Drowning, Not Waving…

Last week I attended The European Information Security Summit 2019 and spoke on the closing keynote panel at the end of the second day. The topic was “Unacceptable personal pressure: How senior Cyber Security Executives safeguard their own mental health, and those of their teams”, and as a panel we were surprisingly open about our experiences. Afterwards a number of people spoke to us about how pleased they were that we had been open and honest about a subject that is so often swept under the carpet as too difficult to deal with or just plain embarrassing. I have also seen the LinkedIn articles written since get a huge amount of traction with every comment a positive and supportive one.

I briefly told my story last week, and so have decided to elaborate a little more to a larger audience here. This is not meant to be virtue signalling, or jumping on the bandwagon, but rather a message to everyone out there who has suffered in silence and felt they were the only one with these feelings. These are the “highlights”, and some parts of the story are just between me and, well me, but I am sure this will paint the correct picture.

My last role was challenging to say the least; as a  newly minted CISO I was tasked with building a security team from the ground up (again) in a large global organisation that was as politically charged as it was not interested in security. We did well, growing to over 60 people at last count before I left, and were considered a high performing team who collaborated and never said no. People enjoyed working with us and we took on more and more work and constantly delivered.

The cost though was an intense environment where my main role was PowerPoint and politics, and constant air support for the team. Combine a tough travel schedule and the global, always on element, I never truly switched off. That said, one of my mottos was “Work Hard, Play Hard” so evenings with teams, internal clients and their customers in different countries were long, hilarious and helped us bond even closer to perform even better. Frankly it was exhausting and my sleep suffered.

So I did what every self respecting professional does, and started to self medicate with alcohol. It was, for the most part free from British Airways and Hilton, or on expenses (see above). It wasn’t a problem as I had a good tolerance, was a happy (maybe even hilarious) drunk, and while stupid things were done, it only bought us closer and more effective as a team.

And it wasn’t a problem for a number of years… until it suddenly was.

2017 was a very difficult year for me. In that year I drank almost every single day to excess as a result. I would get up in the morning and carry on working until the end of the day and I would start again. I wasn’t an alcoholic as I didn’t need to drink 24 x 7, so that was OK. I also managed to spend thousands of my own money on nights out with friends and team mates, pushing myself seriously into debt. My anxiety, stress and depression were getting worse, but I was able to medicate for that myself, so no problem.

Then came Rome. I will save you, dear reader, from the gory details, suffice to say that at 5am on a Monday morning at the end of September I found myself at the top of a building incoherent with emotion, raging at the universe, and willing myself to jump off. I had lost my third phone that year from the nights entertainment, had driven myself further into debt and I just couldn’t do it anymore.

Thankfully, an ambulance turned up, I was talked down, hospitalised for a few hours and then discharged. With no phone, in a foreign country, no idea of where my hotel was or where I even was, I managed (in a complete blur) to get back to the hotel, call my wife, get to the airport and get home only to spend the next four weeks in the care of the NHS and my family, and off work.

The irony of my situation wasn’t lost on me; here I was, a successful, well paid, C-Level Executive, ostensibly well known and regarded in the industry, and I am clinically depressed and suicidal. Therefore to say I was scared, lonely and emotional would be an understatement, and I decided to make some changes in my life.

Two of those changes are of direct relevance here;

  1. I stopped drinking alcohol. I was classed as a Non-Dependent Alcoholic and as a result was tasked with cutting down my intake dramatically. I decided to stop entirely, a choice I would have considered unthinkable, even laughable, just a few months before. I haven’t drunk alcohol since, not because I can’t allow myself to, but because it simply isn’t an important part of my life now.
  2. I decided to be more open about my mental health issues with not only my family, but my friends and work colleagues, and address them proactively.  I was not going to be defined by this event and lifestyle change, and I also wasn’t going to be held to ransom, mistakenly or maliciously, by the events I have just disclosed above. I have yet to discover anyone who I confided in who was at the very least supportive, if not understanding, be they family, friends and especially my team.

There is of course a damn good reason why I am sharing this with you. What follows is my takeaways for everyone who read the above and felt it resonated with them even just a little.

