The IRMS – a new angle on information security and risk management

photo[1]I have recently returned from a conference that I might not have ordinarily attended or even been able to justify, namely the Information & Records Management Society (IRMS) conference in Brighton.

I had been invited to participate in a panel session on Monday morning entitled “Adapt or Die: Is Records Management still relevant in a World of Big Data” alongside Christian Toon (@christiantoon) and Phil Greenwood of Iron Mountain, and Sarah Norman of HM Treasury. Not only was it an excellent discussion, but it struck me quite how similar the challenges are between the IRM world and the risk management/CISO world.

We answered a question around how can the IRM folks avoid only getting funded and have attention paid to them after an emergency, and it immediately struck me that this is exactly what happens with security. Another related question concerned connecting effectively to the business and I was able to relate the tasks of the IRM function to the Confidentiality, Integrity & Availability (CIA) goals of the information security professional, and how the two goals are very similar.

Even the opening speech spoke about IBM’s Four V’s of big data (quoted), namely:

  • Volume: Enterprises are awash with ever-growing data of all types, easily amassing terabytes—even petabytes—of information.
  • Velocity: Sometimes 2 minutes is too late. For time-sensitive processes such as catching fraud, big data must be used as it streams into your enterprise in order to maximize its value.
  • Variety: Big data is any type of data – structured and unstructured data such as text, sensor data, audio, video, click streams, log files and more. New insights are found when analyzing these data types together.
  • Veracity: 1 in 3 business leaders don’t trust the information they use to make decisions. How can you act upon information if you don’t trust it? Establishing trust in big data presents a huge challenge as the variety and number of sources grows.

Isn’t this exactly the sort of thing that CISO’s have to grapple with every day?

The world of the IRMS and the world of the Infosec Professional are very closely related it seems, and I think this relationship is one that needs to be explored by both communities further to ensure mutual goals are more easily met.

Christian Toon and me looking rather spiffy

Christian Toon and me looking rather spiffy

On a personal side I had a great time speaking with the vendors, watching a few presentations and taking part in the pub quiz (we didn’t win..). There was even a black tie gala dinner on Monday that was an absolute blast that culminated in my friend, Christian Toon, being awarded a fellowship of the IRMS which was just fantastic to to be able to see.

I am sincerely hoping to go to next years event, and perhaps hoping even more that by then the argument to attend will be much easier as our industries begin to forge closer ties.

One Award, Two Conferences and a Surprise in the Works

IMG_2138IMG_2153I am just returning from a very full three days in west London for the annual infosec conference season. I will do my best to name as many of the wonderful people I met throughout all three days, both new and old, but if I miss a namecheck or two, forgive me, let me know, and I will rectify immediately!

Tuesday bought the kick off of InfoSec Europe. After a quick run round to get some schwag  and chat with a few key vendors I had lunch with Cindy (@cindyv), Dwayne (@thatdwayne), Jitender (@jitenderarora), Javvad (@j4vv4d) and Brian (@brianhonan) to chat about RSA Europe and our proposed submissions. This was quickly followed by a couple of panels in the Keynote theatre (one moderated by Javvad) and then some good gossiping with Brian and Neira (@neirajones) before heading off to one the two award ceremonies of the night.

Well goodness, gosh and golly!

Well goodness, gosh and golly!

It was at this point the evening took a somewhat surreal turn. Having been nominated for Best Personal Security Blog at the inaugural European Security Bloggers Awards, I was both deeply honoured and supremely surprised to win!  I was also very proud to see Javvad pick up two awards as well. To say that the evening started to blur somewhat from that point on would be an understatement, but I am glad to say that the award itself did make it home safely. I did spend quite some time talking with Dwayne and Jack (@jackdaniel), predominantly about the mysogeny that still manages to find its way into infosec trade shows through booth babes that were supposedly banned form this years infosec show (looking at you ForeScout…) and then about possibly spinning up a BSides in India. Jack proved what a class act he was by offering to advise anyone who would be willing to take on this mantle in India, something I am hoping to encourage. I will be posting more on the awards in the next few days but suffice to say a huge thank you to Brian and Jack for making these awards happen.

Wednesday bought BSidesLondon. Whilst I was very disappointed not to have been able to speak it did take the pressure off considerably and I was able to enjoy a few good talks

Javvad and his heroes

Javvad and his heroes

(javvad and Stephen Bonner, @stephenbonner) and some great conversations with friends and colleagues. Max (@hoolers) if you are reading this, I apologise unreservedly for not getting around to having the chat I promised! I also managed to meet my “rookie” for the Rookie Track, Gavin (@gavinholt), as well as a great chat with Leron (@le_rond). Halfway through the afternoon I had to head back to InfoSec for my a panel I was a part of on BYOD and Consumerisation. This went very well, was entertaining and informative in my opinion, and despite two attempts at distracting me by Geordie Stewart and Andrew (@sirjester) completed without incident!

