Taking Care of Business

Leave a comment

I remember back in early 1996 arriving home from work and telling the future ex Mrs Langford that was going to be very busy “for the next two to three months”. There was a project going on that I decided I was going to get involved in (outside of my normal IT Manager day job) and that it was going to be good for my career. In modern parlance, I had decided to “lean in”.

Those busy two to three months ended for me on the 10th September 2017. I had pushed myself professionally as hard as I could, burnt the candle at both ends, worked long hours, was only off work sick when I euphemistically “called in dead”, accrued millions of air miles, and was ostensibly successful in my career. Without wishing to dwell here on the events of that fateful night/morning in September 2017, I had reached the end of the line; all of that work and effort had ultimately netted my severe anxiety and stress, diabetes, alcoholism, and a desire to make it all stop very violently.

All of which brings us neatly to right now. I am currently off work sick. I’m very likely to head back tomorrow 9even though I am not 100%, but boredom is a keen medicine sometimes), but I have had the best part of five working days of, plus a weekend in between. I had been feeling under the weather for about a week or so beforehand, but at about midday on my first day off I decided to just switch off my computer and go to bed, and there I more or less stayed for the best part of a week. I had tested positive for COVID, but a few days later that was now negative and I still felt like a bag of rusty spanners had taken residence in my lungs, and my energy levels were depleting like a Death Star tractor beam. Looks like I worked through a second bout of COVID and then got taken down by another virus; but those are details for me and my GP and work HR I guess.

But “SO WHAT?!” I hear you cry? Well, throughout these last few days of being off I made a conscious effort to disconnect from work as much as possible and focus on my recovery. I learnt my lesson those few years back, and realised I needed to get myself back to fitness, despite the many pressing deadlines and meetings I was missing, and the importance of the work I was doing. I focussed on myself and my health as I knew I don’t want to go back too early and jeopardise not only my health but my work performance.

And you know what? Despite everything I had experience before and told myself, I still felt guilty about taking the time out.

This shouldn’t come as a surprise to anybody, anywhere though, not least the information security industry. A few weeks ago, my good friend and all round good chap Sarb Sembhi, who along with Peter Olivier and Paul Simms authored a paper on Mental Health in Cyber Security, and of which I was asked to peer review. I will leave you to read the paper yourself, but the figures in there are both unsurprising as well as making for uncomfortable reading regarding anxiety, depression, anger, alcoholism etc..

I was asked by a client over dinner recently “what keeps you up at night?”. Obviously they were fishing for gossip/insight into the state of our joint business, but I told them that basically nothing does because after my life changing experience back in 2017, I refuse to get stressed or anxious over work matters because it simply isn’t worth it, especially as I am not CISO for something that may save/take lives. And yet here I am feeling guilty about taking maybe another day off sick, and deciding to go back even though I am still not breathing right and feeling fatigued. Surely I should know better?!

To be clear, we are (normally) compensated well and a have privileged positions at work to get the job done properly; we have responsibilities to our colleagues and to the clients and markets we support to do the right job and put the effort in, and frankly most of us even enjoy our jobs. But I can absolutely guarantee you that none of that is worth anxiety, depression, anger, diabetes, alcoholism and suicidal tendencies if that pressure to perform is maintained indefinitely.

Taking care of business ultimately means taking care of yourself first.

I am going to be at InfoSecurity Europe in a few weeks time on stage with the Sarb and Peter, authors of the above mentioned Mental Health in Cyber Security paper.

Links to other interesting stuff on the web (affiliate links)

What Exactly is the Cyber Scheme?

Solving today’s Security Challenges With Device Centric SSE

Sneaky Tricks In Enterprise Pricing

Beer, PowerPoint and Politics

Leave a comment

Gone are the days when being a CISO (or even just ‘the security guy/gal’) was about actual information security or IT security. Even the term IT Security is outdated now and emphasises a one-dimensional view of what security is really about. However, I digress…

The Information Security element of CISO is correct, but for various reasons, the CISO’s role is very different from what it was a decade ago. The role then required a strong technologist who understood the firewalls, their rules, the cryptographic controls and even how to code hotfixes on the fly. This isn’t surprising given the role almost wholly came from an IT background; after all, back in the day, mere lip service was paid to the human element, and the legal considerations were considered simply “someone else’s job”.

I was often asked what my job as a CISO entailed, and because I didn’t initially understand what I had actually got myself in for when I took on my first CISO job I used to jokingly say;

PowerPoint and politics

Me. Back Then.