  1. Alcohol is a bad way to treat yourself for anything longer than a few days. Talk to a doctor or therapist sooner rather than later and save yourself a life threatening event to wake you up.
  2. There is no stigma in sharing your mental health struggles. I am constantly amazed at the overwhelmingly positive response from everyone I talk to about my personal experiences. If your friends and colleagues are not supportive of you, perhaps you should question why you are in the state of mental decline in the first place.
  3. If you work for a good company, and/or have a good team, your time out of the office will be dealt with and accommodated for allowing you to recover. When you come back, you will do so with more energy and vigour than most other members of the team. If you are not being supported, see point 2.
  4. If a member of your team is struggling, you don’t actually have to do much to help. Communicating to them that they should take whatever time they need to address their issues, and not asking questions is all that is needed. If your team can’t take up the slack, then how are they going to cope during an incident anyway?
  5. Be supportive if you can; it is difficult, but even small gestures like gifts of tea and chocolate (you know who you are…) or staying in touch over instant messenger to make sure someone is OK is also a great way to show your support. Humour helps too.

I’m going to close this with a call to action. This isn’t some virtue signalling programme that I will front up on Twitter and Facebook, but rather a call for everyone to include mental health topics in their team meetings, their management reports and metrics, as well as face to face meetings. The financial losses to our industry are probably staggering because of mental health issues, so we should be tracking and probing on it in our organisations as much as gender or racial diversity.

I want to reiterate, again, that if you are feeling it, someone else is feeling it too. Now you know what I have been through, I hope it means you now you have someone you can reach out to as well, or have to courage to seek help and support when before you didn’t.

As for me, I have never been better these last 18 months or so. I sleep better, I work better, I manage stress better, and I am pretty sure my jokes are better too. Therefore, I leave you with this unattributed quote:

I wouldn’t recommend suicide, it’s bloody dangerous. I nearly killed myself…

 

Note: I am going to be at the RSA conference in San Francisco in a 
couple of weeks time, as well as at a variety of other conferences 
over the coming months. Please do say hello and let me know your 
thoughts on this topic. Should it be as mainstream as I suggest, 
or should we just stick with the stiff upper lip approach?
Can and should we be doing something else?

The Art of the Presentation (Part 1 of 3)

In a post a few years ago I talked about The Art of the Conference, and what conference organisers can do to improve their conferences and make lives easier for their presenters. I was reminded of this post again recently as this is the sixth year that I am mentoring a rookie speaker at BSides London, and in my initial conversation with them I discussed a three stage approach to creating, practising and delivering the talk (the latter of which touches on the content of my previous post).

This post focusses on the first part of this process, the actual creation of the talk.

The Idea

This is actually the hardest part of the entire process (aside perhaps from actually standing in front of 200 people of course). In my experience many people try to not only come up with a wholly unique idea, but then try and explore it in too much detail. Given your talk will probably be competing against many other talks, the easiest way to make yours stand out is with it’s simplicity. Take the core of a topic, and honestly ask yourself what your view on it is; do you agree with it, if not why not, what could be better, what is your experience of it and how have you addressed it? By keeping it simple your audience will have more chance of remembering what you said. This process could take anywhere from minutes to weeks and weeks dependent upon your experience, knowledge and confidence. Don’t assume however that just because you have an opinion that everyone else is fully knowledgeable of it either; if nothing else you are bringing your own unique viewpoint.

The Creative

This is a point at which your approach may differ, but I have always found this the best way of actually inspiring myself and getting my story straight. I fill a sheet of paper with boxes (below) and then start to sketch out, not always legibly) the approach I am going to take on the deck I produce. I do this because it ensures I don’t write any actual prose on the topic; personally when I do this I find it very difficult to then pull myself away from the prose when presenting. It is a mental block of sorts of course, but this approach allows me to sketch out the story of my talk without having to get attached to a certain way of saying things

I try and avoid too many words as they are a distraction to the audience, and focus on high resolution images that help embellish my point or provoke an appropriate reaction from the audience. There are some very good books on creating slides for presentation that I have referenced, Presentation Zen and Slide:ology; I strongly recommend these to anyone who wants to up their game on the visual presentation side of things.

