A fun filled week, moderating, presenting, acting.

leader-summit-headerLast week was a very busy week for me in the information security arena, which given not that long ago I said I was winding down for the end of the year into Christmas was a little surprising.

On Tuesday I was asked, somewhat last minute, to moderate a panel on Threat Intelligence at the InfoSecurity Leadership Summit. This is not a primary area of interest for me, but given I was moderating the panel and not on the panel itself I felt I had nothing to lose. With about 10 days notice, one short conference call and a rapidly drawn up set of notes the session went very well, although we had a very limited amount of time resulting in no questions from the audience which was disappointing. I do think I achieved my three key objectives for the session though:

  1. Start and finish on time
  2. Keep the panel from drifting off topic
  3. Make the panel look good

Moderating a panel is somewhat less glamorous (if that is the right word) than presenting or being on a panel, but I like the good folks at InfoSecurity so was happy to help out. The experience was useful for me as well, as moderating is very different to being a talking head. The conference itself was also very good, especially given it was the first one the folks at InfoSecurity have done in this space. I look forward to next years.

The day after, on the 4th December I flew to Frankfurt to attend the World Class Mobile Collaboration conference, where I was asked to present an old favourite of mine, An Anatomy of a Risk Assessment. Due to some technical difficulties I had to present an hour before I was scheduled to which somewhat put me on the spot, but actually worked out rather well. I had some great conversations with people in the break afterwards and swapped contact details with a number of them too. It was a very enjoyable but exhausting day though as I had to return that evening to get back to my day job. They kindly recorded the presentation, below:

http://vimeo.com/81118214

And finally, on Friday 6th a Christmas Message video was released that I was involved with in collaboration with Host Unknown and Twist & Shout. I blogged about it on the day but I wanted to mention it again as I do think it is a good example of putting points across in bite sized chunks that are memorable and effective (Twist & Shout are very good at this). There will be some behind the scenes footage being released next week, so look out for it on Twitter and the Host Unknown blog.

Back to work for a rest for the next two weeks I think!


Video: Playing the Game of Thrones at RSA Europe 2013

I’m no HBO, but I am pleased to say I have just posted a video of my talk at RSA onto YouTube, entitled “Playing the Game of Thrones; Ensuring the CISO’s Role at the King’s Table. Recorded by my good friend and evil twin brother Kai Roer (@kairoer) it is the session in its entirety along with pertinent slides throughout.

I was pleased with my personal performance at the time, but of course watching it I see many areas I could improve upon. (I am planting my feet better, but still by no means do I stand still for instance.) The staging of the room was very poor, but unfortunately there was not a lot that could be done about that, and many other speakers had to put up with the same issues.

The full abstract for the talk (from the initial submission) is:

Why is is the CISO constantly frsutrated with being required to report to areas of the business that either don’t understand it or conflict with so many of the core deliverables of the role? Too often it is beholden to the agenda of the technology focussed CIO or blinkered by the financial constraints of the CFO. How has the role even got to this place?

Starting with a brief historical look at where the CISO role was borne from in the first place, progression to this current state of affairs is shown to be inevitable.  What is needed is a plan to disrupt this status quo and ensure a CISO is in a position to not only understand the power of the business intelligence that is produced in a well managed environment, but how to ensure it reaches the board in a way that is understood.

Through the use of a universally understood information security model, the CIA triangle, the presentation explores three key areas to assure the success of the CISO in being asked to report to the board rather than being summoned to it.

Initially the actual source of the information, its gathering, the methods employed and the common pitfalls often seen are explored and clarified. What are the common mistakes, how are they rectified and how can you recognise when the data gathering programme is going awry?

Secondly, how is it being pulled together, and what is it saying? How to understand the audience it is being presented to and what can be done to improve its chances of being understood.

Finally, how does the CISO make the final push for the board? What are the key principles that need to be understood about supporting a successful business, what home truths about the information security industry are rarely mentioned and how can the CISO differentiate themselves from those that came before?

This presentation seeks to broaden a CISO’s skills beyond the technical and the post nominal focussed industry accepted norms and into those that actually help a business do what it does best.

The content from this and my other recent talks will start to appear on this blog as I put my ideas down more into the written word rather than a presentation format. I have just one more speaking engagement before the end of the year now, and one in the first two weeks of the new year, so I hope to find more time to write rather than created decks.

I hope you enjoy the video, and as always I would greatly appreciate your feedback both positive and negative/constructive.


