The Lost CISO who?

And why am I being spammed with Twitter and LinkedIn about him all the time at the moment?

I came up with the concept of The Lost CISO when I was working late in the office one night. I decided to start writing and doing something about it straight away, and even created the banner and took my own picture for it sitting at my desk. I also pulled the graphics together there and then, not in Photoshop but Apple Pages (I was an executive at the time and to my shame do not know how to use Photoshop). It still came out alright I think, though.


The idea was to create short informational videos, 2-3 minutes long, almost like a high energy presentation, in front of a green screen onto which I could then superimpose relevant imagery etc. It was a good concept, I thought, and within my technical skills with a camera and Final Cut Pro X. Or so I thought. I could also put all of my other InfoSec videos under the same brand, tying it up into a neat piece of branding. The films would be aimed at people who are simply keen to learn, and no more. Not all of it will be groundbreaking stuff, but it will be researched, experienced or just advice that flies in the face of common knowledge. The basics, Plus, I suppose.

I created a test and shared it with some friends who gave me some honest feedback on quality, imagery etc. I then did a first episode (bearing in mind each one took me about 7 days of intermittent work to edit), shared it again, and excitedly held my breath.

“Do not release this… it will do your personal brand more damage than good…”

Ouch.

Back to the drawing board; except I didn’t, because life and work got in the way. Twelve months went by, and I decided to just get this done properly once and for all. So I invested in some quality lighting, foley and a decent green screen, even hired someone to do the filming and editing for me, and got to work. Of course, now that I run my own business, I wasn’t able to prepare the topics as well as I wanted. To be honest, I pretty much flew through the filming so I could get onto the next job in my increasingly long To-Do list, but the quality, and to be honest the creative talent I hired, shines through far more than before.

As always, my success (such as it is) is tied to the talent of others. A lesson for everyone there, I think…

What’s the infosec lesson here? None really, although perhaps at a stretch I could say that just because my original idea failed didn’t mean it was a bad one, and I just needed the right resources. I don’t know, parallels to infosec education and awareness training maybe.

I hope you enjoy the series, and please do comment on them, let me know what you think and also if you would like a particular topic covered.


Keeping It Supremely Simple, the NASA way

Any regular reader (hello to both of you) will know that I also follow an ex-NASA engineer/manager by the name of Wayne Hale. Having been in NASA for much of his adult life and been involved across the board, he brings a fascinating view of the complexities of space travel and, just as interestingly, of risk.

His recent post is about damage to the Space Shuttle’s foam insulation on the external fuel tank (the big orange thing), and the steps NASA went through to return the shuttle to active service after it was found that loose foam was what had damaged the heat shield of Columbia, resulting in its destruction. His insight into the machinations of NASA, the undue influence of Politics as well as politics, and the fact that ultimately everything comes down to a risk based approach make his writing compelling and above all educational. This is writ large in the hugely complex world of space travel, something I would hazard a guess virtually all of us are not involved in!

It was when I read the following paragraph that my jaw dropped a little as I realised that even in NASA many decisions are based on a very simple presentation of risk, something I am a vehement supporter of:

NASA uses a matrix to plot the risks involved in any activity.  Five squares by five squares; rating risk probability from low to high and consequence from negligible to catastrophic.  The risk of foam coming off part of the External Tank and causing another catastrophe was in the top right-hand box:  5×5:  Probable and Catastrophic.  That square is colored red for a reason.

What? The hugely complex world of NASA is governed by a five by five matrix like this?

Isn’t this a hugely simplistic approach that just sweeps over the complexities and nuances of an immensely complex environment where lives are at stake and careers and reputations constantly on the line? Then the following sentence made absolute sense, and underscored the reason why risk is so often poorly understood and managed:

But the analysts did more than just present the results; they discussed the methodology used in the analysis.

It seems simple and obvious, but the infosec industry very regularly talks about how simple models like a traffic light approach to risk just don’t reflect the environment we operate in, and how we have to look at things in a far more complex way to ensure the nuance and complexity of our world is better understood. “Look at the actuarial sciences” they will say. I can say now I don’t subscribe to this.

The key difference with NASA, though, is that the decision makers understand how the scores are derived and then discuss that methodology, so the interpretation of that traffic light colour is far better understood. In his blog Wayne talks of how the risk was actually talked down based upon the shared knowledge of the room and a careful consideration of the environment in which the risks were presented. In fact the risk as it was initially presented was de-escalated and a decision to go ahead was made.

Imagine if that process hadn’t happened; decisions may have been made based on poor assumptions and poor understanding of the facts, the outcome of which had the potential to be catastrophic.