This approach also allows you to build a story; making sure your presentation has a beginning, middle and end help draw your audience in. What talk would you rather watch…

My talk is about a simple technology we used to allow someone to Tweet over a phone call.

or

John Doe is a man who was imprisoned on the flimsiest of evidence and with ludicrously high bail. He had restricted access to legal counsel and even family were not allowed to visit him. His entire campaign for justice was focussed around his significant Twitter followers, and given his elevated fame in his industry was where most of his support would come from. Here is the story of how we used a Raspberry Pi, two cans, a length of string and Python to allow him to live Tweet from his weekly phone call, directly and un-redacted, and ultimately beat the corrupt government that had arrested him.

Your approach needs to be simple, but that doesn’t mean it needs to be dull.

The Timings

Timing a presentation is very difficult, but after some experience I have found I can not only tell roughly what the length of a presentation created like this, but can also vary it in length, sometimes upon to 100%. The other rule of thumb is to dive the number of minutes you have by the number of slides. One slide for roughly every minute is a good place to start, but keep an eye out for when that number increases. Trying to cover more than one slide every 15 seconds is going to be very challenging.

The Takeaways

I often say that people will remember less than 30% of what you said less that 30 minutes after you have finished speaking. Not only is this where the simplicity of your deck is important, but also making sure you leave the audience with clear activities or advice on what to do next is vitally important. If you don’t do this, you will leave the audience somewhat nonplussed even if your content is great. As one close friend of mine said to me after I had asked for feedback:

It was a good talk, but I got to the end and thought “meh, so what?”

Your talk can be interesting, but if it doesn’t have a point, you will always be in the “meh” zone.

Next time (or maybe the time after), The Art of the Presentation (Part 2 of 3) – Practising.


What does a CISO actually do?

I read this wonderful article by Helen Patton  a CISO and contributor to Medium, and in it she describes the seven main areas she spends her time as a CISO; Technology, Data, Business, All The Other Internal Stuff, Vendors and Partners, Law Enforcement and Customers. (She also adds an eighth area, her Security Team of course!).

It is a fascinating read and one that tells a lot about the type of work a CISO will find themselves doing, and much of it resonated with me. I do believe however that the viewpoint is constrained by one aspect of her role, and one Helen states upfront:

Given that Cyber Security is about, well, cyber, and given that in my organization my administrative reporting line goes through the CIO, I spend a fair amount of time working on technology strategy.

It prompted me to write this post because I feel a CISO can do so much more once the role is removed from the auspices of IT. This has been a pet topic of mine for a number of years now, and it is a similar challenge CIO’s once faced, i.e. not reporting into the highest level of management possible. even spoke back in 2013 at RSA on just this topic.

This is a very common reporting line of course, largely because information security responsibilities often come out of IT, or the focus is purely on IT security and therefore fits into that service. It does however create potential issues:

  • The infosec message is filtered through the IT lens, and security issues become a smaller part of the overall IT programme.
  • The role is focussed significantly more on technology (the first item on Helen’s list above) and doesn’t take into account other factors, such as physical, people, or even awareness.
  • If the security function is dictating or heavily influencing technology and architecture, a conflict of intents can arise if there are security deficiencies in those aspects. There is no independent perspective on testing the environments, and a conflict of interest in highlighting deficiencies therein.

In these circumstances the role has a tighter focus, is more hands on, and may potentially not bring the benefits to an organisation that it could.

So what should CISO be doing then?

The CISO primarily needs to be a representative of the business, and not of a department. By that I mean that the CISO is not always going to be the best information Security professional in the same way that the CFO is not always the best accountant. They are however the best person to make decisions that span their area of responsibility AND the business, and actually focus on the bigger picture.

My role as a CISO therefore is not to make the company the most secure company in the world. If I did that, it would be out of business in a matter of months; loss of agility, inability to invest, reluctance to accept certain projects etc etc would make the company wholly unprofitable. My role is to help the company sell more, do more, innovate more and earn more… through the judicious application of security as a competitive advantage.

