The Runners and Riders of Lockdown

After over six weeks of some kind of lockdown here in the UK, and similar amounts of time elsewhere in the world, it has become very obvious to me that many companies out there are simply ill-equipped to deal with the change in lifestyle the lockdown demands.

By ill-equipped, I don’t just mean from a technology perspective, although we see some of that as companies reduce security requirements to get users online from home. What I mean is that culturally they are not equipped to deal not only with a workforce that needs to work remotely but also a market that is doing the same. Put simply; companies are struggling to re-gear their sales and marketing departments to this brave new world we find ourselves.

I say this because as an industry we are used to a plethora of in-person events happening where vendors can either have stalls displaying their latest products, or stages where carefully polished presentations and panels are put on for us to watch, learn and hopefully decide to buy their product from. Webinars and online events were there but were the distant, impoverished, uglier cousin of something live, in-person and your face. Indeed, just a few weeks before the lockdown I was at RSA Conference in San Francisco, where the very epitome of what I describe was played out for the world to see.*

Then suddenly, it all stopped. Conferences and shows were cancelled, events postponed indefinitely, and in many cases, the security product landscape just stopped. I understand why, in many cases, cash flow needed to be conserved in these unprecedented times. However, it very quickly became apparent that this was the new normal, and that the companies that didn’t embrace it would quickly become irrelevant. after all, if you can’t adapt to a few weeks of disruption, what kind of company are you, delivering products to an industry that needs to plan for disruption?

I watched “Have I Got News For you” in those first few weeks on the BBC, a topical panel show comprised of 5 people, and they did it by having the guests record from their homes.

Have I Got News For You, March 2020

It was different, the dynamic was… a little off… but the show went ahead, the jokes landed, and each subsequent show got better. In other words, the BBC just got on with it, embraced the change, and made it work.

The same needs to happen to many of the security vendors, as unfortunately, it is a case of remaining relevant throughout the lockdown, in the front of people’s minds, and showing that they can overcome adversity by delivering knowledge and information. Those that don’t do it, retract into their proverbial shells and wait for “normality” to return will suffer.

Also, let us assume that normality does return, whatever form that might take. Those that have embraced these alternative Zoom/Skype/Teams/Hangouts/whatever approaches may find they are just as valuable as in-person events and can operate both, side by side, now unconstrained by the lockdown and able to use film and audio in even more creative ways. Which company would you choose to work with in the future, the one who sat tight, and did little market outreach during the lockdown, or the company that continued to communicate with their clients and potential clients through different mediums, sometimes getting it wrong but continually innovating and improving. Which company has the better culture?

It isn’t even a matter of cost. The LinkedIn Live, Zoom, Webinar etc. technologies already existed and were invested in, just woefully underutilised.

The same argument also applies to work from home, as many organisations now realise that productivity isn’t hours sat at the office desk, but rather results.  Which organisation/manager would you want to work for? The one that never changes or the culturally adaptive one that is based on results and trust?

These are challenging times, but these are the times that are going to show many companies in their true light, and you can use this time to differentiate between them.

 

*I do love a good conference, and the benefits they bring to my peers and me are fabulous, in case you think I am biased against them.


RSA 2019, and women finally had to queue for the toilets…

If the streets of San Francisco are becoming more cluttered as the homeless problem gets worse year after year, the conference itself seemed to take a clear shift towards a more friendly and inclusive event.

The redesign of the conference wasn’t just limited to the Moscone Centre itself. To be sure , the revised layout meant even more vendors could be squeezed in (where do they all come from?!) and we could find ourselves utterly lost on the expo floor as it was no longer clear if we were in the North or South hall, and what direction we had to walk in for the West hall when we finally emerged, blinking into the weak Californian sun.

This redesign, if it can be called that, came across to me in two distinct ways, both of which are areas that are close to me. Sure, the talks were good, the Keynotes interesting (if occasionally sponsored), and the overall organisation was excellent. But the two areas I thought that stood out were diversity and wellness.

