Managing the Cyber Threat: Insights from Senior Leaders

I’m happy to announce that the registration for the NextSec June 2014 Conference is still open.

Location: Investec Bank plc, 2 Gresham Street, London, EC2V 7QP, United Kingdom
Date: 5th June, 2014


18:00 – The role of a CISO in a cloud, mobile and social world

Speaker: David Cripps, Investec CISO

David is the Information Security Officer for the Investec Group and is responsible for the Group’s information security programme, ensuring that the risks to their information assets are identified and appropriately managed. He has a strong technical and networking background in the finance and telecommunications industry. David has also worked as an electronics instructor in Sri Lanka.

David has been awarded a master’s degree in Internet and Telecommunications Law (LLM). He is a Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA) and Certified Information Systems Security Professional (CISSP). David has also been awarded an Advanced Professional Certificate in Investigative Practices (APCIP).

18:25 – The rule of three: cyber resilience in a fast-changing world

  • Three walls to structure controls and contingencies against cyber attack
  • Three principles to drive the design of practical and focused cyber defences
  • Three strategies to maintaining agile, adaptive and sustainable counter-measures to meet the cyber challenge

Speaker: Daniel Barriuso, BP CISO

Daniel Barriuso is the Chief Information Security Officer (CISO) at BP. He is responsible for cyber security across the Group, including strategy, governance, architecture, education, counter threat operations and incident response. Daniel is a frequent speaker and contributor at security forums and events. Prior to joining BP, Daniel was CISO at Credit Suisse and coordinated a number of security initiatives across the financial services sector, including the ‘Waking Shark’ response exercise. Daniel also dedicates his time as a Professor at the ‘Universidad Politecnica de Madrid’, where he lectures and researches in the areas of IT governance and information security investment.

18:50 – From Graduate to VP: My journey in the realm of Network Security

Speaker: Raghu Nandakumara, Citi Network Security Manager

Following completion of his MSc, Raghu joined Citi in 2004 as part of the UK Technology Graduate Programme and was placed in the EMEA Information Security Services team. Initially working in Operational Support, he was part of a team that was responsible for the maintenance and stability of all perimeter security infrastructure in EMEA, including firewalls, proxies and remote access. He moved into the Network Security Engineering organisation in 2008 and was initially responsible for security service delivery on business projects (including handling large-scale divestitures and acquisitions) as well as the build-out of security infrastructure in Citi’s new strategic data centre in the region. Having spent the last few years as the SME for several Network Security products, he now runs the Network Security Engineering Tools and Automation team.

19:10 – ISACA’s Cybersecurity Nexus (CSX) Program

Overview of ISACA, including Cybersecurity Nexus (CSX), ISACA’s recently launched program that provides insights and resources for cybersecurity professionals.

Speaker: Allan Boardman, ISACA International Vice President

Allan Boardman, CISA, CISM, CGEIT, CRISC, ACA, CA (SA), CISSP, is a risk officer at Morgan Stanley and International Vice President at ISACA. He began his career with Deloitte in Cape Town and has over 30 years’ experience in IT assurance, risk, security and consultancy roles at organisations including JPMorgan, Goldman Sachs, KPMG, PwC, Marks and Spencer, and the London Stock Exchange. He is a past president of the ISACA London Chapter and has served on the BCS’ Information Risk Management and Audit Committee. He is a member of ISACA’s International Board of Directors, currently chairing its Credentialing and Career Management Board, and is a member of ISACA’s Strategic Advisory Council. He has served on ISACA’s Leadership Development Committee and chaired ISACA’s CISM Certification Committee. He was a volunteer at the Paralympics in London 2012 and Sochi 2014, and is a school governor where he chairs the Finance Committee.

KPMG’s Cyber Security Open Evening


I’m sharing client case studies at KPMG’s Cyber Security Open Evening.

At KPMG we believe that cyber security is about what you can do – not what you can’t. Far from being a pure technical fix which can paralyse a company, we focus on driving change and helping our clients secure the future of their business. That’s why we’re still growing.

We have talented people with a passion for fighting the cyber threat. Come along to our open evening to speak to our specialist teams, who will be showcasing our insights and debating topical issues.

Come and see what the industry’s leading Cyber Security team are working on at KPMG’s Cyber Security Open Evening, Wednesday 28 May from 6pm at KPMG, 15 Canada Square, London E14 5GL.

To register your interest, please book your place.

Password Policies: Security vs Productivity

A password policy can include a number of parameters. Let’s examine them from both security and productivity perspectives:

  • Minimum password length defines how many characters a password must consist of. The longer the password, the more resistant it is to a brute force attack, provided the other password best practices are followed. Longer passwords, however, are usually harder to remember, which may lead to instances of passwords being written down.
  • Password complexity requires a password to combine upper- and lowercase letters with numbers and special characters. The more character classes a password draws on, the harder it is to run a dictionary attack against it. As with long passwords, complex passwords are usually harder to remember.
  • Password renewal policy ensures that users regularly change their passwords. This limits the window in which a compromised password remains useful to an attacker. Although this policy is beneficial from the security perspective, users may struggle to come up with new passwords that satisfy the security requirements.
  • Password history prevents users from setting passwords they have used before. This forces them to come up with genuinely new passwords, so that a password which was compromised in the past is not brought back into use. The usability cost is the same as for renewal: users have to invent yet another password that satisfies the security requirements.
  • Locking out a user’s account after a number of wrong password attempts is a strong measure against a brute force attack, as the attacker is then unable to try all possible combinations using specialised software. From the usability perspective, however, legitimate users might also enter their passwords incorrectly and be unable to access the system. This may result in an increased number of calls to the company’s Help Desk or increased time spent on manual password resets.

Password complexity and usability explained in one comic.
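The five parameters above, worked through as an added example that is not part of the original post: a small Python policy checker in which the PasswordPolicy and Account classes are my own constructions, and the unsalted SHA-256 used for stored hashes is only there to keep the demo short (a real system stores a salted, slow password hash).

```python
import string
from dataclasses import dataclass
from hashlib import sha256
@dataclass
class PasswordPolicy:
    min_length: int = 12           # minimum password length
    min_classes: int = 3           # complexity: how many of lower/upper/digit/special are required
    history_size: int = 5          # history: previous passwords that cannot be reused
    max_failed_attempts: int = 5   # lockout: wrong attempts allowed before the account locks

CLASSES = (str.islower, str.isupper, str.isdigit, lambda c: c in string.punctuation)
def digest(password):
    return sha256(password.encode()).hexdigest()  # unsalted SHA-256 only to keep the demo short

def check_password(policy, candidate, history):
    """Return the list of policy violations for a proposed new password (empty list = accepted)."""
    problems = []
    if len(candidate) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    classes = sum(any(test(c) for c in candidate) for test in CLASSES)
    if classes < policy.min_classes:
        problems.append(f"uses {classes} character classes, policy requires {policy.min_classes}")
    recent = history[-policy.history_size:] if policy.history_size else []  # [-0:] would be all
    if digest(candidate) in recent:
        problems.append("reused from password history")
    return problems

class Account:
    def __init__(self, policy, password):
        self.policy, self.failed, self.locked = policy, 0, False
        self.hash = digest(password)
        self.history = [self.hash]  # hashes of the current and previous passwords

    def change_password(self, new):
        problems = check_password(self.policy, new, self.history)
        if not problems:
            self.hash = digest(new)
            self.history.append(self.hash)
        return problems

    def login(self, attempt):
        # Returns 'ok', 'wrong' or 'locked'; the account locks once the threshold is reached.
        if self.locked:
            return "locked"
        if digest(attempt) == self.hash:
            self.failed = 0  # a successful login resets the counter
            return "ok"
        self.failed += 1
        self.locked = self.failed >= self.policy.max_failed_attempts
        return "locked" if self.locked else "wrong"
```

The history check only remembers the last history_size hashes, so an old password becomes permitted again once it falls out of that window; tune that parameter together with the renewal interval.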

Martin Ruskov: People follow examples, not advice

Interview with Martin Ruskov – Researcher in Exploratory Learning


Martin Ruskov recently completed his PhD on Educational Serious Games in the Information Security Research Group at UCL. As part of his research he developed a prototype for participatory information security, based on the Conjunction of Criminal Opportunity framework (a holistic crime prevention framework). The prototype is currently being used in graduate classes on security at UCL and Oxford University. Martin has previously worked in the broader field of interactive media and has been involved in teaching in leading organisations across Europe.

What problems do you see with human behaviour and security compliance?

People follow examples, not advice. In other words, for them it is important to see that management take security policies seriously by taking the lead in compliance, rather than only saying so and later circumventing them. This is a general management issue which was summarised very well by Chris Argyris for HBR in 1991, but there is growing evidence (as in the yet unpublished work at UCL’s Information Security Research Group) that this is an important issue and subsequently the awareness and behaviour of management need to be addressed.

When management is compliant and transparent about it, the rest will follow. However, this is an expensive process, not only financially, but again in broader resources, with delayed returns.

Finally people are inclined to seek easy answers. Unfortunately reality is complex and very often a simple rule how to handle certain situations cannot be written. The challenge is to find a balance between personal responsibility and judgement on one hand, and efficiency on the other.

Can game-based learning help to resolve this issue?

I am far from convinced that game-based learning is the way to address awareness and behaviour change at the level of senior management.

However, game-based learning and captology have suggestions that show how attention can be attracted, ideas can be explored, and potential solutions can be advocated and encouraged.

How to improve security awareness training?

Complex issues require extensive discussion, and feedback about practice as a way to be grasped. It is my strong belief that these are activities that require a lot of effort on behalf of facilitators, trainers or lecturers.

I believe that a sensible way to try to optimise awareness training is to try to automate trivial issues when there exists the desired clear-cut yes or no answer, so that resources can be dedicated to lengthier and confusing discussions about complex topics.

How to improve usability of security controls?

This is a very difficult issue. Ease of use usually means less need for the users to deeply comprehend the underlying mechanisms. As an illustration we can use personal computers, for example the usability paradigms in the OSX vs Linux operating systems. Whereas OSX has always had the coolest interfaces, presets and skins, it leads people into an Instagram-like mainstream fashion where superb content can be produced with minimal effort. Linux, on the other hand, gives users complete control. This leads on one hand to a much higher threshold to entry, but on the other to much more experimentation and learning in the process of doing. Ideally we would want professionals (in this case CISOs, and information security officers in general) to be able to work out everything themselves, but in fact we can rarely afford the necessary resources (e.g. time and money) for that. Academia takes this approach – both in mathematics and project management many professors would ask students first to work out a method by hand before they engage with the tools that automate it, but again with academia one of the biggest challenges is that the curriculum is overloaded and not flexible enough to meet new challenges.

How should companies change their approach to information security management?

I believe a continuous iterative approach would provide valuable insights of the issues in context. Information security is an arms race between attackers and preventers. It is difficult to involve in it employees who have other primary tasks, but security managers should be ready to accommodate contributions from volunteering employees. It is much more productive and efficient to collaborate with the people willing to engage, which would hopefully lead to wider engagement from others. Hopefully such an approach would lead to broader awareness culture among employees, while yet maintaining their focus on their main professional goals.

Delivering a Seminar at the London Metropolitan University

I was invited to give a talk on industrial systems security at the London Metropolitan University.

The seminar was intended for academic staff to discuss current problems in this field. We managed to cover a broad range of issues regarding embedding devices and network and IT infrastructure in general.

The professors shared their perspective on this subject. This resulted in the identification of several research opportunities in this area.