Put simply, a CISO needs to stop saying “No” to projects or requests that on the face of it are high risk, and stop expecting 100% security on rollouts prior to launch. That doesn’t mean we can’t aspire to perfection, or aim to build the very best environment we can, we just have to accept that something that is a high risk to us, may be a low risk to the business overall. Of course the business needs to understand what the security risks are and be cognisant of the risk when taking decisions, but security is not the single most important input here, it is one of many. We are advisors, not dictators.

The CISO therefore not only does many of the things Helen points out in her article, but it goes beyond that; above everything else in my opinion is being able to truly understand the business, it’s challenges, goals and vision, provide performance information, read the company reports and educate the senior leadership on what risks there are without sowing F(ear), U(ncertainty) and D(oubt). In other words then, what does a CISO do…?

Powerpoint and politics.

Everything else is just details.


Making the world angrier, one process at a time

Angry Thom BlogI have recently set up Family Sharing on my iOS devices, so that I can monitor and control what apps go on my kids devices without having to be in the room with them. Previously they would ask for an app, and I would type in my AppleID password and that was  that. Unfortunately with my new role I am travelling so much now that the thought of waiting a week before they can get an apps was causing apoplectic grief with my kids. Family Sharing was the solution, and when I had finally worked it out, we were goood to go and it works well. I can now authorise a purchase from anywhere in the world. I get woken up at 3am with a request for a BFF makeover or car crash game (one girl, one boy) but my kids are happy.

One problem however was that for some reason my daughters date of birth was incorrect, therefore indicating that she was an adult, and thereby breaking the whole “app approval” process. Straightforward to fix? Not at all.

I won’t bore you with the details, but it was the most frustrating process I have encountered in a long time. I admit, I misinterpreted the instructions along the way (they were a bit asinine in my defence), but it came down to the fact that I had to have a credit card as my default payment method for my family account, not a debit card, simply to authorise the change of status of my daughter from an adult to a child. In other words, I had to jump through hoops to restrict her  account rather than give it more privilege. Not only that, but from an account that already had the privileges in the first place. There didn’t seem to be any element of trust along the way.

I am sure there is a good, formal response from Apple along the lines of “take your security seriously”, “strong financial controls” etc, but as an experience for me it sucked, and if I could have worked around it I would have. Thankfully not all of Apple’s ecosystem works like this!

This is a problem for many information security organisations when they introduce procedures to support organisational change or request mechanisms. For instance, how many times have you seen a change request process require CISO, CIO and potentially even higher approvals for even simple changes? Often this is due to a lack of enablement in the organisation, the ability to trust people at all levels, and often it is a simple lack of accountability. It seems we regularly don’t trust either our own business folks as well as our own employees to make the right decisions.

Procedures like this fail in a number of places:

  1. They place huge pressure on executives to approve requests they have little context on, and little time to review.
  2. The operational people in the process gain no experience in investigting and approving as they simply escalate upwards.
  3. The original requestors are frustrated by slow progress and no updates as the requests are stuck in senior management and above queues.
  4. The requestors often work aroun d the procedure, avoid it, or simply do the opposite of what finally comes out of the request as work pressures dictate a quicker response.
  5. The owners of the procedure respond with even tighter regulations and processes in order to reduce the ability nof the nrequestor to wotk around them.

And so the cycle continues.

The approach I have regularly used in situations like this comprises of two tenets:

  1. Consider the experience of the user first, then the desirable outcomes of the process second.
  2. Whatever process you then come up with, simplify it further. And at least once more.

Why should you consider the expoerience of the user first? Who is the process for the benfit of, you as in formation secuity, or them as the end user? If you answered the former, then go to the back of the class. We are not doing security for our benefit, it is not security for the sake of security, it is to allow the user, our customers, to do more. If we make their experience bad as they do their best to make more money, sell more beer, do more whatever, security becomes an irellevance at best and a barrier to successful business at worst.