Amsterdam has them now: RSA Europe 2013 and playing the Game of Thrones

IMG_2991As usual it was a great week at RSA Europe, as much for the hallways track as all the other tracks on offer. Whilst it may not be as large as it’s bigger brother in San Francisco the move to Amsterdam from London seems to have given the conference a new sense of purpose and scale. The potential to grow in this location is obvious. But I hope it doesn’t grow too much more; there was always a sense of knowing what was going on and when, and where you were in relation to the auditoriums and speakers. I am sure that sense of perspective is more than lost in the scale of RSA San Francisco.

It still had it’s challenges, all minor. For instance, tea and coffee points that seemed perpetually shut throughout the day, a distinct lack of activities on Wednesday even after a 17:00hrs close, and perhaps the location did not lend itself to the kind of out of hours socialising that London had to offer. For me the Novotel bar became the centre of my networking experience, no bad thing, but I would wager there were a few more hotel bars doing the same thing meaning the networking was seriously fragmented.

The usual suspects were there for me to socialise with as well as some new faces, such as Tor and Kjetil from Norway who were both intelligent and hilarious, a combination I always enjoy. I managed to meet a few more of our industry “luminaries” as well which is always interesting (never meet your heroes!), as well as catch up with others I had met previously and enjoyed their company and insights.

IMG_2998For me the whole conference was focused upon 14:40hrs on the Thursday when I presented “Playing the Game of Thrones: Ensuring the CISO’s Role at the King’s Table”. Not only was I presenting in my own right but I was also presenting content and an approach that I had synthesised from a variety of sources and my previous thoughts and theories. The session went extremely well, was watched by a number of people I know and respect, and was fully attended (with even a couple of people having to stand). Questions at the end were thin on the ground although I had noticed that throughout the conference, but the feedback has been phenomenal. I haven’t had the formal feedback from RSA yet, but their newly introduced conference app allows me to see a certain degree of feedback on both me as a speaker as well as the talk itself.

RSAC Europe 2013 GRC-R08 THOM LANGFORD.005

The slides are above in PDF format, and are also available in Keynote format here. My good friend and evil twin brother Kai Roer kindly filmed the talk as well, and as soon as that is available I will be publishing that on YouTube. One of the key reasons for doing so is to invite more comments on the material itself, as I made a few bold statements that I am sure not everyone would agree with. For instance, the less influence a CISO has, the more prescriptive (and lengthy) the policies are, in turn making them less effectives. This is based on my observations only rather than research, so getting feedback on points such as this helps inform everybody more.

All in all it was a great week, making new friends and meeting old ones and always learning new things almost every hour. Here is my honour roll of folks from the week that made it as memorable as always:

Javvad, Brian, Kai, Kjetil, Tor, David, Dave, Bruce, Tor, John, Dwayne, Quentyn, Neira, Josh, Martin, David & Olivier (my apologies to anyone I left out, it is the fault of my memory and not how memorable your were!).


Announcements, Presentations and Work!

Banyan tree, Bangalore, India

Banyan tree, Bangalore, India

It has been an incredibly busy five weeks since 44CON, with a lot of travel, projects coming to fruition, conference talks and preparation as well as more writing than is reflected in this blog.

I have spent three weeks (over two trips) in India carrying out five security risk assessments and hosting one three day client visit, and all I can say is that my India based colleagues continue to impress and amaze me with their knowledge, analytical skills and above all friendliness. I had the good fortune to spend some time with them at a team outing, discovered a mutual friend in London and also hit the dancefloor with them (if you have never danced in an Indian nightclub, you haven’t really danced!).

I was also able to spend an evening with the lovely folks of the Delhi chapter of NULL in Noida, and had a great couple of presentations (WAF and compliance) as well as an engaging conversation on interviewing in the infosec world. I had struggled for the last couple of years to find good conferences and forums in India, but apparently I missed an incredibly vibrant and widespread community. I’m glad to ay that is no more the case and I look forward to attending more in the future (along with my India based colleagues). On my return I attended the IT Security Forum and spoke on “Throwing Shapes for Better Security Risk Management” covering three ways to manage your security programmes more effectively.