The key point I am making is that a simple approach to complex problems can be taken, and that ironically it can be harder to make it happen. Everyone around the table will need to understand how the measures are derived, be educated on the implications, and be in a position to discuss the results in a collaborative way. Presenting an over complex, hard to read but “accurate” picture of risks will waste everyone’s time.

And if they don’t have time now, how will they be able to read Wayne’s blog?


Price versus Value; Why it is Important in Information Security

Running my own business now means I have to work out how much I am going to charge for my services, and if the market (or client) is going to be willing to pay me that price. It makes for an interesting internal dialogue, especially as I have always been told to not sell myself short or underestimate the skills I have and the value they bring to a client.

I recently lost out on some work because the client decided to go with somebody established rather than a new company like me. To be fair to them they had paid me well for five days consultancy to help them work out what they wanted, and they were very pleased with what was delivered so I honestly thought they would choose me. Hubris at its best I suppose.

I suspect that by going with a larger, established company they may well be paying less than I quoted for (it was assistance with ISO27001 certification by the way). The established company would have a larger range of resources, some certainly more junior than me and the people I was going to subcontract with, a tried and tested approach they have used hundreds of times before, and larger resources to back them up throughout the process. The client will certainly become compliant and obtain the certification.

Now, I am not going to denigrate the work this competitor does, but I imagine they would be very task oriented, focussed on getting the certification for their client and ensuring they come back year after year for more support. Then they will be onto the next job and doing the same thing again in short order. I have been a part of this process myself in my old consulting days.

So what value would someone like me bring then, especially if the end goal is the same, i.e. certification? Put simply, I strongly believe in the differing cultures of one company to the next, and that what is left at the end of the certification needs to be reflective of that culture and able to be adopted for the long term. That means policies, procedures, communications and the overarching ethos of the programme must be in harmony with the client’s vision and goals. That is very hard to do with a boilerplate approach. I guess it comes down to “the personal touch”, as well as a somewhat selfless approach in ensuring the client is educated enough in the process along the way that they could actually go through it again with significantly less of your support.

Is it the most immediately profitable approach? Of course not, but it is how you build “sticky” relationships with potential clients by ensuring they see you are there for their benefit and not yours. With a bit of luck this will mean more opportunities with them in the future or recommendations to other potential clients.

There are certainly no hard feelings between me and the client I mentioned at the beginning; they are lovely, honest and transparent people who I enjoyed working with and who paid me a fair price for my time in the analysis phase, and I really do wish them the best of luck in their certification with their new vendor.

I just hope they call me when they realise what they could have had. <Disengage hubris mode>


A Lot of Talking…

One month in and (TL)2 Security seems to be attracting a fair amount of interest, which is very heartening. What I am not used to, however, is projects just disappearing. In my old day job, if I decided to pursue a project we got onto it and did it until it was finished or I decided to abandon it. In my new world that decision is not up to me, and so a number of leads have, as is the normal course of things, just gone cold on me.

It is, to say the least, very disconcerting, and I have a new found respect for salespeople as a result. Who knew I would be uttering those words today?

That said, I am also keeping busy preparing for two big speaking engagements coming up:

One Identity UNITE Conference, April 1 – 4 2019

This is a new conference for me, and one where I am doing the closing Keynote of the main conference on Wednesday 3rd April.

A closing keynote is an interesting one to do, and I discussed this with the organisers in a preparation call; the delegates will be tired and need buoying up, the message needs to be uplifting and inspiring, and it does not need to be technical or even a core message from the conference.

To that end I will be talking about trust, why it is important, how we lose it and what to do when that happens. Trust is key in IAM, not least because it is a fundamental tenet of uniquely identifying someone under the auspices of authorising them to a system. But it also matters as we continue to gather more and more details about people in order to ascertain their identity in the first place. I opened a business bank account recently and had to take a photo of my passport to be uploaded in order to be correctly identified. I have to trust that that bank will not lose my passport details or sell them on, and if they do, what are they going to do about it?

Wednesday 3rd April: Won’t Somebody Think of the Users? – Auditorium

I am looking forward to the conference, and while it is driven by a vendor for its users the agenda looks to be very engaging across the board. Any vendor that avoids selling directly during events like this is always OK in my books!


European identity & Cloud Conference, May 14 – 17 2019

I have worked with Kuppinger Cole at this conference (and a couple of their other ones) since 2014; they put on a fantastic show with great talks and a wide range of workshops and topics. The setup is very professional, and the staging and production values are very high. As a speaker it is an absolute pleasure, as everything is taken care of, your requests are taken seriously and they do their best to make the environment as easy as possible to work in.