Of course, the more cynical of us will say that it was just a move that RSA made to keep the haters quiet and the ticket sales up, but it really did feel like a corner had been turned here. That is not to say they did it first, as there are thousands of events around the world that are supporting diversity and wellness, but to see it done at this scale is what made it stand out. RSA is undeniably a commercial conference, and many parts of the infused echo chamber deride it for being so, but it is also a litmus test of how the industry as a whole is performing.

 

Group_Male_Executives1

Therefore, seeing the demise of the all male panel (or “manel” as I heard it described) and seeing broadly balance panels, and a larger number of talks fronted by women is the direction that the community has been pushing for years. It takes effort to redress a balance like this, but when it reflects is a high profile show like this the benefits are greatly increased. As a direct result of this, my unscientific method of just using my eyes showed me there was a greater number of women attending as well. (I think I even saw a queue for the ladies toilets at one point as well – now if that isn’t scientific proof i don’t know what is). This greater balance is better for all of us in this industry, however you look at it.

As for wellness, I counted at least three sessions on the impact of infosec on mental health, including one keynote. I was informed just today that a straw poll found that 14% of CISOs found the stress of the job “unbearable and unsustainable”, and the associated decline in mental health a very real cause for concern. Our toxic mixture of being measured on failure and the requirements for us to 24×7 “keep secrets” means none of this reported or addressed, and people are suffering. Seeing this addressed by senior and well known people in the field in an open forum can only mean good things and result in better health overall.

Let’s be clear, diversity and wellness are still in the early stages of being addressed, but being addressed they are, and if more shows and conferences like RSA can continue to push the agenda, then the information security industry will become a friendlier place.

Let’s not forget (Will) Wheaton’s Law that applies to all of us here, and a mantra to live your personal as well as your professional life by:

“Don’t be a Dick”.

I was also involved in some media coverage, mainly because of the very fine folks at ITSP Magazine. I helped with a daily wrap up report and an end of show report as well. You will not I hope, dear reader, have missed the quite excellent T-shirts I happen to be sporting…

Thursday’s update was so good, we even did it twice ; if you ever get to meet Sean you can ask him why…

Selena, Marco and Sean did a fantastic job summarising every day, as well as carrying out a slew of other interviews and update. Please do check out their magazine and subscribe, i promise you won’t be disappointed.

I also did an interview with Matthew Schwartz of ISMG, under thier Bank Info Security brand. It focussed on wellness and mental health, and has yet to be published (if at all). This was an interesting choice for me as I do not wish to become the poster boy for this topic, but given the wholly positive response I have recieved from people who not only are affected by the issues I raised, now feel “safe” to talk about them, it is hard to not talk more about it. I have no doubt I will be talking more on this, so I guess i will have to hone the message more to not just get the point across but also avoid being placed in this niche itself.

Hopefully that interview will surface as Matthew is a wonderful interviewer and friend, and he helped tell the story in a very compelling and sensitive way.

Finally, i had the opportunity to knock around RSA with my old mucker Javvad. We absolutely did not plan any filming, and I absolutey did not help him script his film, or even hang around hoping to be filmed. But as luck would have it I happened to be in the right place at the right time to be interviewed.

In it I opine about the huge amounts of negativity aimed at vemndors during RSA, even hearing some commentators refer to it as a “vendor wank-fest” which is both disingenuous and frankly a somewhat disturbing image to conjur up. I will leave you to watch Javvad’s thoughtful film on the topic of vendors, suffice to say that without them we wouldn’t have half of the community we have now.

And then the week was over in a flash. Diversity, wellness, toilets, faulty microphones, vendors and filming, all wrapped up in a blog post, films and a bunch of fun memories.

<edit> Typos


Opening a New Door of Opportunity

As many of you have worked out by now I am no longer in full time employment and have decided to open the doors on my own business; I give you (TL)2 Security Ltd:

tl2_square_colour_logo

Originally intended to fill a gap on my CV while I find a full time job, and allow me to take on work in the interim, I have been blown away by the interest in the services (TL)2 Security offers and thee immense goodwill from so many people. As I was building the website I decided to go beyond a simple one page brochure and expand it a little, resulting in a genuine sense of excitement that I really could make a go of this little enterprise!

