10 Rules of Risk Management… In 10 Movie Quotes

3 Comments

I had an absolute blast last night presenting at the Acumin RANT forum (https://www.rantforum.com) on the topic of “10 Rules of Risk Management… In 10 Movie Quotes”. The premise was simple – people don’t remember rules or dull facts, but they do remember things that emotionally touch them in some way. Each quote and movie opened up a conversation on an aspect of risk management (although the term “rule” was a little inaccurate of course). Given it was the RANT forum, and I was competing for the attention of the audience against the allure of a free bar, there was plenty of opinion and discussion flowing around the room throughout. Hopefully a few of the points I was trying to make will have stuck as a result of quotes such as “You’re gonna need a bigger boat” or “I see dead people”.

I felt the audience engaged and participated throughout with lots of very verbal agreement and disagreement throughout, and it was exciting to be right at the centre of the maelstrom. If you have never been to a RANT before just imagine one person being surrounded by a large number of people only a few feet away; with your back to the projector screen, there is no lectern to hide behind and no stage to stand on. It’s do or die, and a  #Fail never far from your thoughts!

Not everyone agreed with the points I was making of course but that just generated further conversation. I had some excellent follow up conversations with a number of people, including a great idea for my next presentation which a stated up front I might shamelessly steal – I think i got his agreement that doing so was OK! I had some very positive feedback afterwards as well for which I am very appreciative of; if you are reading this and want to provide more feedback, of both kinds, then please do. Without wishing to sound too “new age”, feedback is a gift you can give someone that will allow them to grow and improve. Without it we continue to make mistakes and miss the opportunity to learn.

Gemma (from Acumin) and I tried something new this time as well, filming the presentation with two cameras. It will take me a few days to splice the footage together, but as soon as it is done I will have it posted here. I know some of those who attended were interested in both reviewing and sharing the footage, as well as the slides; these are below, as well as a slideshow of the deck. I use Keynote  for my presentations, so the PowerPoint conversion is never a true representation. If in doubt, use the PDF. Someone mentioned last night that they may want to link to the content here too. I have no objections to this, just credit me and don’t muck about with the content!

My thanks to Acumin for hosting the evening, and thank you to all of you who took part, especially the very lucky prize winners! (If you wanted a pen but didn’t get one let me know and I will do my best to send one to you).

This slideshow requires JavaScript.

Files for download:

PDF – 10 Rules of Risk Management

PPT – 10 Rules of Risk Management

Keynote – 10 Rules of Risk Management (native)

Movie from the evening – Coming Soon

May I Ask YOU A Question Or Two…?

1 Comment

The iPhone5 launch is very exciting for many people, and I have to admit myself included. Whatever your opinion of that particular can of worms, one thing is for sure, and that is many people will be parting with a lot of money in the next week or two in order to get hold of the latest piece of geek chic.

When there is a likelihood of a money changing hands, scammers and criminals will never be far behind.

I took a phone call (from a UK 0845 number) on my mobile phone on Saturday from someone claiming to be from O2, with an offer to get the new iPhone5 on the day of release without having to queue for hours at my local O2 store. They would even honour the lower retail store price compared to the order online price; on my tariff that meant £70 for the handset rather than £100 because I was a good customer (which I am). What an offer!

Without thinking, I confirmed the first line of my address… and then thought “Oh crap, shouldn’t have done that”; I got a bit carried away. They had called me, not the other way around, I really had no idea who they were!

Cast your mind back a few years ago, and there was a semi legal scam whereby people would take calls from “a representative from <insert mobile provider here>”. They would entice the individual with early upgrades and a new phone, get the verbal agreement, and then shift the contract to a new, third party provider. The downside was that this provider had many hidden charges and an average £25 bill would become £125 overnight partnered with a legally binding contract. This was soon clamped down upon, but this example starting to ring through my mind!

It was at this point that I had verbally agreed that I wanted the new iPhone delivered to my door on a new and cheaper contract this coming Friday… Oh dear God, Have I just committed professional suicide here?!

I turned on my professional brain, and then asked the person at the end if she really was from O2, and obviously she replied “yes!”. So I asked her if she would mind if I asked her a few security questions “of course not, I would do the same!”. i logged onto my O2 account and asked her for my account number, last bill amount and how long I had been a customer. She had all of the information to hand, I was happy, and I am now looking forward to a new phone on Friday (either that or this blog will be closed down on Saturday!).

