, or look you up after the talk. Do not spend five minutes establishing your credentials as not only can it come across as egotistical (except in very rare circumstances) but it also erodes your impact as a confident and knowledgeable speaker.

Slide on the slides

The second trick is to use your slides as a prompt for a train of thought rather than using them as an aid to specific sentences you want to remember. In the first blog on this topic I mentioned using imagery as much as possible; avoiding the use of bullet points or long sentences as much as possible means you won’t be tempted to rely on the text for what you are going to say. Try to sound conversational, and while practising do consider filming yourself or at the very least making an audio recording. Running through it a few times will help embed a few key phrases in your head you can move between, and also give your imagination a chance to expand further on your thoughts. Having a few Tweetable length phrases ready to roll off your tongue is a useful way of making an impact with few words, as well as encouraging people to potentially tweet your quotes during the talk (and increase your audience). Don’t forget your “story” or the beginning, middle, end structure either.

Variety

This point is also an opportunity to practise varying the tone and pitch of your voice, the use of your hands and even how you want to move around. Practise slowing down your talking, and possibly even lowering your volume (more easily achieved if you are going to be using a microphone), when you want to emphasise something of critical importance. You can also speed up and become more animated on sections that you find exciting, fun or revealing. A little bit of humour thrown in as well helps, but be careful here, especially with an international audience. Test it on colleagues and peers first.

The Close

So you have made it through the deck and you are on your last slide; before you know it you have finished your presentation. How do you finish? “And, um, that’s it really…” is not the way to go. See the first point and memorise a closing statement, something straightforward, and again, snappy. “With that, I will close and thank you all for your time and attention. I will now take questions” is a good place to start. Don’t be afraid to make changes to the deck and the story as you go through either; they will evolve as you become more proficient, and the deck should not limit your message; the message dictates the deck.

How often should you run through your deck? In my early days I would practise at least five times, recording it a few times, and often in front of a critical friend or two. This is a very real time commitment, so be aware and plan it into the creation of your presentation to meet your deadline. As you get more comfortable, you will be rehearsing the presentation as you create the deck, and after a few reviews will know what you are going to say (roughly) with each slide and each transition.

Patience

Above all, be patient with the process; like anything it takes thousands of hours to be proficient at something depending upon your natural ability, the circumstances and the topic in hand. If you are not having fun, ascertain which part of the process you are not enjoying. Very often, I talk to people who hate the entire process, including the presenting, until immediately after when they get such a rush they want to do it again. If that is the case, the painful parts do get easier. Also, make sure you find someone who will honestly critique your presentation either in person or after watching a recording. Take their viewpoint very seriously, and if they are a serious speaker then all the better.

So, if you are wondering how you can get to Carnegie Hall, as the violinist turned comedian Jack Benny once answered:

Practise Practise Practise!

Next time, The Art of the Presentation (part 3 of 3) – The Delivery.

Note: Look out for a new YouTube series from me coming soon, The Lost CISO!


The Art of the Presentation (Part 1 of 3)

In a post a few years ago I talked about The Art of the Conference, and what conference organisers can do to improve their conferences and make lives easier for their presenters. I was reminded of this post again recently as this is the sixth year that I am mentoring a rookie speaker at BSides London, and in my initial conversation with them I discussed a three stage approach to creating, practising and delivering the talk (the latter of which touches on the content of my previous post).

This post focusses on the first part of this process, the actual creation of the talk.

The Idea

This is actually the hardest part of the entire process (aside perhaps from actually standing in front of 200 people of course). In my experience many people try to not only come up with a wholly unique idea, but then try and explore it in too much detail. Given your talk will probably be competing against many other talks, the easiest way to make yours stand out is with its simplicity. Take the core of a topic, and honestly ask yourself what your view on it is; do you agree with it, if not why not, what could be better, what is your experience of it and how have you addressed it? By keeping it simple your audience will have more chance of remembering what you said. This process could take anywhere from minutes to weeks and weeks dependent upon your experience, knowledge and confidence. Don’t assume however that just because you have an opinion that everyone else is fully knowledgeable of it either; if nothing else you are bringing your own unique viewpoint.

The Creative

This is a point at which your approach may differ, but I have always found this the best way of actually inspiring myself and getting my story straight. I fill a sheet of paper with boxes (below) and then start to sketch out (not always legibly) the approach I am going to take on the deck I produce. I do this because it ensures I don’t write any actual prose on the topic; personally when I do this I find it very difficult to then pull myself away from the prose when presenting. It is a mental block of sorts of course, but this approach allows me to sketch out the story of my talk without having to get attached to a certain way of saying things.

I try and avoid too many words as they are a distraction to the audience, and focus on high resolution images that help embellish my point or provoke an appropriate reaction from the audience. There are some very good books on creating slides for presentation that I have referenced, Presentation Zen and Slide:ology; I strongly recommend these to anyone who wants to up their game on the visual presentation side of things.

This approach also allows you to build a story; making sure your presentation has a beginning, middle and end helps draw your audience in. What talk would you rather watch…

My talk is about a simple technology we used to allow someone to Tweet over a phone call.

or

John Doe is a man who was imprisoned on the flimsiest of evidence and with ludicrously high bail. He had restricted access to legal counsel and even family were not allowed to visit him. His entire campaign for justice was focussed around his significant Twitter followers, and given his elevated fame in his industry was where most of his support would come from. Here is the story of how we used a Raspberry Pi, two cans, a length of string and Python to allow him to live Tweet from his weekly phone call, directly and un-redacted, and ultimately beat the corrupt government that had arrested him.

Your approach needs to be simple, but that doesn’t mean it needs to be dull.

The Timings

Timing a presentation is very difficult, but after some experience I have found I can not only tell roughly what the length of a presentation created like this will be, but can also vary it in length, sometimes by up to 100%. The other rule of thumb is to divide the number of minutes you have by the number of slides. One slide for roughly every minute is a good place to start, but keep an eye out for when that number increases. Trying to cover more than one slide every 15 seconds is going to be very challenging.

The Takeaways

I often say that people will remember less than 30% of what you said less than 30 minutes after you have finished speaking. Not only is this where the simplicity of your deck is important, but also making sure you leave the audience with clear activities or advice on what to do next is vitally important. If you don’t do this, you will leave the audience somewhat nonplussed even if your content is great. As one close friend of mine said to me after I had asked for feedback:

It was a good talk, but I got to the end and thought “meh, so what?”

Your talk can be interesting, but if it doesn’t have a point, you will always be in the “meh” zone.

Next time (or maybe the time after), The Art of the Presentation (Part 2 of 3) – Practising.