An Anatomy of a Risk Assessment

The video below is my presentation to the RANT forum in London on “An Anatomy of a Risk Assessment”. In it I give a personal view on the mechanics underlying a risk assessment or audit. It is not a highly technical approach, and is not meant to be; for that purpose there are plenty of books and guidance available elsewhere. Instead I take a more human approach as to how to get the most out of an assessment, from both sides of the table. The slides are available at the link below, in Keynote, PDF and PowerPoint format, or can just be viewed through your browser. Presenter notes are there and are my original presentation ideas, and so therefore may not accurately reflect the presentation on the night!

http://bit.ly/wF3pKe

Technically, this was my first ever public speaking engagement of any note (I did a two minute session in the November RANT), and so I am scrutinising my performance significantly to ensure I can improve upon this presentation for reuse at other venues. If you attended, or indeed if you care to review the video below I would welcome your feedback. I must say though, having watched it a number of times now, I am very much painfully aware of my annoying personal tics, mannerisms and expressions of speech! Still, it was an immensely enjoyable experience and one I am looking forward to repeating at some point in the next twelve months.

The book I make reference to at 16:00 is The Leaders Workbook by Kai Roer (http://amzn.to/xm3dy2), an inspirational book, but only if you use it properly!


Under Construction… No Longer!

On the eve of my first real post for nearly a year, but a busy few months, this site is officially no longer under construction! There is more work to be done, namely About Me, Reading List and a few other pages I have in mind. They will come over time, but most important is the fact that I am now ready to contribute to the infosec ecosphere!

Bear with me while I transfer old content and add new content throughout this site. Trying to keep it simple and engaging!


The New Home of TandTSEC, the blog

[Image: Fairford Airshow 2011]

I am in the early days of setting up this site as the formal blogging site of TandTSEC. It has been almost a year since I set up the original site, and after an initial flurry of blogs they dried up quite quickly. I have come a long way in my professional development since then, significantly catalysed during the RSA Europe conference last year.

Moving to this site will allow me to overcome one problem in particular, namely that of being able to update my blog from anywhere and on any of my mobile devices. My hope is that I will be able to post an update when the mood hits me rather than when I get back to my desk at home. Given the amount I find myself traveling this was a problem!

I am also starting on the speaking circuit. I am in the middle of preparing my first presentation ready for delivery this coming Tuesday at the RANT forum in London. With that in mind I am challenging myself to come up with more frequent updates, opinions and thoughts to act as the “manure” for new presentations, articles, and hopefully a book!

Here is to a new chapter in my InfoSec career!


Whose RANT is it Anyway

A short presentation given at the last Acumin RANT of 2011. The purpose of the exercise was a short, two minute presentation on a topic of your choice, but with slides unseen or changed.

Great fun, and on the back of this I agreed to do the first RANT presentation of 2012!


Communication, Collaboration, Command & Control

I mentioned in an earlier post that I don’t necessarily subscribe to the view that crisis plans need to be heavily documented in the form of runbooks or procedural artefacts. In this posting I would like to explore that in a little more detail.

It is certainly not the case that I think there should be no procedural documentation, or even detailed documentation, as long as it is in the right place and appropriate to the people requiring it. That said, I think the default approach to any implementation of crisis, incident or disaster recovery plans leads to a vast amount of needless writing. Having been involved in a programme to simply document what a particular team does, with over thirty documents being created from scratch, I can testify to the futility of that approach. Hence I propose a two-tier approach to writing these plans up.

Tier two documentation is that which is required by the functional team; in the case of disaster recovery it is the detailed documentation of how to fail over applications and services. With crisis management it may be evacuation plans and the roles and responsibilities of fire wardens, and with incident management it might be an escalation and first-fix path of procedures. This is important, because in many of these cases the people involved on the ground are often in twenty-four-hour shift patterns and early in their career, or even volunteers (fire wardens etc.), and through no fault of their own have less incentive to fully memorise or become proficient in activities that might never happen on their shift. They need to have a reference document, a thing they can refer to when their pulse is pounding and their heart pumping in the middle of a crisis. I should know, I was that soldier in my first job out of university!

However, there is a group of people that simply can’t be told to have documentation available to hand when the time comes, or even to memorise the roles and responsibilities: the senior leadership who actually make many of the critical decisions during a crisis. What is required here is the ability to Communicate and Collaborate very quickly (optimally within just a few minutes of the crisis being recognised), and then to have the capabilities at hand to establish rigorous Command & Control. This approach applies to most organisations, where the input of most if not all of the C-level execs is required (except perhaps the behemoths like IBM or TCS, where different segments of the organisation could operate like this on their own).

These execs need to be involved in crisis no matter what the subject because what they are good at is synthesizing information from a variety of sources and being able to make decisions quickly, effectively and in the best interests of the company and its people.

Some pre-requisites to this approach though:

  1. A recognised approach to define the severity of a crisis prior to declaration.
  2. A mechanism of simultaneously contacting multiple people through redundant channels in a matter of seconds of a crisis being declared.
  3. A series of very simple yet effective steps for the crisis team to follow.
  4. The ability to manage a “crisis room” either real or virtual at no notice.
  5. The recognition that a crisis is by its very nature flexible, and therefore understanding you will not know all the facts from the outset (the “fog of war” effect).

I will investigate this in more detail in a later article, but for the time being, the main question anyone should ask themselves when preparing crisis plans is “how can I simplify this further?”.