It did occur to me however that I felt a little awkward asking these questions. How many other people in a similar position, offered an enticing deal would do the same thing? And how often would someone be ripped off as a result. We receive phone calls all the time from our service providers, and very often just asking for innocent information or making sure you are happy with their current deal, but sometimes the first question they ask is a “security” question to confirm you are the correct person. This normal procedure is easily hijacked by social engineers who could over the course of a few months gather a vast amount of information just from phoning you and asking you outright!

Has anybody else experienced this kind of thing? Have you missed some great deals because you missed the opportunity to grab it because you were too suspicious or have you thrown caution to wind only to regret it later, if only for a short period of time? How cautious do we need to be in these circumstances?

One thing I learnt however is that in the middle of a conversation, it is very easy to forget who called who; remembering that if you answer the call you haven’t confirmed their identity and therefore need to ask some security questions of your own is probably  the best way of keeping you out of trouble!

“An Anatomy…” at the BCS

Leave a comment

A short post to give the Wiltshire branch of the BCS a pointer to the slides from the presentation I gave last week on Tuesday 24th July in Swindon. It was an excellent evening, although I suspect the turnout was somewhat diminished by the weather!

The audience also included members of the IET which bought a very interesting slant to the questions at the end. I have also exchanged a few views with folks over Linkedin as well, and if you are still awaiting a response from me please bear with me!

The one thing that did however fail was the video recording of the talk; unfortunately it gave out halfway. I was going to edit the footage anyway and then perhaps link to an alternative recording of the same talk, but I have taken the decision not to as it is a messy compromise to try and stitch two different talks together to get the entire content in one place. As a result I have decided to simply link to a previous recording, specifically the BsidesLondon one I gave in April.

So, thank you Geoff Hunt for having me along to speak to the Wiltshire branch of the BCS (where I am also a largely absent member of the committee!) and especially thank you to the folks in the audience for your interest and your questions. If any of you do happen to have any more questions, please don’t hesitate to ask them in here, via email or Twitter. Any feedback is also of course very much welcomed.

The video can be found here, and the slides can be found here (note that the presentation is originally in keynote format, the PPT export may look slightly different).

Where is Your Data?

Leave a comment

Have you paused to consider where your data is at any given time in your organisation?

All but the smallest of organisations is likely to have notes, CV’s, financial records, personnel records, legal documents and the like, and that is just the stuff in paper form. Throw in electronic records, and you include emails, working documents, client deliverables such as code or documentation, even firewall logs or IT documentation and records.

Now that you have a picture in your head of what exactly might be out there, do you know where it actually is? Any organisation that operates in more than one country, and with the advent of the cloud any small organisation that uses third parties for any of it’s traditionally in house capabilities is very likely to find data in different countries. While this may come as no surprise to some, for many once they have carried out even a rudimentary analysis this is likely to come as a shock.

The problem I feel is that the pervasiveness of technology, and the ability in the modern business to operate without boundaries as result. By this I mean  when, for instance, someone looks at, alters, reviews or saves data of any kind more often than not they have no idea where that data resides. Is it in the server room across the hall, a colocation facility across town or in another continent? Even when the various professions in an organisation are aware of the various compliance and regulatory requirements (Human Resources, Legal etc.), because the location of the storage devices themselves are invisible to them the issue is not even considered.

For instance, a Hiring department in one country may take the personal details of a new hire such as name address and bank account and upload them to a file server in Excel or onto a SharePoint for the Finance department to set up into payroll. The server this data resides on may be in a second country, while the person who updates the financial systems resides in a third country. In many cases this may not be acceptable according to local data protection laws for the storage and access to a given country’s resident data. This is more often the case when one country has significantly greater (or better) privacy laws than another.

The solution to this is two fold, one legal and one common sense:

Legally, agreements can be put in place; these can include well known standards that can be adopted between reciprocal countries. Perhaps the most well known is the Safe Harbor Privacy Principles. This is a set of seven principles that allow for the streamlined compliance of US companies to the EU Directive 95/46/EC and was developed by the US Department of Commerce in consultation with the EC. There have however been concerns raised about the efficacy of this approach, but it still remains a common and well known one nonetheless.