In my experience, most conference organisers will focus mostly on the attendees; after all, they are the ones that are paying to attend. Speakers are often bundled around, ignored until five minutes before we are required, told we have to use their Windows XP laptop with Powerpoint 2011 on it, and then quickly forgotten about.

Not so Kuppinger Cole. Given that I have spoken at their conferences some five times and enjoyed every part of it, it means not only do they like what I do, but I also like what they do. To be fair, they also like to get value for money out of me, so I am going to be presenting one keynote and then be involved in two other talks:

Tuesday 14th May: Facing the Post-GDPR Reality – Auditorium

Wednesday 15th May: How Traditional IAM Will Change Within the next 5 Years – ALPSEE

Wednesday 15th May: Panel: Anonymisation and Pseudonymisation – What Is It and Why Does It Matter? – AMMERSEE I

What I also like about working with Kuppinger Cole is that these are the titles they gave me. I could change them if I really wanted, but as they stand they challenge me to create interesting content and take it in a direction I may not have originally thought of.

Ultimately, what I am saying is come and see my talks, as I will be delivering with a smile and from a good place (not just the stage), and in fact every speaker will be doing the same. Come and see the difference a happy speaker makes at a fabulous conference!


What, No Expense Account? My RSA 2019 Itinerary

Yes, you read it here first, I will not be jetting into San Francisco on my private jet and staying at a hotel I wouldn’t tell you plebs about anyway.

RSA 2019 will be a first for me in that I am representing myself and not expensing my trip on the company dime. I am attending, in part, thanks to the generosity of ITSP Magazine (cheers, Sean and Marco!), and all I have to do in return is type a few words out for them. They may already be regretting that decision after seeing me insult you, dear reader, in the first sentence of this blog.

I often attend RSA without a solid itinerary, getting a lot of value out of the “hallway track” and the multitude of events that are thrown in and around the city during the conference proper. However, since I now have some of my personal cash invested in this trip (I am staying in an AirBnB with a shared bathroom, for goodness sake), it is probably wise to get at least some kind of structure together. To wit:

Oh, the inhumanity…

The Sessions

  • HUM-T06: Humans Are Awesome at Risk Management
  • DevOps Wine-ing (Not Whining) Cocktail Party
  • ID-T07: Studies of 2FA, Why Johnny Can’t Use 2FA and How We Can Change That
  • CXO-T09: How to Manage and Understand Your Human Risk
  • InfoSecurity Magazine Breakfast Briefing
  • Threat Modelling Brunch with IriusRisk
  • Security Blogger Awards (is it still on this year?)
  • KEY-R02S: Burnout and You: Fireside Chat with Dr. Christina Maslach
  • CXO-R11: The Fine Art of Creating a Transformational Cybersecurity Strategy
  • PROF-F01: Five Secrets to Attract and Retain Top Tech Talent in Your Future Workplace
  • PROF-F02: Why the Role of the CISO Sucks and What We Should Do to Fix It!

In summary then, risk, stress, strategy and human beings; all the key ingredients of any information security function.

This is my first cut of the agenda, and I reserve the right to not attend these and attend others instead, especially if some of my friends, colleagues, old drinking buddies and interesting random strangers turn up. Because that is what RSA is really about: meeting, networking and swapping ideas and opinions in real time.

The educational element is excellent of course, but it is rare that the sessions will address exactly the problems you are facing day to day. You will learn something, you will expand your knowledge and you will take fantastic advice away with you, but it is rare you will get an hour face to face with the speaker. Taking the opportunity to really network and chew the fat with your old chums, as well as new ones, is an invaluable way of really focusing your efforts.

Of course I have some specific goals (remember my reason for staying in the AirBnB?); I will be networking to find potential consulting work in the future, looking for NED or advisory positions, and seeing what is coming on the horizon from the many vendors. I am also interested to see if Artificial Intelligence code has actually been written in anything other than PowerPoint, although I suspect I will be disappointed again on that front. Meeting my old boss and mentor, my old Deputy, a multitude of other pals, even the guy who reckons he is the sole founder of Host Unknown (when everyone knows that is me), is just icing on the cake. I am definitely looking forward to catching up with the person who said I could use their hotel room bathroom too.

There will also be a Host Unknown party, brought to you by the kind sponsorship of anyone who turns up, just like last year in Las Vegas during Black Hat and DefCon. I have heard at least two of the sole founders will be there to welcome the dollar bills of sponsorship from the attendees.

It’s going to be a long, endless week, but I do know that I will come back with more knowledge, more passion, more energy and more excitement for our industry than ever before.

And a whole lot less cash in the bank, so if you see me, don’t forget to offer food and drink.