The odd thing is that this response is not far from the truth. My role became significantly less about my understanding of specific niches of information security knowledge and more about putting across to the business what this information security lot was all about and how it helped the company stay competitive, out of trouble or even just in business. The more I was doing this, the more I was embroiled in the day-to-day machinations of how a business works and the inescapable conclusion I came to was this; even if information security is seen as essential to the business, it is still just one voice of many that are trying to influence, cajole and be heard.

Moreover, this is where the politics come in, unfortunately. It is human nature and the way of businesses around the world. Politics is everywhere, and any CISO who doesn’t see and at least understand what is going on is, at best, going to be ignored and, at worst, eaten alive.

Which brings me to my second quote from me (well, it makes attribution a whole lot easier, doesn’t it?);

The purpose of a CISO is not to make the company more secure per se, but rather to help it sell more beer/widgets, increase shareholder value (as appropriate), and let the business make risky decisions more easily… through the judicious use of security

Me, Just now. Again.

The CISO should not be concerned with the name on the front of the firewall or the specifics of the latest penetration test. Instead, they should focus on how best to align their security services to the business and ensure security isn’t just a cost centre but a capability that allows teams and the company to run faster, more efficiently, and with less risk.

That doesn’t take technical knowledge; that takes strategic and business knowledge.

Links to other interesting stuff on the web (affiliate links)

Shift Gears: How to Leverage Data-Centric Security Controls in AWS

Changes to the OWASP API Security Top Ten 2019 to 2023

Cybersecurity as an Operational Effort

Risky Business

Leave a comment

<updated with missing risk matrix image>

Risk is a topic that I like to talk about a lot, mainly because I managed to get it ‘wrong’ for a very long time, and when I finally did realise what I was missing, everything else I struggled with fell into place around it. For me, therefore, Risk is the tiny cog in the big machine that, if it is not understood, greased and maintained, will snarl up everything else.

In the early days of my career, risk was something to be avoided, whatever the cost. Or rather, it needed to be Managed, Avoided, Transferred or Accepted down to the lowest possible levels across the board. Of course, I wasn’t so naive as to think all risks could be reduced to nothing, but they had to be reduced, and “accepting” a risk was what you did once it had been reduced. Imagine my surprise that you could “accept” a risk before you had even treated it!

There are many areas of risk that everyone should know before they start their risk management programme in whatever capacity they are in, but here are my top three:

Accepting the risk

If you want to know how not to accept a risk, look no further than this short music video  (which I have no affiliation with, honestly). Just accepting something because it is easy and you get to blame your predecessor or team is no way to deal with risks. Crucially, there is no reason why high-level risks cannot be accepted, as long as whoever does it is qualified to do so, cognizant of the potential fallout, and senior enough to have the authority to do so. Certain activities and technologies are inherently high risk; think of AI, IoT or oil and politics in Russia, but that doesn’t mean you should not be doing those activities. 

A company that doesn’t take risks is a company that doesn’t grow, and security risks are not the only ones that are being managed daily by the company leadership. Financial, geographic, market, people, and legal risks are just some things that need to be reviewed.

Your role as the security risk expert in your organisation is to deliver the measurement of the risks clearly as possible. That includes ensuring everyone understands how the score is derived, the logic behind it and the implications of that score. This brings us neatly to the second “Top Tip”:

Measuring the risk

Much has been written about how risks should be measured, quantitatively or qualitatively, for instance, financially or reputationally. Should you use a red/amber/green approach to scoring it, a percentage, or figure out of five? What is the best way to present it? In Word, Powerpoint or Excel? (Other popular office software is available.)

The reality is that, surprisingly, it doesn’t matter. What matters is choosing an approach and giving it a go; see if it works for you and your organisation. If it doesn’t, then look at different ways and methods. Throughout it all, however, it is vital that everyone involved in creating, owning and using the approach knows precisely how it works, what the assumptions are, and the implications of decisions being made from the information presented.

Nothing exemplifies this more than the NASA approach to risk. Now NASA, having the tough job of putting people into space via some of the most complicated machines in the world, would have a very rigorous, detailed and even complex approach to risk; after all, people’s lives are at stake here. And yet, their risk matrix comprises a five-by-five grid with probability on one axis and consequence on the other. The grid is then scored Low-Medium or High:

Seriously. That’s it. It doesn’t get much simpler than that. However, a 30-page supporting document explains precisely how the scores are derived, how probability and consequence should be measured, how the results can be verified, and so on. The actual simple measurement is different from what is important. It is what is behind it that is.

Incidents and risk

Just because you understand risk now, you may still need to be able to predict everything that might happen to you. For example, “Black Swan” events (from Nicholas Nasim Taleb’s book of the same name) cannot be predicted until they are apparent they will happen.