As a result I am sat in an office in Paris having just signed my first contract for a couple of months of work. This isn’t just any work, this is an international contract no less! I am also pleased to say I also have other work lined up and getting ready for the contract stage and all in all I am feeling a little pleased with myself.

FIST-PUMP-BABY-THUMB

You can visit the official site at (TL)2 Security, and see the consultancy services on offer, but they broadly fall into two camps, namely strategic (vCISO, strategic advice & support) and Speaking (conferences, keynotes, brand advocacy). It is deliberately very broad at this point and plenty of grey area in between where I will no doubt take on work that is neither one camp or the other; I do have a mortgage to pay after all.

So please welcome (TL)2 Security to the world, incorporated on 25th January 2019, and the first contract signed exactly a month later. It was a difficult labour, and I am still finding my feet, but I am so very, very excited to help it grow up and become a force to be reckoned with.

As the well know philosopher and entrepreneur, Derek Trotter, once said;

“This time next year, we could be millionaires”


What, No Expense Account? My RSA 2019 Itinerary

Yes, you read it here first, I will not be jetting into San Francisco on my private jet and staying at a hotel I wouldn”t tell you plebs about anyway.

RSA 2019 will be a first for me in that I am representing myself and not expensing my trip on the company dime. I am attending in part, to the generosity of ITSP Magazine, (cheers, Sean and Marco!) and all I have to do in return is type a few words out for them. They may already be regretting that decision after seeing me insulting you, dear reader, in my first sentence of this blog.

I often attend RSA without a solid itinerary, getting a lot of value of the “hallway track” and the multitude of events that are thrown in and around the city during the conference proper. However, since I now have some of my personal cash invested in this trip (I am staying in an AirBnB with a shared bathroom for goodness sake), it is probably wise to get at least some kind of structure together. To wit:

dirty-bathroom

Oh, the inhumanity…

The Sessions

  • HUM-T06: Humans Are Awesome at Risk Management
  • DevOps Wine0ing (Not Whining) Cocktail Party
  • ID-T07: Studies of 2FA, Why Johnny Can’t Use 2FA and How We Can Change That
  • CXO-T09: How to Manage and Understand Your Human Risk
  • InfoSecurity Magazine Breakfast Briefing
  • Threat Modelling Brunch with IriusRisk
  • Security Blogger Awards (is it still on this year?)
  • KEY-R02S: Burnout and You: Fireside Chat with Dr. Christina Maslach
  • CXO-R11: The Fine Art of Creating a Transformational Cybersecurity Strategy
  • PROF-F01: Five Secrets to Attract and Retain Top Tech Talent in Your Future Workplace
  • PROF-F02: Why the Role of the CISO Sucks and What We Should Do to Fix It!

In summary then, risk, stress, strategy and human beings; all the key ingredients of any information security function.

This is my first cut of the agenda, and I reserve the right to not attend these and attend others, especially if some of my friends, colleagues, old drinking buddies and interesting random strangers turn up. Because that is what RSA is really about; meeting, networking and swapping ideas and opinions in real time.

The educational element is excellent of cours,, but it is rare that they will address exactly the problems you are facing day to day. You will learn something, you will expand your knowledge and you will take fantastic advice away with you, but it is rare you will get an hour face to face with he speaker. Taking the opportunity to really network and chew the fat with your old chums, as well as new o9nes is an invaluable way of really focusing your efforts.

Of course I have some specific goals (remember my reason for staying in the AirBnB?); I will be networking to find potential consulting work in the future, looking for NED or advisory positions, and seeing what is coming on the horizon from the many vendors. I am also interested to see if Artificial Intelligence code has actually been written in anything other than PowerPoint, although I suspect I will be disappointed again on that front.. Meeting my old boss and mentor, my old Deputy,  a multitude of other pals, even the guy who reckons he is the sole founder of Host Unknown (when everyone knows that is me), is just icing on the cake. I am definitely looking forward to catching up with the person who said I could use their hotel room bathroom too.

