Opening a New Door of Opportunity

As many of you have worked out by now I am no longer in full time employment and have decided to open the doors on my own business; I give you (TL)2 Security Ltd:

tl2_square_colour_logo

Originally intended to fill a gap on my CV while I find a full time job, and allow me to take on work in the interim, I have been blown away by the interest in the services (TL)2 Security offers and thee immense goodwill from so many people. As I was building the website I decided to go beyond a simple one page brochure and expand it a little, resulting in a genuine sense of excitement that I really could make a go of this little enterprise!

As a result I am sat in an office in Paris having just signed my first contract for a couple of months of work. This isn’t just any work, this is an international contract no less! I am also pleased to say I also have other work lined up and getting ready for the contract stage and all in all I am feeling a little pleased with myself.

FIST-PUMP-BABY-THUMB

You can visit the official site at (TL)2 Security, and see the consultancy services on offer, but they broadly fall into two camps, namely strategic (vCISO, strategic advice & support) and Speaking (conferences, keynotes, brand advocacy). It is deliberately very broad at this point and plenty of grey area in between where I will no doubt take on work that is neither one camp or the other; I do have a mortgage to pay after all.

So please welcome (TL)2 Security to the world, incorporated on 25th January 2019, and the first contract signed exactly a month later. It was a difficult labour, and I am still finding my feet, but I am so very, very excited to help it grow up and become a force to be reckoned with.

As the well know philosopher and entrepreneur, Derek Trotter, once said;

“This time next year, we could be millionaires”


What, No Expense Account? My RSA 2019 Itinerary

Yes, you read it here first, I will not be jetting into San Francisco on my private jet and staying at a hotel I wouldn”t tell you plebs about anyway.

RSA 2019 will be a first for me in that I am representing myself and not expensing my trip on the company dime. I am attending in part, to the generosity of ITSP Magazine, (cheers, Sean and Marco!) and all I have to do in return is type a few words out for them. They may already be regretting that decision after seeing me insulting you, dear reader, in my first sentence of this blog.

I often attend RSA without a solid itinerary, getting a lot of value of the “hallway track” and the multitude of events that are thrown in and around the city during the conference proper. However, since I now have some of my personal cash invested in this trip (I am staying in an AirBnB with a shared bathroom for goodness sake), it is probably wise to get at least some kind of structure together. To wit:

dirty-bathroom

Oh, the inhumanity…

The Sessions

  • HUM-T06: Humans Are Awesome at Risk Management
  • DevOps Wine0ing (Not Whining) Cocktail Party
  • ID-T07: Studies of 2FA, Why Johnny Can’t Use 2FA and How We Can Change That
  • CXO-T09: How to Manage and Understand Your Human Risk
  • InfoSecurity Magazine Breakfast Briefing
  • Threat Modelling Brunch with IriusRisk
  • Security Blogger Awards (is it still on this year?)
  • KEY-R02S: Burnout and You: Fireside Chat with Dr. Christina Maslach
  • CXO-R11: The Fine Art of Creating a Transformational Cybersecurity Strategy
  • PROF-F01: Five Secrets to Attract and Retain Top Tech Talent in Your Future Workplace
  • PROF-F02: Why the Role of the CISO Sucks and What We Should Do to Fix It!

In summary then, risk, stress, strategy and human beings; all the key ingredients of any information security function.

This is my first cut of the agenda, and I reserve the right to not attend these and attend others, especially if some of my friends, colleagues, old drinking buddies and interesting random strangers turn up. Because that is what RSA is really about; meeting, networking and swapping ideas and opinions in real time.

The educational element is excellent of cours,, but it is rare that they will address exactly the problems you are facing day to day. You will learn something, you will expand your knowledge and you will take fantastic advice away with you, but it is rare you will get an hour face to face with he speaker. Taking the opportunity to really network and chew the fat with your old chums, as well as new o9nes is an invaluable way of really focusing your efforts.

Of course I have some specific goals (remember my reason for staying in the AirBnB?); I will be networking to find potential consulting work in the future, looking for NED or advisory positions, and seeing what is coming on the horizon from the many vendors. I am also interested to see if Artificial Intelligence code has actually been written in anything other than PowerPoint, although I suspect I will be disappointed again on that front.. Meeting my old boss and mentor, my old Deputy,  a multitude of other pals, even the guy who reckons he is the sole founder of Host Unknown (when everyone knows that is me), is just icing on the cake. I am definitely looking forward to catching up with the person who said I could use their hotel room bathroom too.