By this very fact, creating a risk register to predict unpredictable, potentially catastrophic events seems pointless. However, that differs from how an excellent approach to risk works. Your register allows you to update the organisational viewpoint on risk continuously. This provides supporting evidence of your security function’s work in addressing said risks and will enable you to help define a consensual view of the business’s risk appetite.

When a Black Swan event subsequently occurs (and it will), the incident response function will step up and address it as it would any incident. Learning points and advisories would be produced as part of the documented procedures they follow (You have these, right?), including future areas to look out for. This output must be reviewed and included in the risk register as appropriate. The risk register is then reviewed annually (or more frequently as required), and controls are updated, added or removed to reflect the current risk environment and appetite. Finally, the incident response team will review the risk register, safe in the knowledge it contains fresh and relevant data, and ensure their procedures and documentation are updated to reflect the most current risk environment.

Only by having an interconnected and symbiotic relationship between the risk function and the incident response function will you benefit most from understanding and communicating risks to the business.

So there you have it, three things to remember about risk that will help you not only be more effective when dealing with the inevitable incident but also help you communicate business benefits and support the demands of any modern business.

Risk is not a dirty word.

Links to other interesting stuff (affiliate links)

Building a Modern Exposure Management Program

Access Controls that Move – The Power of Data Security Posture Management

Vulnerabilities and Insights: A Look at Cybersecurity Challenges

The New Etiquette of Webinars (insert post-Covid statement here)

Leave a comment

Hands up if you have been to an in-person conference or summit since the middle of March this year. Yeah, me neither.

And so we saw the rapid build-up of the online webinar, starting from the first tentative steps made by the BBC’s Have I Got News For You, through to LinkedIn Live, Zoom based cabinet briefings being “hacked”, and the advent of the vanity backdrop. And there was much celebration amongst members of ISACA and (isc)2 as we could now still get CPE’s for sitting around drinking coffee and chatting with our infosec mates.

Some fo the first ones were, frankly, a little bit crap. Poor sound and video, and events organisers more used to managing people in person rather than at the end of a dodgy video link. But these were pioneering days, and let’s face it, we needed those CPEs. It didn’t take long for features to start pouring into platforms like Zoom, Teams, Discord, even Webex (used only by employees of Cisco and people trapped in a Cisco building), and other platforms like BrightTALK. Events people got better at putting them on and using the tools, and the quality went up. New tools (or tools that found a new audience) such as StreamYard and Livestorm have truly democratised the ability to produce slick online conferences with a big budget feel at pocket-friendly pricing.

But.

The rot is starting to seep in, and quickly too. It’s only been a few months as well.

For context since the beginning of this month (October) to the end of next month, I will have hosted over 30 hours of online events, mostly as a full-on Host but also as a panel moderator, and some poor behaviours are starting to seep in already.

So I present to you my Top Ten Webinar Peeves, from both sides of the screen

  • Start on time. Even if some of your speakers are suffering from technical difficulties, start on time. You should always have a plan B anyway, or a host that can think on their feet quickly enough to engage the audience for the few extra minutes needed. Unlike a physical conference, you don’t have a captive audience. They will leave to do something else or assume it was cancelled last minute. Be on screen straight away and engage immediately.
  • Finish on time. Or slightly earlier. Never overrun. Your attendees are busy people and have meetings and places to be. Again, they are not a captive audience with the promise of a free drink or six at the end of the show and will leave the session at the published time. This means any closing remarks, thanks to sponsors or calls to action will be lost, and the benefit of the session in the first place significantly reduced.
  • Test the platform upfront. There are so many different platforms out there now, all with their own quirks and foibles. Each one has a different workflow to share your screen to give a presentation or require an upload prior to the session. Others require a certain browser to work properly, and they all seem to handle audio devices in different ways. Get it sorted upfront.
  • Position your camera properly. Everybody’s home setup is different, but there are basics that need to be observed. Don’t sit with a window or other light source right behind you as it will darken your image such that you can’t be seen. Can’t move? Then close the curtains. Try out different lights in different locations to get the best picture of you (you want to be recognised at a real conference, later on, don’t you?), and get the camera at the same hight as your eyes. Nobody wants to look into your nostrils. This might mean putting your laptop on a stack of books or similar, but the change is very noticeable.
  • Use a wired microphone and headphones. Having audio coming out of your speakers is suboptimal and can result in feedback. Wired is best because of latency and sound quality. There are some Bluetooth headsets and buds available that do a good job here, but they are the exception, not the rule.
The steps you go to ensuring you look good on screen. I need all the help I can get.
  • Present to the schedule. As a speaker, if you have been given a 15-minute slot, speak for 15 minutes (give or take a couple of minutes I am not a heartless monster). the organisers will have some buffer built-in and can work on the fly for genuine accidental overruns, but if your 15-minute slot goes on for 40 minutes, that is rude and disrespectful to the organisers, the speakers following you, and the audience who may not have even joined to watch you but rather subsequent speakers.
  • Have a timer. Conversely, more organisers should have a visible countdown clock on-screen that will allow everyone to see how much time they have remaining. Additionally, confirming on a regular basis that the speaker knows they will be interrupted and shut down if they exceed their slot by too much is a good way of reinforcing the message to the speaker.
  • Have a discussion area available. Not all questions are going to be answered in the session, so having a Slack, Discord or other platforms available will help immensely and ensure your speakers have an opportunity to connect to the audience after the session if need be.
  • Let everyone speak. A good host will ensure that everyone on a panel or discussion gets the opportunity to put their point across. Most of the time everyone is happy for this to happen, but sometimes people like the sound of their own voice over everyone else’s. Short of removing that person from the session, it is very difficult to manage that without causing embarrassment. Don’t be that person. Let the moderator/host guide you through the whole session as they have a much better idea of what is supposed to happen and when.
  • For goodness’ sake, have fun! As if this year hasn’t been tough enough already, having an opportunity to get together and listen to good talks should be embraced and be enjoyable.