Making the requstors exoerience as painless and as straightforward as possible (perhaps eeven throw in a bit of education in there?) they are encouraged to not only see the long term benefits of using the procedure as we defined, but also become fanatical advocates of it.

Secondly, why should we keep it simple? Well not only to support the above points, but also because guess who is going to have to support the process when it is running? Of course, you and your team. If the process itself is bulky and unmanageable then more time will be spent running the process than doing the work that the process needs to support. If that amount of time becomes too onerous over time, then the process itself breaks down, the reporting on the process becomes outdated, and ultimately the process itself becomes irrelevant and considered a waste of time by those it affects.

Putting your requestors at the centre of your simplified process universe will always make that process more robust, more understood, more beneficial and of course more relevant to the business, and who can argue with that?

InfoSecurity Europe

I spoke at this years InfoSecurity Europe in London a few months back on articulating risk to senior management. Peter Wood, the moderator, did an excellent job as moderator of the panel, and even revitalised my faith in them after too many very poor experiences earlier this year.


Your InfoSec premiums have increased by 20% this year. Are we worth it?

High-insurance-PremiumsMy annual home insurance quote came through this morning, with the usual 10-20% uplift that I know I can remove again through simply phoning the provider and threatening to leave. It is a pretty standard technique in the industry that has been going on for years, and that preys upon the lazy people in the world who can’t be bothered to look for a better deal.

Rewind a few months when I spoke with a very senior executive who admitted that he saw information security as a form of insurance.

“I don’t want to have to pay for it, but I do because I know that when I need it you guys come and fix the problems we are in”

This is a somewhat common and fair attitude to information security given our background as an industry and how we often interact with the business (a particularly large topic that this entire blog is really about). yet what was so interesting was his follow on comment:

“the things is, I am sure there is so much more information security can do for us, I just don’t know what it is”

When I first took out home insurance, I was most concerned about getting the cheapest quote. I was young, free and almost single, but all of the extras that the larger insurance companies were offering (and charging for) did not concern me. If my house burnt down I would find somewhere else to live while the insurance company sorted everything out, what do I need a hotel for?  Lost my house keys? I will change the crappy lock on the front door myself when I get round to it, I don’t need a locksmith from the insurance company to do it for me.

Fast forward to today, and I live a far more complex busy life, cash rich (relatively speaking), time poor, with responsibilities to my children and wife, and a lifetime of memories in my house that are virtually irreplaceable. if things go wrong, I need it fixed quickly and easily and with the minimum of impact to me and my family. I even have proactive services, such as boiler cover and servicing to reduce the likelihood of things going wrong in the first place. Therefore I am leveraging every aspect of what the insurance company can give me even before something goes wrong, and the peace of mind that I get knowing they are looking out for me even prior to disaster striking is worth (almost!) every penny.

An information security programme must be able to sell every aspect of its services to the business, and not just be seen as a reactionary force. if it does that, every time something goes wrong, both the financial and emotional premiums of paying for your services will increase time over time until the point the programme is seen as imply an overhead like paying the rent and keeping the plant watered, i.e. when the time comes, costs to be reduced.

Look at how you provide service before the fact; risk assessments, security testing, awareness and education can all be seen as services that prevent and/or add value to the business. What about the day to day? Consultancy to the business to do things securely without them even thinking about it; it doesn’t have to have “security” written on it to be a win for you and the business. And of course don’t forget after the event; incident management, business continuity, or even helping in the quality acceptance environments after something has been developed.

The key is to be involved in the full lifecycle of your business, whatever they are. They will be different from business to business and industry to industry, so it may not always be easy to identify, but it is extremely valuable.

And the prices we quote every year? Unlike insurance premiums, we are worth every penny.

Note: I don’t actually like the analogy of infosec and insurance, but it is one I regularly hear, so I decided to try and embrace it in this blog. I still don’t like it, but I can see how it could be useful for a simple elevator pitch or short conversation. There are plenty of analogies out there, and the best place for them in my humble opinion is at The Analogies Project. Check them out, and use them wherever possible. Even better, think about becoming a contributor.

TAP-Contributor-Dark-250x160