European Security Blogger Awards 2013 – a Thank You and an important tip

4 Comments
The Beautiful Trophy Itself

One of the Shiny, Beautiful Trophies

Just over a week ago the good, the awesome and the rockstars of the European blogging scene centred upon the the function room of the Prince of Teck pub in Earls Court for the inaugural European Security Blogger Awards of 2013. The atmosphere had a nervous tension and a strong feeling of anticipation (as well as a few bow ties for some other award going on immediately after that night!). These awards would not have happened if it wasn’t for two gentlemen in particular, namely Jack Daniel (@jack_daniel) and Brian Honan (@brianhonan) and without the sponsorship of Tenable (for the bar) and Qualys (for the trophies themselves). Both of them organised this off their own backs, were extremely gracious hosts and ultimately did this for the betterment of the European infosec community, and I wish to recognise that formally.

Thank you Jack and Brian, and to our sponsors.

But moving onto the awards themselves; after an initial round of blind nominations, the finalists were announced on Saturday 13th April and a no doubt frenzied bout of voting commenced, interspersed by all the finalists vying for your votes. My favourite had to be this one from Kai Roer (@kairoer), someone certainly not known for his modesty!

Kaibloggeraward

But aside from my evil twin shamelessly and quite rightly asking for votes (he has a great blog, check him out!) there were regular reminders and links from Brian and Jack to get voting and many retweets. I’m not sure how many votes were cast but I imagine they were well into the hundreds.

And so the night came, and after a day at Infosecurity Europe just over the road, and the practising of our “disappointed we didn’t win but SO happy for the winner” faces, it was down to Jack to announce the nominees and winner. They are listed below, but before that I want to move onto the tip I promised in the title…

Below are links to some of the smartest minds in our industry, and not only that, but they are willing to share their knowledge with you, for free. In any industry that is a rare gift to be given so I would like to encourage everyone who reads this to visit some of these blogs and follow them on Twitter, and also actively participate in the discussions, opinions and (dare I say it) thought leadership that is being presented. As a blogger myself I know the thrill of discussing a topic with someone, whether they agree with me or not. If you disagree with something that is being said, then politely and respectfully say so and put your point across. Even a simple message of support or a ‘Like’ means these people are going to be more likely to continue to blog and share their ideas with you in the future. And of course, if you think you can do better we would welcome you with open arms; this is not an exclusive club.

And so, without further ado, and a final thank you to Brian and Jack, here are the results of the European Security Blogger Awards 2013!

Best Corporate Security Blog
Malware Must Die
Sophos Naked Security Blog  < WINNER!
F-Secure Labs Blog
Countermeasures
SecurityWatch
SCRT Information Security
Cyberis Blog
Security for UK Legal Professionals
Holistic Security Blog
Securelist

Best Security Podcast
Finux Tech Weekly 
Eurotrash Security Podcast  < WINNER!

Best Security Video Blog
Christian008
Info Cynic < WINNER!
Security Tube

Best Personal Security Blog
Chat Back Security
Neira Jones
/Dev/Random
Pentest-n00b
The Roer Information Security Blog
SecurityWatch
Make IT compliant – Security and Compliance
Naked Security
Thom Langford  < WINNER!

Most Entertaining Blog
The Gentleman Hackers Club
Info Cynic  < WINNER!
Sophos Naked Security Blog
Holistic Security Blog

Most Educational Blog
Sophos Naked Security Blog
Infosec Cynic
HTML5 Security
Security Watch  < WINNER!
Securelist
Holistic Security Blog
Professor Alan Woodward Blog
Offensive Coder
Bruce Hallas 

Best New Security Blog
Jitender’s blog
Advent IM Security For Schools
Chatback Security
Marlin Brighton Blog
Dave Waterson on Security  < WINNER!