So, speakers, presenters and organisers alike, some tips to make these new (obligatory post-COVID statement here) webinars and sessions more effective for everyone. There are plenty of other tips (don’t use a virtual background if you don’t have a green screen for instance), but these will certainly improve any even you are involved in, and in whatever capacity.

The best thing about virtual events though is that I can get my tea and snacks whenever I want, and not when the venue staff decide. Win-win.

The Runners and Riders of Lockdown

Leave a comment

After over six weeks of some kind of lockdown here in the UK, and similar amounts of time elsewhere in the world, it has become very obvious to me that many companies out there are simply ill-equipped to deal with the change in lifestyle the lockdown demands.

By ill-equipped, I don’t just mean from a technology perspective, although we see some of that as companies reduce security requirements to get users online from home. What I mean is that culturally they are not equipped to deal not only with a workforce that needs to work remotely but also a market that is doing the same. Put simply; companies are struggling to re-gear their sales and marketing departments to this brave new world we find ourselves.

I say this because as an industry we are used to a plethora of in-person events happening where vendors can either have stalls displaying their latest products, or stages where carefully polished presentations and panels are put on for us to watch, learn and hopefully decide to buy their product from. Webinars and online events were there but were the distant, impoverished, uglier cousin of something live, in-person and your face. Indeed, just a few weeks before the lockdown I was at RSA Conference in San Francisco, where the very epitome of what I describe was played out for the world to see.*

Then suddenly, it all stopped. Conferences and shows were cancelled, events postponed indefinitely, and in many cases, the security product landscape just stopped. I understand why, in many cases, cash flow needed to be conserved in these unprecedented times. However, it very quickly became apparent that this was the new normal, and that the companies that didn’t embrace it would quickly become irrelevant. after all, if you can’t adapt to a few weeks of disruption, what kind of company are you, delivering products to an industry that needs to plan for disruption?

I watched “Have I Got News For you” in those first few weeks on the BBC, a topical panel show comprised of 5 people, and they did it by having the guests record from their homes.

Have I Got News For You, March 2020

It was different, the dynamic was… a little off… but the show went ahead, the jokes landed, and each subsequent show got better. In other words, the BBC just got on with it, embraced the change, and made it work.

The same needs to happen to many of the security vendors, as unfortunately, it is a case of remaining relevant throughout the lockdown, in the front of people’s minds, and showing that they can overcome adversity by delivering knowledge and information. Those that don’t do it, retract into their proverbial shells and wait for “normality” to return will suffer.

Also, let us assume that normality does return, whatever form that might take. Those that have embraced these alternative Zoom/Skype/Teams/Hangouts/whatever approaches may find they are just as valuable as in-person events and can operate both, side by side, now unconstrained by the lockdown and able to use film and audio in even more creative ways. Which company would you choose to work with in the future, the one who sat tight, and did little market outreach during the lockdown, or the company that continued to communicate with their clients and potential clients through different mediums, sometimes getting it wrong but continually innovating and improving. Which company has the better culture?

It isn’t even a matter of cost. The LinkedIn Live, Zoom, Webinar etc. technologies already existed and were invested in, just woefully underutilised.

The same argument also applies to work from home, as many organisations now realise that productivity isn’t hours sat at the office desk, but rather results.  Which organisation/manager would you want to work for? The one that never changes or the culturally adaptive one that is based on results and trust?

These are challenging times, but these are the times that are going to show many companies in their true light, and you can use this time to differentiate between them.

 

*I do love a good conference, and the benefits they bring to my peers and me are fabulous, in case you think I am biased against them.