View from the panel

View from the panel

A quick visit to the RANT forum (@rantforum) was followed by a couple of drinks at the BSidesLondon after party and then an early night.

Thursday bought a couple of early meetings including Bruce to discuss the Analogies Project (@analogies) which is always a pleasure. I then formally went on vacation…

The rest of the day was taken up with filming for a project I am involved in with Javvad, Andrew and the very talented Jim (@jimshields) of Twist & Shout. More of that to follow in the coming few weeks but I am incredibly excited at what this project may bring not just to me personally but also to the infosec community as a whole (for instance, a sense of humour…).

After dinner with @secwonk, @gattaca, @turbodog, @anthonymfreed, Cindy, Javvad and Andrew, a weary but very satisfied Mr Langford returned home.


  • Winning the Best Personal Security Blog Award
  • Thursday afternoon (see above)
  • ForeScout’s apparent admittance that they needed booth babes to help sell their product


  • Missing Gavin’s presentation because of a scheduling conflict
  • Not finding myself spoilt for choice for presentations to attend at BSides – I thought the choice was predominantly technical and not as broad as last year. Still a great conference, well run and with a huge amount of talent; just less applicable to me this year.

RANT Panel Debate: “Should You Train Your Users on Security Awareness?”

I spent last night with five eloquent, passionate and above all opinionated colleagues arguing the pros and cons of security awareness training. We were doing this at the monthly Acumin RANT forum to a packed crowd who, as always, were not shy in holding back on their opinions.

The Crowd, who make RANT what it is!

The Crowd, who make RANT what it is!

We had two stand ins replacing Christian Toon and Kai Roer in the form of Bernadette Palmer and Andrew Agnes both of whom bought a huge amount of experience, opinion and humour to the evening. The lineup therefore was:


(The Award Winning) Javvad Malik, @j4vv4d

Bernadette Palmer

Andrew Agnes @sirjester



Geordie Stewart

Rowenna Fielding @infosecgeeklady

We did a standard pre vote just before starting (we garnered no votes and a lot of good natured laughs as expected!) and then we went straight into the standard For and Against cycle with me kicking off. Nobody had briefed me (or perhaps I hadn’t listened…) that we were reducing our standard six minutes each down to three! A quick reshuffle in my head and we were off. The photos may look like I am singing Karaoke, but beneath the entertaining exterior was my serious message!

I have posted my core arguments to this blog before so I won’t rehash them here again but what followed over the next eighty minutes was hugely interactive, passionate, thought provoking and hilarious! With a few dongle and fork gags thrown in this debate had everything! Of course there was no real conclusion but at the closing vote there was a small but very definite swing in our favour, hooray!

The Karaoke King!

The Karaoke King!

What I found the most interesting however was that on the whole our arguments converged; we all acknowledged that information security training as it stands now is simply not working. What we do with it however, was where the real debate lay. Do you throw the whole lot out and start form scratch or do you continue to try and fix what we have? I think this is the dilemma we need to face up to sooner rather than later in the industry, once of course we accept that our training programs don’t work. That part is where the industry needs the most help.

I normally try and stay around after these kinds of events and listen to other peoples opinions, gather feedback and generally mingle. Tonight however I had dinner with a few folks (@jimshout, @j4vv4d, @sirjester, @jee2uu) to discuss an upcoming project. More on that in the next few months but it was a productive and exciting evening overall.

Finally, there was some footage taken of the evening by Gemma of Acumin; like all my footage if it ever sees the light of day I will get it posted here as soon as possible! As always a huge thank you to Gemma, Simon, Chris et al from Acumin for not only making this happen but asking me to be a part of it.

Andrew Agnes

Andrew Agnes

Geordie Stewart

Geordie Stewart

10 Rules of Risk Management… In 10 Movie Quotes

I had an absolute blast last night presenting at the Acumin RANT forum ( on the topic of “10 Rules of Risk Management… In 10 Movie Quotes”. The premise was simple – people don’t remember rules or dull facts, but they do remember things that emotionally touch them in some way. Each quote and movie opened up a conversation on an aspect of risk management (although the term “rule” was a little inaccurate of course). Given it was the RANT forum, and I was competing for the attention of the audience against the allure of a free bar, there was plenty of opinion and discussion flowing around the room throughout. Hopefully a few of the points I was trying to make will have stuck as a result of quotes such as “You’re gonna need a bigger boat” or “I see dead people”.

