Over the years I’ve had the opportunity to acquire multiple professional certifications in cloud security, project management, industrial control systems security, data privacy, architecture and more.
Passing an exam, of course, doesn’t make you an expert: a credential itself doesn’t always guarantee skill. However, I found the process of studying for one rewarding in itself.
It helps you structure your existing knowledge and pick up a few new things that you could otherwise have missed along the way. Combining your prior practical skills with the good practices at the heart of these certification paths also allows for continuous improvement.
I write about how to pass some of these exams on this site, so feel free to get in touch if you would like to discuss my preparation strategies and exam tips.
Asset management is often regarded as the foundation of a security programme. You can’t protect something that you don’t know you have. This extends beyond internal systems to your organisation’s partners. Depending on the line of business, supply chains can get increasingly complex. They include vendors, manufacturers, retailers and distributors in multiple geographies and regulatory regimes. Securing such a network is no easy task and should start with visibility and careful risk management.
I previously wrote about the complexity of communication and the multi-faceted nature of the CISO role. Combining these perspectives, I would like to give an overview of what a communication strategy might look like for a security leader.
Product security is more than running code scanning tools and facilitating pentests, yet that's what many security teams focus on. Secure coding is not a standalone discipline; it's about developing systems that are safe. It starts with organisational culture, embedding the right behaviours and building on existing code quality practices.
I recently had a chance to collaborate with researchers at The Optus Macquarie University Cyber Security Hub. Their interdisciplinary approach brings industry practitioners and academics from a variety of backgrounds to tackle the most pressing cyber security challenges our society and businesses face today.
Both academia and industry practitioners can and should learn from each other. Industry can guide problem definition and provide access to data, but it can also learn to apply the scientific method and test its hypotheses. We often assume the solutions we implement lead to risk reduction, but how this is measured is not always clear. Designing experiments and using research techniques can help bring the necessary rigour when delivering and assessing outcomes.
I had an opportunity to work on some exciting projects: helping build an AI-powered cyber resilience simulator and a phone scam detection capability, and investigating the role of human psychology in improving authentication protocols. I deepened my understanding of modern machine learning techniques like topic extraction and emotion analysis and how they can be applied to solve real-world problems. I also had the privilege of contributing to a research publication presenting our findings, so watch this space for some updates next year.
While in quarantine after arriving in Australia, I had a chance to catch up on some learning.
I completed two specialisation tracks on Coursera offered by Macquarie Business School as part of their Global MBA programme. The courses covered a variety of topics, including negotiations, change management, storytelling, board engagement, innovation, strategic management, sustainability, supply chains and more.
As someone who has worked for both large multinationals and small tech startups, I'm often asked whether the scale of the organisation matters when building security culture.
I think it does. Managing stakeholders and communication gets increasingly complex in larger organisations. In fact, the number of communication paths tends to increase dramatically with every new stakeholder introduced to the network.
I’ve had the privilege of advising a number of smaller companies at the beginning of their journey, and I must admit it’s much more effective to embed secure behaviours from the start. We talk about security by design in the context of technical controls; it’s no different with security culture.
While working as a consultant, I helped large corporations with that challenge too. The key is to start small and focus on the behaviours you want to influence, keeping stakeholder engagement in mind. Active listening, empathy and rapport building are essential – just rolling out an eLearning module is unlikely to be effective.
I’ve been featured in an eBook by Thales sharing my thoughts on the challenges organisations face on their Zero Trust journey and how to overcome them. It’s a huge topic that can be approached from different angles, and it’s certainly difficult to capture in a single quote. However, asset management should be an important consideration regardless of the implementation model.
I had the privilege of engaging with NHS Digital as an external consultant in a technical architect capacity to help enhance their cyber security capabilities. NHS Digital continues to play an important role in the current pandemic in the UK, and it was an honour to be able to contribute to the security of their operations.