A project I have been working on with my good friends and colleagues @sirjester and @j4vv4d finally came to fruition with the help of @jimshout, called Host Unknown. I am extremely proud of this project and we have spent many hours agonising over the details, honing the performances and getting website, YouTube and social media coordinated; in fact it was a lot more work than we expected! There is so much more in the pipeline, and if you would like more information please contact us, I promise you will only be mildly disappointed! (I am also legally obliged to point out that it was all my idea, despite what some of you may have heard.)

My other piece of news is that I have been asked to be a guest blogger for Iron Mountain, something I am absolutely thrilled by! I have already posted my first article, and I am looking forward to writing many more. As someone who can often struggles to  get down to the process of actually writing int he first place, (once I am started I seem to be OK!) I see this another incentive to flex that particular creative muscle more frequently, as well as getting used to writing on specific subjects, somewhat to order. I will of course be cross posting back to this blog, but I would encourage you all to head over and see what they have to say. My particular favourite is @christiantoon who is certainly one of the more prolific writer on the site (and a great guy to boot!).

It’s the RSA Europe conference next week, and I have been busy preparing my presentation “Playing the Game of Thrones: ensuring the CISO role at the King’s Table”. While there is an element of content that I have covered in other presentations before, this is nonetheless a new presentation with plenty of new content, somewhat more research based (although by no means academic) and very much pushing me out of my comfort zone. That said I think it is going to be a strong presentation which should generate some good discussion; here’s a podcast where I explain what I am going to be talking about, and I will of course be covering the conference in my next blog.

With all of this going on I haven’t been able to post as regularly as I would have liked, but I am building up a great stash of content that should see us through the winter months. Winter is coming after all!

 


Sailing the High Seas at 44CON

logo-1I have just returned from 44CON, a technical infosec conference that is held in London and in its third year. As with any multi day conference you come back tired but educated, and happy but deflated that it is over. A speaker party, a conference after party, two gin’o clocks, a conference bar and some fabulous presentations makes for an exhausting two days.

Organisationally it is extremely well run; the crew are are friendly, knowledgable AND efficient (it’s rare to have all three), the venue is of a high quality, the sponsors are low key but available, SpeakerOps is excellent, and with the exception of myself and two others the attendees are amazingly smart and technical. I was able to chat to a number of the speakers at a reception on Wednesday night, and the level of detail they went into for their research was simply mind-blowing; one person even decided to write his own 3D presentation language instead of using PowerPoint or Keynote, just for this one presentation!

I spent the first day mostly at the InfoSec track rather than the technical track, learning about “Security lessons from dictators in history” and “Surviving the 0-day – reducing the window of exposure”, both very good. I did attend a technical talk in the afternoon along with two friends (the two mentioned above!), and to be honest he could have been speaking a different language with what he was talking about; to make it worse he apologised at the end for not making it technical enough! It was a fabulous talk though, wonderfully presented, and let down only by my lack of technical knowledge of the subject.

As a backup speaker for the infosec track I thought I was off the hook at this point as nobody had dropped out, but it was announced at this point that there would be a “hidden track” of talks, of which I was one of them. This hidden track would take place at an undisclosed location and you had to talk to vendors and other con goers to find out where it was. It was at this point I excused from the after party to add a little more content to my slides.

Sailing the Cs of Disaster Planning 44Con.001

Sailing the High C’s of Disaster Planning – Click for PDF

The following morning, after the opening presentation I was second in the hidden track. My talk was entitled “Sailing the C’s of Disaster Planning”, and the main drive of it was of a simple “framework” that allows you to be be able to not only test the effectiveness of your disaster/business continuity planning, but also help to communicate the key elements of the plan upwards to the board and down through the key players in the organisation. This was the first time I had given this talk, and to be honest some of the ideas have not quite been fleshed out, although the concept is sound. It was well received by about 20 people (not bad given it was a hidden track) and there were some good questions and conversations afterwards. Feedback received later in the day was both encouraging but also useful in highlighting areas that need to be improved.

A copy of the slides are above; if you take a look at them please provide feedback as always (caution, 12.5Mb PDF).

I will be using this blog to flesh out those ideas and gather feedback over the next couple of months, firstly by looking at the high level concepts of this approach, and then subsequently break down the five elements of the approach into further blog posts.

The remainder of the second day at 44CON was taken up with more talks, as well as a bit of filming with my two colleagues, the two unknown hosts you could say, for something we hope to release in the next few weeks.

I would like to thank Steve and Adrian and the entire crew of 44CON for an excellent event, and I am certainly coming back for next year, at a new, larger yet undisclosed location.