I felt the audience engaged and participated throughout with lots of very verbal agreement and disagreement throughout, and it was exciting to be right at the centre of the maelstrom. If you have never been to a RANT before just imagine one person being surrounded by a large number of people only a few feet away; with your back to the projector screen, there is no lectern to hide behind and no stage to stand on. It’s do or die, and a  #Fail never far from your thoughts!

Not everyone agreed with the points I was making of course but that just generated further conversation. I had some excellent follow up conversations with a number of people, including a great idea for my next presentation which a stated up front I might shamelessly steal – I think i got his agreement that doing so was OK! I had some very positive feedback afterwards as well for which I am very appreciative of; if you are reading this and want to provide more feedback, of both kinds, then please do. Without wishing to sound too “new age”, feedback is a gift you can give someone that will allow them to grow and improve. Without it we continue to make mistakes and miss the opportunity to learn.

Gemma (from Acumin) and I tried something new this time as well, filming the presentation with two cameras. It will take me a few days to splice the footage together, but as soon as it is done I will have it posted here. I know some of those who attended were interested in both reviewing and sharing the footage, as well as the slides; these are below, as well as a slideshow of the deck. I use Keynote  for my presentations, so the PowerPoint conversion is never a true representation. If in doubt, use the PDF. Someone mentioned last night that they may want to link to the content here too. I have no objections to this, just credit me and don’t muck about with the content!

My thanks to Acumin for hosting the evening, and thank you to all of you who took part, especially the very lucky prize winners! (If you wanted a pen but didn’t get one let me know and I will do my best to send one to you).

This slideshow requires JavaScript.

Files for download:

PDF – 10 Rules of Risk Management

PPT – 10 Rules of Risk Management

Keynote – 10 Rules of Risk Management (native)

Movie from the evening – Coming Soon

BSidesLondon – Woot Woot!

What a marvellous couple of days I have just had; Tuesday at InfoSec Europe in Earls Court followed by BSidesLondon in The Barbican on Wednesday. While InfoSec was good, and I enjoyed not only the wide variety of stands, prizes, swag and educational events, it is and will always be a trade show. I always feel I am one tiny eye contact away from signing up to 1000 licenses of a product I never knew I need.

BsidesLondon however was an entirely different event. This was the first BSides event I have attended anywhere, and its reputation as an edgier, grittier and slightly geekier type of conference (or at least that is what I picked up on) was entirely unjustified. What I experienced was an extremely high quality of talks, great organisation, interesting activities, engaging workshops and above all a broad, eclectic mix of information security professionals. To be honest, I was somewhat concerned that my professional background in governance, risk and compliance was going to be entirely misaligned, but I was encouraged to attend by a colleague in our Boston office. How mistaken I was!

I should have guessed really when a talk I submitted was voted for by the attendees (An Anatomy of a Risk Assessment) – I explicitly stated it wasn’t technical, or even focussed on a given standard, but rather a more social/human experience of risk assessments. Whilst I didn’t exactly fill the auditorium to the gunwales, I estimate there were about seventy people attending. I also had some great questions at the end and a stream of conversations and compliments throughout the rest of the day. I even managed a few more Twitter followers!

(On that last point, I think I really am going to have to pull my finger out now and start providing some real value on Twitter, and especially this blog!)

The “Crew”, and team of people entirely made up of volunteers who gave up their full day to support the event (and miss out on all of the great activities as well) did a phenomenal job in both setting it up and managing it. I was able to thank a few of them in the bar at the after party, but I know I missed a few; to all of you, Thank You!

If pushed to, there would be a few things I would change; please understand this is by no means a criticism of any aspect of this years event, but rather a desire to see a cycle of continual improvement!

1. Make it a two day event. I would hope this would encourage more volunteers who could do a half day stint at a time. This would mean that volunteers would not miss out on the excellent content. (I heard many times “I haven’t been able to see a single talk all day”)

2. Charge a nominal fee. By nominal I mean £50 for two days (£25 for students/concessions etc of course. That is only a night or two of beer for an average student and they will more than make up for it at the after parties!). This would ensure people actually turn up – I saw a lot of unclaimed name badges at the reception which is a massive shame given the clamour for tickets. One day tickets could be suitable priced at £30 and £15. This would also take the pressure of the organisers for the basics like T Shirts, lunch, booking fees etc and the (excellent) sponsors can focus on the value-add stuff.

3. Increase the numbers. I know smaller events have a niche value and connect with the community more effectively, but I think a third track formal could easily be accommodated next year as the reputation of this event will only improve and numbers wanting to attend will increase. There is a balance to be had, but pushing to 500 or 600 is still viable in my humble opinion.

All that said, even if everything stayed the same I will still be attending next year, and hopefully speaking again. Congratulations to all involved, what an amazing event. It’s barely been two days and I am already looking forward to next years!