There will also be a Host Unknown party, bought to you by the kind sponsorship of anyone who turns up, just like last year in Las Vegas during Black Hat and DefCon. I have heard at least two of the sole founders will be there to welcome the dollar bills of sponsorship from the attendees.

It’s going to be a long, endless week, but I do know that I will come back with more knowledge, more passion, more energy and more excitement for our industry than ever before.

And a whole lot less cash in the bank, so if you see me, don’t forget to offer food and drink.


The Art of the Presentation (Part 1 of 3)

In a post a few years ago I talked about The Art of the Conference, and what conference organisers can do to improve their conferences and make lives easier for their presenters. I was reminded of this post again recently as this is the sixth year that I am mentoring a rookie speaker at BSides London, and in my initial conversation with them I discussed a three stage approach to creating, practising and delivering the talk (the latter of which touches on the content of my previous post).

This post focusses on the first part of this process, the actual creation of the talk.

The Idea

This is actually the hardest part of the entire process (aside perhaps from actually standing in front of 200 people of course). In my experience many people try to not only come up with a wholly unique idea, but then try and explore it in too much detail. Given your talk will probably be competing against many other talks, the easiest way to make yours stand out is with it’s simplicity. Take the core of a topic, and honestly ask yourself what your view on it is; do you agree with it, if not why not, what could be better, what is your experience of it and how have you addressed it? By keeping it simple your audience will have more chance of remembering what you said. This process could take anywhere from minutes to weeks and weeks dependent upon your experience, knowledge and confidence. Don’t assume however that just because you have an opinion that everyone else is fully knowledgeable of it either; if nothing else you are bringing your own unique viewpoint.

The Creative

This is a point at which your approach may differ, but I have always found this the best way of actually inspiring myself and getting my story straight. I fill a sheet of paper with boxes (below) and then start to sketch out, not always legibly) the approach I am going to take on the deck I produce. I do this because it ensures I don’t write any actual prose on the topic; personally when I do this I find it very difficult to then pull myself away from the prose when presenting. It is a mental block of sorts of course, but this approach allows me to sketch out the story of my talk without having to get attached to a certain way of saying things

I try and avoid too many words as they are a distraction to the audience, and focus on high resolution images that help embellish my point or provoke an appropriate reaction from the audience. There are some very good books on creating slides for presentation that I have referenced, Presentation Zen and Slide:ology; I strongly recommend these to anyone who wants to up their game on the visual presentation side of things.

This approach also allows you to build a story; making sure your presentation has a beginning, middle and end help draw your audience in. What talk would you rather watch…

My talk is about a simple technology we used to allow someone to Tweet over a phone call.

or

John Doe is a man who was imprisoned on the flimsiest of evidence and with ludicrously high bail. He had restricted access to legal counsel and even family were not allowed to visit him. His entire campaign for justice was focussed around his significant Twitter followers, and given his elevated fame in his industry was where most of his support would come from. Here is the story of how we used a Raspberry Pi, two cans, a length of string and Python to allow him to live Tweet from his weekly phone call, directly and un-redacted, and ultimately beat the corrupt government that had arrested him.

Your approach needs to be simple, but that doesn’t mean it needs to be dull.

The Timings

Timing a presentation is very difficult, but after some experience I have found I can not only tell roughly what the length of a presentation created like this, but can also vary it in length, sometimes upon to 100%. The other rule of thumb is to dive the number of minutes you have by the number of slides. One slide for roughly every minute is a good place to start, but keep an eye out for when that number increases. Trying to cover more than one slide every 15 seconds is going to be very challenging.

The Takeaways

I often say that people will remember less than 30% of what you said less that 30 minutes after you have finished speaking. Not only is this where the simplicity of your deck is important, but also making sure you leave the audience with clear activities or advice on what to do next is vitally important. If you don’t do this, you will leave the audience somewhat nonplussed even if your content is great. As one close friend of mine said to me after I had asked for feedback:

It was a good talk, but I got to the end and thought “meh, so what?”

Your talk can be interesting, but if it doesn’t have a point, you will always be in the “meh” zone.

Next time (or maybe the time after), The Art of the Presentation (Part 2 of 3) – Practising.


Ground Control to Major Thom

I recently finished a book called “Into the Black” by Roland White, charting the birth of the space shuttle from the beginnings of the space race through to it’s untimely retirement. It is a fascinating account of why “space is hard” and exemplifies the need for compromise and balance of risks in even the harshest of environments.