Best EU Security Tweeter
@rik_ferguson < WINNER!
@jameslyne
@_securitycat
@ChrisJohnRiley
@quentynblog
@j4vv4d
@brianhonan
@xme
@securityspeak
@gcluley
@n0x00
@0x6D6172696F
@mikko

Grand Prix Prize for the Best Overall Security Blog
Sophos Naked Security Blog < WINNER!
Infosec Cynic
F-Secure
Security Watch
Light Blue Touchpaper
Holistic Security Blog
Didier Steven’s Blog
Bruce Hallas 

If you made it this far you may have noticed I was very honoured and pleasantly surprised to have won Best Personal Security Blog, and against some real industry heavyweights too. My thanks to all of those that voted for me, it means the world to me.

Don’t Put Baby in the Corner

2 Comments

5670_fullLast week I had the opportunity to do both a presentation at the BCS IRMA Specialist Group as well as take part in a drastically reduced panel with Javvad Malik (and only Javvad!) at the InfoSec Europe 2013 Press conference.

Firstly I want to recount the panel for the press conference. After some last minute drop outs (one of which I was replacing anyway!) there was just Javvad and me available to do it less than 24 hours before we were due to start. In his own inimitable style he proposed a double act Parkinson style to talk about the challenges faced by a CISO in the Enterprise. I was somewhat unconvinced by this but true to his word, the whole session went extremely well and was thoroughly enjoyable. Afterwards Javvad was told  by some of the journalists that the session was a great way to end the two days with the non vendor focus of the session, and the humour that Javvad and I of course used!

One of the main topics we discussed was that of the position of the CISO within the organisation and the influence that this subsequently brings. Ultimately my position is clear on this, that the CISO needs to be as high in the organisation, and as independent of vertical alignment as possible. What I mean by this is that if the CISO is on the board (or executive leadership team as appropriate) and does not report into the CFO, COO, CIO or any other C level executive there is a dramatically increased chance of security being a successfully managed activity in the enterprise. It ensures full representation of the security function at the most senior levels, free of conflicts of interest and able to vie for budget and attention on an equal footing with the rest of the business units.

I will caveat this however. If there is no security function in place or it is in its nascent stages, or the business itself is smaller, it makes absolute sense to have the security function perhaps initially reporting into the CIO; in all likelihood the staff building the team will come from IT anyway. However, as the team grows it needs to evolve its leadership and position in the organisation, perhaps moving away from the IT function, to the COO and then ultimately to the board.

This transition is something that I have never seen planned in advance, and this is probably one of the fundamental reasons why the CISO and security function is constantly under represented in the modern enterprise as it struggles to gain independence. This will always result in poor awareness and training, lack of budget and lack of true top down security adoption as they compete for ever diminishing resources from lower down in the organisation.

One fairly unique place I have seen the security function is reporting into the General Counsel/Legal function. This I have seen work well as it is the GC that is traditionally responsible for the tracking and management of risks for the enterprise, and frequently has the ear of the CEO. I rarely see a conflict of interest with the security function either. This is not common though, and is likely to only be likely in the larger organisations that have a formal role of GC.

Bottom line, if the newly appointed CISO (i.e. a senior level position for a mature security team) reports into the CIO, then in reality, security is not going to function effectively in that organisation.

And finally (although not in chronological order), the BCS. It was the final presentation of “An Anatomy of a Risk Assessment” and it was (as far as I can tell) well received. Unfortunately the weather and lack of sandwiches post the even meant there was little time to mingle afterwards, but I have since received a number of favourable comments and of course connection requests on LinkedIn which is always heartening. I did however  feel I didn’t answer one of the questions at the end, about India, particularly well, and may have come across as a little disingenuous when nothing could be further from the truth. I hope my friends and colleagues from india will forgive me if they make it to the end of the video when I get hold of a copy (and post it here). As an aside I found an extremely flattering write up of the very first time I presented this in January last year. To the author at Acumin, thank you! http://acumin.wordpress.com/2012/02/

All in all, a very enjoyable and engaging kick off to 2013.