Another legal approach, and one that appears to be be more commonly adopted in recent years is that of Binding Corporate Rules. Developed by the European Union Article 29 Working Party it is wider in scope than Safe Harbor as it applies to any country that may want to exchange or store data from an EU country. Both of these examples (and other alternatives) do require a lot of work to effectively adopt, the latter especially, and should not be entered into lightly. More often than not third parties/consultants will need to be employed to bring the very specialist skills required.

The second solution, and one in reality that should be taken in conjunction with the legal approach, is that of awareness. This is awareness on behalf of the organisation as to where it’s information and data is stored, and also awareness of the individuals who are managing and posting this data to the various locations required. IT moves faster than ever, and the location of your data store may well move with it. These individual teams will need to engage with IT and the CIO and become firm stakeholders during any kind of IT infrastructure upgrade and bring their specialist knowledge to the table. And the company will of course need to commission an international data location map!

The alternative unfortunately is a knock on the door from the Data Commissioners Office (or equivalent from outside of the UK) and a potentially heavy fine and the related embarrassing media frenzy. That is going to cost significantly more money than that cheap hosting deal in India.

BSidesLondon – Woot Woot!

2 Comments

What a marvellous couple of days I have just had; Tuesday at InfoSec Europe in Earls Court followed by BSidesLondon in The Barbican on Wednesday. While InfoSec was good, and I enjoyed not only the wide variety of stands, prizes, swag and educational events, it is and will always be a trade show. I always feel I am one tiny eye contact away from signing up to 1000 licenses of a product I never knew I need.

BsidesLondon however was an entirely different event. This was the first BSides event I have attended anywhere, and its reputation as an edgier, grittier and slightly geekier type of conference (or at least that is what I picked up on) was entirely unjustified. What I experienced was an extremely high quality of talks, great organisation, interesting activities, engaging workshops and above all a broad, eclectic mix of information security professionals. To be honest, I was somewhat concerned that my professional background in governance, risk and compliance was going to be entirely misaligned, but I was encouraged to attend by a colleague in our Boston office. How mistaken I was!

I should have guessed really when a talk I submitted was voted for by the attendees (An Anatomy of a Risk Assessment) – I explicitly stated it wasn’t technical, or even focussed on a given standard, but rather a more social/human experience of risk assessments. Whilst I didn’t exactly fill the auditorium to the gunwales, I estimate there were about seventy people attending. I also had some great questions at the end and a stream of conversations and compliments throughout the rest of the day. I even managed a few more Twitter followers!

(On that last point, I think I really am going to have to pull my finger out now and start providing some real value on Twitter, and especially this blog!)

The “Crew”, and team of people entirely made up of volunteers who gave up their full day to support the event (and miss out on all of the great activities as well) did a phenomenal job in both setting it up and managing it. I was able to thank a few of them in the bar at the after party, but I know I missed a few; to all of you, Thank You!

If pushed to, there would be a few things I would change; please understand this is by no means a criticism of any aspect of this years event, but rather a desire to see a cycle of continual improvement!

1. Make it a two day event. I would hope this would encourage more volunteers who could do a half day stint at a time. This would mean that volunteers would not miss out on the excellent content. (I heard many times “I haven’t been able to see a single talk all day”)

2. Charge a nominal fee. By nominal I mean £50 for two days (£25 for students/concessions etc of course. That is only a night or two of beer for an average student and they will more than make up for it at the after parties!). This would ensure people actually turn up – I saw a lot of unclaimed name badges at the reception which is a massive shame given the clamour for tickets. One day tickets could be suitable priced at £30 and £15. This would also take the pressure of the organisers for the basics like T Shirts, lunch, booking fees etc and the (excellent) sponsors can focus on the value-add stuff.

3. Increase the numbers. I know smaller events have a niche value and connect with the community more effectively, but I think a third track formal could easily be accommodated next year as the reputation of this event will only improve and numbers wanting to attend will increase. There is a balance to be had, but pushing to 500 or 600 is still viable in my humble opinion.

All that said, even if everything stayed the same I will still be attending next year, and hopefully speaking again. Congratulations to all involved, what an amazing event. It’s barely been two days and I am already looking forward to next years!