I’m passionate about helping people understand security better. In my experience, using analogies has proved to be one of the best tools to help them learn. People gain a far better and longer-lasting understanding when they can relate a concept to an experience that illustrates it. Describing situations and possible outcomes can be done just as easily by telling stories: they are not only pleasant to read, hear or imagine, but they also transfer knowledge in the most effective way.
That’s why I decided to contribute to The Analogies Project.
Here’s what their website says about the project:
The aim of the Analogies Project is to help spread the message of information security, and its importance in the modern world.
By drawing parallels between what people already know, or find interesting (such as politics, art, history, theatre, sport, science, music and everyday life experiences) and how these relate to information security, we can increase understanding and support across the whole of society.
Why use analogies?
Many aspects of information security are highly technical and require a deep specialist knowledge. However, we know that all security depends ultimately on the awareness and preparedness of non-specialists.
Information security professionals cannot rely solely on technology to protect their organisations. They must engage with senior management and users in a way that their message is understood, fully appreciated and implemented. In this way they can drive changes in attitude and behaviour that will make the organisation more secure.
To do that, they must find a new language to get their points across to the non-specialist. And this is where the Analogies Project comes in.
Our past is littered with examples of how the prosperity or decline of individuals, enterprises, governments and nation states has depended to a greater or lesser extent, on the confidentiality, integrity and availability of information. By using storytelling, analogies and metaphor we can transform these real life events into powerful tools for engagement.
Please feel free to check out my profile and read my analogies.
I was invited to deliver a lecture on ethical hacking to the graduate students at the University of Bradford. We started off by discussing basic principles and approaches and concluded by covering specific tools and techniques.
The students, with backgrounds ranging from mobile application development to communications and networks, actively participated in the discussion. I was also very happy to share some case studies and real-world examples around vulnerability, threat and risk management.
To expand on my research on the human aspect of security, I created a simplified model to highlight the relationship between productivity and security. The main hypothesis is that there is a productivity cost associated with security controls.
The interactive simulation is available at http://www.productivesecurity.org. It allows users to implement their own security policies and observe the relationship between risk reduction and the impact on productivity cost. Easy-to-understand visual feedback is shown to the user immediately. This helps convey the security manager’s perspective when implementing security controls in a company.
The creation of the model was inspired by research conducted by Angela Sasse and her colleagues at University College London.
Please get in touch if you have any feedback or would like to discuss the underlying research findings.
This week I was really happy to be back at University College London, where I earned my degree in Information Security. I was invited to the Technology & Entrepreneurial Start Ups Insight session organised by the Management Science & Innovation Department. I met many bright students interested in technology, including current MSc Information Security students. It was very interesting to find out how the curriculum has changed to address modern industry trends and needs.
The following day I was proud to represent KPMG at the UCL IT and Technology Careers Fair. It comes as no surprise that many students were interested in starting a career in the information security field. I was happy to help out with some suggestions, especially remembering that I attended the very same event some years ago.
We are delighted to invite you to the NextSec Cyber Security Conference ‘The Changing Face of Cyber Security’ on 11 December 2014 at EY, 1 More London Place, SE1 2AF, London.
The conference will provide an opportunity for you to hear senior cyber security leaders from a range of industries share their cyber security experiences and insights through presentations following three main themes:
1) the changing cyber threat landscape,
2) the diverse techniques that have been adopted in response to the threat, and
3) the range of cyber security roles across different sectors.
The second half of the conference will address the changing dynamics required for leadership in cyber security including gender diversity and inclusiveness.
An open Q&A panel discussion will close the conference sessions.
- Date: 11 December 2014
- Time: 5.00pm – 8.30pm followed by networking and drinks
- Location: Mulberry Restaurant, EY, More London Place
- Cheryl Martin, Partner, EY
- Leron Zinatullin, NextSec Committee Member and Information Security Advisor, KPMG
Confirmed speakers and panellists:
- Cheryl Martin, Partner, EY
- Sian John, Security Futurologist, Symantec
- Robert Coles, Chief Information Security Officer, GlaxoSmithKline
- Elena Cinquegrana, Associate Director, Navigant
- Lucy Chaplin, Assistant Manager, KPMG
- Freddie Hult, Senior Cyber Resilience Adviser, Cyber Resilience Ltd
Please visit the website to register for free.
NextSec is a networking group of young professionals working in cyber security and information risk management in the UK. The group has existed since January 2012 and currently has over 290 members, who work for over 59 organisations in the UK. We have a diverse representation of young professionals working in financial services, oil and gas, industrial goods and retail, marketing, telecommunications, software, technology, professional services and the public sector. For more information about NextSec, please visit our website and LinkedIn group.
On 8 and 9 October 2014 I attended the Cyber Security EXPO in London. It was co-located with IP EXPO Europe and gave participants an opportunity to take part in knowledge-sharing discussions, various talks, trade stands and more.
The (ISC)² London Chapter was running its regular community meeting, and everyone could also take part in the RANT event.
The selection of presentations was great, ranging from fairly technical to business-oriented.
Bruce Schneier also took part in the event, delivering a talk on incident response. It was an interesting discussion of the economics and psychology of information security in the context of modern trends.
Finally, it was a great opportunity to catch up with my friends, including Javvad Malik, Jitender Arora, Mo Amin and many others.
Security projects frequently introduce major changes that may be seen as a necessary evil delivering no value to the business. To change this perspective, a project manager should proactively manage benefits and make sure they are achievable and verifiable.
The key objective of benefits management is to ensure that benefits are identified, defined and linked to the company’s business strategy.
Realistic planning of benefits is the first step to achieving project success. It is, however, an ongoing activity and requires many iterations. In order to drive the realisation of benefits, the following template can be used to capture potential benefits and measure their impact on the organisation:
| Benefit | Expected benefit outcome | Benefit type | Where will the benefit occur? | Who will be affected? |
|---|---|---|---|---|