Having seen two shuttles first hand in the last nine months (the Enterprise on USS Intrepid in New York and the Atlanta at Kennedy Space Centre), it boggles my mind that something so big could get into space and back again, to be reused. Facts like the exhaust from each of the three main engines on the shuttle burn hotter than the melting temperature of the metal the engine ‘bells’ are made of (they ingeniously pipe supercooled fuel down the outside of the bells to not only act as an afterburner of sorts but also cool the bells themselves) go to show the kind of engineering challenges that needed to be overcome.

There was one incident however that really struck me regarding the relationship between the crew onboard and the crew on the ground. On the Shuttle’s maiden flight into space, STS-1 also known as Columbia carried out 37 orbits of the earth with two crew on board, mission commander John W. Young and pilot Robert L. Crippen. Once orbit was achieved an inspection of the critical heat tiles on the underside of the shuttle showed some potential damage. If the damage was too extensive the return to earth would (as later events in the Shuttle’s history proved) be fatal.

The crew however were tasked with a variety of other activities, including fixing problems onboard they could address. They left the task of assessing and calculating the damage to those on the ground who were better equipped and experienced to deal with the situation. This they duly did and as we know Columbia landed safely just over two days later.

It struck me that this reflects well the way information Security professionals should treat the individuals we are tasked with supporting. There is much that individuals can do to help of course, and that is why training and awareness efforts are so important, but too often it is the case that “we would be secure if it wasn’t for the dumb users”. The sole purpose of the Columbia ground crew was to support and ensure the safe return of those on board STS-1 so that they could get on with their jobs in space. Ours is the same.

Just because te crew had extensive training to deal with issues as they arose, the best use of their time was to focus on the job in hand and let ground crew worry about other problems. The people we support should also be trained to deal with security issues, but sometimes they really need to just get on with the deliverables at hand and let us deal with the security issue. They might be trained and capable, but we need to identify when the best course of action is to deal with their security issues for them, freeing them to do their work.

Never forget that we support our organisations/businesses to do their jobs. We provide tools to allow them to be more effective in their end goals but it is still our responsibility to do the heavy lifting when the time comes. Except in very rare cases we are there because of them, not in spite of them.

(Photo courtesy of William Lau @lausecurity)


Security is Not, and Should not be Treated as, a Special Flower

My normal Wednesday lunch yesterday was rudely interrupted by my adequate friend and reasonable security advocate Javvad calling me to ask my opinion on something. This in itself was surprising enough, but the fact that I immediately gave a strong and impassioned response told me this might be something I needed to explore further…

The UK Parliament in this report have recommended that CEO salaries should be defined by their attitude and effectiveness of their cybersecurity. I am not one normally for histrionics when it comes to government reports, partly because they are often impenetrable and not directed at me or my lifestyle, but I will make an exception in this case. I think this attitude is quite simply short sighted and a knee jerk reaction to a very public breach that was admittedly caused by a lackadaisical attitude to security.

I have argued for a long time that the security function is not a “special flower” in the business, and that by supporting that case security becomes an inhibitor of the business, restricting it from taking the kind of risks that are vital to a growing and agile business. The only way I would agree to this demand would be if the CEO’s compensation was directly related to financial performance, staff attrition, number of court cases levelled and number of fires or false alarms in its premises, and have that all supported by a change in the law. If that happened, there would suddenly be a dearth of well paid, well motivated CEO’s in the country.

By calling security out individually means the security function will all to easily slip back into old behaviours of saying NO! to every request, only this time the reason given is not just “it’s not secure”, but also “Bob’s pay depends on it”.

This can only work if every other function of the CEO was also covered by similar laws as I said above. Sure, there are basic behaviour laws around financial, people, legal, facilities etc. such that a company can’t be embezzled, people can’t be exploited or put into danger etc.. But this recommendations makes security far to primary a concern. It also doesn’t even take into account the fact that determined hackers will get in anyway in many cases, or that data can easily be stolen through softer, social engineering techniques. Zero day exploit, never before seen? Sorry Mr CEO, you need to take a pay cut for not having a cyber crystal ball and defending against it. Determined nation state attacks? Tough luck you only have a cyber budget a fraction the size of the attackers, back to reduced pay.

I get that many folks are angry with the level of CEO pay and reward in the workplace these days. In the case of Talk Talk I find it astounding that Dame Dido Harding has been awarded £2.8 million GBP in pay and shares after what has to be an absolutely disastrous year fro Talk Talk. That said, I also don’t know the details of her contract and the performance related aspects of it; maybe she hit all of her targets, and cyber risk was not one of them.

This is where we need to address this; not in law and regulation, but in cyber savvy contracts and performance metrics within the workplace and enforced by the Board. No emphasis on cybersecurity, but a balanced view across the entire business.

No single part of a business is the special flower, we all have an equal and unique beauty and contribution to make.