There will also be a Host Unknown party, bought to you by the kind sponsorship of anyone who turns up, just like last year in Las Vegas during Black Hat and DefCon. I have heard at least two of the sole founders will be there to welcome the dollar bills of sponsorship from the attendees.

It’s going to be a long, endless week, but I do know that I will come back with more knowledge, more passion, more energy and more excitement for our industry than ever before.

And a whole lot less cash in the bank, so if you see me, don’t forget to offer food and drink.


The Art of the Presentation (Part 1 of 3)

In a post a few years ago I talked about The Art of the Conference, and what conference organisers can do to improve their conferences and make lives easier for their presenters. I was reminded of this post again recently as this is the sixth year that I am mentoring a rookie speaker at BSides London, and in my initial conversation with them I discussed a three stage approach to creating, practising and delivering the talk (the latter of which touches on the content of my previous post).

This post focusses on the first part of this process, the actual creation of the talk.

The Idea

This is actually the hardest part of the entire process (aside perhaps from actually standing in front of 200 people of course). In my experience many people try to not only come up with a wholly unique idea, but then try and explore it in too much detail. Given your talk will probably be competing against many other talks, the easiest way to make yours stand out is with it’s simplicity. Take the core of a topic, and honestly ask yourself what your view on it is; do you agree with it, if not why not, what could be better, what is your experience of it and how have you addressed it? By keeping it simple your audience will have more chance of remembering what you said. This process could take anywhere from minutes to weeks and weeks dependent upon your experience, knowledge and confidence. Don’t assume however that just because you have an opinion that everyone else is fully knowledgeable of it either; if nothing else you are bringing your own unique viewpoint.

The Creative

This is a point at which your approach may differ, but I have always found this the best way of actually inspiring myself and getting my story straight. I fill a sheet of paper with boxes (below) and then start to sketch out, not always legibly) the approach I am going to take on the deck I produce. I do this because it ensures I don’t write any actual prose on the topic; personally when I do this I find it very difficult to then pull myself away from the prose when presenting. It is a mental block of sorts of course, but this approach allows me to sketch out the story of my talk without having to get attached to a certain way of saying things

I try and avoid too many words as they are a distraction to the audience, and focus on high resolution images that help embellish my point or provoke an appropriate reaction from the audience. There are some very good books on creating slides for presentation that I have referenced, Presentation Zen and Slide:ology; I strongly recommend these to anyone who wants to up their game on the visual presentation side of things.

This approach also allows you to build a story; making sure your presentation has a beginning, middle and end help draw your audience in. What talk would you rather watch…

My talk is about a simple technology we used to allow someone to Tweet over a phone call.

or

John Doe is a man who was imprisoned on the flimsiest of evidence and with ludicrously high bail. He had restricted access to legal counsel and even family were not allowed to visit him. His entire campaign for justice was focussed around his significant Twitter followers, and given his elevated fame in his industry was where most of his support would come from. Here is the story of how we used a Raspberry Pi, two cans, a length of string and Python to allow him to live Tweet from his weekly phone call, directly and un-redacted, and ultimately beat the corrupt government that had arrested him.

Your approach needs to be simple, but that doesn’t mean it needs to be dull.

The Timings

Timing a presentation is very difficult, but after some experience I have found I can not only tell roughly what the length of a presentation created like this, but can also vary it in length, sometimes upon to 100%. The other rule of thumb is to dive the number of minutes you have by the number of slides. One slide for roughly every minute is a good place to start, but keep an eye out for when that number increases. Trying to cover more than one slide every 15 seconds is going to be very challenging.

The Takeaways

I often say that people will remember less than 30% of what you said less that 30 minutes after you have finished speaking. Not only is this where the simplicity of your deck is important, but also making sure you leave the audience with clear activities or advice on what to do next is vitally important. If you don’t do this, you will leave the audience somewhat nonplussed even if your content is great. As one close friend of mine said to me after I had asked for feedback:

It was a good talk, but I got to the end and thought “meh, so what?”

Your talk can be interesting, but if it doesn’t have a point, you will always be in the “meh” zone.

Next time (or maybe the time after), The Art of the Presentation (Part 2 of 3) – Practising.